Manage SSL/TLS settings in IE

The other day I needed to configure the SSL/TLS settings in IE for users in my organization. While I’m aware of the easy way to manage IE settings through the Internet Explorer group policy settings, I prefer to use Group Policy Preferences to manage them instead. After a bit of digging I found that to manage the SSL/TLS settings you simply change the ‘SecureProtocols’ DWORD value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

Below are the possible values and what they do. The value is a bitmask: SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512 and TLS 1.2 = 2048, and any combination is just the sum of its parts (2560 = TLS 1.1 + TLS 1.2, for example). Two caveats: SSL 2.0 and SSL 3.0 are broken and should not be enabled at all, so 2048 or 2560 are the values you actually want; and the “Turn off encryption support” policy writes the same value under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, which wins over whatever a preference puts in HKCU.

0 – Disable SSL/TLS
8 – SSL 2.0
32 – SSL 3.0
40 – SSL 2.0, SSL 3.0
128 – TLS 1.0
136 – SSL 2.0, TLS 1.0
160 – SSL 3.0, TLS 1.0
168 – SSL 2.0, SSL 3.0, TLS 1.0
512 – TLS 1.1
520 – SSL 2.0, TLS 1.1
544 – SSL 3.0, TLS 1.1
552 – SSL 2.0, SSL 3.0, TLS 1.1
640 – TLS 1.0, TLS 1.1
648 – SSL 2.0, TLS 1.0, TLS 1.1
672 – SSL 3.0, TLS 1.0, TLS 1.1
680 – SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
2048 – TLS 1.2
2056 – SSL 2.0, TLS 1.2
2080 – SSL 3.0, TLS 1.2
2088 – SSL 2.0, SSL 3.0, TLS 1.2
2176 – TLS 1.0, TLS 1.2
2184 – SSL 2.0, TLS 1.0, TLS 1.2
2208 – SSL 3.0, TLS 1.0, TLS 1.2
2216 – SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.2
2560 – TLS 1.1, TLS 1.2
2568 – SSL 2.0, TLS 1.1, TLS 1.2
2592 – SSL 3.0, TLS 1.1, TLS 1.2
2600 – SSL 2.0, SSL 3.0, TLS 1.1, TLS 1.2
2688 – TLS 1.0, TLS 1.1, TLS 1.2
2696 – SSL 2.0, TLS 1.0, TLS 1.1, TLS 1.2
2720 – SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
2728 – SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2

Values were obtained from: http://blogs.technet.com/b/iede/archive/2010/09/27/as-59-63-ssl-2-0-ssl-3-0-tls-1-0-tls-1-1-tls-1-2-verwenden.aspx
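The following is an added example, not code from the original post: it decodes a SecureProtocols value back into protocol names, builds a value from names, warns when the current user still has SSL 2.0 or SSL 3.0 enabled, and then writes a TLS-only value to the same HKCU key the post describes. The bit values are the ones in the table above; the function names are my own.

```powershell
# Added example (not part of the original post): decode and build the SecureProtocols
# bitmask and apply a TLS-only value for the current user.
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 8 },
    @{ Name = 'SSL 3.0'; Bit = 32 },
    @{ Name = 'TLS 1.0'; Bit = 128 },
    @{ Name = 'TLS 1.1'; Bit = 512 },
    @{ Name = 'TLS 1.2'; Bit = 2048 }
)
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory=$true)][int]$Value)
    # Names of every protocol whose bit is set; an empty result means everything is disabled.
    foreach ($p in $ProtocolBits) {
        if (($Value -band $p.Bit) -ne 0) { $p.Name }
    }
}

function ConvertTo-SecureProtocols {
    param([Parameter(Mandatory=$true)][string[]]$Protocol)
    # OR together the bit for each named protocol, e.g. 'TLS 1.1','TLS 1.2' -> 2560.
    $value = 0
    foreach ($name in $Protocol) {
        $match = $ProtocolBits | Where-Object { $_.Name -eq $name }
        if (-not $match) { throw "Unknown protocol '$name'" }
        $value = $value -bor $match.Bit
    }
    $value
}

function Get-IeSecureProtocols {
    # Current per-user value, or $null when it has never been set (IE then uses its built-in default).
    $item = Get-ItemProperty -Path $IeSettings -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.SecureProtocols
}

function Set-IeSecureProtocols {
    param([Parameter(Mandatory=$true)][string[]]$Protocol)
    $value = ConvertTo-SecureProtocols -Protocol $Protocol
    Set-ItemProperty -Path $IeSettings -Name SecureProtocols -Value $value -Type DWord
    $value
}

# Audit: warn if the current user still has SSL 2.0 or SSL 3.0 turned on.
$current = Get-IeSecureProtocols
if ($null -ne $current) {
    $weak = @(ConvertFrom-SecureProtocols -Value $current | Where-Object { $_ -like 'SSL*' })
    if ($weak.Count -gt 0) {
        Write-Warning ("SecureProtocols={0} still enables {1}" -f $current, ($weak -join ', '))
    }
}

# Remediate: TLS 1.1 and TLS 1.2 only, which is 2560 in the table above.
Set-IeSecureProtocols -Protocol 'TLS 1.1', 'TLS 1.2'
```

In production the write would come from the Group Policy Preferences registry item the post describes; the script is for checking a workstation, or for confirming what value a preference actually left behind. If the Policies key mentioned above is populated, that is the value IE honours, not this one.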

Set default OU for Computer and User objects

You’ve likely noticed that every time a system is joined to the domain without a computer object being created first, it ends up in the default “Computers” container. The same is true of user objects, which always end up in the default “Users” container unless otherwise specified. Generally an IT organization simply works around this behavior, but I think it’s better to customize the domain a bit by changing these defaults.

To change the defaults, run one command on a domain controller for each object type: redirusr.exe for user objects and redircmp.exe for computer objects. Both live in %SystemRoot%\System32 on a DC, need Domain Admin rights and a domain functional level of Windows Server 2003 or higher, and the target OU has to exist before you run them. The command lines are below.

For user objects:

ReDirUsr “OU=User Accounts,DC=domain,DC=local”

For computer objects:

ReDirCmp “OU=Computer Accounts,DC=domain,DC=local”

Additionally, I would link GPOs to the new default OUs that lock down user and computer accounts while they sit there. If you think about it, you generally have a much more defined OU structure than just “User Accounts” and “Computer Accounts”, so I would use those two default OUs to catch user and computer objects that are created in your domain incorrectly. That lets you correct any configuration issues with the objects before moving them to their proper OU, and possibly even track down someone in your organization who is doing something incorrectly.
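An added example (not from the original post) of the check that goes with this change: confirm where the domain’s default containers now point, then list whatever has been sitting in the catch-all OUs for more than a day, which is exactly the set of objects created outside the normal process. It assumes the ActiveDirectory module (RSAT) and the OU names used in the post.

```powershell
# Added example (not part of the original post): verify the redirection and report
# objects that landed in the catch-all OUs. Run from a machine with RSAT installed.
Import-Module ActiveDirectory

function Get-DefaultContainerReport {
    # Get-ADDomain exposes the containers that redirusr/redircmp point the domain's
    # well-known objects at, so this is the quickest way to confirm the change took.
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        UsersContainer     = $domain.UsersContainer
        ComputersContainer = $domain.ComputersContainer
    }
}

function Get-UnsortedObjects {
    param([int]$OlderThanDays = 1)
    # Anything still in the default containers after a day was created without
    # an OU being chosen, or by someone who does not know the process.
    $domain = Get-ADDomain
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $users = @(Get-ADUser -Filter * -SearchBase $domain.UsersContainer `
        -SearchScope OneLevel -Properties whenCreated)
    $computers = @(Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
        -SearchScope OneLevel -Properties whenCreated)
    ($users + $computers) |
        Where-Object { $_.whenCreated -le $cutoff } |
        Select-Object Name, ObjectClass, whenCreated, DistinguishedName
}

Get-DefaultContainerReport
Get-UnsortedObjects -OlderThanDays 1
```

If the report still shows CN=Users and CN=Computers, the redirect did not apply (usually the functional level, or the OU did not exist). AD does not record who created an object; to attribute one, match its whenCreated against the account-creation events on the DCs.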

Configuring the “Compatibility” tab

This post discusses how to configure the options on the Compatibility tab for a given executable by making the change directly in the registry.

There are two ways to go about it: making the change for an executable for all users on a system, or making it for a single user.

When you configure an executable to run in compatibility mode, Windows XP and 7 store that configuration under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (if the change is only for a particular user) or HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (if the change is for all users). Under the Layers key the OS creates a String value named after each executable’s full path and stores the compatibility properties as that value’s data. For example, if you had an executable at C:\Program Files\Adobe\Reader\AdbRd.exe and you wanted Windows 7 to run it in Windows XP SP3 compatibility mode, you would create the following string.

Value Name: C:\Program Files\Adobe\Reader\AdbRd.exe
Data: WINXPSP3

Once that string is in place, the next time the executable is launched it runs in Windows XP SP3 compatibility mode, for that one user or for everyone depending on which key (User or System) you put it under.

In addition to the OS compatibility mode, you can also specify all the other options you see on the Compatibility tab using that same string value. Below are the available options and the token that enables each one.

Windows XP Options

Windows 95 = WIN95
Windows 98/ME = WIN98
Windows NT 4.0 SP5 = NT4SP5
Windows 2000 = WIN2000

Run in 256 Colors = 256COLOR
Run in 640 x 480 screen resolution = 640X480
Disable visual themes = DISABLETHEMES
Turn off advanced text services for this program = DISABLECICERO

Windows 7 Options

Windows 95 = WIN95
Windows 98/ME = WIN98
Windows NT 4 SP5 = NT4SP5
Windows 2000 = WIN2000
Windows XP SP2 = WINXPSP2
Windows XP SP3 = WINXPSP3
Server 2003 SP1 = WINSRV03SP1
Server 2008 SP1 = WINSRV08SP1
Windows Vista = VISTARTM
Windows Vista SP1 = VISTASP1
Windows Vista SP2 = VISTASP2
Windows 7 = WIN7RTM

Run in 256 colors = 256COLOR
Run in 640×480 screen resolution = 640X480
Disable visual themes = DISABLETHEMES
Disable desktop composition = DISABLEDWM
Disable display scaling on high DPI settings = HIGHDPIAWARE
Run this program as an Administrator = RUNASADMIN


When you want any of the additional options on top of the OS mode, you simply append the option to the value data, separated by a space. For example, if you wanted an executable to run in Windows XP SP3 mode and also run as an Administrator, the value data would be “WINXPSP3 RUNASADMIN”. Luckily the order doesn’t matter: even though the run as administrator option is always at the bottom of the Compatibility tab, you can specify it first and the 256 colors option last. Two things worth knowing: on Windows 8 and later the Compatibility tab writes the same data with a “~ ” prefix (for example “~ WINXPSP3 RUNASADMIN”), and RUNASADMIN only makes the program request elevation through UAC when it starts. It does not bypass the prompt, and anything written under the HKCU key is a preference the user can change, not an enforced control.
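The following is an added example, not code from the original post. It wraps the two Layers keys in read and write functions, validates options against the lists above, writes the Adobe Reader entry from the post (that path is the post’s hypothetical one), and then audits which executables have been given RUNASADMIN, since every one of those will prompt for elevation on launch.

```powershell
# Added example (not part of the original post): manage AppCompatFlags\Layers entries
# per user or per machine. The Machine scope needs an elevated PowerShell session.
$LayerKeys = @{
    User    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    Machine = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
}
# Tokens from the XP and Windows 7 lists in the post.
$KnownLayers = 'WIN95','WIN98','NT4SP5','WIN2000','WINXPSP2','WINXPSP3','WINSRV03SP1','WINSRV08SP1',
               'VISTARTM','VISTASP1','VISTASP2','WIN7RTM',
               '256COLOR','640X480','DISABLETHEMES','DISABLECICERO','DISABLEDWM','HIGHDPIAWARE','RUNASADMIN'

function Get-CompatLayer {
    param([ValidateSet('User','Machine')][string]$Scope = 'User')
    # One REG_SZ per executable: the value name is the full path, the data is the option list.
    $key = Get-Item -Path $LayerKeys[$Scope] -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Scope      = $Scope
            Executable = $name
            Layers     = $key.GetValue($name)
        }
    }
}

function Set-CompatLayer {
    param(
        [Parameter(Mandatory=$true)][string]$Executable,
        [Parameter(Mandatory=$true)][string[]]$Layer,
        [ValidateSet('User','Machine')][string]$Scope = 'User'
    )
    foreach ($l in $Layer) {
        if ($KnownLayers -notcontains $l.ToUpper()) { throw "Unknown compatibility option '$l'" }
    }
    $path = $LayerKeys[$Scope]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Options are space separated and their order does not matter.
    $data = ($Layer | ForEach-Object { $_.ToUpper() }) -join ' '
    Set-ItemProperty -Path $path -Name $Executable -Value $data -Type String
}

# The example from the post: XP SP3 mode plus run as administrator, for the current user.
Set-CompatLayer -Executable 'C:\Program Files\Adobe\Reader\AdbRd.exe' -Layer 'WINXPSP3','RUNASADMIN'

# Audit: every entry that forces an elevation prompt, in both scopes.
Get-CompatLayer -Scope User    | Where-Object { $_.Layers -match 'RUNASADMIN' }
Get-CompatLayer -Scope Machine | Where-Object { $_.Layers -match 'RUNASADMIN' }
```

Get-CompatLayer is also the quick way to see what a user has clicked through on the Compatibility tab, because the GUI writes to exactly these keys.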

Deploy Windows 7 and use a KMS Server

I do the following during my imaging process to set up a Windows 7 client to activate against a KMS server.

First, I run the command line below to define the KMS host. The starting directory should be %systemroot%\System32.

smsswd.exe /run: SLMGR.VBS -skms KMSSERVER:1688

I then run the following command line to have the computer activate against the KMS host.

smsswd.exe /run: SLMGR.VBS -ato


In the event that you want to install a MAK key instead of using a KMS server, you can run the following command. Keep in mind that a MAK key is a secret: pass it in from a protected task sequence variable rather than leaving it in a script or package that every client can read.

smsswd.exe /run: SLMGR.VBS -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
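An added example, not from the original post: the same three steps driven from PowerShell through the SoftwareLicensingService and SoftwareLicensingProduct WMI classes that slmgr.vbs itself calls, plus the status check a deployment really needs. This runs directly on the client rather than through smsswd.exe; the host name KMSSERVER is the post’s placeholder and the product key is one you supply.

```powershell
# Added example (not part of the original post): KMS client setup and activation through
# the licensing WMI classes, with a verification step. Run elevated.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID shared by Windows SKUs

function Set-KmsHost {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 1688)
    # Equivalent of slmgr -skms host:port.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    [void]$svc.SetKeyManagementServiceMachine($HostName)
    [void]$svc.SetKeyManagementServicePort($Port)
}

function Install-ProductKey {
    param([Parameter(Mandatory=$true)][string]$Key)
    # Equivalent of slmgr -ipk; the key arrives as a parameter, not a literal in the script.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    [void]$svc.InstallProductKey($Key)
    [void]$svc.RefreshLicenseStatus()
}

function Get-WindowsLicenseProduct {
    # The installed Windows product is the one with a partial key, the same filter slmgr uses.
    Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $WindowsAppId -and $_.PartialProductKey }
}

function Invoke-WindowsActivation {
    # Equivalent of slmgr -ato; returns $true only when LicenseStatus is 1 (Licensed).
    $product = Get-WindowsLicenseProduct
    [void]$product.Activate()
    [void](Get-WmiObject -Class SoftwareLicensingService).RefreshLicenseStatus()
    (Get-WindowsLicenseProduct).LicenseStatus -eq 1
}

Set-KmsHost -HostName 'KMSSERVER'
if (-not (Invoke-WindowsActivation)) {
    $p = Get-WindowsLicenseProduct
    Write-Warning ("Activation failed: {0} LicenseStatus={1} reason=0x{2:X}" -f `
        $p.Name, $p.LicenseStatus, $p.LicenseStatusReason)
}
```

Checking LicenseStatus after the Activate() call is the part the bare slmgr commands skip: in a task sequence, a failed activation otherwise goes unnoticed until the grace period ends.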


Hide drive letters in Explorer

The following will allow you to hide the drive letter from Explorer without hiding the drive itself. This would be useful if you wanted users to remember drive names (descriptions) rather than drive letters.

First navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer. Once there, create a DWORD named “ShowDriveLettersFirst” and give it one of the values below.

0 – Show all drive letters after drive description

1 – Show local drive letters after description and show network drive letters before drive description

2 – Display no drive letter at all

4 – Show all drive letters before the drive names

Turn Windows features on and off with DISM

DISM is an awesome tool introduced with Windows 7 that lets you do all sorts of management of a WIM image, or maintenance on a running Windows 7 installation. In this post I’m going to document how you can use DISM to turn Windows features on and off on a local installation of Windows 7 or during a task sequence.

The first thing you need to figure out when working with Windows features is the feature names. You discover them by opening an elevated Command Prompt and typing…

DISM /online /get-features

You should then get a big list of all the features available that you can turn on and off.

As an example, to turn off the Media Center feature you need to run this command…

DISM /online /Disable-Feature /FeatureName:MediaCenter /quiet /norestart

And then if you want to turn it back on you would run this…

DISM /online /Enable-Feature /FeatureName:MediaCenter /quiet /norestart
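An added example, not from the original post: Windows 7 has no Get-WindowsOptionalFeature cmdlet, so this parses the “Feature Name / State” pairs that DISM /get-features prints into objects, wraps Enable/Disable with proper exit-code handling (3010 means “done, reboot pending”), and then uses both to turn off a short list of features that should not be on a workstation unless someone needs them. MediaCenter is the post’s example; TelnetClient, TelnetServer and TFTP are real Windows 7 feature names I added.

```powershell
# Added example (not part of the original post): turn DISM feature output into objects
# and enforce a small baseline. Run elevated; from a 32-bit task sequence step on 64-bit
# Windows, call %windir%\Sysnative\dism.exe instead so you get the 64-bit DISM.
function Get-DismFeature {
    # /english keeps the labels parseable regardless of the OS language.
    $output = & dism.exe /online /get-features /english
    if ($LASTEXITCODE -ne 0) { throw "DISM /get-features failed with exit code $LASTEXITCODE" }
    $name = $null
    foreach ($line in $output) {
        if ($line -match '^Feature Name\s*:\s*(\S+)') { $name = $Matches[1]; continue }
        if ($name -and $line -match '^State\s*:\s*(.+?)\s*$') {
            New-Object PSObject -Property @{ FeatureName = $name; State = $Matches[1] }
            $name = $null
        }
    }
}

function Set-DismFeature {
    param(
        [Parameter(Mandatory=$true)][string]$FeatureName,
        [Parameter(Mandatory=$true)][ValidateSet('Enable','Disable')][string]$Action
    )
    & dism.exe /online "/$($Action)-Feature" "/FeatureName:$FeatureName" /quiet /norestart | Out-Null
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "DISM $Action-Feature $FeatureName failed with exit code $LASTEXITCODE"
    }
    # $true when the change is in but needs a reboot to finish.
    $LASTEXITCODE -eq 3010
}

# Baseline: features that should be off on a workstation unless explicitly required.
$shouldBeDisabled = 'TelnetClient','TelnetServer','TFTP','MediaCenter'
$rebootNeeded = $false
foreach ($f in Get-DismFeature) {
    if ($shouldBeDisabled -contains $f.FeatureName -and $f.State -eq 'Enabled') {
        Write-Warning "$($f.FeatureName) is enabled; disabling"
        if (Set-DismFeature -FeatureName $f.FeatureName -Action Disable) { $rebootNeeded = $true }
    }
}
if ($rebootNeeded) { Write-Warning 'Reboot required to complete feature changes' }
```

Running Get-DismFeature before and after a task sequence step is the easiest way to prove a feature change actually applied, since /quiet hides everything and a step that returns 3010 looks like a failure unless the sequence is told that code is a success.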

Missing items from Windows 7 Start Menu

Ever since I implemented folder redirection for Windows 7 I’ve noticed that certain system-specific items were missing from the Start Menu. This included folders such as Accessories, Startup, Windows Virtual PC (for running XP Mode), and Maintenance. This was a problem because a co-worker wanted to run legacy applications from the virtual XP machine on his Windows 7 machine transparently on the Windows 7 desktop. Obviously he couldn’t launch the applications transparently if the Windows Virtual PC folder was missing from his Start Menu.

Since this was something he really, really wanted to do, he spent lots of time looking into it and found this out.

If you enable the GPO object “Remove user’s folders from the Start Menu”, all those items listed above will be gone from the Start Menu. I’ve since set the GPO object back to Not configured and the items have returned.

So far I haven’t seen any “bad things” happen to the start menu. I know that it’s recommended to have that GPO enabled since I have folder redirection implemented, but I’m unaware of the technical reasons why.

I’ll be sure to update this entry if I find anything else out.

WMI Filters with Group Policy Management

One way to keep your Active Directory structure clean and organized is to use WMI filters to help decide which GPOs apply to whom and/or what, instead of creating more OUs.

To create a WMI filter, open the Group Policy Management console and expand down from the Forest level, through Domains and your domain, until you get to WMI Filters.


Now right click on the WMI Filters container and click New. At this point you just need to give the filter a name and add a WMI query. Below are example queries for targeting Windows 7 and Windows XP workstations. ProductType = "1" restricts the match to workstations (2 is a domain controller, 3 a member server). Be careful with the version pattern: "6.%" would also match Vista (6.0) and Windows 8/8.1 (6.2, 6.3) workstations, and "5.%" would match Windows 2000 (5.0), so the patterns below pin the minor version. Note that 64-bit XP reports 5.2, so add it if you have any.

Windows 7…

Select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

Windows XP…

Select * from Win32_OperatingSystem where Version like "5.1%" and ProductType = "1"

Once you’ve got a filter in place, you assign it to a GPO by selecting the GPO in the console and choosing the filter in the WMI Filtering drop-down at the bottom of its Scope tab, for example assigning the Windows 7 WMI filter to a Windows 7 Workstation GPO.


When a GPO has a filter assigned, the client evaluates the query during policy processing and applies the GPO only if the query returns at least one instance (true). If the query returns nothing, or fails to run at all, the GPO is silently skipped, so it pays to test a filter on a real machine before relying on it.
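An added example, not from the original post, of that local test: it runs each filter query against root\CIMV2 on the local machine (or a remote one) exactly as the Group Policy client would, treats an error as a failed filter, and prints the OS version and ProductType so a wrong pattern is obvious. The “Any server” query is an extra one I added to show the other ProductType values.

```powershell
# Added example (not part of the original post): evaluate WMI filter queries locally before
# attaching them to a GPO. Queries use the tightened version patterns from above.
$Filters = @{
    'Windows 7 workstation'  = 'Select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"'
    'Windows XP workstation' = 'Select * from Win32_OperatingSystem where Version like "5.1%" and ProductType = "1"'
    'Any server'             = 'Select * from Win32_OperatingSystem where ProductType = "2" or ProductType = "3"'
}

function Test-WmiFilter {
    param([Parameter(Mandatory=$true)][string]$Query, [string]$ComputerName = '.')
    # A filter passes when the query returns at least one instance. A query that errors
    # is reported as $false, which matches what the client does: the GPO is not applied.
    try {
        $result = @(Get-WmiObject -Namespace 'root\CIMV2' -Query $Query `
            -ComputerName $ComputerName -ErrorAction Stop)
        $result.Count -gt 0
    } catch {
        Write-Warning "Query failed on ${ComputerName}: $($_.Exception.Message)"
        $false
    }
}

$os = Get-WmiObject -Class Win32_OperatingSystem
"Local OS: {0} version {1}, ProductType {2}" -f $os.Caption, $os.Version, $os.ProductType
foreach ($name in $Filters.Keys) {
    New-Object PSObject -Property @{
        Filter  = $name
        Applies = Test-WmiFilter -Query $Filters[$name]
    }
}
```

Run it on one machine of each type you intend to target and one you intend to exclude; a filter that returns True on both is the kind of mistake gpresult only reveals after the wrong policy has already applied.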