PowerShell script for disabling SSLv3 - Refactored

DisableSslv3.ps1

# MS Security bulletin: https://technet.microsoft.com/en-us/library/security/3009008.aspx
# Azure post where this script originally came from: http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/
#
#
# NOTE: This registry change requires that the server be restarted. The script
#       will detect if a change is applied and AUTOMATICALLY reboot the server.
#       If you don't want automatic reboot comment out the final section of the
#       script before running!

Function Ensure-RegKeyExists {
	param (
		$key
	)

	If (!(Test-Path -Path $key)) {
		New-Item $key | Out-Null
	}
}

Function Set-RegKey {
  param (
    $key,
    $value,
    $valuedata,
    $valuetype,
    $restart
  )

  # Check for existence of registry key, and create if it does not exist
  Ensure-RegKeyExists $key

  # Get data of registry value, or null if it does not exist
  $val = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value

  If ($val -eq $null) {
    # Value does not exist - create and set to desired value
    New-ItemProperty -Path $key -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
    $restart = $True
  } Else {
    # Value does exist - if not equal to desired value, change it
    If ($val -ne $valuedata) {
      Set-ItemProperty -Path $key -Name $value -Value $valuedata
      $restart = $True
    }
  }
  return $restart
}

# If any settings are changed, this will change to $True and the server will reboot
$reboot = $False
$SSL2_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0";
$SSL2_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client";
$SSL2_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server";
$SSL3_Parent_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0";
$SSL3_Client_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client";
$SSL3_Server_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server";

# Check for existence of parent registry keys (SSL 2.0 and SSL 3.0), and create if they do not exist
Ensure-RegKeyExists $SSL2_Parent_Key
Ensure-RegKeyExists $SSL3_Parent_Key

# Ensure SSL 2.0 disabled for client
$reboot = Set-RegKey $SSL2_Client_Key DisabledByDefault 1 DWord $reboot

# Ensure SSL 2.0 disabled for server
$reboot = Set-RegKey $SSL2_Server_Key Enabled 0 DWord $reboot

# Ensure SSL 3.0 disabled for client
$reboot = Set-RegKey $SSL3_Client_Key DisabledByDefault 1 DWord $reboot

# Ensure SSL 3.0 disabled for server
$reboot = Set-RegKey $SSL3_Server_Key Enabled 0 DWord $reboot

# If any settings were changed, reboot
If ($reboot) {
  Write-Host "Rebooting now..."
  shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}

thnx

Very helpful script. Thx.

Note that Microsoft broke all the links to their security articles, so the link on line 1 is broken.

The correct link is now:

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008

And, yes, the link is largely illegible now. Well done, Microsoft.