I ran into a situation where I needed to remotely set the values in a user’s Internet Options control panel. With all the problems with SSL 2.0 and SSL 3.0 lately, we’ve pushed out configurations to block them. Some of our users have reported problems connecting to business-critical websites which aren’t working with our settings. So I need to remotely check the SSL 3.0 box for them.
To get this done I had two problems:
- What values do I need to store in the registry?
- Where do I store them?
First, find the keys.
I fired up procmon from Sysinternals and opened up my Internet Options control panel. With some trial and error I was able to narrow down the settings I needed to change. The process is to change the settings in my UI (remember to click apply!) and watch the registry changes in procmon. In case you’re looking for exactly the same thing I am, changing the SSL/TLS settings, here’s the key you need:
And here are the values you need:
| SSL/TLS Version | Decimal | Hexadecimal |
|---|---|---|
| SSL 2.0 | 8 | 0x8 |
| SSL 3.0 | 32 | 0x20 |
| TLS 1.0 | 128 | 0x80 |
| TLS 1.1 | 512 | 0x200 |
| TLS 1.2 | 2048 | 0x800 |
This is a bitfield. To get the correct value, you just add up the options you want and then store that value in the registry.
I needed to have SSL 3.0, TLS 1.0, and TLS 1.1 enabled.
When you store the result in the registry, make sure you enter it in the expected format.
Second, figure out where to store the values.
Now, just open up the remote registry and find HKEY_CURRENT_USER and rock and roll!
Okay, going to have to pull some teeth here. The issue is that there really isn’t a HKEY_CURRENT_USER hive. When a user logs on, Windows maps their HKEY_USERS hive onto the HKCU hive. It makes things so much easier. Since we’re not logged on to this system as that user, we don’t get the easy version.
If your users generally have one PC each, you probably will see several short SIDs and a pair of long ones. The long one without “_classes” on the end is your user’s SID. But you can get a user’s SID via PowerShell to be 100% sure.
PS C:\Windows> (New-Object System.Security.Principal.NTAccount("Domain","username")).Translate([System.Security.Principal.SecurityIdentifier]) | fl Value
Value : S-1-5-21-776511741-573735546-682002230-13423
So in my case, I’ll need to use
Put it all together.
Almost done, I swear. In regedit I connected to the remote computer then browsed to the right user’s HKEY_USERS key (that long SID we found earlier). I browsed to the key I found earlier, Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols. Finally, I set the value I calculated, 672 (decimal).
Sites are fixing their SSL settings as fast as they can, so don’t just set something like this and forget it. Periodically test the sites your users require to see if they work with SSL 2.0 and SSL 3.0 disabled. Once they do, you can undo your changes.
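The steps above (combine the bit values, resolve the user’s SID, write the result under that SID in the remote HKEY_USERS hive) as one PowerShell script. This is an added example, not code from the original post. It assumes SecureProtocols is a DWORD value under the Internet Settings key and that the Remote Registry service on the target is reachable; the function names and the PC-EXAMPLE computer name are made up for illustration.

```powershell
# Bit values from the table in the post (SecureProtocols is a bitfield).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}

function ConvertTo-SecureProtocols([string[]]$Protocol) {
    # OR the selected bits together; reject names that are not in the table.
    $value = 0
    foreach ($p in $Protocol) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol: $p" }
        $value = $value -bor $ProtocolBits[$p]
    }
    $value
}

function ConvertFrom-SecureProtocols([int]$Value) {
    # List the protocol names whose bit is set in an existing value.
    @($ProtocolBits.Keys | Where-Object { $Value -band $ProtocolBits[$_] })
}

function Set-RemoteSecureProtocols {
    param([string]$ComputerName, [string]$Domain, [string]$UserName, [string[]]$Protocol)
    # Resolve the account to its SID, as in the post.
    $sid = (New-Object System.Security.Principal.NTAccount($Domain, $UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        $path = "$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $key = $hku.OpenSubKey($path, $true)   # $true = open writable
        if ($null -eq $key) { throw "No hive for $sid under HKEY_USERS on $ComputerName" }
        $old = [int]$key.GetValue('SecureProtocols', 0)
        $new = ConvertTo-SecureProtocols $Protocol
        $key.SetValue('SecureProtocols', $new, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        # Return before/after so the change can be logged and later undone.
        [pscustomobject]@{
            Sid = $sid; OldValue = $old; NewValue = $new
            OldProtocols = ConvertFrom-SecureProtocols $old
            NewProtocols = ConvertFrom-SecureProtocols $new
        }
    } finally { $hku.Close() }
}

# Usage (PC-EXAMPLE, Domain and username are placeholders):
# Set-RemoteSecureProtocols -ComputerName 'PC-EXAMPLE' -Domain 'Domain' -UserName 'username' -Protocol 'SSL 3.0','TLS 1.0','TLS 1.1'
```

Keep the returned OldValue with your change record: writing it back is how you undo the exception once the site works without SSL 3.0.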