Checks SSL/TLS settings on Windows
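<#
.SYNOPSIS
    Reports whether one SCHANNEL registry setting is enabled, disabled, or not configured.
.DESCRIPTION
    Reads the value $name under the registry key $path. A value that exists and is
    non-zero (1 or 0xffffffff are the usual forms) is reported as enabled; a value of 0
    as DISABLED. A missing key or a missing value is reported as NOT CONFIGURED rather
    than as disabled: in that case SCHANNEL applies the OS default for the protocol,
    cipher or hash, which for legacy items on older Windows builds can mean "enabled".
    The original version printed DISABLED for a missing key, which hid exactly those
    hosts from the audit.
.PARAMETER description
    Human-readable label used in every output line.
.PARAMETER path
    Registry path (HKLM:\...) of the SCHANNEL key to inspect.
.PARAMETER name
    Value name to read under $path. Defaults to "Enabled".
.PARAMETER failIfEnabled
    Emit a Write-Warning when the setting is enabled, and also when it is not
    configured, because the OS default may leave it enabled.
.OUTPUTS
    None. Findings are written with Write-Host / Write-Warning.
#>
function CheckIsEnabled($description, $path, $name = "Enabled", [switch]$failIfEnabled)
{
    # -LiteralPath: cipher names such as 'RC2 128/128' must not be treated as wildcards.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "$description is NOT CONFIGURED (key missing; OS default applies)"
        if ($failIfEnabled) {
            Write-Warning "$description is not explicitly disabled; confirm the OS default for this build."
        }
        return
    }

    # SilentlyContinue turns a missing value name into $null instead of a terminating error.
    $property = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
    if (-not $property) {
        Write-Host "$description is NOT CONFIGURED (value '$name' missing; OS default applies)"
        if ($failIfEnabled) {
            Write-Warning "$description is not explicitly disabled; confirm the OS default for this build."
        }
        return
    }

    if ($property.$name -ne 0) {
        Write-Host "$description is enabled."
        if ($failIfEnabled) { Write-Warning "$description is enabled." }
    } else {
        Write-Host "$description is DISABLED."
    }
}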
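# Root of the SCHANNEL configuration tree; every check below is relative to it.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols that must be off. The original audit inspected only the Server
# subkey for these; the Client subkey is inspected as well, because the host's
# own outbound TLS connections are governed by the Client side. Labels now read
# "<protocol> <side>", matching the TLS 1.1 / 1.2 lines below.
$deprecatedProtocols = @('Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0')
foreach ($protocol in $deprecatedProtocols) {
    foreach ($side in @('Server', 'Client')) {
        CheckIsEnabled "$protocol $side" "$schannel\Protocols\$protocol\$side" -failIfEnabled
    }
}

# Protocols expected to be on (informational, no warning).
foreach ($protocol in @('TLS 1.1', 'TLS 1.2')) {
    foreach ($side in @('Server', 'Client')) {
        CheckIsEnabled "$protocol $side" "$schannel\Protocols\$protocol\$side"
    }
}

# Hashes: MD5 is collision-broken and must be off. 'SHA' is the SHA-1 key;
# SHA-2 variants have their own keys on builds that support them.
CheckIsEnabled "MD5" "$schannel\Hashes\MD5" -failIfEnabled
CheckIsEnabled "SHA" "$schannel\Hashes\SHA"

# Key exchange: both are informational here; DH strength (ServerMinKeyBitLength)
# is not inspected by this script.
CheckIsEnabled "Diffie-Hellman" "$schannel\KeyExchangeAlgorithms\Diffie-Hellman"
CheckIsEnabled "PKCS" "$schannel\KeyExchangeAlgorithms\PKCS"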
# Check ciphers
# Ciphers that fail the audit when enabled: NULL (no confidentiality), single DES
# and the export-strength RC2/RC4 variants, and RC4 at any length.
$weakCipherNames = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128'
)
$cipherRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($weakCipher in $weakCipherNames) {
    # String interpolation rather than Join-Path: the '/' in names like 'RC2 128/128'
    # is part of the key name and must not be normalised to a path separator.
    $path = "$cipherRoot\$weakCipher"
    CheckIsEnabled $weakCipher $path -failIfEnabled
}
# Ciphers expected to be on; reported without a warning.
# NOTE(review): 'Triple DES 168/168' uses a 64-bit block and is treated as legacy
# by most current hardening baselines (Sweet32-class attacks). Whether it belongs
# here or in the warning list depends on local policy; behaviour is unchanged.
$cipherRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$acceptedCipherNames = @(
    'AES 128/128',
    'AES 256/256',
    'Triple DES 168/168'
)
foreach ($acceptedCipher in $acceptedCipherNames) {
    $path = "$cipherRoot\$acceptedCipher"
    CheckIsEnabled $acceptedCipher $path
}
Write-Host "Done"