https://www.moonlightdesign.org/wiki/api.php?action=feedcontributions&feedformat=atom&user=StevenlawranceMoonlight Design - User contributions [en]2026-05-15T10:56:44ZUser contributionsMediaWiki 1.43.8https://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2292Main Page2026-05-11T21:55:19Z<p>Stevenlawrance: Removed the guest wireless reference, and updated Henry</p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is working on becoming a licensed psychologist.<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is a [https://en.wikipedia.org/wiki/Software_engineering software engineer] and [https://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and business administration at [https://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|View the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[https://gnucashtoqif.us/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font> <font size="1">[https://www.moonlightdesign.org/kjmouse/ KJMouse]</font><br />
|}<br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2289Main Page2017-12-03T20:25:03Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a psychology masters student at [https://www.ggu.edu Golden Gate University].<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is a [https://en.wikipedia.org/wiki/Software_engineering software engineer] and [https://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and business administration at [https://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|View the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[https://gnucashtoqif.us/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font> <font size="1">[https://www.moonlightdesign.org/kjmouse/ KJMouse]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2288TLS-SSL-Protocols2015-12-07T01:37:48Z<p>Stevenlawrance: /* Configure Without Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can theoretically improve security further, but when this was tested in Windows 8 with Internet Explorer 11, Internet Explorer 11 wouldn't start up successfully until TLS 1.0 was enabled in Schannel. As a result, TLS 1.0 will need to be left enabled in Windows Schannel, even if it's disabled in Internet Explorer.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS1-1.2.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS1.2.reg Windows 7 Best Security: TLS 1.2 only]<br />
**A shrinking number of web sites on the Internet won't work with this configuration.<br />
*[https://www.moonlightdesign.org/dl/TLS1-1.2.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
**A shrinking number of web sites on the Internet won't work with this configuration.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
**Don't use this on Windows 7, Windows Server 2008 R2, or newer as it disables TLS 1.1 and TLS 1.2 in Internet Explorer.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be considered equivalent to having no encryption.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be considered equivalent to having no encryption.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Steven_Lawrance&diff=2287Steven Lawrance2015-06-06T15:12:09Z<p>Stevenlawrance: /* Software that I created */</p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to the web site of '''Steven Lawrance''', [http://www.mse.cs.cmu.edu/ master of software engineering (MSE)]. I enjoy building complete computing solutions at all levels of abstraction to automate business processes at a low cost, in a short time frame, and with high quality. Put my experience, interests, training, and expertise to work for you. Please feel free to [mailto:steven@moonlightdesign.org contact me today].<br />
<br />
<div align="center"><br />
<table style="text-align: left;" border="0" cellpadding="1" cellspacing="5"><br />
<tr><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Team software|Software Built in a Team]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Software that I created|Software Built by Just Me]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Employment History|Employment History]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Education and Training|Education and Training]]</big></td><br />
</tr><br />
</table><br />
</div><br />
<br />
'''Résumé:''' [https://www.moonlightdesign.org/steve/resume.pdf Portable document format (PDF)]<br />
<br />
'''Network:''' [http://www.linkedin.com/in/meowmeow LinkedIn]<br />
<br />
Please feel free to ask me for more information about any project listed on this page.<br />
<br />
==Software Project Experience==<br />
<br />
===Team software===<br />
I materially participated in the team software projects listed below:<br />
<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[http://www.salesforce.com/ Salesforce.com]||Web-based business software platform and suite of integrated business applications. During my time at Salesforce.com, I have worked on several teams -- API, Force.com Sites, Site.com, and Platform Security. Most recently, I led the implementation of custom https domains for Salesforce's site technologies, and this included tangential work, such as the domain management screens that were added in Summer '14. I've been a go-to person for several parts of the platform, and this includes Force.com Sites, the database tier of Site.com, site publishing, custom https domains, clickjack protection, inbound and outbound https connections, the reverse proxy caching layer for sites, IPv6, and our main production feature testing tool.<br><br>At Salesforce.com's Dreamforce 2013 conference, I presented a [http://www.youtube.com/watch?v=Z7L1pSfcCJc session on the lessons learned while developing a Force.com solution] to replace an older Microsoft Access solution for the San Francisco AIDS Foundation.<br><br>Earlier at Salesforce.com, I integrated the low-level parts of Siteforce into the core Salesforce.com product; wrote Siteforce's Resin and runtime server configurations; wrote a [http://en.wikipedia.org/wiki/Cross-site_scripting cross site scripting] [http://en.wikipedia.org/wiki/Mozilla_Firefox Firefox]/[http://en.wikipedia.org/wiki/Firebug_(Firefox_extension) Firebug] extension to test proper output escaping in the manual and automated tests; improved an internal production testing tool's scheduling of tests by adding prerequisite expressions to increase test parallelization; and added per-window screenshots to an internal testing tool by extending Selenium with JNI native code.||{{Tech:Java}}, {{Tech:Ant}}, {{Tech:Selenium}}, {{Tech:JUnit}}, {{Tech:Salesforce.com}}, {{Tech:Jetty}}, {{Tech:Resin}}, {{Tech:JSP}}, {{Tech:Servlet}}, {{Tech:JNI}}, {{Tech:Win32}}, {{Tech:X11}}||large||2007-current<br />
|-<br />
|[[Reggie/CIS]]||A 200-user multi-tenant three-tiered HIV/AIDS client database system that was used by all Ryan White Foundation CARE-funded AIDS service organizations in San Francisco in collaboration with the [http://www.sfdph.org/ San Francisco Department of Public Health (DPH)] [http://www.sfdph.org/PHP/HIVHlthSvc.htm AIDS Office] and two partners to the [http://www.sfaf.org/ San Francisco AIDS Foundation (SFAF)], where I worked for about five years. I actively maintained this system with a colleague at the DPH AIDS Office and was principally responsible for maintaining the "CIS" portion of Reggie/CIS, which extended the Reggie platform with extra features that the SFAF and two other organizations used.||{{Tech:Java}}, {{Tech:VBScript}}, {{Tech:Swing}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:CVS}}, {{Tech:JavaScript}}, {{Tech:C}}, {{Tech:JNI}}, {{Tech:CORBA}}, {{Tech:IIS}}, {{Tech:COM}}, {{Tech:Win32}}||162,005||2000-2005<br />
|-<br />
|[[DonorPerfect Online]]||Donor and fundraising event management system used by the San Francisco AIDS Foundation. I migrated [http://www.aidslifecycle.org/index.html AIDS/LifeCycle] data from a [http://www.goldmine.com/micro.aspx?id=4398 Goldmine] database to the [http://www.sfaf.org/ San Francisco AIDS Foundation's] customized [http://www.donorperfect.com/ DonorPerfect Online] system using a [http://en.wikipedia.org/wiki/Test_driven_development test-driven development process] for the SQL scripts. I also contributed substantially to the bulk data entry wizard, fixed bugs throughout the system, including security holes, made all pages and [http://en.wikipedia.org/wiki/Javascript JavaScripts] operate properly in [http://en.wikipedia.org/wiki/Firefox Mozilla Firefox], and implemented strict URL filtering security using an [http://httpd.apache.org/ Apache] [http://en.wikipedia.org/wiki/Reverse_proxy reverse-proxy] and [http://en.wikipedia.org/wiki/Mod_rewrite mod_rewrite].||{{Tech:VBScript}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:JavaScript}}, {{Tech:Apache}}, {{Tech:IIS}}, {{Tech:CVS}}||97,592||2004-2005<br />
|-<br />
|[[SFAF CRM]]||Customer relationship management system that was implemented by a colleague at the [http://www.sfaf.org/ San Francisco AIDS Foundation] that primarily serves the organization's [http://www.sfaf.org/volunteer/ volunteer based programs department], automates expense reports, and runs the [http://www.aidshotline.org/ California AIDS Hotline]. I enhanced the deployment system using [http://en.wikipedia.org/wiki/Concurrent_Versions_System CVS] in a web-based front-end, helped my colleague fix various bugs, and enhanced its Internet-facing security with an [http://httpd.apache.org/ Apache] [http://en.wikipedia.org/wiki/Reverse_proxy reverse-proxy] and [http://en.wikipedia.org/wiki/Mod_rewrite mod_rewrite].||{{Tech:VBScript}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:JavaScript}}, {{Tech:Apache}}, {{Tech:IIS}}, {{Tech:CVS}}||69,015||2001-2005<br />
|-<br />
|[[Serendipity|Bosch Security Configuration Assistant]]||An Eclipse-based application that generates three-dimensional security plans for buildings using a rule engine and three-dimensional visualization. In this project, I integrated a Windows-based three-dimensional visualization program into an Eclipse view, kept our RedHat Fedora Core server and software available, secure, usable, and backed up using only one hour per week of my time on average throughout the project, and automated our data collection and reporting processes to minimize project overhead work. This group project involved four other students -- two whom also work at Salesforce.com -- and served as a laboratory for us to directly apply coursework to a software project with a real client throughout our software engineering masters' programs.||{{Tech:Java}}, {{Tech:Eclipse}}, {{Tech:UML}}, {{Tech:Ant}}, {{Tech:Bugzilla}}, {{Tech:CruiseControl}}, {{Tech:MediaWiki}}, {{Tech:Subversion}}, {{Tech:SWT}}, {{Tech:C++}}, {{Tech:JNI}}, {{Tech:Win32}}||21,274||2005-2006<br />
|-<br />
|[[Park 'N Park]]||A fault-tolerant, distributed, real-time three-tiered application for tracking parking garage usage. This was an academic project.||{{Tech:Java}}, {{Tech:CORBA}}, {{Tech:MySQL}}, {{Tech:CVS}}||2,027||2006<br />
|-<br />
|[[Teacher's Pet]]||Shares a tab in your Mozilla Firefox browser with one or more remote browsers, which can be useful in virtual classroom environments||{{Tech:JavaScript}}, {{Tech:Java}}, {{Tech:XUL}}, {{Tech:XPCOM}}, {{Tech:Subversion}}||1,251||2006<br />
|-<br />
|[[Hulk]]||Physically navigates a maze using a customized {{Tech:Boe-Bot}}. This project involved both custom hardware and custom software as well as trade-offs between the two when implementing features.||{{Tech:BASIC Stamp}}, {{Tech:Boe-Bot}}, {{Tech:Subversion}}||784||2006<br />
|-<br />
|[https://www.moonlightdesign.org/urllock/Configuration_editor URL Lock]||Follow-up project to [http://www.moonlightdesign.org/urllock/ IE URL Lock] that sports a configuration user interface and implements new ideas for visually disabling content on the web||{{Tech:JavaScript}}, {{Tech:XUL}}, {{Tech:C++}}, {{Tech:XPCOM}}, {{Tech:Win32}}, {{Tech:Subversion}}||3,868||2006<br />
|-<br />
|[[Ariesbase]]||Intranet system for Ariesnet, Inc. During the Summer of 1999, I helped shape the back-end functionality, such as the security system and global includes, and I also created a high-level specification for an employee rating system for virtual team environments.||{{Tech:PHP}}, {{Tech:MySQL}}, {{Tech:JavaScript}}, {{Tech:CVS}}||medium||1999-2000<br />
|}<br />
<br><br />
<br />
===Software that I created===<br />
I wrote and maintain the following software:<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[[Home Profiler]]||Synchronizes user profile data between multiple desktop computers, regardless of the operating system. This was used at the [http://www.sfaf.org/ San Francisco AIDS Foundation] to migrate user profile data from Windows NT to Windows XP while leaving malware and spyware behind.||{{Tech:Java}}, {{Tech:C}}, {{Tech:JNI}}, {{Tech:JACOB}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:CVS}}||5,679||2005<br />
|-<br />
|[https://www.moonlightdesign.org/urllock/ IE URL Lock]||A browser helper object (BHO) that prevents users from navigating to web sites in Internet Explorer and Windows Explorer while permitting URLs that match a Perl-compatible regular expression stored in the registry||{{Tech:C++}}, {{Tech:COM}}, {{Tech:BHO}}, {{Tech:Win32}}, {{Tech:Subversion}}||1,607||2005-2012<br />
|-<br />
|[[Backup system]]||Multi-platform, SSH-secured, Internet-based incremental backup system that I assembled and use to back up all computers that I manage||{{Tech:Unison}}, {{Tech:Apache}}, {{Tech:OpenSSH}}|| ||2005-2007<br />
|-<br />
|[[Read-only filesystem]]|||FUSE filesystem view that makes all files unconditionally read-only. I use this in my [[Backup system|backup system]] for the web-based file restore interface.||{{Tech:C}}, {{Tech:Fuse}}||241||2005-2007<br />
|-<br />
|[[Serendipity Time Tracking Tool]]||A two-tier software team time tracking tool used by [[Serendipity|Team Serendipity]] while designing and building the [[Serendipity|Bosch Security Configuration Assistant]]. It was rapidly developed using Microsoft Access 2003 as the front-end user interface, MySQL 5 as the back-end database, and SSH as the MySQL connection tunnel.||{{Tech:VBA}}, {{Tech:Microsoft Access}}, {{Tech:MySQL}}, {{Tech:OpenSSH}}||small||2006<br />
|-<br />
|[https://gnucashtoqif.us/ GnuCash to QIF]||Converts a GnuCash XML file into a QIF or an IIF file||{{Tech:Java}}, {{Tech:Xerces}}||2,274||2002-2007<br />
|-<br />
|[[PDF Access Reports]]||Web-based PDF reports using Microsoft Access, a customized PHP build to run as a COM server, and a custom-built COM object for use by ASP on the reporting server. This was a component of [[Reggie/CIS|Reggie/CIS's]] reporting system.||{{Tech:PHP}}, {{Tech:COM}}, {{Tech:C++}}, {{Tech:Sockets}}, {{Tech:VBA}}, {{Tech:ASP}}, {{Tech:Access}}||651||2002-2005<br />
|-<br />
|[[PDFFile and InvokeAsUser]]||Enables easy portable document format (PDF) file generation on Windows computers when used with AFPL GhostScript and RedMon||{{Tech:C}}, {{Tech:Win32}}||396||2005<br />
|-<br />
|[[SFAF VPN Client]]||Connects a [http://en.wikipedia.org/wiki/Microsoft_windows Microsoft Windows] 2000 or XP computer to the [http://www.sfaf.org/ San Francisco AIDS Foundation's] [http://en.wikipedia.org/wiki/Vpn virtual private network (VPN)] by using the built-in [http://en.wikipedia.org/wiki/Ipsec IPsec] and [http://en.wikipedia.org/wiki/Pptp PPTP] capabilities in Windows. Each client computer is secured with a machine-unique [http://en.wikipedia.org/wiki/Public-key_cryptography public/private key], and users are authenticated against the [http://en.wikipedia.org/wiki/Windows_Server_domain NT domain] using PPTP over the IPsec connection.||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Java}}, {{Tech:Swing}}, {{Tech:CVS}}||2,623||2003-2005<br />
|-<br />
|[https://www.moonlightdesign.org/thunderforce/shared/Door%20lock%20example/ Door Lock]||Specification (not an implementation) of a secure residential door real-time, embedded software system that uses electronic locks, secure entry, easy exiting, and alarm state awareness to securely and efficiently manage a door||{{Tech:Javelin}}||0||2006<br />
|-<br />
|[https://www.moonlightdesign.org/steve/SpellChecker.pdf Swing Inline Spell Checker]||Inline spell checker that plugs into Swing's look-and-feel system. This was used in [[Reggie/CIS]] as its distributed spell checker with [http://aspell.net/ GNU Aspell] running on the server.||{{Tech:Java}}, {{Tech:Swing}}, {{Tech:CORBA}}, {{Tech:Aspell}}||2,859||2002-2005<br />
|-<br />
|[https://www.moonlightdesign.org/dirlist/ DirList]||User directory system that runs as a CGI to serve up user lists, search, and synchronize with the operating system's user database. When used with [http://www.moonlightdesign.org/dirlist DirList2ODBC], the ODBC driver that I wrote for DirList2, the entire DirList2 system becomes a [http://en.wikipedia.org/wiki/Sql structured query language (SQL)]-compliant database system within the limits of the [https://www.moonlightdesign.org/dirlist/doc/server/ DirList2 Server]. This project began in January of 1998 and is actively patched for any security issues that arise. [http://www.bryant.edu/ Bryant University] continues to use this program for their [http://web.bryant.edu/forhelp/pointer.html student web site list].||{{Tech:C++}}, {{Tech:C}}, {{Tech:Sockets}}, {{Tech:ODBC}}, {{Tech:Linux}}, {{Tech:Win32}}, {{Tech:VBA}}, {{Tech:Access}}||8,268||1999-2007<br />
|-<br />
|[https://www.moonlightdesign.org/dirlist/ DirList2ODBC]||[http://en.wikipedia.org/wiki/Odbc ODBC] 2.0 compliant driver written for the [https://www.moonlightdesign.org/dirlist/ DirList] server. This driver is primarily used with [http://en.wikipedia.org/wiki/Microsoft_access Microsoft Access], but can also be used from other ODBC client applications, such as [http://en.wikipedia.org/wiki/Spss SPSS].||{{Tech:C++}}, {{Tech:Win32}}, {{Tech:Sockets}}, {{Tech:ODBC}}||12,671||1999-2000<br />
|-<br />
|[https://www.moonlightdesign.org/pam-cuecat/ PAM CueCat Module]||Turns the CueCat barcode scanner into a pluggable authentication module (PAM) library, permitting logins with bar code scans||{{Tech:C}}, {{Tech:PAM}}, {{Tech:Linux}}, {{Tech:CueCat}}||285||2000<br />
|-<br />
|[[Home Control]]||The project that marked my first significant work towards complete home and office automation systems||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Serial}}, {{Tech:CP290}}||2,270||1996,1998<br />
|-<br />
|[[ResNet Online]]||I rewrote the old site for ease of use with more capabilities. Automatic port registration and heavy database integration saved the ResNet program a substantial amount of time while greatly improving customer/student satisfaction.||{{Tech:PHP}}, {{Tech:SNMP}}, {{Tech:MySQL}}, {{Tech:PHPLib}}||4,572||1999-2001<br />
|-<br />
|[[FAT Recover]]||Manual FAT filesystem recovery tool that I made to help with manual floppy disk recoveries and to salvage my dad's laptop when Windows totally crashed||{{Tech:C}}, {{Tech:Linux}}||246||2000<br />
|-<br />
|[[Bryant PRIDE web site]]||Web site for the [http://web.bryant.edu/~pride/ Bryant PRIDE] LGBT group. In the Fall of 1997, when I was a freshman at [http://www.bryant.edu/ Bryant University], I greatly enhanced the web site with several pages and JavaScripts. This also included a JavaScript-driven background {{Tech:MIDI}} music jukebox in a [http://en.wikipedia.org/wiki/Pop-under pop-under], which was unique for a web site at that time. While I was the web site's maintainer, it moved from static {{Tech:HTML}} to {{Tech:ASP}} and then to {{Tech:PHP}}.||{{Tech:JavaScript}}, {{Tech:PHP}}, {{Tech:VBScript}}, {{Tech:ASP}}||3,681||1997-2000<br />
|-<br />
|[[ActiveMail]]||Provides SMTP email sending, POP3 email downloading, and FTP authentication services to {{Tech:ASP}}, {{Tech:VisualBasic}}, and other {{Tech:COM}}-consuming programs||{{Tech:C++}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:VisualBasic}}||4,691||1998-2000<br />
|-<br />
|[[CPU ID]]||A very simple program that displays information about the CPU that it happens to execute on||{{Tech:C}}, {{Tech:x86 Assembler}}, {{Tech:Win32}}||111||1999<br />
|-<br />
|[[Disk Imager]]||Reads, writes, verifies, and erases entire disks into/from [http://en.wikipedia.org/wiki/Disk_image raw image files]. This is similar in principle to [http://www.tux.org/pub/dos/rawrite/ rawrite.exe], but Disk Imager implements a graphical user interface.||{{Tech:C}}, {{Tech:Win32}}||520||1998<br />
|-<br />
|[[EzMIDI32]]||A 32-bit version of the ScreenWindow+EasyMIDI libraries that I wrote for Grapevine High School||{{Tech:C++}}, {{Tech:Win32}}||854||1998<br />
|-<br />
|[[LPD]]||Written for the [http://www.gcisd-k12.org/ Grapevine-Colleyville Independent School District (GCISD)] to allow employees to send [http://en.wikipedia.org/wiki/AS/400 AS/400] printouts to their local Windows printers. I wrote the piece that translates HP DeskJet 500 compatible instructions into a Windows GDI context.||{{Tech:C}}, {{Tech:Win32}}||1,850||1996-1998<br />
|-<br />
|[[PortProxy]]||[http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] connection forwarding [http://en.wikipedia.org/wiki/Windows_service service] that I wrote in college so that I could run servers from behind a firewall. When I put Linux onto resnet.bryant.edu, I no longer needed this program, but it's still cool if you are running [http://en.wikipedia.org/wiki/Microsoft_Windows Windows]. I also wrote a version that runs as a [http://en.wikipedia.org/wiki/System_tray system tray] application in [http://en.wikipedia.org/wiki/Windows_95 Windows 95].||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Sockets}}||1,461||1999<br />
|-<br />
|[[ScreenWindowX]]||An {{Tech:ActiveX}} version of [[ScreenWindow]] that I created during the ActiveX hype. This gives [http://en.wikipedia.org/wiki/Internet_Explorer Internet Explorer] pages, [http://en.wikipedia.org/wiki/Component_Object_Model COM] clients, and [http://en.wikipedia.org/wiki/.NET_Framework .NET] applications an easy-to-use text console user interface control.||{{Tech:C++}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:ActiveX}}||1,614||1998<br />
|-<br />
|[https://www.moonlightdesign.org/kjmouse/ KJMouse]||Busy cursor for {{Tech:Java}} that is similar to the launch feedback in [http://en.wikipedia.org/wiki/KDE KDE] 2.2||{{Tech:Java}}, {{Tech:JNI}}, {{Tech:Win32}}, {{Tech:X11}}, {{Tech:Cocoa}}||736||2001-2004<br />
|-<br />
|[[CatSetup]]||Scriptable install and uninstall utility for [http://en.wikipedia.org/wiki/Windows_3.1 16-bit Windows] that I wrote in the mid-1990s to ease the distribution of my software. Most of my software from 1994 to 2000 used CatSetup. I eventually switched to using [http://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System NSIS] and, later, [http://dennisbareis.com/makemsi.htm MAKEMSI].||{{Tech:C}}, {{Tech:Win16}}||3,676||1994-1998<br />
|-<br />
|[[Trig Grapher]]||Plots [http://en.wikipedia.org/wiki/Trigonometry trigonometric functions] in a window. This was my first [http://en.wikipedia.org/wiki/Thread_%28computer_science%29 multi-threaded] {{Tech:Win32}} program, which I wrote in high school for fun. I later back-ported it to {{Tech:Win16}}.||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Win16}}||1,441||1995-1996<br />
|-<br />
|[[256-Color SDK]]||Library that I wrote a to easily manage 256-color bitmaps on 256-color displays||{{Tech:C}}, {{Tech:Win16}}||704||1994<br />
|-<br />
|[[AudioCD Pictures]]||Displays predefined pictures as a playing CD reaches predefined moments||{{Tech:C}}, {{Tech:Win16}}||550||1994<br />
|-<br />
|[[BBS Ads]]||Simply a program that can advertise bulletin board systems, when they used to be popular||{{Tech:C}}, {{Tech:Win16}}||258||1993-1994<br />
|-<br />
|[[Bids-to-ASP]]||Converts American Airlines bidsheet files into Procomm Plus for DOS ASPect scripts||{{Tech:C}}, {{Tech:Win16}}||562||1994<br />
|-<br />
|[[Horses]]||A fun horse racing strategy game for Windows||{{Tech:C}}, {{Tech:Win16}}||3,348||1995,1997<br />
|-<br />
|[[KittyCat! Comm]]||[http://en.wikipedia.org/wiki/Bulletin_board_system Bulletin board system (BBS)] communications program with a [http://en.wikipedia.org/wiki/Dynamic_Data_Exchange dynamic data exchange (DDE)] based [http://en.wikipedia.org/wiki/Application_programming_interface application programming interface (API)] and support for [http://en.wikipedia.org/wiki/ANSI_escape_code ANSI text] and [http://en.wikipedia.org/wiki/Remote_imaging_protocol RIPscrip graphics]. This was never finished due to the Internet and the World Wide Web making it obsolete.||{{Tech:C}}, {{Tech:Win16}}||8,166||1994-1995<br />
|-<br />
|[[MCI SendString]]||Allows users to work with the [http://en.wikipedia.org/wiki/Media_Control_Interface Microsoft Windows media control interface (MCI)] with text rather than through pointing and clicking||{{Tech:C}}, {{Tech:Win16}}||212||1994<br />
|-<br />
|[[MeowyMIDI]]||A [http://en.wikipedia.org/wiki/SoundFont 1.0 sound font] with cat meows and purrs for [http://en.wikipedia.org/wiki/Sound_Blaster Sound Blaster] AWE32 and AWE64 audio cards||{{Tech:SoundFont}}, {{Tech:MIDI}}||0||1994-1995<br />
|-<br />
|[[PCL Page]]||Manipulate [http://en.wikipedia.org/wiki/Printer_Command_Language PCL]-compliant printers with this utility that works in both {{Tech:Win16}} and {{Tech:DOS}}||{{Tech:C}}, {{Tech:Win16}}, {{Tech:DOS}}||196||1995<br />
|-<br />
|[[ScreenWindow]]||Text console and {{Tech:MIDI}} library for {{Tech:Win16}} that I wrote so that students at [http://www.gcisd-ghs.org/ Grapevine High School] in first-year computer science class could use MIDI in their music projects using [http://en.wikipedia.org/wiki/Turbo_Pascal Borland's Turbo Pascal]. When they switched to teaching {{Tech:C++}}, I made a 32-bit version of the library that used {{Tech:Win32}}'s native console rather than my own.||{{Tech:C++}}, {{Tech:C}}, {{Tech:Pascal}}, {{Tech:Win16}}, {{Tech:Win32}}, {{Tech:MIDI}}||2,953||1996-1997<br />
|-<br />
|[[AriesType]]||A [http://en.wikipedia.org/wiki/Touch_typing touch typing] education program that I made while I was a freshman in high school. It tied into the local [http://en.wikipedia.org/wiki/Novell_Netware Novell NetWare] network to be a multi-user application with different capabilities given to students, teachers, and system operators. AriesType also included basic local email and paging capabilities.||{{Tech:BASIC}}, {{Tech:DOS}}||4,364||1993-1994<br />
|-<br />
|[[IntMap]]||A small image library that I wrote for a Pascal project in high school to provide image drawing, movement, and rotation operations in DOS||{{Tech:Pascal}}, {{Tech:DOS}}, {{Tech:C}}||1,797||1995,1998<br />
|-<br />
|[[Jingle Bells]]||A first-year computer science course project to visually and audibly play a [http://en.wikipedia.org/wiki/Christmas_song traditional December holiday song], which I later ported to Windows using [[ScreenWindow]]||{{Tech:Pascal}}, {{Tech:DOS}}, {{Tech:C}}, {{Tech:Win16}}, {{Tech:Win32}}, {{Tech:MIDI}}||611||1994,1996<br />
|-<br />
|[[SLOS-DOS]]||A small interpreted toy operating environment written in BASIC for DOS. Programs are written in a trivial and limited scripting language.||{{Tech:BASIC}}, {{Tech:DOS}}||1,277||1993<br />
|-<br />
|[[SLOS-Win]]||Windows version of [[SLOS-DOS|SLOS]], a small interpreted toy operating environment written in BASIC for DOS. Programs are written in a trivial and limited scripting language.||{{Tech:C++}}, {{Tech:Win16}}||1,679||1993<br />
|-<br />
|[[TSNHead]]||Kept track of how much time my brothers and I spent on [http://en.wikipedia.org/wiki/The_Sierra_Network The Sierra Network (TSN)]||{{Tech:BASIC}}, {{Tech:DOS}}||291||1992<br />
|-<br />
|[[TrackTrek]]||A track meet program that "keeps track" of events and allows others to view scores in realtime. This was my first {{Tech:Java}} program. This was more of a self-driven academic exercise as the project was never finished.||{{Tech:Java}}, {{Tech:AWT}}||3,690||1996-1998<br />
|-<br />
|[https://www.moonlightdesign.org/thunderforce/ Thunderforce]||An open-source Mozilla Thunderbird extension for Salesforce.com. This project is now abandoned due to other priorities and interests.||{{Tech:JavaScript}}, {{Tech:XPCOM}}, {{Tech:C++}}, {{Tech:XUL}}, {{Tech:Subversion}}, {{Tech:MediaWiki}}||5,411||2007-2009<br />
|}<br />
<br><br />
<br />
===Software and project contributions===<br />
I contributed to the following projects:<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[http://www.mozilla.org/ Mozilla]||[https://www.moonlightdesign.org/startfirefox/ Workaround code] for a shutdown bug in Firefox ([https://bugzilla.mozilla.org/show_bug.cgi?id=239223 bug 239223]) and helped others find the cause of a [https://bugzilla.mozilla.org/show_bug.cgi?id=245742 NTLM authentication crash] in a pre-Firefox build|| ||156||2005<br />
|-<br />
|[http://www.samba.org/ Samba]||[https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134570 Patch] to allow the use of 32-bit user and group IDs in smbmnt|| ||11||2004<br />
|-<br />
|[http://pan.rebelbase.com/ Pan]||Contributed a small multi-threaded bugfix to a function that was crashing on several important dialog boxes in version 0.6.3|| ||small||1999<br />
|-<br />
|[http://www.php.net/ PHP]||Contributed the [http://us.php.net/snmpset snmpset()] function to [http://cvs.php.net/viewvc.cgi/php3/functions/?pathrev=php_3_0_12 PHP 3.0.12] and [http://cvs.php.net/viewvc.cgi/php-src/ext/snmp/?pathrev=php_4_0b2-2 PHP4 Beta2] so that [[ResNet Online]] could turn on the ResHall ports when students registered their computers||{{Tech:C}}, {{Tech:Net-SNMP}}, {{Tech:CVS}}||172||1999<br />
|-<br />
|[http://spruce.sourceforge.net/ Spruce]||Contributed several small usability patches and a fix for a thread-based crash that brought down Spruce while checking messages in previous versions||{{Tech:C}}, {{Tech:GLib}} threads, {{Tech:GTK+}}||200||2000<br />
|-<br />
|[http://www.opensuse.org/ Novell openSUSE]||Fixed bugs related to [https://bugzilla.novell.com/show_bug.cgi?id=343891 LVM on a USB boot drive] and [https://bugzilla.novell.com/show_bug.cgi?id=410736 J-Pilot thinking that the username is always wrong on 64-bit platforms], and added a [https://bugzilla.novell.com/show_bug.cgi?id=328116 workaround for Bluetooth DUND issues]. [https://bugzilla.novell.com/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&long_desc_type=fulltext&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=anywords&keywords=&emailassigned_to1=1&emailreporter1=1&emailinfoprovider1=1&emailcc1=1&emaillongdesc1=1&emailtype1=exact&email1=novell%40moonlightdesign.org&emailassigned_to2=1&emailreporter2=1&emailqa_contact2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0= Full bug list].||{{Tech:C}}||small||2007-2008<br />
|-<br />
|[http://www.bryant.edu/ Bryant University]||During the Spring of 1998, I enhanced Bryant's main page with rollovers and images. Other miscellaneous pages were also updated, and the [http://www.moonlightdesign.org/dirlist/ DirList] project was started originally as a web directory for Bryant.||{{Tech:JavaScript}}, {{Tech:HTML}}||small||1998-1999<br />
|}<br />
<br><br />
Lines of code were computed using [http://www.dwheeler.com/sloccount/ SLOCCount] and, for extensions not supported by SLOCCount, <code>find . -iname \*\\.js -print0 -or -iname \*\\.bs2 -print0 -or -iname \*\\.idl -print0 -or -iname \*\\.asp -print0 -or -iname \*\\.clp -print0 -or -iname \*\\.xul -print0 -or -iname \*\\.bas -print0 -or -iname \*\\.exc -print0| xargs -0 -Ixxx cat xxx| grep "[a-zA-Z0-9]"|wc -l</code>. SLOC counts that relate to San Francisco AIDS Foundation software that has not been made open-source were computed during my final months of employment; Carnegie Mellon University asked for those numbers as part of the admission process. Generated code is excluded from the SLOC counts. With generated code, such as the [[Reggie/CIS]] code generated from [http://java.sun.com/j2se/1.4.2/docs/guide/rmi-iiop/toJavaPortableUG.html idlj], the SLOC counts balloon significantly.<br />
<br />
==Employment History==<br />
<br />
===[http://www.salesforce.com/ Salesforce.com]===<br />
*'''Senior Member of the Technical Staff: [http://developer.force.com/sites Force.com Sites], Core Infrastructure, Security, and [http://wiki.developerforce.com/index.php/Web_Services_API API] Teams'''<br />
*January 2007 to present<br />
*'''Accomplishments'''<br />
**Brought attention to specific [http://en.wikipedia.org/wiki/Cross-site_scripting cross-site scripting (XSS)] vulnerabilities by writing a Firefox Firebug extension that looked for improper string escaping in a test org that had been specially populated with attack strings by another tool and having quality engineers from every functional team test the system with the Firebug extension running. This led to the identification and resolution of a large number of vulnerabilities, thus making Salesforce.com even more secure. A security research firm later commended Salesforce.com's security, saying that they couldn't find any XSS or cross site request forgery (CSRF) vulnerabilities, despite looking for them over the course of several days.<br />
**Championed an improvement to an anti-phishing feature's design successfully, and that improvement is patent-pending<br />
**Resolved customer cases related to the [http://wiki.apexdevnet.com/index.php/Web_Services_API application programming interface] (API) and [http://en.wikipedia.org/wiki/Secure_Sockets_Layer secure sockets layer] (SSL), quickly becoming a go-to person for HTTPS and SSL<br />
**Improved an internal production testing tool's scheduling of tests by adding prerequisite expressions to increase test parallelization<br />
**Built the initial security testing framework for [http://wiki.apexdevnet.com/index.php/Partner_Access_Controls package access controls], which helped quickly bring that feature to market with confidence in its quality and security<br />
**Designed and began to implement a Thunderbird add-on for Salesforce.com: [https://www.moonlightdesign.org/thunderforce Thunderforce]<br />
**Enhanced the user interface of, added Apache Ant build files to, significantly improved the configuration system of, and added multiple-window browser screenshots to an internal production testing tool that is used by multiple teams<br />
**Created and automated anti-phishing and security test scenarios<br />
**Automated HTTPS troubleshooting with an internal utility for support representatives that substantially reduced the number of escalated HTTPS cases<br />
**Ensured that new releases of the core product did not break older API versions through gold files and automated testing<br />
**Established a methodology for determining equivalence partition coverage in the test cases for the [http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_calls_soql.htm Salesforce.com object query language (SOQL)]<br />
**Assisted developers and quality engineers with installing and maintaining [http://www.opensuse.org/ Novell openSUSE Linux] on their primary desktops<br />
<br />
===[http://www.sfaf.org/ San Francisco AIDS Foundation]===<br />
*'''Database Administrator and Software Engineer'''<br />
*September 2000 to July 2005<br />
*'''Accomplishments'''<br />
**Maintained a [[Reggie/CIS|large 200-user multi-tenant three-tiered system]] used by all Ryan White CARE-funded AIDS service organizations in San Francisco in collaboration with the Department of Public Health AIDS Office of San Francisco and two direct partners. That involved all aspects of the software development lifecycle as well as server and client deployments, network maintenance, and top-tier user support.<br />
**Gathered requirements for new features collaboratively with stakeholders, designed those features, coded them, tested them, and deployed them<br />
**Assisted the other database administrator with the foundation's customized [[SFAF CRM|customer relationship management]] (CRM) and [[DonorPerfect Online|donor relationship management]] systems<br />
**Implemented large parts of the data conversion and customization of the Foundation's purchased donor relationship management system<br />
**Secured the Internet-facing presence of the donor relationship management system using a locked-down Apache configuration and strict URL regular expressions<br />
**Obviated a need for Crystal Reports by implementing web-based [[PDF Access Reports|PDF reports]] using Microsoft Access, a customized PHP build to run as a COM server, and a custom-built COM object for use by ASP on the reporting server, saving a significant amount of money<br />
**Migrated client operating system data during the Windows XP transition using a [[Home Profiler|multi-platform profile migration tool]] that I wrote<br />
**Planned, deployed, and provided training for Mozilla Firefox as the default web browser to all foundation users and created [https://www.moonlightdesign.org/urllock IE URL Lock] for business-related sites that only worked in Internet Explorer<br />
**Evaluated, purchased, and managed the licenses of software related to Reggie/CIS<br />
**Maintained the Cisco network equipment, including the PIX firewall's access control lists (ACLs) and routers' virtual local area network (VLAN) ACLs<br />
**Cut unsolicited commercial email (UCE or SPAM) drastically and added virtual private networking (VPN) using Astaro Secure Linux (ASL) in the demilitarized zone (DMZ) behing the Cisco PIX firewall<br />
**Administered databases, servers, and the organization's backup system<br />
<br />
===[http://www.ariesnet.com/ Ariesnet]===<br />
*'''Intranet Developer'''<br />
*May 1999 to August 1999 and May 2000 to July 2000<br />
*'''Accomplishments'''<br />
**Developed specifications for a statistical employee rating system to help Ariesnet move towards building teams of virtual at−home employees<br />
**Helped Ariesnet build their secure intranet system using PHP and MySQL<br />
**Administered the intranet system's Linux server as well as the development test server using the CVS versioning software<br />
<br />
===[http://www.bryant.edu/ Bryant University]===<br />
*'''ResNet Consultant'''<br />
**January 1999 to May 2000<br />
**'''Accomplishments'''<br />
***Shortened residence hall computer registration port activation turnaround times from two weeks to one second with a [[ResNet Online|custom-written Linux-based PHP web site]]<br />
***Provided in-person network and computer support to students living in the university's residence halls<br />
*'''Internet Developer'''<br />
**January 1998 to May 1998 and September 1998 to May 1999<br />
**'''Accomplishments'''<br />
***Implemented the university’s first web-based faculty and student directory using the common gateway interface (CGI)<br />
***Wrote an ODBC driver and Microsoft Access database for its administration. This lives on as the [https://www.moonlightdesign.org/dirlist/ DirList2] open-source project<br />
<br />
===[http://www.gcisd-k12.org/ Grapevine-Colleyville Independent School District]===<br />
*'''Student Intern'''<br />
*January 1996 to August 1997<br />
*'''Accomplishments'''<br />
**Provided hardware and software support, winning an employee award for exceptional service<br />
**Worked with wide-area network configurations<br />
**Wrote a [[LPD|networked printer driver]] to save thousands of dollars in licenses by allowing printing from their AS/400s to local printers<br />
<br />
==Education and Training==<br />
<br />
===[http://www.cmu.edu Carnegie Mellon University]===<br />
*'''[http://www.mse.cs.cmu.edu/ Master of Software Engineering]''', [http://www.isri.cmu.edu/index.jsp Institute of Software Research]<br />
*[http://en.wikipedia.org/wiki/Pittsburgh%2C_Pennsylvania Pittsburgh, Pennsylvania]<br />
*'''Graduation:''' December 2006<br />
*'''Masters group project:''' [[Serendipity|Bosch Security Configuration Assistant]], which is an [http://www.eclipse.org/ Eclipse-based] application that generates three-dimensional security plans for buildings using the [http://en.wikipedia.org/wiki/Jess_programming_language Jess] [http://en.wikipedia.org/wiki/Rule_engine rule engine] and three-dimensional visualization<br />
*'''Project roles:''' Technology support manager and, via rotation, planning manager, software process manager, project risk manager, and quality manager<br />
*'''Focus areas studied:''' Fault tolerant, distributed, real-time systems; software project management; formal models and analysis of software systems; software architecture; and software requirements elicitation methods<br />
*'''Accomplishments'''<br />
**As a team, we met and exceeded our client's original picture of success by the end of the project's one-year time frame.<br />
**I reduced the status meeting data collection time to less than 30 minutes through automation and used historical data to reduce our estimation error.<br />
**As the support manager, I kept our [http://fedoraproject.org/ RedHat Fedora Core] server and software available, secure, usable, and backed up using only one hour per week of my time on average throughout the project.<br />
*'''[http://www.cmu.edu/hub/reg/grading.html Quality point average]:''' Graduated with 4.03 out of 4.00, which is a weighted grade point average (GPA), due to earning several A+ grades<br />
<br />
===[http://www.bryant.edu/ Bryant University]===<br />
*'''[http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ Bachelor of Science in Business Administration]'''<br />
*[http://en.wikipedia.org/wiki/Smithfield%2C_Rhode_Island Smithfield, Rhode Island]<br />
*'''Graduation:''' May 2000<br />
*[http://www.aacsb.edu/ AACSB] [http://www.aacsb.edu/members/Omd/Profile_page2.asp?LinkId=38588&CallingPage=InstLists Accredited]<br />
*'''Focus areas studied:''' [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems Computer information systems] with a minor in [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Applied%20Statistics applied business statistics]<br />
*'''[http://en.wikipedia.org/wiki/GPA#United_States Grade point average]:''' Graduated [http://en.wikipedia.org/wiki/Summa_cum_laude summa cum laude] with a GPA of 3.96 out of 4.00<br />
*'''Leadership:''' Served as president of [http://web.bryant.edu/~pride Bryant PRIDE] for more than a year and conducted a [http://en.wikipedia.org/wiki/Linux Linux] installation event<br />
<br />
===Certification===<br />
*'''[https://www.redhat.com/training/rhce/courses/ RedHat Certified Engineer]''' (RHCE for 6.2): [https://www.redhat.com/training/certification/verify/ 806200565301847]</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2286Main Page2015-06-06T15:11:15Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[https://gnucashtoqif.us/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font> <font size="1">[https://www.moonlightdesign.org/kjmouse/ KJMouse]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2285Main Page2015-06-06T15:04:53Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[https://gnucashtoqif.us/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font> <font size="1">[https://www.moonlightdesign.org/kjmouse/ KJMouse]</font> <font size="1">[https://www.moonlightdesign.org/pam-cuecat/ PAM-CueCat]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2284Main Page2015-06-06T14:03:37Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[https://gnucashtoqif.us/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Steven_Lawrance&diff=2283Steven Lawrance2015-06-06T14:01:44Z<p>Stevenlawrance: /* Software that I created */</p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to the web site of '''Steven Lawrance''', [http://www.mse.cs.cmu.edu/ master of software engineering (MSE)]. I enjoy building complete computing solutions at all levels of abstraction to automate business processes at a low cost, in a short time frame, and with high quality. Put my experience, interests, training, and expertise to work for you. Please feel free to [mailto:steven@moonlightdesign.org contact me today].<br />
<br />
<div align="center"><br />
<table style="text-align: left;" border="0" cellpadding="1" cellspacing="5"><br />
<tr><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Team software|Software Built in a Team]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Software that I created|Software Built by Just Me]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Employment History|Employment History]]</big></td><br />
<td style="background-color: rgb(240, 240, 240); border: 2px solid rgb(90, 90, 90); padding: 3px;"><big>[[Steven Lawrance#Education and Training|Education and Training]]</big></td><br />
</tr><br />
</table><br />
</div><br />
<br />
'''Résumé:''' [https://www.moonlightdesign.org/steve/resume.pdf Portable document format (PDF)]<br />
<br />
'''Network:''' [http://www.linkedin.com/in/meowmeow LinkedIn]<br />
<br />
Please feel free to ask me for more information about any project listed on this page.<br />
<br />
==Software Project Experience==<br />
<br />
===Team software===<br />
I materially participated in the team software projects listed below:<br />
<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[http://www.salesforce.com/ Salesforce.com]||Web-based business software platform and suite of integrated business applications. During my time at Salesforce.com, I have worked on several teams -- API, Force.com Sites, Site.com, and Platform Security. Most recently, I led the implementation of custom https domains for Salesforce's site technologies, and this included tangential work, such as the domain management screens that were added in Summer '14. I've been a go-to person for several parts of the platform, and this includes Force.com Sites, the database tier of Site.com, site publishing, custom https domains, clickjack protection, inbound and outbound https connections, the reverse proxy caching layer for sites, IPv6, and our main production feature testing tool.<br><br>At Salesforce.com's Dreamforce 2013 conference, I presented a [http://www.youtube.com/watch?v=Z7L1pSfcCJc session on the lessons learned while developing a Force.com solution] to replace an older Microsoft Access solution for the San Francisco AIDS Foundation.<br><br>Earlier at Salesforce.com, I integrated the low-level parts of Siteforce into the core Salesforce.com product; wrote Siteforce's Resin and runtime server configurations; wrote a [http://en.wikipedia.org/wiki/Cross-site_scripting cross site scripting] [http://en.wikipedia.org/wiki/Mozilla_Firefox Firefox]/[http://en.wikipedia.org/wiki/Firebug_(Firefox_extension) Firebug] extension to test proper output escaping in the manual and automated tests; improved an internal production testing tool's scheduling of tests by adding prerequisite expressions to increase test parallelization; and added per-window screenshots to an internal testing tool by extending Selenium with JNI native code.||{{Tech:Java}}, {{Tech:Ant}}, {{Tech:Selenium}}, {{Tech:JUnit}}, {{Tech:Salesforce.com}}, {{Tech:Jetty}}, {{Tech:Resin}}, {{Tech:JSP}}, {{Tech:Servlet}}, {{Tech:JNI}}, {{Tech:Win32}}, {{Tech:X11}}||large||2007-current<br />
|-<br />
|[[Reggie/CIS]]||A 200-user multi-tenant three-tiered HIV/AIDS client database system that was used by all Ryan White Foundation CARE-funded AIDS service organizations in San Francisco in collaboration with the [http://www.sfdph.org/ San Francisco Department of Public Health (DPH)] [http://www.sfdph.org/PHP/HIVHlthSvc.htm AIDS Office] and two partners to the [http://www.sfaf.org/ San Francisco AIDS Foundation (SFAF)], where I worked for about five years. I actively maintained this system with a colleague at the DPH AIDS Office and was principally responsible for maintaining the "CIS" portion of Reggie/CIS, which extended the Reggie platform with extra features that the SFAF and two other organizations used.||{{Tech:Java}}, {{Tech:VBScript}}, {{Tech:Swing}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:CVS}}, {{Tech:JavaScript}}, {{Tech:C}}, {{Tech:JNI}}, {{Tech:CORBA}}, {{Tech:IIS}}, {{Tech:COM}}, {{Tech:Win32}}||162,005||2000-2005<br />
|-<br />
|[[DonorPerfect Online]]||Donor and fundraising event management system used by the San Francisco AIDS Foundation. I migrated [http://www.aidslifecycle.org/index.html AIDS/LifeCycle] data from a [http://www.goldmine.com/micro.aspx?id=4398 Goldmine] database to the [http://www.sfaf.org/ San Francisco AIDS Foundation's] customized [http://www.donorperfect.com/ DonorPerfect Online] system using a [http://en.wikipedia.org/wiki/Test_driven_development test-driven development process] for the SQL scripts. I also contributed substantially to the bulk data entry wizard, fixed bugs throughout the system, including security holes, made all pages and [http://en.wikipedia.org/wiki/Javascript JavaScripts] operate properly in [http://en.wikipedia.org/wiki/Firefox Mozilla Firefox], and implemented strict URL filtering security using an [http://httpd.apache.org/ Apache] [http://en.wikipedia.org/wiki/Reverse_proxy reverse-proxy] and [http://en.wikipedia.org/wiki/Mod_rewrite mod_rewrite].||{{Tech:VBScript}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:JavaScript}}, {{Tech:Apache}}, {{Tech:IIS}}, {{Tech:CVS}}||97,592||2004-2005<br />
|-<br />
|[[SFAF CRM]]||Customer relationship management system that was implemented by a colleague at the [http://www.sfaf.org/ San Francisco AIDS Foundation] that primarily serves the organization's [http://www.sfaf.org/volunteer/ volunteer based programs department], automates expense reports, and runs the [http://www.aidshotline.org/ California AIDS Hotline]. I enhanced the deployment system using [http://en.wikipedia.org/wiki/Concurrent_Versions_System CVS] in a web-based front-end, helped my colleague fix various bugs, and enhanced its Internet-facing security with an [http://httpd.apache.org/ Apache] [http://en.wikipedia.org/wiki/Reverse_proxy reverse-proxy] and [http://en.wikipedia.org/wiki/Mod_rewrite mod_rewrite].||{{Tech:VBScript}}, {{Tech:T-SQL}}, {{Tech:MS SQL Server}}, {{Tech:JavaScript}}, {{Tech:Apache}}, {{Tech:IIS}}, {{Tech:CVS}}||69,015||2001-2005<br />
|-<br />
|[[Serendipity|Bosch Security Configuration Assistant]]||An Eclipse-based application that generates three-dimensional security plans for buildings using a rule engine and three-dimensional visualization. In this project, I integrated a Windows-based three-dimensional visualization program into an Eclipse view, kept our RedHat Fedora Core server and software available, secure, usable, and backed up using only one hour per week of my time on average throughout the project, and automated our data collection and reporting processes to minimize project overhead work. This group project involved four other students -- two whom also work at Salesforce.com -- and served as a laboratory for us to directly apply coursework to a software project with a real client throughout our software engineering masters' programs.||{{Tech:Java}}, {{Tech:Eclipse}}, {{Tech:UML}}, {{Tech:Ant}}, {{Tech:Bugzilla}}, {{Tech:CruiseControl}}, {{Tech:MediaWiki}}, {{Tech:Subversion}}, {{Tech:SWT}}, {{Tech:C++}}, {{Tech:JNI}}, {{Tech:Win32}}||21,274||2005-2006<br />
|-<br />
|[[Park 'N Park]]||A fault-tolerant, distributed, real-time three-tiered application for tracking parking garage usage. This was an academic project.||{{Tech:Java}}, {{Tech:CORBA}}, {{Tech:MySQL}}, {{Tech:CVS}}||2,027||2006<br />
|-<br />
|[[Teacher's Pet]]||Shares a tab in your Mozilla Firefox browser with one or more remote browsers, which can be useful in virtual classroom environments||{{Tech:JavaScript}}, {{Tech:Java}}, {{Tech:XUL}}, {{Tech:XPCOM}}, {{Tech:Subversion}}||1,251||2006<br />
|-<br />
|[[Hulk]]||Physically navigates a maze using a customized {{Tech:Boe-Bot}}. This project involved both custom hardware and custom software as well as trade-offs between the two when implementing features.||{{Tech:BASIC Stamp}}, {{Tech:Boe-Bot}}, {{Tech:Subversion}}||784||2006<br />
|-<br />
|[https://www.moonlightdesign.org/urllock/Configuration_editor URL Lock]||Follow-up project to [http://www.moonlightdesign.org/urllock/ IE URL Lock] that sports a configuration user interface and implements new ideas for visually disabling content on the web||{{Tech:JavaScript}}, {{Tech:XUL}}, {{Tech:C++}}, {{Tech:XPCOM}}, {{Tech:Win32}}, {{Tech:Subversion}}||3,868||2006<br />
|-<br />
|[[Ariesbase]]||Intranet system for Ariesnet, Inc. During the Summer of 1999, I helped shape the back-end functionality, such as the security system and global includes, and I also created a high-level specification for an employee rating system for virtual team environments.||{{Tech:PHP}}, {{Tech:MySQL}}, {{Tech:JavaScript}}, {{Tech:CVS}}||medium||1999-2000<br />
|}<br />
<br><br />
<br />
===Software that I created===<br />
I wrote and maintain the following software:<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[[Home Profiler]]||Synchronizes user profile data between multiple desktop computers, regardless of the operating system. This was used at the [http://www.sfaf.org/ San Francisco AIDS Foundation] to migrate user profile data from Windows NT to Windows XP while leaving malware and spyware behind.||{{Tech:Java}}, {{Tech:C}}, {{Tech:JNI}}, {{Tech:JACOB}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:CVS}}||5,679||2005<br />
|-<br />
|[https://www.moonlightdesign.org/urllock/ IE URL Lock]||A browser helper object (BHO) that prevents users from navigating to web sites in Internet Explorer and Windows Explorer while permitting URLs that match a Perl-compatible regular expression stored in the registry||{{Tech:C++}}, {{Tech:COM}}, {{Tech:BHO}}, {{Tech:Win32}}, {{Tech:Subversion}}||1,607||2005-2012<br />
|-<br />
|[[Backup system]]||Multi-platform, SSH-secured, Internet-based incremental backup system that I assembled and use to back up all computers that I manage||{{Tech:Unison}}, {{Tech:Apache}}, {{Tech:OpenSSH}}|| ||2005-2007<br />
|-<br />
|[[Read-only filesystem]]|||FUSE filesystem view that makes all files unconditionally read-only. I use this in my [[Backup system|backup system]] for the web-based file restore interface.||{{Tech:C}}, {{Tech:Fuse}}||241||2005-2007<br />
|-<br />
|[[Serendipity Time Tracking Tool]]||A two-tier software team time tracking tool used by [[Serendipity|Team Serendipity]] while designing and building the [[Serendipity|Bosch Security Configuration Assistant]]. It was rapidly developed using Microsoft Access 2003 as the front-end user interface, MySQL 5 as the back-end database, and SSH as the MySQL connection tunnel.||{{Tech:VBA}}, {{Tech:Microsoft Access}}, {{Tech:MySQL}}, {{Tech:OpenSSH}}||small||2006<br />
|-<br />
|[https://gnucashtoqif.us/ GnuCash to QIF]||Converts a GnuCash XML file into a QIF or an IIF file||{{Tech:Java}}, {{Tech:Xerces}}||2,274||2002-2007<br />
|-<br />
|[[PDF Access Reports]]||Web-based PDF reports using Microsoft Access, a customized PHP build to run as a COM server, and a custom-built COM object for use by ASP on the reporting server. This was a component of [[Reggie/CIS|Reggie/CIS's]] reporting system.||{{Tech:PHP}}, {{Tech:COM}}, {{Tech:C++}}, {{Tech:Sockets}}, {{Tech:VBA}}, {{Tech:ASP}}, {{Tech:Access}}||651||2002-2005<br />
|-<br />
|[[PDFFile and InvokeAsUser]]||Enables easy portable document format (PDF) file generation on Windows computers when used with AFPL GhostScript and RedMon||{{Tech:C}}, {{Tech:Win32}}||396||2005<br />
|-<br />
|[[SFAF VPN Client]]||Connects a [http://en.wikipedia.org/wiki/Microsoft_windows Microsoft Windows] 2000 or XP computer to the [http://www.sfaf.org/ San Francisco AIDS Foundation's] [http://en.wikipedia.org/wiki/Vpn virtual private network (VPN)] by using the built-in [http://en.wikipedia.org/wiki/Ipsec IPsec] and [http://en.wikipedia.org/wiki/Pptp PPTP] capabilities in Windows. Each client computer is secured with a machine-unique [http://en.wikipedia.org/wiki/Public-key_cryptography public/private key], and users are authenticated against the [http://en.wikipedia.org/wiki/Windows_Server_domain NT domain] using PPTP over the IPsec connection.||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Java}}, {{Tech:Swing}}, {{Tech:CVS}}||2,623||2003-2005<br />
|-<br />
|[https://www.moonlightdesign.org/thunderforce/shared/Door%20lock%20example/ Door Lock]||Specification (not an implementation) of a secure residential door real-time, embedded software system that uses electronic locks, secure entry, easy exiting, and alarm state awareness to securely and efficiently manage a door||{{Tech:Javelin}}||0||2006<br />
|-<br />
|[https://www.moonlightdesign.org/steve/SpellChecker.pdf Swing Inline Spell Checker]||Inline spell checker that plugs into Swing's look-and-feel system. This was used in [[Reggie/CIS]] as its distributed spell checker with [http://aspell.net/ GNU Aspell] running on the server.||{{Tech:Java}}, {{Tech:Swing}}, {{Tech:CORBA}}, {{Tech:Aspell}}||2,859||2002-2005<br />
|-<br />
|[https://www.moonlightdesign.org/dirlist/ DirList]||User directory system that runs as a CGI to serve up user lists, search, and synchronize with the operating system's user database. When used with [http://www.moonlightdesign.org/dirlist DirList2ODBC], the ODBC driver that I wrote for DirList2, the entire DirList2 system becomes a [http://en.wikipedia.org/wiki/Sql structured query language (SQL)]-compliant database system within the limits of the [https://www.moonlightdesign.org/dirlist/doc/server/ DirList2 Server]. This project began in January of 1998 and is actively patched for any security issues that arise. [http://www.bryant.edu/ Bryant University] continues to use this program for their [http://web.bryant.edu/forhelp/pointer.html student web site list].||{{Tech:C++}}, {{Tech:C}}, {{Tech:Sockets}}, {{Tech:ODBC}}, {{Tech:Linux}}, {{Tech:Win32}}, {{Tech:VBA}}, {{Tech:Access}}||8,268||1999-2007<br />
|-<br />
|[https://www.moonlightdesign.org/dirlist/ DirList2ODBC]||[http://en.wikipedia.org/wiki/Odbc ODBC] 2.0 compliant driver written for the [https://www.moonlightdesign.org/dirlist/ DirList] server. This driver is primarily used with [http://en.wikipedia.org/wiki/Microsoft_access Microsoft Access], but can also be used from other ODBC client applications, such as [http://en.wikipedia.org/wiki/Spss SPSS].||{{Tech:C++}}, {{Tech:Win32}}, {{Tech:Sockets}}, {{Tech:ODBC}}||12,671||1999-2000<br />
|-<br />
|[http://pam-cuecat.sourceforge.net/ PAM CueCat Module]||Turns the CueCat barcode scanner into a pluggable authentication module (PAM) library, permitting logins with bar code scans||{{Tech:C}}, {{Tech:PAM}}, {{Tech:Linux}}, {{Tech:CueCat}}||285||2000<br />
|-<br />
|[[Home Control]]||The project that marked my first significant work towards complete home and office automation systems||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Serial}}, {{Tech:CP290}}||2,270||1996,1998<br />
|-<br />
|[[ResNet Online]]||I rewrote the old site for ease of use with more capabilities. Automatic port registration and heavy database integration saved the ResNet program a substantial amount of time while greatly improving customer/student satisfaction.||{{Tech:PHP}}, {{Tech:SNMP}}, {{Tech:MySQL}}, {{Tech:PHPLib}}||4,572||1999-2001<br />
|-<br />
|[[FAT Recover]]||Manual FAT filesystem recovery tool that I made to help with manual floppy disk recoveries and to salvage my dad's laptop when Windows totally crashed||{{Tech:C}}, {{Tech:Linux}}||246||2000<br />
|-<br />
|[[Bryant PRIDE web site]]||Web site for the [http://web.bryant.edu/~pride/ Bryant PRIDE] LGBT group. In the Fall of 1997, when I was a freshman at [http://www.bryant.edu/ Bryant University], I greatly enhanced the web site with several pages and JavaScripts. This also included a JavaScript-driven background {{Tech:MIDI}} music jukebox in a [http://en.wikipedia.org/wiki/Pop-under pop-under], which was unique for a web site at that time. While I was the web site's maintainer, it moved from static {{Tech:HTML}} to {{Tech:ASP}} and then to {{Tech:PHP}}.||{{Tech:JavaScript}}, {{Tech:PHP}}, {{Tech:VBScript}}, {{Tech:ASP}}||3,681||1997-2000<br />
|-<br />
|[[ActiveMail]]||Provides SMTP email sending, POP3 email downloading, and FTP authentication services to {{Tech:ASP}}, {{Tech:VisualBasic}}, and other {{Tech:COM}}-consuming programs||{{Tech:C++}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:VisualBasic}}||4,691||1998-2000<br />
|-<br />
|[[CPU ID]]||A very simple program that displays information about the CPU that it happens to execute on||{{Tech:C}}, {{Tech:x86 Assembler}}, {{Tech:Win32}}||111||1999<br />
|-<br />
|[[Disk Imager]]||Reads, writes, verifies, and erases entire disks into/from [http://en.wikipedia.org/wiki/Disk_image raw image files]. This is similar in principle to [http://www.tux.org/pub/dos/rawrite/ rawrite.exe], but Disk Imager implements a graphical user interface.||{{Tech:C}}, {{Tech:Win32}}||520||1998<br />
|-<br />
|[[EzMIDI32]]||A 32-bit version of the ScreenWindow+EasyMIDI libraries that I wrote for Grapevine High School||{{Tech:C++}}, {{Tech:Win32}}||854||1998<br />
|-<br />
|[[LPD]]||Written for the [http://www.gcisd-k12.org/ Grapevine-Colleyville Independent School District (GCISD)] to allow employees to send [http://en.wikipedia.org/wiki/AS/400 AS/400] printouts to their local Windows printers. I wrote the piece that translates HP DeskJet 500 compatible instructions into a Windows GDI context.||{{Tech:C}}, {{Tech:Win32}}||1,850||1996-1998<br />
|-<br />
|[[PortProxy]]||[http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] connection forwarding [http://en.wikipedia.org/wiki/Windows_service service] that I wrote in college so that I could run servers from behind a firewall. When I put Linux onto resnet.bryant.edu, I no longer needed this program, but it's still cool if you are running [http://en.wikipedia.org/wiki/Microsoft_Windows Windows]. I also wrote a version that runs as a [http://en.wikipedia.org/wiki/System_tray system tray] application in [http://en.wikipedia.org/wiki/Windows_95 Windows 95].||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Sockets}}||1,461||1999<br />
|-<br />
|[[ScreenWindowX]]||An {{Tech:ActiveX}} version of [[ScreenWindow]] that I created during the ActiveX hype. This gives [http://en.wikipedia.org/wiki/Internet_Explorer Internet Explorer] pages, [http://en.wikipedia.org/wiki/Component_Object_Model COM] clients, and [http://en.wikipedia.org/wiki/.NET_Framework .NET] applications an easy-to-use text console user interface control.||{{Tech:C++}}, {{Tech:COM}}, {{Tech:Win32}}, {{Tech:ActiveX}}||1,614||1998<br />
|-<br />
|[http://kjmouse.sourceforge.net/ KJMouse]||Busy cursor for {{Tech:Java}} that is similar to the launch feedback in [http://en.wikipedia.org/wiki/KDE KDE] 2.2||{{Tech:Java}}, {{Tech:JNI}}, {{Tech:Win32}}, {{Tech:X11}}, {{Tech:Cocoa}}||736||2001-2004<br />
|-<br />
|[[CatSetup]]||Scriptable install and uninstall utility for [http://en.wikipedia.org/wiki/Windows_3.1 16-bit Windows] that I wrote in the mid-1990s to ease the distribution of my software. Most of my software from 1994 to 2000 used CatSetup. I eventually switched to using [http://en.wikipedia.org/wiki/Nullsoft_Scriptable_Install_System NSIS] and, later, [http://dennisbareis.com/makemsi.htm MAKEMSI].||{{Tech:C}}, {{Tech:Win16}}||3,676||1994-1998<br />
|-<br />
|[[Trig Grapher]]||Plots [http://en.wikipedia.org/wiki/Trigonometry trigonometric functions] in a window. This was my first [http://en.wikipedia.org/wiki/Thread_%28computer_science%29 multi-threaded] {{Tech:Win32}} program, which I wrote in high school for fun. I later back-ported it to {{Tech:Win16}}.||{{Tech:C}}, {{Tech:Win32}}, {{Tech:Win16}}||1,441||1995-1996<br />
|-<br />
|[[256-Color SDK]]||Library that I wrote a to easily manage 256-color bitmaps on 256-color displays||{{Tech:C}}, {{Tech:Win16}}||704||1994<br />
|-<br />
|[[AudioCD Pictures]]||Displays predefined pictures as a playing CD reaches predefined moments||{{Tech:C}}, {{Tech:Win16}}||550||1994<br />
|-<br />
|[[BBS Ads]]||Simply a program that can advertise bulletin board systems, when they used to be popular||{{Tech:C}}, {{Tech:Win16}}||258||1993-1994<br />
|-<br />
|[[Bids-to-ASP]]||Converts American Airlines bidsheet files into Procomm Plus for DOS ASPect scripts||{{Tech:C}}, {{Tech:Win16}}||562||1994<br />
|-<br />
|[[Horses]]||A fun horse racing strategy game for Windows||{{Tech:C}}, {{Tech:Win16}}||3,348||1995,1997<br />
|-<br />
|[[KittyCat! Comm]]||[http://en.wikipedia.org/wiki/Bulletin_board_system Bulletin board system (BBS)] communications program with a [http://en.wikipedia.org/wiki/Dynamic_Data_Exchange dynamic data exchange (DDE)] based [http://en.wikipedia.org/wiki/Application_programming_interface application programming interface (API)] and support for [http://en.wikipedia.org/wiki/ANSI_escape_code ANSI text] and [http://en.wikipedia.org/wiki/Remote_imaging_protocol RIPscrip graphics]. This was never finished due to the Internet and the World Wide Web making it obsolete.||{{Tech:C}}, {{Tech:Win16}}||8,166||1994-1995<br />
|-<br />
|[[MCI SendString]]||Allows users to work with the [http://en.wikipedia.org/wiki/Media_Control_Interface Microsoft Windows media control interface (MCI)] with text rather than through pointing and clicking||{{Tech:C}}, {{Tech:Win16}}||212||1994<br />
|-<br />
|[[MeowyMIDI]]||A [http://en.wikipedia.org/wiki/SoundFont 1.0 sound font] with cat meows and purrs for [http://en.wikipedia.org/wiki/Sound_Blaster Sound Blaster] AWE32 and AWE64 audio cards||{{Tech:SoundFont}}, {{Tech:MIDI}}||0||1994-1995<br />
|-<br />
|[[PCL Page]]||Manipulate [http://en.wikipedia.org/wiki/Printer_Command_Language PCL]-compliant printers with this utility that works in both {{Tech:Win16}} and {{Tech:DOS}}||{{Tech:C}}, {{Tech:Win16}}, {{Tech:DOS}}||196||1995<br />
|-<br />
|[[ScreenWindow]]||Text console and {{Tech:MIDI}} library for {{Tech:Win16}} that I wrote so that students at [http://www.gcisd-ghs.org/ Grapevine High School] in first-year computer science class could use MIDI in their music projects using [http://en.wikipedia.org/wiki/Turbo_Pascal Borland's Turbo Pascal]. When they switched to teaching {{Tech:C++}}, I made a 32-bit version of the library that used {{Tech:Win32}}'s native console rather than my own.||{{Tech:C++}}, {{Tech:C}}, {{Tech:Pascal}}, {{Tech:Win16}}, {{Tech:Win32}}, {{Tech:MIDI}}||2,953||1996-1997<br />
|-<br />
|[[AriesType]]||A [http://en.wikipedia.org/wiki/Touch_typing touch typing] education program that I made while I was a freshman in high school. It tied into the local [http://en.wikipedia.org/wiki/Novell_Netware Novell NetWare] network to be a multi-user application with different capabilities given to students, teachers, and system operators. AriesType also included basic local email and paging capabilities.||{{Tech:BASIC}}, {{Tech:DOS}}||4,364||1993-1994<br />
|-<br />
|[[IntMap]]||A small image library that I wrote for a Pascal project in high school to provide image drawing, movement, and rotation operations in DOS||{{Tech:Pascal}}, {{Tech:DOS}}, {{Tech:C}}||1,797||1995,1998<br />
|-<br />
|[[Jingle Bells]]||A first-year computer science course project to visually and audibly play a [http://en.wikipedia.org/wiki/Christmas_song traditional December holiday song], which I later ported to Windows using [[ScreenWindow]]||{{Tech:Pascal}}, {{Tech:DOS}}, {{Tech:C}}, {{Tech:Win16}}, {{Tech:Win32}}, {{Tech:MIDI}}||611||1994,1996<br />
|-<br />
|[[SLOS-DOS]]||A small interpreted toy operating environment written in BASIC for DOS. Programs are written in a trivial and limited scripting language.||{{Tech:BASIC}}, {{Tech:DOS}}||1,277||1993<br />
|-<br />
|[[SLOS-Win]]||Windows version of [[SLOS-DOS|SLOS]], a small interpreted toy operating environment written in BASIC for DOS. Programs are written in a trivial and limited scripting language.||{{Tech:C++}}, {{Tech:Win16}}||1,679||1993<br />
|-<br />
|[[TSNHead]]||Kept track of how much time my brothers and I spent on [http://en.wikipedia.org/wiki/The_Sierra_Network The Sierra Network (TSN)]||{{Tech:BASIC}}, {{Tech:DOS}}||291||1992<br />
|-<br />
|[[TrackTrek]]||A track meet program that "keeps track" of events and allows others to view scores in realtime. This was my first {{Tech:Java}} program. This was more of a self-driven academic exercise as the project was never finished.||{{Tech:Java}}, {{Tech:AWT}}||3,690||1996-1998<br />
|-<br />
|[https://www.moonlightdesign.org/thunderforce/ Thunderforce]||An open-source Mozilla Thunderbird extension for Salesforce.com. This project is now abandoned due to other priorities and interests.||{{Tech:JavaScript}}, {{Tech:XPCOM}}, {{Tech:C++}}, {{Tech:XUL}}, {{Tech:Subversion}}, {{Tech:MediaWiki}}||5,411||2007-2009<br />
|}<br />
<br><br />
<br />
===Software and project contributions===<br />
I contributed to the following projects:<br />
{|class="software sortable"<br />
!Name<br />
!Description<br />
!Technologies<br />
!SLOC<br />
!Year<br />
|-<br />
|[http://www.mozilla.org/ Mozilla]||[https://www.moonlightdesign.org/startfirefox/ Workaround code] for a shutdown bug in Firefox ([https://bugzilla.mozilla.org/show_bug.cgi?id=239223 bug 239223]) and helped others find the cause of a [https://bugzilla.mozilla.org/show_bug.cgi?id=245742 NTLM authentication crash] in a pre-Firefox build|| ||156||2005<br />
|-<br />
|[http://www.samba.org/ Samba]||[https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134570 Patch] to allow the use of 32-bit user and group IDs in smbmnt|| ||11||2004<br />
|-<br />
|[http://pan.rebelbase.com/ Pan]||Contributed a small multi-threaded bugfix to a function that was crashing on several important dialog boxes in version 0.6.3|| ||small||1999<br />
|-<br />
|[http://www.php.net/ PHP]||Contributed the [http://us.php.net/snmpset snmpset()] function to [http://cvs.php.net/viewvc.cgi/php3/functions/?pathrev=php_3_0_12 PHP 3.0.12] and [http://cvs.php.net/viewvc.cgi/php-src/ext/snmp/?pathrev=php_4_0b2-2 PHP4 Beta2] so that [[ResNet Online]] could turn on the ResHall ports when students registered their computers||{{Tech:C}}, {{Tech:Net-SNMP}}, {{Tech:CVS}}||172||1999<br />
|-<br />
|[http://spruce.sourceforge.net/ Spruce]||Contributed several small usability patches and a fix for a thread-based crash that brought down Spruce while checking messages in previous versions||{{Tech:C}}, {{Tech:GLib}} threads, {{Tech:GTK+}}||200||2000<br />
|-<br />
|[http://www.opensuse.org/ Novell openSUSE]||Fixed bugs related to [https://bugzilla.novell.com/show_bug.cgi?id=343891 LVM on a USB boot drive] and [https://bugzilla.novell.com/show_bug.cgi?id=410736 J-Pilot thinking that the username is always wrong on 64-bit platforms], and added a [https://bugzilla.novell.com/show_bug.cgi?id=328116 workaround for Bluetooth DUND issues]. [https://bugzilla.novell.com/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&long_desc_type=fulltext&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=anywords&keywords=&emailassigned_to1=1&emailreporter1=1&emailinfoprovider1=1&emailcc1=1&emaillongdesc1=1&emailtype1=exact&email1=novell%40moonlightdesign.org&emailassigned_to2=1&emailreporter2=1&emailqa_contact2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0= Full bug list].||{{Tech:C}}||small||2007-2008<br />
|-<br />
|[http://www.bryant.edu/ Bryant University]||During the Spring of 1998, I enhanced Bryant's main page with rollovers and images. Other miscellaneous pages were also updated, and the [http://www.moonlightdesign.org/dirlist/ DirList] project was started originally as a web directory for Bryant.||{{Tech:JavaScript}}, {{Tech:HTML}}||small||1998-1999<br />
|}<br />
<br><br />
Lines of code were computed using [http://www.dwheeler.com/sloccount/ SLOCCount] and, for extensions not supported by SLOCCount, <code>find . -iname \*\\.js -print0 -or -iname \*\\.bs2 -print0 -or -iname \*\\.idl -print0 -or -iname \*\\.asp -print0 -or -iname \*\\.clp -print0 -or -iname \*\\.xul -print0 -or -iname \*\\.bas -print0 -or -iname \*\\.exc -print0| xargs -0 -Ixxx cat xxx| grep "[a-zA-Z0-9]"|wc -l</code>. SLOC counts that relate to San Francisco AIDS Foundation software that has not been made open-source were computed during my final months of employment; Carnegie Mellon University asked for those numbers as part of the admission process. Generated code is excluded from the SLOC counts. With generated code, such as the [[Reggie/CIS]] code generated from [http://java.sun.com/j2se/1.4.2/docs/guide/rmi-iiop/toJavaPortableUG.html idlj], the SLOC counts balloon significantly.<br />
<br />
==Employment History==<br />
<br />
===[http://www.salesforce.com/ Salesforce.com]===<br />
*'''Senior Member of the Technical Staff: [http://developer.force.com/sites Force.com Sites], Core Infrastructure, Security, and [http://wiki.developerforce.com/index.php/Web_Services_API API] Teams'''<br />
*January 2007 to present<br />
*'''Accomplishments'''<br />
**Brought attention to specific [http://en.wikipedia.org/wiki/Cross-site_scripting cross-site scripting (XSS)] vulnerabilities by writing a Firefox Firebug extension that looked for improper string escaping in a test org that had been specially populated with attack strings by another tool and having quality engineers from every functional team test the system with the Firebug extension running. This led to the identification and resolution of a large number of vulnerabilities, thus making Salesforce.com even more secure. A security research firm later commended Salesforce.com's security, saying that they couldn't find any XSS or cross site request forgery (CSRF) vulnerabilities, despite looking for them over the course of several days.<br />
**Championed an improvement to an anti-phishing feature's design successfully, and that improvement is patent-pending<br />
**Resolved customer cases related to the [http://wiki.apexdevnet.com/index.php/Web_Services_API application programming interface] (API) and [http://en.wikipedia.org/wiki/Secure_Sockets_Layer secure sockets layer] (SSL), quickly becoming a go-to person for HTTPS and SSL<br />
**Improved an internal production testing tool's scheduling of tests by adding prerequisite expressions to increase test parallelization<br />
**Built the initial security testing framework for [http://wiki.apexdevnet.com/index.php/Partner_Access_Controls package access controls], which helped quickly bring that feature to market with confidence in its quality and security<br />
**Designed and began to implement a Thunderbird add-on for Salesforce.com: [https://www.moonlightdesign.org/thunderforce Thunderforce]<br />
**Enhanced the user interface of, added Apache Ant build files to, significantly improved the configuration system of, and added multiple-window browser screenshots to an internal production testing tool that is used by multiple teams<br />
**Created and automated anti-phishing and security test scenarios<br />
**Automated HTTPS troubleshooting with an internal utility for support representatives that substantially reduced the number of escalated HTTPS cases<br />
**Ensured that new releases of the core product did not break older API versions through gold files and automated testing<br />
**Established a methodology for determining equivalence partition coverage in the test cases for the [http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_calls_soql.htm Salesforce.com object query language (SOQL)]<br />
**Assisted developers and quality engineers with installing and maintaining [http://www.opensuse.org/ Novell openSUSE Linux] on their primary desktops<br />
<br />
===[http://www.sfaf.org/ San Francisco AIDS Foundation]===<br />
*'''Database Administrator and Software Engineer'''<br />
*September 2000 to July 2005<br />
*'''Accomplishments'''<br />
**Maintained a [[Reggie/CIS|large 200-user multi-tenant three-tiered system]] used by all Ryan White CARE-funded AIDS service organizations in San Francisco in collaboration with the Department of Public Health AIDS Office of San Francisco and two direct partners. That involved all aspects of the software development lifecycle as well as server and client deployments, network maintenance, and top-tier user support.<br />
**Gathered requirements for new features collaboratively with stakeholders, designed those features, coded them, tested them, and deployed them<br />
**Assisted the other database administrator with the foundation's customized [[SFAF CRM|customer relationship management]] (CRM) and [[DonorPerfect Online|donor relationship management]] systems<br />
**Implemented large parts of the data conversion and customization of the Foundation's purchased donor relationship management system<br />
**Secured the Internet-facing presence of the donor relationship management system using a locked-down Apache configuration and strict URL regular expressions<br />
**Obviated a need for Crystal Reports by implementing web-based [[PDF Access Reports|PDF reports]] using Microsoft Access, a customized PHP build to run as a COM server, and a custom-built COM object for use by ASP on the reporting server, saving a significant amount of money<br />
**Migrated client operating system data during the Windows XP transition using a [[Home Profiler|multi-platform profile migration tool]] that I wrote<br />
**Planned, deployed, and provided training for Mozilla Firefox as the default web browser to all foundation users and created [https://www.moonlightdesign.org/urllock IE URL Lock] for business-related sites that only worked in Internet Explorer<br />
**Evaluated, purchased, and managed the licenses of software related to Reggie/CIS<br />
**Maintained the Cisco network equipment, including the PIX firewall's access control lists (ACLs) and routers' virtual local area network (VLAN) ACLs<br />
**Cut unsolicited commercial email (UCE or SPAM) drastically and added virtual private networking (VPN) using Astaro Secure Linux (ASL) in the demilitarized zone (DMZ) behing the Cisco PIX firewall<br />
**Administered databases, servers, and the organization's backup system<br />
<br />
===[http://www.ariesnet.com/ Ariesnet]===<br />
*'''Intranet Developer'''<br />
*May 1999 to August 1999 and May 2000 to July 2000<br />
*'''Accomplishments'''<br />
**Developed specifications for a statistical employee rating system to help Ariesnet move towards building teams of virtual at−home employees<br />
**Helped Ariesnet build their secure intranet system using PHP and MySQL<br />
**Administered the intranet system's Linux server as well as the development test server using the CVS versioning software<br />
<br />
===[http://www.bryant.edu/ Bryant University]===<br />
*'''ResNet Consultant'''<br />
**January 1999 to May 2000<br />
**'''Accomplishments'''<br />
***Shortened residence hall computer registration port activation turnaround times from two weeks to one second with a [[ResNet Online|custom-written Linux-based PHP web site]]<br />
***Provided in-person network and computer support to students living in the university's residence halls<br />
*'''Internet Developer'''<br />
**January 1998 to May 1998 and September 1998 to May 1999<br />
**'''Accomplishments'''<br />
***Implemented the university’s first web-based faculty and student directory using the common gateway interface (CGI)<br />
***Wrote an ODBC driver and Microsoft Access database for its administration. This lives on as the [https://www.moonlightdesign.org/dirlist/ DirList2] open-source project<br />
<br />
===[http://www.gcisd-k12.org/ Grapevine-Colleyville Independent School District]===<br />
*'''Student Intern'''<br />
*January 1996 to August 1997<br />
*'''Accomplishments'''<br />
**Provided hardware and software support, winning an employee award for exceptional service<br />
**Worked with wide-area network configurations<br />
**Wrote a [[LPD|networked printer driver]] to save thousands of dollars in licenses by allowing printing from their AS/400s to local printers<br />
<br />
==Education and Training==<br />
<br />
===[http://www.cmu.edu Carnegie Mellon University]===<br />
*'''[http://www.mse.cs.cmu.edu/ Master of Software Engineering]''', [http://www.isri.cmu.edu/index.jsp Institute of Software Research]<br />
*[http://en.wikipedia.org/wiki/Pittsburgh%2C_Pennsylvania Pittsburgh, Pennsylvania]<br />
*'''Graduation:''' December 2006<br />
*'''Masters group project:''' [[Serendipity|Bosch Security Configuration Assistant]], which is an [http://www.eclipse.org/ Eclipse-based] application that generates three-dimensional security plans for buildings using the [http://en.wikipedia.org/wiki/Jess_programming_language Jess] [http://en.wikipedia.org/wiki/Rule_engine rule engine] and three-dimensional visualization<br />
*'''Project roles:''' Technology support manager and, via rotation, planning manager, software process manager, project risk manager, and quality manager<br />
*'''Focus areas studied:''' Fault tolerant, distributed, real-time systems; software project management; formal models and analysis of software systems; software architecture; and software requirements elicitation methods<br />
*'''Accomplishments'''<br />
**As a team, we met and exceeded our client's original picture of success by the end of the project's one-year time frame.<br />
**I reduced the status meeting data collection time to less than 30 minutes through automation and used historical data to reduce our estimation error.<br />
**As the support manager, I kept our [http://fedoraproject.org/ RedHat Fedora Core] server and software available, secure, usable, and backed up using only one hour per week of my time on average throughout the project.<br />
*'''[http://www.cmu.edu/hub/reg/grading.html Quality point average]:''' Graduated with 4.03 out of 4.00, which is a weighted grade point average (GPA), due to earning several A+ grades<br />
<br />
===[http://www.bryant.edu/ Bryant University]===<br />
*'''[http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ Bachelor of Science in Business Administration]'''<br />
*[http://en.wikipedia.org/wiki/Smithfield%2C_Rhode_Island Smithfield, Rhode Island]<br />
*'''Graduation:''' May 2000<br />
*[http://www.aacsb.edu/ AACSB] [http://www.aacsb.edu/members/Omd/Profile_page2.asp?LinkId=38588&CallingPage=InstLists Accredited]<br />
*'''Focus areas studied:''' [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems Computer information systems] with a minor in [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Applied%20Statistics applied business statistics]<br />
*'''[http://en.wikipedia.org/wiki/GPA#United_States Grade point average]:''' Graduated [http://en.wikipedia.org/wiki/Summa_cum_laude summa cum laude] with a GPA of 3.96 out of 4.00<br />
*'''Leadership:''' Served as president of [http://web.bryant.edu/~pride Bryant PRIDE] for more than a year and conducted a [http://en.wikipedia.org/wiki/Linux Linux] installation event<br />
<br />
===Certification===<br />
*'''[https://www.redhat.com/training/rhce/courses/ RedHat Certified Engineer]''' (RHCE for 6.2): [https://www.redhat.com/training/certification/verify/ 806200565301847]</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2282Main Page2015-03-07T17:01:18Z<p>Stevenlawrance: /* Steven Lawrance */</p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steven has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[http://gnucashtoqif.sourceforge.net/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2281Main Page2014-10-31T14:10:34Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steve has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[http://gnucashtoqif.sourceforge.net/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2280Main Page2014-10-31T14:09:40Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steve has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[http://gnucashtoqif.sourceforge.net/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}<br />
[https://www.moonlightdesign.org/msy.pdf test]</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2279TLS-SSL-Protocols2014-10-20T13:40:49Z<p>Stevenlawrance: /* Configure Without Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can theoretically improve security further, but when this was tested in Windows 8 with Internet Explorer 11, Internet Explorer 11 wouldn't start up successfully until TLS 1.0 was enabled in Schannel. As a result, TLS 1.0 will need to be left enabled in Windows Schannel, even if it's disabled in Internet Explorer.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
**A significant number of web sites on the Internet won't work at this time with this configuration.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
**A significant number of web sites on the Internet won't work at this time with this configuration.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
**Don't use this on Windows 7, Windows Server 2008 R2, or newer as it disables TLS 1.1 and TLS 1.2 in Internet Explorer.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be considered equivalent to having no encryption.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be considered equivalent to having no encryption.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2278TLS-SSL-Protocols2014-10-20T13:39:45Z<p>Stevenlawrance: /* Configure Without Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can theoretically improve security further, but when this was tested in Windows 8 with Internet Explorer 11, Internet Explorer 11 wouldn't start up successfully until TLS 1.0 was enabled in Schannel. As a result, TLS 1.0 will need to be left enabled in Windows Schannel, even if it's disabled in Internet Explorer.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
**A significant number of web sites on the Internet won't work at this time with this configuration.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
**A significant number of web sites on the Internet won't work at this time with this configuration.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
**Don't use this on Windows 7, Windows Server 2008 R2, or newer as it disables TLS 1.1 and TLS 1.2 in Internet Explorer.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be equivalent to having no encryption.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**Don't use this unless if absolutely necessary. This configuration opens up your https connections to attack and should be equivalent to having no encryption.<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2277TLS-SSL-Protocols2014-10-18T22:54:09Z<p>Stevenlawrance: /* Configure With Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can theoretically improve security further, but when this was tested in Windows 8 with Internet Explorer 11, Internet Explorer 11 wouldn't start up successfully until TLS 1.0 was enabled in Schannel. As a result, TLS 1.0 will need to be left enabled in Windows Schannel, even if it's disabled in Internet Explorer.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2276TLS-SSL-Protocols2014-10-18T22:47:18Z<p>Stevenlawrance: /* Configure Without Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file. Internet Explorer 11 doesn't start in Windows 8 when TLS 1.0 is disabled in Schannel.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2275TLS-SSL-Protocols2014-10-18T22:23:37Z<p>Stevenlawrance: /* Configure Without Group Policies */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer with this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2274TLS-SSL-Protocols2014-10-18T22:23:17Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]<br />
**TLS 1.0 remains enabled in Windows Schannel, but it's off in Internet Explorer in this file.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2273TLS-SSL-Protocols2014-10-18T22:15:02Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page also includes registry merge files for convenience.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Recommended.reg Recommended: TLS 1.2, 1.1, and 1.0]<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Best.reg Windows 7 Best Security: TLS 1.2 only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-7-Good.reg Windows 7 Good Security: TLS 1.2 and 1.1]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Windows-Vista-XP.reg Windows Vista/XP: TLS 1.0 Only]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Insecure.reg Insecure: SSL 3.0 and TLS 1.0]<br />
*[https://www.moonlightdesign.org/dl/TLS-SSL-Highly-Insecure.reg Highly Insecure: SSL 3.0 only]</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2272TLS-SSL-Protocols2014-10-18T22:03:48Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page includes registry merge files.<br />
<br />
==Configure With Group Policies==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*Recommended: TLS 1.2, 1.1, and 1.0<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*Windows 7 Best Security: TLS 1.2 only<br />
*Windows 7 Good Security: TLS 1.2 and 1.1<br />
*Windows Vista/XP: TLS 1.0 Only<br />
*Insecure: SSL 3.0 and TLS 1.0<br />
*Highly Insecure: SSL 3.0 only</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2271TLS-SSL-Protocols2014-10-18T22:03:23Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
To handle systems that are not covered by group policies, this page includes registry merge files.<br />
<br />
==Include in a Group Policy==<br />
To use the group policies, you'll need to install the policy template file. The policy template includes two group policy targets for configuration: Computer and User.<br />
<br />
===Installation===<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.<br />
<br />
==Configure Without Group Policies==<br />
To quickly configure a computer that doesn't have group policies, it is possible to use a registry merge file. The following files implement their stated configuration scenarios:<br />
*Recommended: TLS 1.2, 1.1, and 1.0<br />
**Compatible with all versions of Windows that implement TLS 1.0, including those that don't implement TLS 1.1 and 1.2.<br />
*Windows 7 Best Security: TLS 1.2 only<br />
*Windows 7 Good Security: TLS 1.2 and 1.1<br />
*Windows Vista/XP: TLS 1.0 Only<br />
*Insecure: SSL 3.0 and TLS 1.0<br />
*Highly Insecure: SSL 3.0 only</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2270TLS-SSL-Protocols2014-10-18T18:42:57Z<p>Stevenlawrance: /* TLS/SSL Protocols */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button, as shown in the screenshot below. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2269TLS-SSL-Protocols2014-10-18T18:42:31Z<p>Stevenlawrance: /* TLS/SSL Protocols */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2268TLS-SSL-Protocols2014-10-18T18:42:00Z<p>Stevenlawrance: /* TLS/SSL Protocols */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
[[File:Policies-Computer-SSLv3Client.png|650px]]<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2267TLS-SSL-Protocols2014-10-18T18:02:51Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note that Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=Main_Page&diff=2266Main Page2014-10-18T18:01:03Z<p>Stevenlawrance: </p>
<hr />
<div>{|<br />
|valign="top"|<br />
Welcome to Moonlight Design -- the personal web site of [[Henry Lamb]] and [[Steven Lawrance]]<br />
<br />
==Henry Lamb==<br />
[[Henry Lamb]] is a professional [http://en.wikipedia.org/wiki/Restaurant restaurateur] trained in both [http://www.baychef.com/programs/hospitality_and_restaurant.asp restaurant management] and [http://www.baychef.com/programs/culinary_arts.asp culinary arts] at the [http://www.baychef.com/ California Culinary Academy]. For a few years from the late 1990s to the early 2000s, Henry was a [http://en.wikipedia.org/wiki/Graphic_designer graphic designer] trained at the [http://www.artinstitutes.edu/sanfrancisco/ Art Institute of San Francisco] and the [http://www.academyart.edu/ Academy of Art University]<br />
<br />
Visit Henry's new wine site: [http://glassofgrape.com/ Glass of Grape]<br />
<br />
==Steven Lawrance==<br />
[[Steven Lawrance]] is an active practitioner of [http://en.wikipedia.org/wiki/Software_engineering software engineering] and [http://en.wikipedia.org/wiki/Open-source_software open-source software enthusiast] trained in [http://www.mse.cs.cmu.edu/ software engineering] at [http://www.mse.cs.cmu.edu/ Carnegie Mellon University] and [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Undergraduate%20Programs/ business administration] with [http://www.bryant.edu/wps/wcm/connect/Bryant/Academics/Areas%20of%20Study/Computer%20Information%20Systems computer information systems] at [http://www.bryant.edu/ Bryant University]<br />
<br />
[[Steven Lawrance#Software Project Experience|Check out the list of software that Steve has either written or contributed to]]<br />
<br />
|valign="top" width="25%"|<br />
{|border="1"<br />
|<br />
<font size="5">[https://www.moonlightdesign.org/urllock/ IE URL Lock]</font> <font size="5">[http://gnucashtoqif.sourceforge.net/ GnuCashToQIF]</font> <font size="4">[[TLS-SSL-Protocols|TLS/SSL Protocol Group Policy Template]]</font> <font size="3">[https://www.moonlightdesign.org/dirlist DirList] [[CompactOnDelete]]</font> <font size="3">[[PortProxy]]</font> <font size="2">[[Serendipity|Team Serendipity]]</font> <font size="2">[[Disk Imager]]</font> <font size="1">[[ScreenWindowX]]</font><br />
|}<br />
<small>[https://www.moonlightdesign.org/wireless/ Guest wireless network sign-up] (local network only)</small><br />
|}</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2265TLS-SSL-Protocols2014-10-18T17:57:35Z<p>Stevenlawrance: /* TLS/SSL Protocols */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.<br />
<br />
Please note that users can update this setting within Internet Explorer's configuration options. This policy won't overwrite their customizations unless if this policy is changed to another value or if all policies are reapplied to that user, such as with 'gpupdate /force'.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2264TLS-SSL-Protocols2014-10-18T17:55:34Z<p>Stevenlawrance: /* Include in a Policy */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Group Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2263TLS-SSL-Protocols2014-10-18T17:55:20Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
====Add the Policy Template====<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
====Add the Policy Template====<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
====Show All Policy Settings====<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
====TLS/SSL Protocols====<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2262TLS-SSL-Protocols2014-10-18T17:52:34Z<p>Stevenlawrance: /* User Policy */</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2261TLS-SSL-Protocols2014-10-18T17:45:18Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting only Internet Explorer 8 or higher.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting also works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2260TLS-SSL-Protocols2014-10-18T17:38:18Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting Internet Explorer 8.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|370px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|370px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting also works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|375px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2259TLS-SSL-Protocols2014-10-18T17:36:17Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting Internet Explorer 8.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|400px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|400px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|650px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|650px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|400px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|475px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|400px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|650px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|350px]]<br />
<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|650px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting also works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|400px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2258TLS-SSL-Protocols2014-10-18T17:34:46Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you. The computer policies in this policy template are also useful to IT administrators whom are targeting Internet Explorer 8.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|300px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|600px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of users. The user policy won't have an effect if it applies only to computers and not to users.<br />
<br />
Right-click on the User Configuration | Administrative Templates folder. Alternatively, right-clicking on the Computer Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the User Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-User.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|300px]]<br />
<br />
Open the TLS/SSL Protocols folder within the User Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-User.png|600px]]<br />
<br />
Edit the policy setting and choose the Enabled radio button.<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then choose the Recommended item. Although those operating systems don't implement TLS 1.1 and 1.2, enabling TLS 1.1 and 1.2 is properly ignored by those older operating systems while being enabled on Windows 7, Windows Server 2008 R2, and newer operating systems.<br />
<br />
If all systems on your network run Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier, then the Windows Vista/XP option is feasible as that enables only TLS 1.0, but it's typically best to choose Recommended as that will allow upgraded systems to prefer TLS 1.1 and 1.2.<br />
<br />
If all systems on your network run Windows 7, Windows Server 2008 R2, or newer operating systems, then the Recommended setting also works, but the Windows 7 Best Security and Windows 7 Good Security items provide stronger security. If you choose Windows 7 Best Security, then only TLS 1.2 will be used, and that will give your secure connections maximum protection against known attacks. If some web sites that your organization use support TLS 1.1 as their highest protocol, then the Windows 7 Good Security item enables TLS 1.1 while preferring TLS 1.2. Some web sites may support only TLS 1.0 as their strongest option, and working with such web sites requires choosing the Recommended item.<br />
<br />
The Insecure and Highly Insecure items should never be used for medium or long term production use. They are present primarily for testing and as a short-term fallback if needed. Don't use them unless if it's absolutely necessary for a short time period. While enabled, your secure connections will effectively be as secure as using no encryption at all, even if Internet Explorer is using TLS 1.0 or higher. It's possible for a downgrade attack to cause Internet Explorer or the remote server to drop down to SSL 3.0, and disabling SSL 3.0 entirely is an effective mitigation against a downgrade attack to SSL 3.0.<br />
<br />
[[File:Policies-User-IE.png|350px]]<br />
<br />
Click OK when done. After clicking OK, this group policy is ready to get picked up by users upon their next application of the user group policies. Having the users log out and back in or having the users run gpupdate.exe will cause them to pick up the change.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2257TLS-SSL-Protocols2014-10-18T17:15:57Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do that.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
Please note Microsoft has a group policy setting for disabling TLS/SSL protocols in Internet Explorer, as described in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 their recommendations], but it doesn't work reliably with Internet Explorer 6 or 7. As a result, Microsoft noted in their policy template that it works only with Internet Explorer 8 and higher. If you run Internet Explorer 6 or 7, then the group policy template described on this page is a tenable option for you.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|300px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|600px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.<br />
<br />
===User Policy===<br />
The User policy configures Internet Explorer and has been tested with versions 6 and higher. If you are targeting only Internet Explorer 8 or higher, it is recommended that you instead use the group policy for disabling TLS/SSL protocols as documented in the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommendations for mitigating the POODLE attack]. Microsoft's built-in group policy, however, doesn't work reliably with Internet Explorer 6 and 7.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2256TLS-SSL-Protocols2014-10-18T17:06:14Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle On Downgraded Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do this.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|300px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|600px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2255TLS-SSL-Protocols2014-10-18T17:05:17Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle on Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do this.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|300px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|600px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2254TLS-SSL-Protocols2014-10-18T17:04:50Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle on Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do this.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]<br />
<br />
In the Filtering dialog, uncheck the "Only show policy settings that can be fully managed" checkbox. Click OK.<br />
<br />
[[File:Filtering.png|400px]]<br />
<br />
Open the TLS/SSL Protocols folder within the Computer Configuration | Administrative Templates folder. A list of policy settings should appear. If it is empty, then the view filtering might be hiding them. Please follow the instructions above if that is happening.<br />
<br />
[[File:Policies-Computer.png|600px]]<br />
<br />
If you have Windows XP, Vista, 2008 (without R2), 2003, 2000, NT4, or earlier systems, then enable TLS 1.0 for client and server use while disabling PCT 1.0, SSL 2.0, and SSL 3.0 for client and server use. The screenshot above shows what this configuration looks like.<br />
<br />
The Group Policy Editor makes configuration convenient with the Next Setting button. Starting with the first setting, position the dialog box such that the recommendation for that setting at the top of the "Description:" line is visible. Apply that recommendation to every setting in this list, clicking Next Setting to navigate to the next setting. Click OK when done. After clicking OK, this group policy is ready to get picked up by computers upon their next application of the computer group policies to their local computer. Running gpupdate.exe on the computers that have this group policy assigned to them will cause them to pick up the change before gpupdate.exe returns.<br />
<br />
If your network is comprised entirely of Windows Server 2008 R2, Windows 7, or newer operating systems, then disabling TLS 1.0 can improve security further, though the author of this template hasn't yet tried disabling TLS 1.0 at the computer level in such a network.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2253TLS-SSL-Protocols2014-10-18T16:52:42Z<p>Stevenlawrance: </p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle on Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do this.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
This template implements [https://technet.microsoft.com/en-us/library/security/3009008.aspx#sectionToggle3 Microsoft's recommended registry settings to disable SSLv3].<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible policy template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This policy template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.<br />
<br />
To get started, either create a new group policy or edit an existing group policy that applies to groups of computers. The computer policy won't have an effect if it applies only to users and not to computers.<br />
<br />
Right-click on the Computer Configuration | Administrative Templates folder. Alternatively, right-clicking on the User Configuration | Administrative Templates folder also works as it yields the same end-result. Click on the "Add/Remove Templates..." menu item.<br />
<br />
[[File:AddTemplate1.png|600px]]<br />
<br />
In the Add/Remove Templates dialog, click on the "Add..." button if the TLS-SSL-Protocols policy template isn't listed.<br />
<br />
[[File:AddTemplate2.png|350px]]<br />
<br />
Select the TLS-SSL-Protocols.adm file and click the Open button.<br />
<br />
[[File:AddTemplate3.png|425px]]<br />
<br />
The Add/Remove Templates dialog should now list the TLS-SSL-Protocols policy template. Press the Close button to continue.<br />
<br />
[[File:AddTemplate4.png|350px]]<br />
<br />
By default, the Group Policy Editor doesn't display policy settings that live outside of the group policy registry trees. The settings in this policy template live outside of the group policy registry trees, so you will need to change the view filtering. To do this, right-click on the Computer Configuration | Administrative Templates folder, click on the View submenu, and click on the "Filtering..." menu item.<br />
<br />
[[File:Filtering-Computer.png|600px]]</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=TLS-SSL-Protocols&diff=2252TLS-SSL-Protocols2014-10-18T16:28:03Z<p>Stevenlawrance: Initial page</p>
<hr />
<div>As a way to mitigate the [https://www.openssl.org/~bodo/ssl-poodle.pdf Padding Oracle on Legacy Encryption (POODLE) attack], information technology (IT) administrators can disable all protocols older than TLSv1 via ActiveDirectory group policies. This page describes how to do this.<br />
<br />
Using the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible administrative template] with the group policy editor allows IT administrators to deploy computer-level policies that disable legacy protocols within Windows Schannel and deploy user-level policies that disable legacy protocols within Internet Explorer. Note that a computer-level disable policy for a protocol overrides Internet Explorer's configuration for that protocol.<br />
<br />
==Installation==<br />
Save the [https://www.moonlightdesign.org/dl/TLS-SSL-Protocols.adm Windows Server 2003 compatible administrative template] as TLS-SSL-Protocols.adm within your Windows INF folder. This is typically <code>C:\Windows\INF</code>.<br />
<br />
==Include in a Policy==<br />
This administrative template includes two group policy targets: Computer and User.<br />
<br />
===Computer Policies===<br />
The Computer policies configure the Windows Schannel protocol support, which impacts client software and server software with dedicated settings for each. Internet Explorer, email software, and any program that connects to the local network or Internet and uses Windows Schannel for securing its connections are affected by the client policies. Internet Information Server, .NET server software, and any program that listens for and accepts secure connections from the local network or Internet and uses Windows Schannel for securing connections are affected by the server policies.<br />
<br />
Mozilla Firefox, Google Chrome, and Java, however, use their own software for securing connections and aren't affected by the client policies. Similarly, Java and software that uses OpenSSL (Apache, etc) or other non-Schannel software aren't affected by the server policies.</div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Policies-Computer-SSLv3Client.png&diff=2251File:Policies-Computer-SSLv3Client.png2014-10-18T16:18:31Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Policies-User-IE.png&diff=2250File:Policies-User-IE.png2014-10-18T16:18:20Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Policies-Computer.png&diff=2249File:Policies-Computer.png2014-10-18T16:18:00Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Policies-User.png&diff=2248File:Policies-User.png2014-10-18T16:17:43Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Filtering.png&diff=2247File:Filtering.png2014-10-18T16:17:30Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Filtering-Computer.png&diff=2246File:Filtering-Computer.png2014-10-18T16:17:21Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:Filtering-User.png&diff=2245File:Filtering-User.png2014-10-18T16:17:10Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:AddTemplate4.png&diff=2244File:AddTemplate4.png2014-10-18T16:16:51Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:AddTemplate3.png&diff=2243File:AddTemplate3.png2014-10-18T16:16:26Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:AddTemplate2.png&diff=2242File:AddTemplate2.png2014-10-18T16:16:15Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrancehttps://www.moonlightdesign.org/wiki/index.php?title=File:AddTemplate1.png&diff=2241File:AddTemplate1.png2014-10-18T16:15:59Z<p>Stevenlawrance: </p>
<hr />
<div></div>Stevenlawrance