CloudServiceTLS.ps1
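# You can use the -SetCipherOrder (or -sco) option to also set the TLS cipher
# suite order. Change the cipherorder variable below to the order you want to set on the
# server. Setting this requires a reboot to take effect.
#
# Every write in this script targets HKLM, so an unelevated run would fail part-way
# through after having changed some keys; fail fast instead. The [System.Random]::new()
# call near the end needs PowerShell 5.0 or later.
#Requires -RunAsAdministrator
#Requires -Version 5.0
Param(
    # Optional switch: when present, the Functions value (cipher suite order) is also written.
    [parameter(Mandatory=$false)]
    [alias("sco")]
    [switch]$SetCipherOrder
)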
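Function DisableRC4 {
    # Disable every RC4 Schannel cipher by writing Enabled=0 (DWORD) under
    # SCHANNEL\Ciphers\<RC4 name>. Emits $restart, raised to $true when any value was
    # created or changed so an already-compliant host is not rebooted.
    #
    # The RC4 subkey names contain a forward slash, which the PowerShell registry
    # provider would treat as a path separator, so the .NET registry API is used.
    # Unlike the original SubKeyCount check, each RC4 key is handled on its own, so a
    # Ciphers key that already holds unrelated subkeys still gets RC4 disabled.
    param ( $restart)
    $ciphersPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.OpenSubKey($ciphersPath, $true)
    if ($null -eq $ciphers) {
        # Ciphers container absent: create it so the RC4 entries below can be written.
        $ciphers = $hklm.CreateSubKey($ciphersPath)
        $restart = $true
    }
    $rc4Names = @("RC4 128/128", "RC4 64/128", "RC4 56/128", "RC4 40/128")
    foreach ($name in $rc4Names) {
        # CreateSubKey opens the key for write access when it exists and creates it otherwise.
        $key = $ciphers.CreateSubKey($name)
        $current = $key.GetValue("Enabled", $null)
        if ($null -eq $current -or $current -ne 0) {
            $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $restart = $true
        }
        $key.Close()
    }
    $ciphers.Close()
    $restart
}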
Function Set-CryptoSetting {
    # Ensure one registry value under $regkeys[$keyindex] holds $valuedata, creating the
    # key and/or the value when missing. Emits $restart, set to $True when anything was
    # written, so callers chain it: $reboot = Set-CryptoSetting ... $reboot
    param (
        $keyindex,   # index into the script-level $regkeys array
        $value,      # registry value name (e.g. Enabled, DisabledByDefault)
        $valuedata,  # desired data
        $valuetype,  # PropertyType, used only when the value has to be created
        $restart     # incoming reboot flag, passed through and possibly raised to $True
    )
    $path = $regkeys[$keyindex]
    # A missing key implies a missing value; create the key first.
    If (-not (Test-Path -Path $path)) {
        New-Item $path | Out-Null
    }
    # SilentlyContinue turns "value not present" into $null instead of an error.
    $current = (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value
    If ($null -eq $current) {
        New-ItemProperty -Path $path -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
        $restart = $True
    } ElseIf ($current -ne $valuedata) {
        # The value exists with other data; its existing type is kept, only the data changes.
        Set-ItemProperty -Path $path -Name $value -Value $valuedata
        $restart = $True
    }
    $restart
}
# Registry keys addressed by index throughout the script. Indexes 0-14 are the Schannel
# protocol keys (protocol, then its Client and Server subkeys); index 15 is the SSL
# policy key that holds the cipher suite order (Functions) and curve order (EccCurves).
$regkeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0",          # 0
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client",   # 1
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server",   # 2
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1",          # 3
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",   # 4
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",   # 5
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2",          # 6
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",   # 7
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",   # 8
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0",          # 9
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client",   # 10
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server",   # 11
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0",          # 12
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client",   # 13
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server",   # 14
    "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"                      # 15
)
Function Set-Windows10PlusCurveOrder {
    # On Windows 10 and later, pin the ECC curve order (EccCurves, a MultiString under
    # the SSL policy key $regkeys[15]) to NistP384 followed by NistP256. Does nothing
    # on older Windows. Emits $reboot, raised to $True when the key or value was
    # created or changed.
    param ( $reboot)
    $desiredOrder = "NistP384;NistP256".Split(";")
    If ([Environment]::OSVersion.Version.Major -lt 10) {
        return $reboot
    }
    $policyKey = $regkeys[15]
    If (-not (Test-Path -Path $policyKey)) {
        New-Item $policyKey | Out-Null
        $reboot = $True
    }
    $val = (Get-Item -Path $policyKey -ErrorAction SilentlyContinue).GetValue("EccCurves", $null)
    if ($null -eq $val) {
        New-ItemProperty -Path $policyKey -Name EccCurves -Value $desiredOrder -PropertyType MultiString | Out-Null
        $reboot = $True
    } elseif ([System.String]::Join(';', $val) -ne [System.String]::Join(';', $desiredOrder)) {
        # Joining before comparing makes the order, not just the membership, significant.
        Write-Host "The original curve order ", `n, $val, `n, "needs to be updated to ", $desiredOrder
        Set-ItemProperty -Path $policyKey -Name EccCurves -Value $desiredOrder
        $reboot = $True
    }
    $reboot
}
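# Pick the cipher suite order for this OS generation. The pre-Windows 10 Schannel names
# carry a _P256/_P384 curve suffix; Windows 10+ uses the names without it.
If ([Environment]::OSVersion.Version.Major -lt 10) {
    # This is for Windows before 10
    Write-Host "Configuring Windows before 10..."
    $cipherorder = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,"
    $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,"
    $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
    $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
    $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,"
    $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
} Else {
    # this is for windows 10 or above
    Write-Host "Configuring Windows 10+..."
    $cipherorder = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
    $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,"
    $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
}
# 3DES is left out by default because it is a weak cipher. Uncomment the next line only
# if Windows XP Embedded clients must still be able to connect.
# $cipherorder = $cipherorder + ",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
# Raised to $True by any change below; a $True value triggers the forced reboot at the end.
$reboot = $False
# The SSL 2.0 (index 9) and SSL 3.0 (index 12) parent keys must exist before their
# Client/Server subkeys are written.
For ($i = 9; $i -le 12; $i = $i + 3) {
    If (!(Test-Path -Path $regkeys[$i])) {
        New-Item $regkeys[$i] | Out-Null
    }
}
# Ensure SSL 2.0 disabled for client
$reboot = Set-CryptoSetting 10 DisabledByDefault 1 DWord $reboot
# Ensure SSL 2.0 disabled for server
$reboot = Set-CryptoSetting 11 Enabled 0 DWord $reboot
# Ensure SSL 3.0 disabled for client
$reboot = Set-CryptoSetting 13 DisabledByDefault 1 DWord $reboot
# Ensure SSL 3.0 disabled for server
$reboot = Set-CryptoSetting 14 Enabled 0 DWord $reboot
# Ensure TLS 1.0 Key exists
If (!(Test-Path -Path $regkeys[0])) {
    New-Item $regkeys[0] | Out-Null
}
# Ensure TLS 1.0 disabled for client
$reboot = Set-CryptoSetting 1 Enabled 0 DWord $reboot
$reboot = Set-CryptoSetting 1 DisabledByDefault 1 DWord $reboot
# Ensure TLS 1.0 disabled for server
$reboot = Set-CryptoSetting 2 Enabled 0 DWord $reboot
$reboot = Set-CryptoSetting 2 DisabledByDefault 1 DWord $reboot
# Ensure TLS 1.1 Key exists
If (!(Test-Path -Path $regkeys[3])) {
    New-Item $regkeys[3] | Out-Null
}
# Ensure TLS 1.1 disabled for client
$reboot = Set-CryptoSetting 4 Enabled 0 DWord $reboot
$reboot = Set-CryptoSetting 4 DisabledByDefault 1 DWord $reboot
# Ensure TLS 1.1 disabled for server (index 5 is the TLS 1.1\Server key)
$reboot = Set-CryptoSetting 5 Enabled 0 DWord $reboot
$reboot = Set-CryptoSetting 5 DisabledByDefault 1 DWord $reboot
If (Test-Path -Path $regkeys[8]) {
    # The TLS 1.2\Server key only exists if someone has configured it; if so, make sure
    # it was not left disabled, since TLS 1.2 is the only protocol this script keeps on.
    $reboot = Set-CryptoSetting 8 Enabled 1 DWord $reboot
}
$reboot = DisableRC4 $reboot
If ($SetCipherOrder) {
    # The cipher suite order lives in the Functions value of the SSL policy key.
    If (!(Test-Path -Path $regkeys[15])) {
        New-Item $regkeys[15] | Out-Null
        $reboot = $True
    }
    $val = (Get-Item -Path $regkeys[15] -ErrorAction SilentlyContinue).GetValue("Functions", $null)
    # Plain string comparison: a missing value ($null) or any difference in order rewrites it.
    if ($val -ne $cipherorder) {
        Write-Host "The original cipher suite order needs to be updated", `n, $val
        Set-ItemProperty -Path $regkeys[15] -Name Functions -Value $cipherorder
        $reboot = $True
    }
}
$reboot = Set-Windows10PlusCurveOrder $reboot
# If any settings were changed, reboot
If ($reboot) {
    # Randomize the reboot timing since it could be run in a large cluster, so that not
    # every node restarts at the same moment.
    $tick = [System.Int32]([System.DateTime]::Now.Ticks % [System.Int32]::MaxValue)
    $rand = [System.Random]::new($tick)
    $sec = $rand.Next(30, 600)
    Write-Host "Rebooting after", $sec, " second(s)..."
    # /f closes running applications without prompting; /d p:2:4 records a planned
    # reason code for the restart.
    shutdown.exe /r /t $sec /c "TLS settings changed" /f /d p:2:4
} Else {
    Write-Host "Nothing get updated."
}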