Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64729	DTBI1100-IE11	SV-79219r2_rule		Medium

Description
This parameter ensures only DoD-approved ciphers and algorithms are enabled for use by the web browser by blocking an insecure fallback to SSL when TLS 1.0 or greater fails.

STIG	Date
Microsoft Internet Explorer 11 Security Technical Implementation Guide	2016-06-24

Details

Check Text ( C-65471r3_chk )
Open Internet Explorer. From the menu bar, select "Tools". From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window scroll down to the "Security" category. Verify there is not a check placed in the check box for "Use SSL 2.0" or "Use SSL 3.0". If "Use SSL 2.0" or "Use SSL 3.0" is checked, this is a finding. The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding. The registry value for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings?\SecureProtocols must be "2688". If the "SecureProtocols" DWORD value is not "2688", this is a finding.

Check Text ( C-65471r3_chk )

Open Internet Explorer. From the menu bar, select "Tools". From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window scroll down to the "Security" category. Verify there is not a check placed in the check box for "Use SSL 2.0" or "Use SSL 3.0". If "Use SSL 2.0" or "Use SSL 3.0" is checked, this is a finding.

The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding.

The registry value for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings?\SecureProtocols must be "2688". If the "SecureProtocols" DWORD value is not "2688", this is a finding.

Fix Text (F-70659r3_fix)
Open Internet Explorer. From the menu bar, select "Tools". From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window scroll down to the "Security" category. Uncheck "Use SSL 2.0" and "Use SSL 3.0" options. Set the policy value for Computer Configuration >> Administrative Templates >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" to "Enabled", and select "No Sites" from the drop-down box. Set the registry value for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings?\SecureProtocols must to "2688".

Fix Text (F-70659r3_fix)

Open Internet Explorer. From the menu bar, select "Tools". From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window scroll down to the "Security" category. Uncheck "Use SSL 2.0" and "Use SSL 3.0" options.

Set the policy value for Computer Configuration >> Administrative Templates >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" to "Enabled", and select "No Sites" from the drop-down box.

Set the registry value for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings?\SecureProtocols must to "2688".