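# Hardens the SCHANNEL (SSL/TLS) configuration of a Windows server: disables the legacy
# protocols (Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0/3.0, TLS 1.0/1.1), weak ciphers
# and MD5, enables TLS 1.2 with AES ciphers and SHA-2 hashes, raises the Diffie-Hellman /
# PKCS minimum key length and pins the cipher suite order through Group Policy.
# Originally written to enable TLS 1.1 and TLS 1.2 on Windows Server 2012, Windows 7
# Service Pack 1 (SP1) and Windows Server 2008 R2 SP1; the 2023 changes disable TLS 1.1 as well.
# Reference Doc: https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
# for the Cipher Suites Support documentation go to
# https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/cipher-suites-in-schannel
# Requires an elevated session; a reboot is needed before the new settings take effect.
# -- CHANGES 2023 -- #
# Every later step writes to HKLM and assumes the previous steps succeeded, so stop on the
# first error instead of continuing with a half-applied configuration.
$ErrorActionPreference = 'Stop'
# Check to ensure we are running as Administrator first: every write below targets HKLM,
# so fail fast with a clear message rather than with a wall of "access denied" errors.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host -ForegroundColor Red 'This script must be run from an elevated (Administrator) PowerShell session.'
    exit 1
}
Write-Host 'Backup Registry before making changes...'
Write-Host '--------------------------------------------------------------------------------'
# Backup the registry first in case of problems so we can revert (reg import <file>).
# Only the SCHANNEL tree is exported; the cipher suite order policy key written later under
# HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 is not part of it,
# so export that key separately if it already exists on this host.
# $env:TEMP is not a durable location; point $backupDir elsewhere if the backup must be kept.
$backupDir = $env:TEMP
$backupFile = Join-Path $backupDir ('SCHANNEL-backup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backupFile /y | Out-Null
# A failed export means there is nothing to roll back to, so abort before touching anything.
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
    Write-Host -ForegroundColor Red "Registry backup to $backupFile failed; no changes have been made."
    exit 1
}
Write-Host "Registry backup written to $backupFile"
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'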
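#######################################
# Creates (or overwrites) the Server and Client keys of one SCHANNEL protocol and
# sets the two values that control it:
#   Enabled           - 0 when disabling, 0xffffffff when enabling
#   DisabledByDefault - 1 when disabling, 0 when enabling
# Arguments: -Name    protocol key name under SCHANNEL\Protocols, e.g. 'TLS 1.0'
#            -Enable  $true to enable the protocol, $false to disable it
# Outputs:   nothing; writes to HKLM (requires an elevated session)
#######################################
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    if ($Enable) {
        $enabledValue = '0xffffffff'
        $disabledByDefaultValue = 0
    }
    else {
        $enabledValue = 0
        $disabledByDefaultValue = 1
    }
    # Server and Client are configured identically so a protocol is never half-disabled.
    foreach ($side in @('Server', 'Client')) {
        $protocolPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Name\$side"
        New-Item $protocolPath -Force | Out-Null
        New-ItemProperty -Path $protocolPath -Name 'Enabled' -Value $enabledValue -PropertyType 'DWord' -Force | Out-Null
        New-ItemProperty -Path $protocolPath -Name 'DisabledByDefault' -Value $disabledByDefaultValue -PropertyType 'DWord' -Force | Out-Null
    }
}
# Disable Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0 (PCI Compliance) and SSL 3.0.
# NOTE: If you disable SSL 3.0 then you may lock out some people still using Windows XP
# with IE6/7. Without SSL 3.0 enabled, there is no protocol available
# for these people to fall back to. Safer shopping certifications may require that
# you disable SSLv3.
#
# Disabling SSL 3.0 (PCI Compliance) also enables "Poodle" protection.
foreach ($legacyProtocol in @('Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0')) {
    Set-SchannelProtocol -Name $legacyProtocol -Enable $false
    Write-Host "$legacyProtocol has been disabled."
}
# Get OS version ($os is also used further down to pick the cipher suite order)
$os = Get-WmiObject -class Win32_OperatingSystem
# v6.3 = Server 2012 R2, so if current server OS is a version below that value, check for this
# patch being present before we try to do any TLS reconfiguring
if ([System.Version]$os.Version -lt [System.Version]'6.3') {
    Write-Host "`n`nmake sure you have installed KB 3080079`n https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1-1-and-tls-1-2-in-windows-7-or-wind"
    Write-Host -nonewline "Continue? (Y/N) "
    $response = Read-Host
    if ( $response -ne "Y" ) { exit }
}
# -- CHANGES 2023 -- #
# Disable TLS 1.0 and TLS 1.1 for client and server SCHANNEL communications.
# Both sides of each protocol get Enabled=0 and DisabledByDefault=1, so the TLS 1.1 Server
# key now matches its Client key instead of being left with DisabledByDefault=0.
foreach ($legacyTls in @('TLS 1.0', 'TLS 1.1')) {
    Set-SchannelProtocol -Name $legacyTls -Enable $false
    Write-Host "$legacyTls has been disabled."
}
# Add and Enable TLS 1.2 for client and server SCHANNEL communications
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Write-Host 'TLS 1.2 has been enabled.'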
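# Re-create the ciphers key (path now has the backslash after HKLM:, like every other path here)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
# Disable insecure/weak ciphers.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128',
    'Triple DES 168'
)
# Cipher key names contain '/', which the PowerShell registry provider treats as a path
# separator, so these keys are created and written through the .NET registry API rather
# than New-Item / New-ItemProperty.
Foreach ($insecureCipher in $insecureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    try {
        $key.SetValue('Enabled', 0, 'DWord')
    }
    finally {
        # Release the key handle even if SetValue throws.
        $key.Close()
    }
    Write-Host "Weak cipher $insecureCipher has been disabled."
}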
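# Enable the secure ciphers
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in the near future. This is the last cipher supported by Windows XP.
# - On Windows Vista and before, 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
# - Disable Triple DES 168: https://www.techtarget.com/searchsecurity/tip/Expert-advice-Encryption-101-Triple-DES-explained
#   (it is disabled in the weak-cipher loop above; re-adding it here would re-enable it)
$secureCiphers = @(
    'AES 128/128',
    'AES 256/256'
    # 'Triple DES 168'
)
# Cipher key names contain '/', which the PowerShell registry provider treats as a path
# separator, so the value is written through the same .NET key handle that created the
# key (the same approach the weak-cipher loop uses) instead of New-ItemProperty.
Foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    try {
        # 0xffffffff is the "enabled" sentinel SCHANNEL expects; PowerShell evaluates the
        # literal to [int]-1, which the DWord kind stores with all 32 bits set.
        $key.SetValue('Enabled', 0xffffffff, 'DWord')
    }
    finally {
        # Release the key handle even if SetValue throws.
        $key.Close()
    }
    Write-Host "Strong cipher $secureCipher has been enabled."
}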
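# Set hashes configuration
# -- CHANGES 2023 -- # - Added backslash here it was missing before SYSTEM and put quotes around 'Enabled'
$hashesPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes'
New-Item $hashesPath -Force | Out-Null
# Disable MD5
New-Item "$hashesPath\MD5" -Force | Out-Null
New-ItemProperty -Path "$hashesPath\MD5" -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
# NOTE(review): 'SHA' is the SCHANNEL key name for SHA-1 and it stays enabled here — confirm
# that is still intended for this deployment.
$secureHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)
# Hash key names contain no '/', so the provider cmdlets can create and write them directly;
# no .NET key handle is needed (the previous version opened one and never wrote through it).
Foreach ($secureHash in $secureHashes) {
    $hashPath = "$hashesPath\$secureHash"
    New-Item $hashPath -Force | Out-Null
    New-ItemProperty -Path $hashPath -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    Write-Host "Hash $secureHash has been enabled."
}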
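# Set KeyExchangeAlgorithms configuration
# (path now has the backslash after HKLM:, consistent with the Hashes fix above)
$keyExchangePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
New-Item $keyExchangePath -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
    'Diffie-Hellman',
    'ECDH',
    'PKCS'
)
# These key names contain no '/', so the provider cmdlets can create and write them directly;
# no .NET key handle is needed.
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $algorithmPath = "$keyExchangePath\$secureKeyExchangeAlgorithm"
    New-Item $algorithmPath -Force | Out-Null
    New-ItemProperty -Path $algorithmPath -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}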
# -- CHANGES 2023 -- #
# Enable a longer DH key size (the default is 1024 bits, which is too weak).
# MS Security Advisory: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644
$diffieHellmanPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
New-Item $diffieHellmanPath -Force | Out-Null
# Raise the minimum on both the server and the client side.
foreach ($minKeyLengthName in @('ServerMinKeyBitLength', 'ClientMinKeyBitLength')) {
    New-ItemProperty -Path $diffieHellmanPath -Name $minKeyLengthName -Value '2048' -PropertyType 'DWord' -Force | Out-Null
}
Write-Host "Configured secure default key length of 2048 for Diffie-Hellman key shares (previously 1024)"
# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc
# Same minimum for RSA (PKCS) key exchange, client side only as in the advisory.
$pkcsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'
New-Item $pkcsPath -Force | Out-Null
New-ItemProperty -Path $pkcsPath -Name 'ClientMinKeyBitLength' -Value '2048' -PropertyType 'DWord' -Force | Out-Null
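# -- CHANGES 2023 -- #
# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy)
# NOTE: PFS does have a noticeable effect on system performance in some scenarios due to its higher computing requirements.
# Server owners may need to test for an increase in resource consumption when the number of TLS connections scales up.
# $os was populated by the Get-WmiObject call earlier in this script.
if ([System.Version]$os.Version -lt [System.Version]'10.0') {
    Write-Host 'Use cipher suites order for Windows 2008_R2/2012/2012_R2'
    # Pre-Windows 10 SCHANNEL uses the older suite names carrying the curve suffix (_P256 etc.).
    $cipherSuitesOrder = @(
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
        # Commenting all these out, as CBC ciphers are now considered weak
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
        # 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
        # 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
        # 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
        # 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
        # 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
        # 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521'
        # -- End of commenting out, adding these
        # Adding these in which are not shown as vulnerable based on sslyze scan results
        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
        # Below are the only AEAD ciphers available on Windows 2012R2 and earlier.
        # - RSA certificates need the ciphers below, but ECDSA certificates (EV) may not.
        # - We get a penalty for not using AEAD suites with RSA certificates.
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA'
    )
}
else {
    Write-Host 'Use cipher suites order for Windows 10/11/2016 and later.'
    $cipherSuitesOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        # Commenting some of these out, but need to keep a few that are weak, but not "insecure" at this time
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        # 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        # 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        #'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
        #'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
        #'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
        #'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
        # If we have issues due to an RSA cert, we can try re-enabling these 2 while troubleshooting
        #'TLS_RSA_WITH_AES_256_GCM_SHA384',
        #'TLS_RSA_WITH_AES_128_GCM_SHA256'
    )
}
# NOTE: For future use, these are the secure ciphers used if we are configuring for TLS 1.3, in this order
# TLS_AES_256_GCM_SHA384
# TLS_CHACHA20_POLY1305_SHA256
# TLS_AES_128_GCM_SHA256
# TLS_AES_128_CCM_8_SHA256
# TLS_AES_128_CCM_SHA256
# Windows requires this list to be comma-separated. Also, the whole string can be no more than 1,023 characters
$cipherSuitesAsString = $cipherSuitesOrder -join ','
# Enforce the 1,023-character limit noted above instead of silently writing a list that
# would not be honoured; an empty list is equally useless and is rejected too.
if ($cipherSuitesAsString.Length -eq 0 -or $cipherSuitesAsString.Length -gt 1023) {
    Write-Host -ForegroundColor Red "Cipher suite list is $($cipherSuitesAsString.Length) characters long; it must be between 1 and 1023. Adjust the list and re-run."
    exit 1
}
# -- End of my changes -- #
# The cipher suite order is applied through the Group Policy location.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null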
# Global SCHANNEL values (not tied to a single protocol)
$schannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Set TLS_FALLBACK_SCSV
New-ItemProperty -Path $schannelPath -Name 'UseScsvForTls' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# Set AllowInsecureRenegotiation to disabled, for both the client and the server role
foreach ($renegotiationValueName in @('AllowInsecureRenegoClients', 'AllowInsecureRenegoServers')) {
    New-ItemProperty -Path $schannelPath -Name $renegotiationValueName -Value 0 -PropertyType 'DWord' -Force | Out-Null
}
Write-Host '--------------------------------------------------------------------------------'
Write-Host 'NOTE: After the system has been rebooted you can verify your server'
Write-Host ' configuration at https://www.ssllabs.com/ssltest/'
Write-Host "--------------------------------------------------------------------------------`n"
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. When able, restart your server for this change to take affect'
# Restart-Computer -Force -Confirm