Last active
August 17, 2018 07:50
-
-
Save JimWolff/cb86f299f16924363da43630a817438b to your computer and use it in GitHub Desktop.
IISCrypto template for pre windows server 2016, restricts protocol use to TLS 1.2. Boarder support version located here: https://gist.github.com/JimWolff/f6969253fb23744ea2bfae57d8b990b1 (template used in autofix security script here: https://gist.github.com/JimWolff/fc35d863db8971b2a73c96f90c5002e4)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-16"?> | |
| <iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0"> | |
| <header> | |
| <name>BestPracticePlus_Pre2016Server_tls1.2only</name> | |
| <author>Jim Wolff</author> | |
| <lastUpdated>2018-08-16T04:46:36.849556Z</lastUpdated> | |
| <description>Follows best practise, but also removed weak ciphers that might still be enabled.</description> | |
| <builtIn>false</builtIn> | |
| </header> | |
| <schannel setClientProtocols="true"> | |
| <clientProtocols> | |
| <schannelItem name="Multi-Protocol Unified Hello" state="Disabled" /> | |
| <schannelItem name="PCT 1.0" state="Disabled" /> | |
| <schannelItem name="SSL 2.0" state="Disabled" /> | |
| <schannelItem name="SSL 3.0" state="Disabled" /> | |
| <schannelItem name="TLS 1.0" state="Disabled" /> | |
| <schannelItem name="TLS 1.1" state="Disabled" minimumOSVersion="Windows2008R2" /> | |
| <schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" /> | |
| </clientProtocols> | |
| <serverProtocols> | |
| <schannelItem name="Multi-Protocol Unified Hello" state="Disabled" /> | |
| <schannelItem name="PCT 1.0" state="Disabled" /> | |
| <schannelItem name="SSL 2.0" state="Disabled" /> | |
| <schannelItem name="SSL 3.0" state="Disabled" /> | |
| <schannelItem name="TLS 1.0" state="Disabled" /> | |
| <schannelItem name="TLS 1.1" state="Disabled" minimumOSVersion="Windows2008R2" /> | |
| <schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" /> | |
| </serverProtocols> | |
| <ciphers> | |
| <schannelItem name="NULL" state="Disabled" /> | |
| <schannelItem name="DES 56/56" state="Disabled" /> | |
| <schannelItem name="RC2 40/128" state="Disabled" /> | |
| <schannelItem name="RC2 56/128" state="Disabled" /> | |
| <schannelItem name="RC2 128/128" state="Disabled" /> | |
| <schannelItem name="RC4 40/128" state="Disabled" /> | |
| <schannelItem name="RC4 56/128" state="Disabled" /> | |
| <schannelItem name="RC4 64/128" state="Disabled" /> | |
| <schannelItem name="RC4 128/128" state="Disabled" /> | |
| <schannelItem name="Triple DES 168" state="Disabled" /> | |
| <schannelItem name="AES 128/128" state="Enabled" /> | |
| <schannelItem name="AES 256/256" state="Enabled" /> | |
| </ciphers> | |
| <hashes> | |
| <schannelItem name="MD5" state="Enabled" /> | |
| <schannelItem name="SHA" state="Enabled" /> | |
| <schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" /> | |
| <schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" /> | |
| <schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" /> | |
| </hashes> | |
| <keyExchanges> | |
| <schannelItem name="Diffie-Hellman" state="Enabled" /> | |
| <schannelItem name="PKCS" state="Enabled" /> | |
| <schannelItem name="ECDH" state="Enabled" /> | |
| </keyExchanges> | |
| </schannel> | |
| <cipherSuites> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="SSL_CK_RC4_128_WITH_MD5" state="Disabled" /> | |
| <cipherSuiteItem name="SSL_CK_DES_192_EDE3_CBC_WITH_MD5" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_AES_256_GCM_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_AES_128_GCM_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_AES_256_GCM_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_AES_128_GCM_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_AES_256_CBC_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_AES_128_CBC_SHA256" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA384" state="Disabled" /> | |
| <cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA256" state="Disabled" /> | |
| </cipherSuites> | |
| </iisCryptoTemplate> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment