STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft Internet Explorer 11 Security Technical Implementation Guide

V-250541

CAT II (Medium)

Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled.

Rule ID

SV-250541r1117186_rule

STIG

Microsoft Internet Explorer 11 Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-002450

Discussion

This parameter ensures only DoD-approved ciphers and algorithms are enabled for use by the web browser by blocking an insecure fallback to SSL when TLS 1.0 or greater fails. Satisfies: SRG-APP-000514, SRG-APP-000555, SRG-APP-000625, SRG-APP-000630, SRG-APP-000635

Check Content

The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding. 

Procedure: Use the Windows Registry Editor to navigate to the following key: 

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. 

Criteria: If the value "EnableSSL3Fallback" is REG_DWORD=0, this is not a finding.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" to "Enabled", and select "No Sites" from the drop-down box.