Disable Insecure TLS Cipher Suites for LDAPS on Domain Controllers
# Configures the "SSL Cipher Suite Order" policy in a Domain Controller GPO so that
# LDAPS on Windows Server 2016 and 2019/2022 only offers ECDHE (forward-secret) AES-GCM
# suites. The policy is registry-backed: the comma-separated list is written to the
# REG_SZ value Functions under HKLM\...\Cryptography\Configuration\SSL\00010002.
# Reference: https://www.dsinternals.com/en/active-directory-domain-controller-tls-ldaps/
#
# NOTE: Set-GPRegistryValue writes into an existing GPO; the GPO named in $GpoName must
# already exist and the GroupPolicy (RSAT) module must be available.

# Windows Server 2019/2022: TLS 1.3 suites first, then the ECDHE AES-GCM suites.
$Ciphers2022 = @(
    'TLS_AES_256_GCM_SHA384'
    'TLS_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
) -join ','

# Windows Server 2016: same ordering without the TLS 1.3 (TLS_AES_*) entries.
$Ciphers2016 = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
) -join ','

# Name of the GPO that receives the setting (must already exist).
$GpoName = 'Domain Controller Security Baseline'

# Splatted parameters for Set-GPRegistryValue. Pick the list that matches the
# target OS: $Ciphers2022 for 2019/2022, $Ciphers2016 for 2016.
$GpoParams = @{
    Name      = $GpoName
    Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\'
    ValueName = 'Functions'
    Type      = 'String'
    Value     = $Ciphers2022 # Change to $Ciphers2016 for Windows Server 2016
}

Set-GPRegistryValue @GpoParams