PowerShell script for disabling SSLv3 - Refactored
# MS Security bulletin: https://technet.microsoft.com/en-us/library/security/3009008.aspx
# Azure post where this script originally came from: http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/
#
#
# NOTE: This registry change requires that the server be restarted. The script
# will detect if a change is applied and AUTOMATICALLY reboot the server.
# If you don't want an automatic reboot, comment out the final section of the
# script before running!
Function Ensure-RegKeyExists {
    <#
    .SYNOPSIS
    Creates the registry key at $key when it does not already exist.
    .PARAMETER key
    Registry provider path (e.g. an HKLM:\ path) of the key to ensure.
    .OUTPUTS
    None; New-Item's output is suppressed. Writing under HKLM: needs an elevated session.
    #>
    param (
        $key
    )
    $present = Test-Path -Path $key
    If (-not $present) {
        $null = New-Item -Path $key
    }
}
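Function Set-RegKey {
    <#
    .SYNOPSIS
    Ensures registry value $value under $key holds $valuedata, creating the key
    and the value when they are missing.
    .PARAMETER key
    Registry key path; created via Ensure-RegKeyExists when absent.
    .PARAMETER value
    Name of the registry value to check and, if needed, set.
    .PARAMETER valuedata
    Desired data for the value.
    .PARAMETER valuetype
    Registry data type (e.g. DWord); only used when the value has to be created.
    .PARAMETER restart
    Accumulated "something changed" flag from earlier calls; returned as-is when
    this call changes nothing.
    .OUTPUTS
    $True when this call created or changed the value, otherwise the $restart it
    was given.
    #>
    param (
        $key,
        $value,
        $valuedata,
        $valuetype,
        $restart
    )
    # Check for existence of registry key, and create if it does not exist
    Ensure-RegKeyExists $key
    # Current data of the value, or $null if it does not exist. SilentlyContinue
    # also hides other read errors (e.g. access denied), which would then look
    # like a missing value; run elevated so that cannot happen.
    $current = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
    # $null goes on the left: with a collection on the left, -eq filters the
    # collection instead of testing it, so "$val -eq $null" can be silently wrong.
    If ($null -eq $current) {
        # Value does not exist - create and set to desired value
        New-ItemProperty -Path $key -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
        $restart = $True
    } ElseIf ($current -ne $valuedata) {
        # Value exists but differs - change it. NOTE(review): the comparison uses
        # the existing data's type on the left, so a REG_SZ "0" compared with
        # DWord 0 counts as equal and is left alone; confirm the type if a value
        # was pre-created by other tooling.
        Set-ItemProperty -Path $key -Name $value -Value $valuedata
        $restart = $True
    }
    return $restart
}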
# Becomes $True as soon as Set-RegKey creates or changes a value; SCHANNEL only
# reads these keys at boot, so a reboot is scheduled at the end when it is set.
$reboot = $False

# SCHANNEL protocol keys. Each protocol has a Client subkey (this host acting as
# TLS client) and a Server subkey (this host accepting connections).
$SSL2_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0"
$SSL2_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client"
$SSL2_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
$SSL3_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"
$SSL3_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
$SSL3_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"

# Parent keys are created up front; the Client/Server subkeys are created by
# Set-RegKey on demand.
Ensure-RegKeyExists $SSL2_Parent_Key
Ensure-RegKeyExists $SSL3_Parent_Key

# Client side: DisabledByDefault=1 stops the protocol from being offered unless an
# application explicitly opts in (an application can still request it; setting
# Enabled=0 on the Client subkeys as well would remove that option).
# Server side: Enabled=0 switches the protocol off for all incoming connections.
$reboot = Set-RegKey $SSL2_Client_Key DisabledByDefault 1 DWord $reboot
$reboot = Set-RegKey $SSL2_Server_Key Enabled 0 DWord $reboot
$reboot = Set-RegKey $SSL3_Client_Key DisabledByDefault 1 DWord $reboot
$reboot = Set-RegKey $SSL3_Server_Key Enabled 0 DWord $reboot

# Reboot only if something actually changed. /f forces running applications to
# close, /d p:2:4 records a planned-shutdown reason code. Comment this block out
# to reboot manually instead.
If ($reboot) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}