Monthly archives: February 2006
Windows' SChannel is the "service" that handles all secure internet communications, such as PCT, SSL, and TLS. For security reasons, you may sometimes want to disable the older secure communication protocols, such as SSL 2.0. SSL 3.0 has been in use for years now and improves on SSL 2.0, making it more cryptographically secure. You may also want to disable PCT 1.0 since it's non-standard (be careful with this, though, as some built-in systems in Windows, such as the Message Queue, rely on PCT). Or perhaps you want to disable the newer protocols for compatibility reasons. Who knows?
Previously, you had to manually edit the registry on every affected machine, so I created this Administrative Template for Group Policy to control these settings. Unfortunately, Microsoft did not store these settings in the "true policy" locations of the registry, so in GPEDIT.MSC you need to click on Administrative Templates, then select View -> Filtering... and uncheck "Only show policy settings that can be fully managed." This will allow you to see the "preferences." (Policy settings that are not fully managed are called Preferences.) You can google for more information on the differences between policies and preferences.
Anyway, this administrative template will be handy if, for instance, you need to disable SSL 2.0 on a large array of web servers, or if you want to make sure that all outgoing communications are secure for workstations.
Microsoft's explanation of Administrative Templates...
Link to the SCHANNEL.ADM administrative template...
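Because these settings are preferences rather than true policies, it is worth confirming on each machine that the values actually landed in the registry. The following read-only audit is an added example, not part of the SCHANNEL.ADM template or the original post; the registry path and the `Enabled` value follow Microsoft's SChannel documentation, and the protocol list and the function name `Get-SchannelProtocolState` are assumptions made for illustration.

```powershell
# Added example: read-only audit of the SChannel protocol preferences.
# Assumption: settings live under ...\SCHANNEL\Protocols\<protocol>\<Client|Server>
# as a DWORD named "Enabled" (0 = disabled, non-zero = enabled).
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'   # assumed list for this example
$roles     = 'Client', 'Server'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol       = $protocols,
        [string[]]$Role           = $roles,
        # Protocols your own baseline requires to be switched off (assumption).
        [string[]]$MustBeDisabled = @('SSL 2.0')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key   = Join-Path (Join-Path $base $p) $r
            $state = 'NotConfigured'          # no value present: the OS default applies
            if (Test-Path -LiteralPath $key) {
                $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Enabled
                if ($null -ne $value) {
                    # 0xffffffff is read back as -1, so compare against 0 only.
                    $state = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
                }
            }
            # Flag anything the baseline wants off that is not explicitly disabled.
            $finding = ($MustBeDisabled -contains $p) -and ($state -ne 'Disabled')
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Protocol = $p
                Role     = $r
                State    = $state
                Finding  = $finding
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

A row with `State` of `NotConfigured` means the template never wrote a value for that protocol and role, so the machine is running whatever its Windows version does by default.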