Disable SSL V3 Stuff and set ciphersuites
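#
# SCHANNEL hardening for the server side of this host:
#   * protocols  - TLS 1.0/1.1/1.2 on; SSL 2.0, SSL 3.0 and PCT 1.0 off
#   * ciphers    - AES and Triple DES on; RC4, RC2, DES and NULL off
#   * hashes     - MD5 and SHA on
#   * key exch.  - Diffie-Hellman and PKCS on
#   * cipher order pinned through the SSL configuration policy key
#
# Requires RegistryLibrary.psm1 (New-RegistryKey / Set-RegistryValue) and
# rights to write under HKEY_LOCAL_MACHINE. Only the "\Server" subkeys are
# written, so client-side SCHANNEL behaviour is left at the OS default.
# SCHANNEL reads these keys at start-up, so a restart is normally needed
# before the new settings are in effect.
#
$Protocols = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$Ciphers = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$Hashes = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes"
$KeyExchangeAlgorithms = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms"
$CipherOrder = "SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
Import-Module C:\projects\mod-posh\powershell\production\includes\RegistryLibrary.psm1

# Values SCHANNEL expects in the "Enabled" DWORD: 0xFFFFFFFF = on, 0 = off.
$SchannelEnabled = 4294967295
$SchannelDisabled = 0

function Set-SchannelProtocol {
    <#
    .SYNOPSIS
        Enable or disable one SCHANNEL protocol for the server side.
    .PARAMETER Name
        Protocol subkey name under $Protocols, e.g. 'TLS 1.2' or 'SSL 3.0'.
    .PARAMETER Enable
        $true  -> Enabled = 0xFFFFFFFF, DisabledByDefault = 0
        $false -> Enabled = 0,          DisabledByDefault = 1
    .NOTES
        Both values are always written so the resulting state does not depend
        on the OS default for that protocol. Registry errors surface from the
        RegistryLibrary cmdlets.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    $RegPath = "$($Protocols)\$($Name)\Server"
    $disabledByDefault = if ($Enable) { 0 } else { 1 }
    $enabled = if ($Enable) { $SchannelEnabled } else { $SchannelDisabled }
    New-RegistryKey -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath
    Set-RegistryValue -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath -ValueName "DisabledByDefault" -ValueType DWORD -Value $disabledByDefault
    Set-RegistryValue -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath -ValueName "Enabled" -ValueType DWORD -Value $enabled
}

function Set-SchannelAlgorithm {
    <#
    .SYNOPSIS
        Enable or disable one cipher, hash or key-exchange algorithm in SCHANNEL.
    .PARAMETER Category
        Full subkey path of the algorithm family: $Ciphers, $Hashes or
        $KeyExchangeAlgorithms.
    .PARAMETER Name
        Algorithm subkey name, e.g. 'AES 128/128' or 'MD5'.
    .PARAMETER Enable
        $true -> Enabled = 0xFFFFFFFF, $false -> Enabled = 0.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    $RegPath = "$($Category)\$($Name)"
    $enabled = if ($Enable) { $SchannelEnabled } else { $SchannelDisabled }
    New-RegistryKey -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath
    Set-RegistryValue -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath -ValueName "Enabled" -ValueType DWORD -Value $enabled
}

#
# Protocols. SSL 2.0/3.0 and PCT 1.0 are switched off; TLS 1.0 and 1.1 are
# kept on as in the original policy -- turning them off is a separate
# compatibility decision, not something this script decides.
#
Set-SchannelProtocol -Name 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Name 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Name 'PCT 1.0' -Enable $false
Set-SchannelProtocol -Name 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enable $true

#
# Ciphers. RC4 128/128 is now disabled: the cipher-suite order below offers
# no RC4 suites, so leaving it enabled only widened what SCHANNEL would
# accept if the policy key were ever removed. Triple DES stays on because
# the order list still contains the two 3DES suites; drop both together if
# 3DES is retired.
#
Set-SchannelAlgorithm -Category $Ciphers -Name 'AES 128/128' -Enable $true
Set-SchannelAlgorithm -Category $Ciphers -Name 'AES 256/256' -Enable $true
Set-SchannelAlgorithm -Category $Ciphers -Name 'DES 56/56' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'NULL' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC2 128/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC2 40/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC2 56/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC4 128/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC4 40/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC4 56/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'RC4 64/128' -Enable $false
Set-SchannelAlgorithm -Category $Ciphers -Name 'Triple DES 168/168' -Enable $true

#
# Hashes. MD5 is left enabled as in the original; NOTE(review): with TLS 1.0
# and 1.1 still on, confirm on a test host that disabling MD5 here does not
# break those handshakes before tightening it.
#
Set-SchannelAlgorithm -Category $Hashes -Name 'MD5' -Enable $true
Set-SchannelAlgorithm -Category $Hashes -Name 'SHA' -Enable $true

#
# Key exchange algorithms.
#
Set-SchannelAlgorithm -Category $KeyExchangeAlgorithms -Name 'Diffie-Hellman' -Enable $true
Set-SchannelAlgorithm -Category $KeyExchangeAlgorithms -Name 'PKCS' -Enable $true

#
# Cipher-suite order, strongest first. The policy key is created before the
# value is written, consistent with every section above (previously the key
# was assumed to exist). The value is one comma-separated string and the
# order matters. NOTE(review): the list is CBC-only and ends in 3DES suites;
# revisit it when GCM suites are acceptable for the clients involved, and
# confirm the ExpandedString value type is honoured on the target OS.
#
$CipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
)
$RegPath = $CipherOrder
New-RegistryKey -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath
Set-RegistryValue -Hive HKEY_LOCAL_MACHINE -SubKeyName $RegPath -ValueName Functions -ValueType ExpandedString -Value ($CipherSuites -join ',')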
I had missed the key for cipher ordering; it's in an odd location and is a comma-separated list of ciphers in which order is important. The order presented in the code is from strongest to weakest, based on a recommendation by Microsoft.
