Last active
July 7, 2016 12:26
-
-
Save dkrusky/95d016fb1d054dfad80a to your computer and use it in GitHub Desktop.
Modified powershell script (must run as administrator) to pre-configure the box for A+ rating on ssllabs.com . Only support for TLS 1.2 is enabled due to lack of support in SCHANNEL for TLS fallback. You still need to setup HPKP, Strict-Security, and OCSP in IIS per site.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2014, Alexander Hass - Modified by MicroVB ( https://www.microvb.com ) | |
| # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 | |
| # | |
| # Version 1.5 | |
| # - Disabled remaining problematic ciphers that do not supply forward secrecy | |
| # - Disabled TLS 1.0 from server SCHANNEL requests | |
| # - Disabled TLS 1.1 from server SCHANNEL requests | |
| # - Enabled secure renegotiation | |
| # - Moved cipher suite and protocol variables to the top of this file to make editing easier | |
| # - 3DES has been disabled. | |
| # Version 1.4 | |
| # - RC4 has been disabled. | |
| # Version 1.3 | |
| # - MD5 has been disabled. | |
| # Version 1.2 | |
| # - Re-factored code style and output | |
| # Version 1.1 | |
| # - SSLv3 has been disabled. (Poodle attack protection) | |
| # Disable insecure/weak ciphers. | |
| $insecureCiphers = @( | |
| 'DES 56/56', | |
| 'NULL', | |
| 'RC2 128/128', | |
| 'RC2 40/128', | |
| 'RC2 56/128', | |
| 'RC4 40/128', | |
| 'RC4 56/128', | |
| 'RC4 64/128', | |
| 'RC4 128/128', | |
| 'Triple DES 168/168' | |
| ) | |
| # Enable new secure ciphers. | |
| # - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2. | |
| # - 3DES: It is recommended to disable these in near future. | |
| $secureCiphers = @( | |
| 'AES 128/128', | |
| 'AES 256/256' | |
| ) | |
| # Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy). | |
| $cipherSuitesOrder = @( | |
| 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384', | |
| 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256', | |
| 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384', | |
| 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256', | |
| 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384', | |
| 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256', | |
| 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384', | |
| 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384' | |
| ) | |
| Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...' | |
| Write-Host '--------------------------------------------------------------------------------' | |
| # Disable Multi-Protocol Unified Hello | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'Multi-Protocol Unified Hello has been disabled.' | |
| # Disable PCT 1.0 | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'PCT 1.0 has been disabled.' | |
| # Disable SSL 2.0 (PCI Compliance) | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'SSL 2.0 has been disabled.' | |
| # NOTE: If you disable SSL 3.0 the you may lock out some people still using | |
| # Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available | |
| # for these people to fall back. Safer shopping certifications may require that | |
| # you disable SSLv3. | |
| # | |
| # Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'SSL 3.0 has been disabled.' | |
| # Add and Disabel TLS 1.0 for client and server SCHANNEL communications | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'TLS 1.0 has been disabled.' | |
| # Add and Disable TLS 1.1 for server SCHANNEL communications (Leave it enabled for client SCHANNEL communications) | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'TLS 1.1 has been disabled (server).' | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'TLS 1.1 has been enabled (client).' | |
| # Add and Enable TLS 1.2 for client and server SCHANNEL communications | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'TLS 1.2 has been enabled.' | |
| # Enable SCSV to mitigate downgrade attacks | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -name 'UseScsvForTls' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| Write-Host 'SCSV has been enabled.' | |
| # Re-create the ciphers key. | |
| New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null | |
| Foreach ($insecureCipher in $insecureCiphers) { | |
| $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher) | |
| $key.SetValue('Enabled', 0, 'DWord') | |
| $key.close() | |
| Write-Host "Weak cipher $insecureCipher has been disabled." | |
| } | |
| Foreach ($secureCipher in $secureCiphers) { | |
| $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher) | |
| New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| $key.close() | |
| Write-Host "Strong cipher $secureCipher has been enabled." | |
| } | |
| # Set hashes configuration. | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| # Set KeyExchangeAlgorithms configuration. | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force | Out-Null | |
| New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null | |
| $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder) | |
| New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null | |
| Write-Host '--------------------------------------------------------------------------------' | |
| Write-Host 'NOTE: After the system has been rebooted you can verify your server' | |
| Write-Host ' configuration at https://www.ssllabs.com/ssltest/' | |
| Write-Host "--------------------------------------------------------------------------------`n" | |
| Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?' | |
| Restart-Computer -Force -Confirm |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment