
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_Pre2016Server_tls1.2only</name>
<author>Jim Wolff</author>
<lastUpdated>2018-08-16T04:46:36.849556Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might otherwise still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practise (restricted to TLS1.2), prioritize HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-04-18T10:45:11.0463186Z</lastUpdated>
<description>Uses best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 to avoid blacklisted cipher suites; prioritises suites to ensure forward secrecy (FS), and uses TLS 1.2 only to achieve a grade A+ on IIS in win2k16 with HSTS enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practice, prio HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-03-12T12:45:11.0463186Z</lastUpdated>
<description>Uses best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 to avoid blacklisted cipher suites; prioritises suites to ensure forward secrecy (FS).</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_Pre2016Server</name>
<author>Jim Wolff</author>
<lastUpdated>2018-03-12T12:45:51.3047731Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might otherwise still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
// This script is open source, so comments on its security or anything else are welcome. It is provided free of charge; use this piece of code at your own risk — the author is not liable for any damages.
// NOTE(review): presumably switches Main to a cryptographically secure RNG instead of globalRand — confirm in the rest of the script, which is not shown here.
const bool useRealRandom = true;
// System.Random is a seeded pseudo-random generator, not a cryptographically secure one; on its own it is not suitable for producing secret material such as a wallet seed.
Random globalRand = new Random(); // non true-random function.
//using System.Net
void Main()
{
// user configurable values
// numberOfTimesToScramble shouldn't really make things "more random" since the time seed already makes it random, but i just want to provide several "knobs" for users to turn, to make it different for each user.
const int numberOfTimesToScramble = 13; // 1 or above.
const int minChunkSize = 4; // recommended 3-7
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practice, prio HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2017-06-20T23:12:11.0463186Z</lastUpdated>
<description>Uses best practices, but TLS_ECDHE_ECDSA is prioritised because it is needed for HTTP/2 to avoid blacklisted cipher suites; prioritises suites to ensure forward secrecy (FS).</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
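# Tail the most recently written .txt/.log file in the current directory.
# Newest is determined by LastWriteTime rather than LastAccessTime: NTFS last-access
# tracking is commonly disabled, so LastAccessTime is often stale and would pick the wrong file.
Clear-Host
$newest = Get-ChildItem -Path "$(Get-Location)\*" -Include *.txt, *.log -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if ($null -eq $newest) {
    # Without this guard the title would be set to an empty value and Get-Content would error on a null path.
    Write-Warning "No .txt or .log files found in $(Get-Location)."
}
else {
    # Show which file is being followed in the console title.
    $host.UI.RawUI.WindowTitle = $newest.FullName
    Get-Content -Path $newest.FullName -Tail 10 -Wait
}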
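# 2018-08-17 reintroduced templates for 2012 with ciphers: 0x9C, 0x9D they are considered weak, but are the only AEAD ciphers available for 2012 atm.
# (0x9C/0x9D are TLS_RSA_WITH_AES_128_GCM_SHA256 / TLS_RSA_WITH_AES_256_GCM_SHA384: AEAD, but RSA key exchange, so no forward secrecy.)
# updated 2018-08-16 with some extra steps like enabling OCSP for SNI, added TLS1.2 only option for pre win2k16 aswell, added check to see if HTTP/2 was disabled.
# Self-elevate when not already running as Administrator (presumably required by the Schannel changes further down — confirm against the rest of the script).
# -ExecutionPolicy Bypass applies only to the relaunched elevated child; execution policy is a convenience setting, not a security boundary.
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Host "Starting as administrator and using Bypass ExecutionPolicy.";Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }
# Go to a location we have write access to.
# -ErrorAction Stop: Set-Location only raises a non-terminating error when the path is missing,
# so without it the script would carry on and download into whatever the current directory happens to be.
Set-Location -Path ~\Downloads -ErrorAction Stop
# Global variables and settings.
# SecurityProtocolType values: 192 = Tls (1.0), 768 = Tls11, 3072 = Tls12. Numeric values are used because the
# Tls11/Tls12 enum names are only present once .NET 4.5 is installed. This setting only affects this script's
# outbound HTTPS downloads (the process-level .NET client), not the server's Schannel configuration.
[System.Net.ServicePointManager]::SecurityProtocol = 192 -bor 768 -bor 3072 # .Net doesn't enable tls1.1 and 1.2 by default, but can run it as long as .net 4.5 is installed. Which we need to download from sites that only allows tls1.2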
$icDownloadUrl = "http:/
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>BestPracticePlus_2017-09-19</name>
<author>Jim Wolff</author>
<lastUpdated>2017-06-19T06:34:51.3047731Z</lastUpdated>
<description>Follows best practice, but also removes weak ciphers that might otherwise still be enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
# credit: https://stackoverflow.com/a/3495491/665879
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse |
Get-ItemProperty -name Version,Release -EA 0 |
Where { $_.PSChildName -match '^(?!S)\p{L}'} |
Select PSChildName, Version, Release, @{
name="Product"
expression={
switch -regex ($_.Release) {
"378389" { [Version]"4.5" }
"378675|378758" { [Version]"4.5.1" }