Disable SSL V3 Stuff and set ciphersuites
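<#
.SYNOPSIS
    Server-side SCHANNEL hardening: disables SSL 2.0, SSL 3.0 and PCT 1.0, enables
    TLS 1.0/1.1/1.2, sets which ciphers, hashes and key-exchange algorithms are
    enabled, and writes the TLS cipher suite priority list.

.DESCRIPTION
    Every write goes to HKEY_LOCAL_MACHINE through New-RegistryKey / Set-RegistryValue
    from the mod-posh RegistryLibrary module, so the script has to run elevated.
    SCHANNEL settings are generally only picked up after a reboot, so plan one
    before relying on the new configuration.

.PARAMETER RegistryModulePath
    Location of RegistryLibrary.psm1. Defaults to the path the original script
    hard-coded, so running with no arguments behaves as before.

.NOTES
    Only the ...\Server subkeys under Protocols are touched; client-side (outbound)
    protocol settings are left unchanged.
#>
param(
    [string]$RegistryModulePath = 'C:\projects\mod-posh\powershell\production\includes\RegistryLibrary.psm1'
)

$Protocols = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$Ciphers = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$Hashes = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes"
$KeyExchangeAlgorithms = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms"
$CipherOrder = "SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
$Hive = 'HKEY_LOCAL_MACHINE'
# The SCHANNEL "Enabled" value is a DWORD: 0xFFFFFFFF (4294967295) turns a
# component on, 0 turns it off.
$EnabledValue = 4294967295
$DisabledValue = 0

Import-Module $RegistryModulePath

function Set-SchannelProtocol {
    <#
    .SYNOPSIS
        Enables or disables one SCHANNEL protocol for the server side.
    .PARAMETER Name
        Protocol subkey name, e.g. 'TLS 1.2' or 'SSL 3.0'.
    .PARAMETER Enable
        $true writes DisabledByDefault=0 and Enabled=0xFFFFFFFF;
        $false writes DisabledByDefault=1 and Enabled=0.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    $path = "$Protocols\$Name\Server"
    New-RegistryKey -Hive $Hive -SubKeyName $path
    if ($Enable) {
        $disabledByDefault = 0
        $enabled = $EnabledValue
    } else {
        $disabledByDefault = 1
        $enabled = $DisabledValue
    }
    Set-RegistryValue -Hive $Hive -SubKeyName $path -ValueName 'DisabledByDefault' -ValueType DWORD -Value $disabledByDefault
    Set-RegistryValue -Hive $Hive -SubKeyName $path -ValueName 'Enabled' -ValueType DWORD -Value $enabled
}

function Set-SchannelComponent {
    <#
    .SYNOPSIS
        Enables or disables one cipher, hash or key-exchange algorithm.
    .PARAMETER Base
        Parent key: $Ciphers, $Hashes or $KeyExchangeAlgorithms.
    .PARAMETER Name
        Component subkey name, e.g. 'AES 256/256' or 'MD5'.
    .PARAMETER Enable
        $true writes Enabled=0xFFFFFFFF, $false writes Enabled=0.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Base,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    $path = "$Base\$Name"
    New-RegistryKey -Hive $Hive -SubKeyName $path
    $value = if ($Enable) { $EnabledValue } else { $DisabledValue }
    Set-RegistryValue -Hive $Hive -SubKeyName $path -ValueName 'Enabled' -ValueType DWORD -Value $value
}

#
# Protocols (server side). Order of the writes matches the original script.
#
Set-SchannelProtocol -Name 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Name 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Name 'PCT 1.0' -Enable $false
Set-SchannelProtocol -Name 'SSL 2.0' -Enable $false
# NOTE(review): TLS 1.0 and 1.1 stay enabled, as in the original. Both have since
# been deprecated (RFC 8996); confirm they are still required before keeping them on.
Set-SchannelProtocol -Name 'TLS 1.0' -Enable $true

#
# Ciphers
#
Set-SchannelComponent -Base $Ciphers -Name 'AES 128/128' -Enable $true
Set-SchannelComponent -Base $Ciphers -Name 'AES 256/256' -Enable $true
Set-SchannelComponent -Base $Ciphers -Name 'DES 56/56' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'NULL' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'RC2 128/128' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'RC2 40/128' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'RC2 56/128' -Enable $false
# NOTE(review): RC4 128/128 is left enabled as in the original. RC4 is prohibited
# for TLS by RFC 7465 and no RC4 suite appears in the priority list below, so
# disabling it here is worth considering.
Set-SchannelComponent -Base $Ciphers -Name 'RC4 128/128' -Enable $true
Set-SchannelComponent -Base $Ciphers -Name 'RC4 40/128' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'RC4 56/128' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'RC4 64/128' -Enable $false
Set-SchannelComponent -Base $Ciphers -Name 'Triple DES 168/168' -Enable $true

#
# Hashes
#
# NOTE(review): MD5 stays enabled as in the original; it is only needed for
# legacy suites, none of which are in the priority list below.
Set-SchannelComponent -Base $Hashes -Name 'MD5' -Enable $true
Set-SchannelComponent -Base $Hashes -Name 'SHA' -Enable $true

#
# Key Exchange Algorithms
#
Set-SchannelComponent -Base $KeyExchangeAlgorithms -Name 'Diffie-Hellman' -Enable $true
Set-SchannelComponent -Base $KeyExchangeAlgorithms -Name 'PKCS' -Enable $true

#
# Cipher suite ordering: a comma-separated list, strongest first. ECDHE (forward
# secret) suites lead, then static RSA and DHE_DSS suites; the two 3DES entries
# are the weakest and could be dropped if no client still needs them.
#
$CipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
)
# The original wrote this value without creating the key first. The policy key
# under ...\Cryptography\Configuration\SSL may not exist yet, so create it the
# same way every other key above is created (New-RegistryKey is already used on
# keys that may pre-exist, so it is presumed safe here too).
New-RegistryKey -Hive $Hive -SubKeyName $CipherOrder
Set-RegistryValue -Hive $Hive -SubKeyName $CipherOrder -ValueName Functions -ValueType ExpandedString -Value ($CipherSuites -join ',')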
I had missed the key for cipher ordering; it's in an odd location and is a comma-separated list of cipher suites in which order matters. The order presented in the code is from strongest to weakest, based on a recommendation by Microsoft.
You'll need my registry module for this to work.
https://github.com/jeffpatton1971/mod-posh/blob/master/powershell/production/includes/RegistryLibrary.psm1