Cryptographic Protocol Configuration
<#
.SYNOPSIS
DSC configuration script for hardening cryptographic protocols.
#>
# Cipher suites/algorithms whose SChannel "Enabled" value is forced to 0.
$disableCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 128/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128'
)

# Ciphers whose SChannel "Enabled" value is forced to 0xFFFFFFFF.
# NOTE(review): Triple DES stays enabled here (and TLS_RSA_WITH_3DES_EDE_CBC_SHA
# is in the suite order below) — confirm that matches the intended baseline.
$enableCiphers = @(
    'AES 128/128',
    'AES 256/256',
    'Triple DES 168/168'
)

# Hash algorithms left enabled; "SHA" is the SHA-1 entry. MD5 is disabled separately.
$enableHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)

# Key-exchange algorithms left enabled; Diffie-Hellman is disabled separately.
$keyExchangeAlgorithms = @(
    'ECDH',
    'PKCS'
)

# Protocols disabled for both Client and Server (Enabled = 0, DisabledByDefault = 1).
$disableProtocols = @(
    'SSL 2.0',
    'SSL 3.0',
    'Multi-Protocol Unified Hello',
    'PCT 1.0',
    'TLS 1.0'
)

# Protocols enabled for both Client and Server (Enabled = 0xFFFFFFFF, DisabledByDefault = 0).
$enableProtocols = @(
    'TLS 1.1',
    'TLS 1.2'
)
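Configuration SChannel {
    # DSC configuration that pins the SChannel cipher, hash, key-exchange and
    # protocol registry values, plus the TLS cipher-suite order policy.
    # Reads the script-scope lists $disableCiphers, $enableCiphers, $enableHashes,
    # $keyExchangeAlgorithms, $disableProtocols and $enableProtocols; each list
    # entry becomes the DSC instance name of one registry resource.
    #
    # Every SChannel "Enabled"/"DisabledByDefault" value is written with an
    # explicit ValueType = "Dword": the Registry resource defaults ValueType to
    # String when it is omitted, and a REG_SZ "0" is not the REG_DWORD flag
    # SChannel expects, so the setting would silently not apply.
    #
    # The experimental xPSDesiredStateConfiguration module is imported for the
    # xRegistry resource, which accepts cipher subkey names containing forward
    # slashes (e.g. "RC4 128/128") that the stock Registry resource treats as a
    # path separator.
    Import-DscResource -moduleName xPSDesiredStateConfiguration

    #region- SChannel
    #region- Ciphers
    # Disabled ciphers: Enabled = 0.
    foreach ($cipher in $disableCiphers) {
        xRegistry $cipher {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueData = 0
            ValueType = "Dword"
        }
    }

    # Enabled ciphers: Enabled = 0xFFFFFFFF (written as hex).
    # NOTE(review): "Triple DES 168/168" is in $enableCiphers — confirm 3DES is
    # meant to stay on for this baseline.
    foreach ($cipher in $enableCiphers) {
        xRegistry $cipher {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }
    #endregion- Ciphers

    #region- Hashes
    # Enabled hash algorithms: Enabled = 0xFFFFFFFF. "SHA" is the SHA-1 entry.
    foreach ($hash in $enableHashes) {
        Registry $hash {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }

    # Disable the MD5 hashing algorithm. ValueType is explicit so the 0 lands
    # as REG_DWORD rather than the resource's String default.
    Registry MD5 {
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5"
        ValueName = "Enabled"
        Ensure    = "Present"
        Force     = $True
        ValueData = "0"
        ValueType = "Dword"
    }
    #endregion- Hashes

    #region- KEX
    # Enabled key-exchange algorithms: Enabled = 0xFFFFFFFF.
    foreach ($alg in $keyExchangeAlgorithms) {
        Registry $alg {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\keyExchangeAlgorithms\$alg"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
    }

    # Disable the Diffie-Hellman key-exchange algorithm (ECDH stays enabled via
    # the loop above; no DHE suites appear in the cipher-suite order below).
    # ValueType is explicit for the same reason as MD5.
    Registry DiffieHellman {
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\keyExchangeAlgorithms\Diffie-Hellman"
        ValueName = "Enabled"
        Ensure    = "Present"
        Force     = $True
        ValueData = "0"
        ValueType = "Dword"
    }
    #endregion- KEX

    #region 00010002
    # Cipher-suite priority list under the SSL configuration policy key. The
    # "Functions" value is a comma-separated string, so ValueType = "String"
    # is correct here (this is the one non-DWORD value in the configuration).
    Registry Functions_Policies {
        Key       = "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
        ValueName = "Functions"
        Ensure    = "Present"
        Force     = $True
        ValueData = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
        ValueType = "String"
    }
    #endregion

    #region disable SSL 2,3 and TLS 1.0
    # For each disabled protocol, both the Client and Server subkeys get
    # Enabled = 0 and DisabledByDefault = 1. Instance names embed the protocol
    # so the four resources per protocol stay unique.
    foreach ($protocol in $disableProtocols) {
        Registry "Client-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueType = "Dword"
            ValueData = "0"
        }
        Registry "Client-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueType = "Dword"
            ValueData = "0x00000001"
        }
        Registry "Server-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
        Registry "Server-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0x00000001"
            ValueType = "Dword"
        }
    }
    #endregion- Disable SSL 2,3, and TLS 1

    #region- enable TLS 1.1 and 1.2
    # For each enabled protocol, both subkeys get Enabled = 0xFFFFFFFF and
    # DisabledByDefault = 0. The DisabledByDefault resources carry an explicit
    # ValueType = "Dword" so "0" is not written as REG_SZ.
    foreach ($protocol in $enableProtocols) {
        Registry "Client-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "Enabled"
            Ensure    = "Present"
            Hex       = $True
            Force     = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
        Registry "Client-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
        Registry "Server-Enabled$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "Enabled"
            Ensure    = "Present"
            Force     = $True
            Hex       = $True
            ValueData = "0xFFFFFFFF"
            ValueType = "Dword"
        }
        Registry "Server-DBD$protocol" {
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
            ValueName = "DisabledByDefault"
            Ensure    = "Present"
            Force     = $True
            ValueData = "0"
            ValueType = "Dword"
        }
    }
    #endregion- enable TLS 1.1 and 1.2
    #endregion- Schannel
}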