UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250541 DTBI1100-IE11 SV-250541r942485_rule Medium
Description
This parameter ensures only DoD-approved ciphers and algorithms are enabled for use by the web browser by blocking an insecure fallback to SSL when TLS 1.0 or greater fails. Satisfies: SRG-APP-000514, SRG-APP-000555, SRG-APP-000625, SRG-APP-000630, SRG-APP-000635
STIG Date
Microsoft Internet Explorer 11 Security Technical Implementation Guide 2023-12-01

Details

Check Text ( C-53976r799947_chk )
The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.

Criteria: If the value "EnableSSL3Fallback" is REG_DWORD=0, this is not a finding.
Fix Text (F-53930r799948_fix)
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" to "Enabled", and select "No Sites" from the drop-down box.