Cryptographic Protocol Configuration
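<#
.SYNOPSIS
    DSC configuration script for hardening cryptographic protocols (Schannel).

.DESCRIPTION
    Declares the cipher, hash, key-exchange and protocol allow/deny lists that
    the SChannel configuration further down turns into registry resources.
    Change policy by editing these lists, not the resource blocks.

    Review notes on the policy as written (left as the author set it; confirm
    against the clients and servers you must interoperate with before
    tightening):
      - 'Triple DES 168/168' is a 64-bit block cipher and is generally
        considered weak (birthday-bound attacks on long-lived connections).
      - "SHA" under Hashes is SHA-1. It is still required for the HMAC used by
        TLS 1.0/1.1 and by the *_SHA cipher suites, which is why it stays on.
      - "TLS 1.1" is deprecated (RFC 8996); TLS 1.2 alone is the usual target.
#>

# Ciphers that are explicitly disabled (Enabled = 0). Names with a forward
# slash must go through the xRegistry resource; see the configuration.
$disableCiphers = @('DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

# Ciphers that are explicitly enabled (Enabled = 0xFFFFFFFF).
$enableCiphers = @('AES 128/128', 'AES 256/256', 'Triple DES 168/168')

# Hash algorithms that are explicitly enabled; MD5 is disabled separately.
$enableHashes = @("SHA", "SHA256", "SHA384", "SHA512")

# Key-exchange algorithms that are explicitly enabled; Diffie-Hellman is
# disabled separately, so only ECDH and RSA (PKCS) key exchange remain.
$keyExchangeAlgorithms = @("ECDH", "PKCS")

# Protocols disabled for both the Client and Server roles.
$disableProtocols = @("SSL 2.0", "SSL 3.0", "Multi-Protocol Unified Hello", "PCT 1.0", "TLS 1.0")

# Protocols enabled for both the Client and Server roles.
$enableProtocols = @("TLS 1.1", "TLS 1.2")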
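Configuration SChannel {
    # The experimental xPSDesiredStateConfiguration module is imported for its
    # xRegistry resource, which accepts key paths that contain forward slashes
    # (cipher names such as "RC2 128/128"). The built-in Registry resource is
    # used for every other key.
    Import-DscResource -ModuleName xPSDesiredStateConfiguration

    # Every Schannel "Enabled"/"DisabledByDefault" flag is a REG_DWORD: 0 turns
    # the item off, 0xFFFFFFFF (or 1) turns it on. ValueType is therefore set
    # to "Dword" on every resource below; the Registry resource defaults to
    # "String", which would write a REG_SZ rather than the DWORD Schannel reads.

    #region SChannel

    #region Ciphers
    foreach ($cipher in $disableCiphers) {
        xRegistry $cipher {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueData = 0
            ValueType = "Dword"
        }
    }

    foreach ($cipher in $enableCiphers) {
        xRegistry $cipher {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }
    #endregion Ciphers

    #region Hashes
    foreach ($hash in $enableHashes) {
        Registry $hash {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }

    # Disable the MD5 hashing algorithm. ValueType was previously omitted here,
    # so "0" would have been written as REG_SZ instead of REG_DWORD.
    Registry MD5 {
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5"
        ValueName = "Enabled"
        Ensure    = "Present"
        Force     = $True
        ValueData = "0"
        ValueType = "Dword"
    }
    #endregion Hashes

    #region Key exchange
    foreach ($alg in $keyExchangeAlgorithms) {
        Registry $alg {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\keyExchangeAlgorithms\$alg"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }

    # Disable the (finite-field) Diffie-Hellman key exchange. This removes the
    # DHE_* suites; ECDHE suites are unaffected because ECDH stays enabled.
    # ValueType was previously omitted here as well.
    Registry DiffieHellman {
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\keyExchangeAlgorithms\Diffie-Hellman"
        ValueName = "Enabled"
        Ensure    = "Present"
        Force     = $True
        ValueData = "0"
        ValueType = "Dword"
    }
    #endregion Key exchange

    #region Cipher suite order (policy key 00010002)
    # Comma-separated REG_SZ read by the "SSL Cipher Suite Order" policy; the
    # first entry is the most preferred. Being a Policies key it overrides the
    # local Schannel configuration. Note for reviewers: the list still ends
    # with TLS_RSA_WITH_3DES_EDE_CBC_SHA and includes non-forward-secret
    # TLS_RSA_* and CBC suites; drop them once legacy clients no longer need
    # them.
    Registry Functions_Policies {
        Key       = "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
        ValueName = "Functions"
        Ensure    = "Present"
        Force     = $True
        ValueData = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
        ValueType = "String"
    }
    #endregion Cipher suite order

    #region Disable SSL 2.0/3.0, PCT 1.0, Unified Hello and TLS 1.0
    # Each protocol is switched off for both roles: Enabled = 0 and
    # DisabledByDefault = 1 under ...\Protocols\<name>\Client and \Server.
    foreach ($protocol in $disableProtocols) {
        Registry "Client-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueType = "Dword"
            ValueData = "0"
        }
        Registry "Client-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueType = "Dword"
            ValueData = "0x00000001"
        }
        Registry "Server-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
        Registry "Server-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0x00000001"
            ValueType = "Dword"
        }
    }
    #endregion Disable SSL 2.0/3.0, PCT 1.0, Unified Hello and TLS 1.0

    #region Enable TLS 1.1 and TLS 1.2
    # Mirror image of the block above: Enabled = 0xFFFFFFFF and
    # DisabledByDefault = 0 for both roles. The two DisabledByDefault resources
    # previously lacked ValueType and would have written REG_SZ "0".
    foreach ($protocol in $enableProtocols) {
        Registry "Client-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "Enabled"
            Ensure    = "Present"
            Hex       = $True
            Force     = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
        Registry "Client-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
        Registry "Server-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
        Registry "Server-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
    }
    #endregion Enable TLS 1.1 and TLS 1.2

    #endregion SChannel
}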