Recently, we ran a pilot where FIPS-compliance mode was enabled on Windows 7 Enterprise SP1 32-bit computers. Specifically, the "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" security option was set to Enabled. The pilot is over and we turned off FIPS-compliance mode.
Since doing that, I have noticed that the SSL/TLS settings in Internet Explorer 9 are disabled on computers that were part of the pilot. I know the defaults are:
- SSL 2.0 : off
- SSL 3.0 : on
- TLS 1.0 : on
- TLS 1.1 : off
- TLS 1.2 : off
Now, all of these settings are disabled (grayed out) and the following settings are set:
- SSL 2.0 : on
- SSL 3.0 : on
- TLS 1.0 : on
- TLS 1.1 : off
- TLS 1.2 : off
This affects all user accounts on the system.
The test GPO we used to turn on FIPS mode for these computers has been verified to only be enforcing that FIPS setting. It was not controlling any Internet Explorer settings.
Here is the troubleshooting I have done so far:
- Reset Internet Explorer via the Reset button on the Advanced tab in Internet Options.
- Put computer in an OU that had Group Policy inheritance blocked, performed gpupdate, and rebooted to ensure no GPOs were affecting the computer.
- Verified that local policy was not enforcing the Internet Explorer SSL/TLS settings.
- Ran msconfig, disabled non-Microsoft services, and rebooted.
- Removed the Internet Explorer feature, rebooted, re-added it, and rebooted.
- Installed all available important and recommended Windows Updates.
- Installed Internet Explorer 11.
- Created a new local account and set it to Administrator and logged in as that.
- Removed the computer from the domain.
- Created another local account (with Administrator rights) and logged in as that while the computer was not on a domain.
- Ran the command from an elevated command prompt: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
- As a last-ditch effort, I ran CCLeaner and performed all the Clean and Registry fixes available.
Does anyone have any other ideas?