CustomPatch - KB3009008 - Disable SSLv3 in Per-User Internet Explorer settings using ActiveSetup (POODLE)
Log In or Register to download the BES file, and more.

0 Votes

Description

See https://support.microsoft.com/kb/3009008

This Fixlet configures ActiveSetup to disable SSLv3 in Internet Explorer, to mitigate the "POODLE" vulnerability.  As an ActiveSetup component, this runs one time for each user at their next logon time. 

The ActiveSetup script edits HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols.


Property Details

ID3914
StatusQA - Ready for Production Level Testing
TitleCustomPatch - KB3009008 - Disable SSLv3 in Per-User Internet Explorer settings using ActiveSetup (POODLE)
DomainBESC
SourceInternal
Source Release Date11/3/2014 12:00:00 AM
KeywordsSSL, POODLE, Internet Explorer, Active Setup, Per User
Added by on 11/3/2014 12:12:11 PM
Last Modified by on 11/3/2014 12:12:11 PM
Counters 9741 Views / 14 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 365 fixlets   * Results in a true/false
Show indented relevance
(if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )
isWindows (Relevance 1172)
Used in 1152 fixlets and 538 analyses   * Results in a true/false
Show indented relevance
windows of operating system
Used in 19 fixlets   * Results in a true/false
Show indented relevance
(language of version block of file "kernel32.dll" of system folder contains "English") OR (exists key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" whose (exists value of it) of registry)
Used in 127 fixlets   * Results in a true/false
Show indented relevance
not ia64 of operating system
Used in 1 fixlet   * Results in a true/false
Show indented relevance
(name of it = "Win2003" OR name of it = "WinVista" OR name of it = "Win2008" OR name of it = "Win7" OR name of it = "Win2008R2" OR name of it = "Win8" OR name of it = "Win2012" OR name of it = "Win8.1" OR name of it = "Win2012R2") of operating system
Used in 1 fixlet   * Results in a true/false
Show indented relevance
/* Check that the Registry is configured to execute this ActiveSetup component */ (not exists key "KB3009008_POODLE" whose (exists value "IsInstalled" whose (it=1) of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" of native registry) OR /* Check that the files required for this ActiveSetup component are present; item 0 below is a semicolon-delimited set of file pathnames */ ( exists (("\admtools\ActiveSetup\KB3009008_POODLE\ActiveSetup.cmd"),root folder of drive of system folder) whose (not exists file (pathname of item 1 of it as string & item 0 of it)))

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
action uses wow64 redirection false

// Setup the files for ActiveSetup script operation
dos mkdir "{root folder of drive of system folder}\admtools\ActiveSetup\KB3009008_POODLE"
delete __appendfile
appendfile @reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v SecureProtocols /t REG_DWORD /d 0x80 /F
delete "{root folder of drive of system folder}\admtools\ActiveSetup\KB3009008_POODLE\ActiveSetup.cmd"
copy __appendfile "{root folder of drive of system folder}\admtools\ActiveSetup\KB3009008_POODLE\ActiveSetup.cmd"


// Setup the Registry to run this ActiveSetup batch file on next logon (for each user)
delete __createfile
createfile until
REM Update this block as needed
set KEYNAME=KB3009008_POODLE
set TITLE=Installing KB3009008_POODLE
set VERSION=1,0,0,0
set VALUE=%COMSPEC% /c "{root folder of drive of system folder}\admtools\ActiveSetup\KB3009008_POODLE\ActiveSetup.cmd"
REM end of per-package settings


set ACTIVESETUP=HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

REG ADD "%ACTIVESETUP%\%KEYNAME%" /f
REG ADD "%ACTIVESETUP%\%KEYNAME%" /ve /t REG_SZ /d "%TITLE%" /f
REG ADD "%ACTIVESETUP%\%KEYNAME%" /v IsInstalled /t REG_DWORD /d 1 /f
REG ADD "%ACTIVESETUP%\%KEYNAME%" /v Version /t REG_SZ /d "%VERSION%" /f
REG ADD "%ACTIVESETUP%\%KEYNAME%" /v StubPath /t REG_EXPAND_SZ /d "%VALUE%" /f


delete "ActiveSetup-Registry.cmd"
move __createfile "ActiveSetup-Registry.cmd"
waithidden cmd /c ActiveSetup-Registry.cmd
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!