Jim Wolff (JimWolff)
Denmark
JimWolff / bpp_2018-08-16_tls1.2only.ictpl
Last active Aug 17, 2018
IISCrypto template for pre-Windows Server 2016; restricts protocol use to TLS 1.2. Broader-support version located here: https://gist.github.com/JimWolff/f6969253fb23744ea2bfae57d8b990b1 (template used in the autofix security script here: https://gist.github.com/JimWolff/fc35d863db8971b2a73c96f90c5002e4)
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_Pre2016Server_tls1.2only</name>
<author>Jim Wolff</author>
<lastUpdated>2018-08-16T04:46:36.849556Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
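What a TLS 1.2-only template with setClientProtocols="true" does at the registry level, shown as an added PowerShell example (this is not the gist's template or the author's script): it writes the Schannel Enabled/DisabledByDefault values for both the Server and the Client side of each protocol, and then checks them. The registry paths are the standard Schannel ones; the $Apply switch and the function names are this example's own. Run it elevated.

```powershell
# Added example: registry state produced by a TLS 1.2-only Schannel template
# (Server and Client side), plus a verification pass. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Apply = $false   # set to $true to write the settings; $false only reports

# Protocol -> desired state. Pre-2016 servers have no TLS 1.3, so TLS 1.2 is
# the only protocol left enabled.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    $protoKey = Join-Path $base $Name
    if (-not (Test-Path $protoKey)) { New-Item -Path $protoKey | Out-Null }
    foreach ($side in 'Server', 'Client') {     # Client too: setClientProtocols="true"
        $key = Join-Path $protoKey $side
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally keeps
        # it off for callers that do not ask for it explicitly.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Test-SchannelProtocols {
    # Returns one line per protocol/side whose registry state does not match $desired.
    # A missing key means "OS default", which differs between 2008 R2 and 2012 and
    # leaves TLS 1.0 on, so an absent key is reported as a finding rather than trusted.
    $bad = @()
    foreach ($proto in $desired.Keys) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $proto) $side
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = if ($null -ne $p -and $null -ne $p.Enabled) { $p.Enabled -ne 0 } else { $null }
            if ($enabled -ne $desired[$proto]) { $bad += "$proto/$side (Enabled=$($p.Enabled))" }
        }
    }
    return $bad
}

if ($Apply) {
    foreach ($proto in $desired.Keys) { Set-SchannelProtocol -Name $proto -Enabled $desired[$proto] }
    Write-Host 'Schannel protocol settings written; a reboot is required before they take effect.'
}
$findings = Test-SchannelProtocols
if ($findings) { $findings | ForEach-Object { Write-Warning "Mismatch: $_" } }
else { Write-Host 'Only TLS 1.2 is enabled, for both server and client use.' }
```

The Client side is the part people forget: once TLS 1.0 and 1.1 are off there, every outbound connection from the box (SQL Server clients, RDP to older hosts, .NET applications targeting a framework before 4.6) must be able to speak TLS 1.2, which for older .NET code means the ServicePointManager or SchUseStrongCrypto opt-in rather than the framework defaults.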
@JimWolff
JimWolff / bbp_http2fs_tls1.2only_win2k16-2018-04-18.ictpl
Last active Apr 18, 2018
IISCrypto template for enabling HTTP/2 on Windows Server 2016; restricts protocol use to TLS 1.2 to achieve a grade A+ on the Qualys server test when HSTS is enabled. Broader-support version located here: https://gist.github.com/JimWolff/d8ea8ee58360f75c9283c6d74165774b (this template is used in my autofix SSL script here: https://gist.github.com/JimW…
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practise (restricted to TLS1.2), prioritize HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-04-18T10:45:11.0463186Z</lastUpdated>
<description>Using best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 not to use blacklisted cipher suites; prioritises suites to ensure FS; uses TLS 1.2 only to achieve a grade A+ on IIS in Win2k16 with HSTS enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
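To verify the two properties this template's description aims at on a Windows Server 2016 box (forward secrecy for every suite, and a top-priority suite that an HTTP/2 client will accept), here is an added PowerShell example; it is not code from the gist. It reads the live order with the built-in Get-TlsCipherSuite cmdlet and classifies each suite by name. The classification rule (ephemeral key exchange plus an AEAD cipher, which is what RFC 7540 Appendix A leaves off its black list) and the function names are this example's own; the fallback list is constructed sample data for machines without the TLS module.

```powershell
# Added example: classify the Schannel cipher-suite order for forward secrecy
# and HTTP/2 acceptability. Names follow the IANA TLS_..._WITH_... convention.

function Test-Http2Suite {
    # $true when a suite is acceptable for HTTP/2 over TLS 1.2: (EC)DHE key
    # exchange and an AEAD cipher (GCM, CCM or ChaCha20-Poly1305). TLS 1.3 suites
    # (TLS_AES_*, TLS_CHACHA20_*) are always ephemeral and AEAD.
    param([string]$Name)
    if ($Name -match '^TLS_(AES|CHACHA20)_') { return $true }
    $ephemeral = $Name -match '_(ECDHE|DHE)_'
    $aead      = $Name -match '_(GCM|CCM|CCM_8|CHACHA20_POLY1305)(_|$)'
    return ($ephemeral -and $aead)
}

function Test-ForwardSecrecy {
    param([string]$Name)
    return ($Name -match '_(ECDHE|DHE)_') -or ($Name -match '^TLS_(AES|CHACHA20)_')
}

function Get-SuiteReport {
    # One object per suite, in the priority order Schannel will offer them.
    param([string[]]$Suites)
    $i = 0
    foreach ($s in $Suites) {
        $i++
        [pscustomobject]@{
            Priority       = $i
            Name           = $s
            ForwardSecrecy = Test-ForwardSecrecy $s
            Http2Ok        = Test-Http2Suite $s
        }
    }
}

if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $order = (Get-TlsCipherSuite).Name          # live order, highest priority first
} else {
    # Constructed sample order (not from any real host) so the report runs offline.
    $order = @(
        'TLS_RSA_WITH_AES_128_GCM_SHA256',          # AEAD but static RSA: no FS, HTTP/2 black-listed
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',    # FS but CBC: HTTP/2 black-listed
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'   # FS and AEAD: fine
    )
}

$report = @(Get-SuiteReport -Suites $order)
$report | Format-Table -AutoSize

# The first suite matters most: a client that negotiated "h2" via ALPN and then
# lands on a black-listed suite may refuse the connection (Chrome reports
# ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY).
if (-not $report[0].Http2Ok) { Write-Warning "Top suite $($report[0].Name) is on the HTTP/2 black list" }
$report | Where-Object { -not $_.ForwardSecrecy } | ForEach-Object { Write-Warning "No forward secrecy: $($_.Name)" }

# To change the order rather than just report it, the same module provides e.g.
#   Enable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -Position 0
#   Disable-TlsCipherSuite -Name TLS_RSA_WITH_3DES_EDE_CBC_SHA
```

Note that a cipher-suite order pushed by Group Policy (SSL Configuration Settings) overrides whatever the local registry or IISCrypto wrote, so check gpresult before concluding that a template was not applied.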
@JimWolff
JimWolff / bbp_http2fs_win2k16-2018-03-12.ictpl
Last active Apr 18, 2018
IISCrypto template optimized for Windows Server 2016 to enable HTTP/2 and disable blacklisted cipher suites, plus updated with the newest weak ciphers disabled (this template is used in my autofix SSL script here: https://gist.github.com/JimWolff/fc35d863db8971b2a73c96f90c5002e4 )
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practice, prio HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-03-12T12:45:11.0463186Z</lastUpdated>
<description>Using best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 not to use blacklisted cipher suites; prioritises suites to ensure FS</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
JimWolff / bpp_2018-03-12.ictpl
Last active Aug 17, 2018
IISCrypto template file, best practice with removal of the newest ciphers determined weak by Qualys SSL Labs
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_Pre2016Server</name>
<author>Jim Wolff</author>
<lastUpdated>2018-03-12T12:45:51.3047731Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
JimWolff / iota generator.linq
Last active Feb 1, 2018
This C# code is meant to be used with LINQPad, which is free to download at https://www.linqpad.net/; you can also use the source with any IDE/compiler that speaks C# (although the .Dump() command used is LINQPad-specific and should be switched to something like Console.WriteLine() when using something like Visual Studio Code).
// It's open source, so any comments on the security or anything else are welcome. Provided free of charge, but use this piece of code at your own risk; I am not liable for any damages.
const bool useRealRandom = true;
Random globalRand = new Random(); // Not a true-random (cryptographic) generator: on the .NET Framework System.Random is seeded from the system clock.
//using System.Net
void Main()
{
// user configurable values
// numberOfTimesToScramble shouldn't really make things "more random", since the time seed already makes it random, but I just want to provide several "knobs" for users to turn, to make it different for each user.
const int numberOfTimesToScramble = 13; // 1 or above.
const int minChunkSize = 4; // recommended 3-7
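The security comment the gist invites: scrambling the output of a clock-seeded System.Random any number of times cannot add entropy beyond the seed, so a seed generator should draw from the OS CSPRNG instead. Here is an added PowerShell example of that (not the gist's code, and not a port of it): it builds an 81-character seed from the 27-character tryte alphabet with RandomNumberGenerator and rejection sampling. The alphabet, the length and the function names are this example's assumptions about the format.

```powershell
# Added example: CSPRNG-backed seed over a 27-character alphabet, with rejection
# sampling so every character is equally likely (256 mod 27 = 13, so plain
# "byte mod 27" would favour the first 13 characters).
$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ9'   # assumed tryte alphabet

function New-RandomSeed {
    param([string]$Chars = $Alphabet, [int]$Length = 81)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $n     = $Chars.Length
    $limit = 256 - (256 % $n)    # largest multiple of $n that fits in a byte
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Discard bytes at or above $limit; the rest map uniformly onto the alphabet.
        if ($buf[0] -lt $limit) { [void]$sb.Append($Chars[$buf[0] % $n]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Test-SeedFormat {
    # Format check only: right length and nothing outside the alphabet.
    param([string]$Seed, [string]$Chars = $Alphabet, [int]$Length = 81)
    if ($Seed.Length -ne $Length) { return $false }
    foreach ($c in $Seed.ToCharArray()) { if ($Chars.IndexOf($c) -lt 0) { return $false } }
    return $true
}

$seed = New-RandomSeed
if (-not (Test-SeedFormat $seed)) { throw 'generated seed failed the format check' }
$seed   # shown on the console only; handle it like a private key from here on
```

The rejection loop discards roughly 5% of bytes (13 of 256), which is negligible for 81 characters; what it buys is that no character is ever more likely than another, which the "scramble N times" approach cannot guarantee.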
JimWolff / bbp_http2fs_win2k16-20-06-2017.ictpl
Last active Apr 18, 2018
IISCrypto template optimized for Windows Server 2016 to enable HTTP/2 and disable blacklisted cipher suites. (This script is deprecated; please refer to: https://gist.github.com/JimWolff/d8ea8ee58360f75c9283c6d74165774b )
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practice, prio HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2017-06-20T23:12:11.0463186Z</lastUpdated>
<description>Using best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 not to use blacklisted cipher suites; prioritises suites to ensure FS</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
JimWolff / TailNewestFileInDir
Last active Jul 7, 2017
PowerShell script that tails the newest file in the current directory and waits for more content; good for watching the newest log file in a directory.
# Tail the newest *.txt/*.log in the current directory and follow it as it grows.
Clear-Host
# Sort by LastWriteTime rather than LastAccessTime: NTFS last-access updates are
# commonly disabled (NtfsDisableLastAccessUpdate), so access time does not
# reliably identify the newest log; the last write does.
$a = Get-ChildItem -Path "$(Get-Location)\*" -Include *.txt,*.log |
     Sort-Object LastWriteTime -Descending |
     Select-Object -First 1
$host.UI.RawUI.WindowTitle = $a.FullName
Get-Content $a.FullName -Tail 10 -Wait
JimWolff / FixSSLSecurity.ps1
Last active Mar 26, 2019
Downloads the IISCrypto CLI and uses a custom template based on best practice to fix SSL security on servers; enables HTTP/2 on Win2k16 servers and achieves grade A+ in the Qualys SSL Server Test if using the TLS 1.2-only template.
# 2018-08-17: reintroduced templates for 2012 with ciphers 0x9C and 0x9D (TLS_RSA_WITH_AES_128_GCM_SHA256 / TLS_RSA_WITH_AES_256_GCM_SHA384). They are considered weak (static RSA key exchange, no forward secrecy), but are the only AEAD ciphers available on 2012 at the moment.
# 2018-08-16: added some extra steps like enabling OCSP for SNI, added a TLS 1.2-only option for pre-Win2k16 as well, added a check to see whether HTTP/2 was disabled.
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Host "Starting as administrator and using Bypass ExecutionPolicy.";Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }
# Go to a location we have write access to.
Set-Location ~\Downloads
# Global variables and settings.
# 192 | 768 | 3072 = SecurityProtocolType Tls | Tls11 | Tls12. .NET does not enable TLS 1.1 and 1.2 by default, but can use them as long as .NET 4.5 is installed; we need them to download from sites that only allow TLS 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = 192 -bor 768 -bor 3072
$icDownloadUrl = "http:/
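Two pre-flight checks a script of this kind needs before it touches Schannel, shown as an added PowerShell example (not the gist's code): whether HTTP/2 has been switched off in http.sys, which the 2018-08-16 note says the script checks, and whether the .NET Framework on the box will still talk TLS 1.2 outbound once TLS 1.0/1.1 are disabled, which is what the numeric ServicePointManager line works around for the script's own process. The registry locations are Microsoft's documented ones; the function names are this example's own.

```powershell
# Added example: HTTP/2 and .NET TLS pre-flight checks for a Schannel hardening script.

function Test-Http2Enabled {
    # http.sys honours EnableHttp2Tls / EnableHttp2Cleartext under HTTP\Parameters.
    # On Server 2016 an absent value means enabled; 0 means disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $tls   = if ($null -eq $p -or $null -eq $p.EnableHttp2Tls)       { $true } else { $p.EnableHttp2Tls -ne 0 }
    $clear = if ($null -eq $p -or $null -eq $p.EnableHttp2Cleartext) { $true } else { $p.EnableHttp2Cleartext -ne 0 }
    [pscustomobject]@{ Http2OverTls = $tls; Http2Cleartext = $clear }
}

function Test-DotNetTlsDefaults {
    # .NET 4.x applications that rely on framework defaults only offer TLS 1.2
    # automatically when SchUseStrongCrypto=1 (4.5/4.6) or SystemDefaultTlsVersions=1
    # (4.7+) is set; both the 64-bit and the WOW64 key must be checked.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = [bool]($p.SchUseStrongCrypto)
            SystemDefaultTlsVersions = [bool]($p.SystemDefaultTlsVersions)
        }
    }
}

$h2 = Test-Http2Enabled
if (-not $h2.Http2OverTls) { Write-Warning 'HTTP/2 over TLS is disabled in http.sys (EnableHttp2Tls=0); the cipher-suite work for h2 will not matter until it is re-enabled.' }

$net = @(Test-DotNetTlsDefaults)
$net | Format-Table -AutoSize
if ($net | Where-Object { -not ($_.SchUseStrongCrypto -or $_.SystemDefaultTlsVersions) }) {
    Write-Warning '.NET applications using framework defaults will lose outbound TLS once TLS 1.0/1.1 are disabled; set SchUseStrongCrypto=1 (or SystemDefaultTlsVersions=1) in both keys, or have each application opt in.'
}

# The per-process opt-in the script uses, with the enum names instead of 192|768|3072:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor
                                              [Net.SecurityProtocolType]::Tls11 -bor
                                              [Net.SecurityProtocolType]::Tls
```

The ServicePointManager assignment only affects the PowerShell process running the script, which is enough for its own downloads; other .NET services on the host need the registry opt-in or a code change, which is why the check is worth doing before the protocols are disabled rather than after the first outage.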
JimWolff / bpp_2017-06-19.ictpl
Created Jun 19, 2017
IISCrypto template file, best practice "plus", with extra removal of the newest ciphers determined weak
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_2017-09-19</name>
<author>Jim Wolff</author>
<lastUpdated>2017-06-19T06:34:51.3047731Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
JimWolff / CheckInstalled.NetVersion.ps1
Created Jun 19, 2017
PowerShell to check which .NET Framework version is installed
# credit: https://stackoverflow.com/a/3495491/665879
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse |
Get-ItemProperty -name Version,Release -EA 0 |
Where { $_.PSChildName -match '^(?!S)\p{L}'} |
Select PSChildName, Version, Release, @{
name="Product"
expression={
switch -regex ($_.Release) {
"378389" { [Version]"4.5" }
"378675|378758" { [Version]"4.5.1" }