@markthiessen
Created October 20, 2014 15:11
PowerShell script for disabling SSLv3 - Refactored
# MS Security bulletin: https://technet.microsoft.com/en-us/library/security/3009008.aspx
# Azure post where this script originally came from: http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/
#
#
# NOTE: This registry change requires that the server be restarted. The script
# will detect if a change is applied and AUTOMATICALLY reboot the server.
# If you don't want automatic reboot comment out the final section of the
# script before running!

Function Ensure-RegKeyExists {
    param (
        $key
    )
    If (!(Test-Path -Path $key)) {
        New-Item $key | Out-Null
    }
}

Function Set-RegKey {
    param (
        $key,
        $value,
        $valuedata,
        $valuetype,
        $restart
    )
    # Check for existence of registry key, and create if it does not exist
    Ensure-RegKeyExists $key
    # Get data of registry value, or null if it does not exist
    $val = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
    If ($val -eq $null) {
        # Value does not exist - create and set to desired value
        New-ItemProperty -Path $key -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
        $restart = $True
    } Else {
        # Value does exist - if not equal to desired value, change it
        If ($val -ne $valuedata) {
            Set-ItemProperty -Path $key -Name $value -Value $valuedata
            $restart = $True
        }
    }
    return $restart
}

# If any settings are changed, this will change to $True and the server will reboot
$reboot = $False

$SSL2_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0";
$SSL2_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client";
$SSL2_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server";
$SSL3_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0";
$SSL3_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client";
$SSL3_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server";

# Check for existence of parent registry keys (SSL 2.0 and SSL 3.0), and create if they do not exist
Ensure-RegKeyExists $SSL2_Parent_Key
Ensure-RegKeyExists $SSL3_Parent_Key

# Ensure SSL 2.0 disabled for client
$reboot = Set-RegKey $SSL2_Client_Key DisabledByDefault 1 DWord $reboot
# Ensure SSL 2.0 disabled for server
$reboot = Set-RegKey $SSL2_Server_Key Enabled 0 DWord $reboot
# Ensure SSL 3.0 disabled for client
$reboot = Set-RegKey $SSL3_Client_Key DisabledByDefault 1 DWord $reboot
# Ensure SSL 3.0 disabled for server
$reboot = Set-RegKey $SSL3_Server_Key Enabled 0 DWord $reboot

# If any settings were changed, reboot
If ($reboot) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}
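
A read-only check of the four registry values the script sets, useful before running it (to see whether it would trigger the reboot) and after the restart (to confirm the settings persisted). This is an added example, not part of the original gist; `Get-SchannelAudit` is a hypothetical helper name, and the key paths and expected data are taken from the script above.

```powershell
# Added example (not from the original gist): audits the SCHANNEL values that
# the script sets. It makes no registry changes and never reboots.
Function Get-SchannelAudit {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Expected state, copied from the Set-RegKey calls in the script
    $expected = @(
        @{ Protocol = 'SSL 2.0'; Role = 'Client'; Name = 'DisabledByDefault'; Data = 1 }
        @{ Protocol = 'SSL 2.0'; Role = 'Server'; Name = 'Enabled';           Data = 0 }
        @{ Protocol = 'SSL 3.0'; Role = 'Client'; Name = 'DisabledByDefault'; Data = 1 }
        @{ Protocol = 'SSL 3.0'; Role = 'Server'; Name = 'Enabled';           Data = 0 }
    )

    ForEach ($e in $expected) {
        $key  = "$base\$($e.Protocol)\$($e.Role)"
        $name = $e.Name

        # A missing key or missing value is reported as non-compliant
        $actual = $null
        If (Test-Path -Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }

        $shown = '<not set>'
        If ($null -ne $actual) { $shown = $actual }

        [PSCustomObject]@{
            Key       = $key
            Value     = $name
            Expected  = $e.Data
            Actual    = $shown
            Compliant = ($null -ne $actual) -and ($actual -eq $e.Data)
        }
    }
}

$results = @(Get-SchannelAudit)
$results | Format-Table -AutoSize -Wrap

$failed = @($results | Where-Object { -not $_.Compliant })
If ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) SCHANNEL value(s) differ from the expected state."
} Else {
    Write-Host "All four values match. They take effect only after a restart."
}
```

The check reports the configured registry state only; as the header comment of the script notes, a changed value is not in effect until the server has been restarted.
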
@Kentrg11

Kentrg11 commented Jun 6, 2016

thnx

@whagan

whagan commented Nov 25, 2020

Very helpful script. Thx.

@AikenBM

AikenBM commented Sep 7, 2021

Note that Microsoft broke all the links to their security articles, so the link on line 1 is broken.

The correct link is now:

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008

And, yes, the link is largely illegible now. Well done, Microsoft.
