Skip to content

Instantly share code, notes, and snippets.

@phbits

phbits/Set-SchannelProtocol.ps1

Created April 24, 2020 18:54
Show Gist options
  • Save phbits/99f2697eb1fa427bc465fca5d9cc8e6f to your computer and use it in GitHub Desktop.
Save phbits/99f2697eb1fa427bc465fca5d9cc8e6f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Set-SchannelProtocol.ps1
Function Set-SchannelProtocol
{
<#
.SYNOPSIS
Disables schannel protocols by default. Enable a protocol by using the -EnableProtocol switch.
.DESCRIPTION
Microsoft IIS uses schannel for implementing HTTPS. This function will enable/disable protocols for both the client and server.
WARNING! These settings are system wide meaning they impact all process/services running on the system.
BOTH Client and Server are configured. Client refers to outgoing connections such as browsers
whereas Server refers to hosted process/services such as IIS.
This function must be launched from an elevated admin prompt.
.EXAMPLE
Set-SchannelProtocol -Protocol 'SSL 2.0'
.EXAMPLE
$DisableProtocols = 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','DTLS 1.0','DTLS 1.2'
$DisableProtocols | %{ Set-SchannelProtocol -Protocol $) }
.EXAMPLE
Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol
.NOTES
Tested on Windows Server 2019 and PowerShell 5.1
.LINK
https://docs.microsoft.com/en-us/windows/win32/secauthn/secure-channel
.LINK
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','DTLS 1.0','DTLS 1.2')]
[ValidateNotNullOrEmpty()]
[System.String]
# Protocol
$Protocol
,
[Switch]
# Enable Protocol
$EnableProtocol
)
$i = 0
$RegBase = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RegEnabledValue = 0
if($EnableProtocol){ $RegEnabledValue = 1 }
$RegDisabledByDefaultValue = 1
if($EnableProtocol){ $RegDisabledByDefaultValue = 0 }
do {
$i++
switch($i)
{
1 { # Create folders
$ProtocolBase = Join-Path $RegBase -ChildPath $Protocol
if($(Test-Path $ProtocolBase) -eq $false)
{
New-Item -Path $RegBase -Name $Protocol | Out-Null
}
$ProtocolBaseServer = Join-Path $ProtocolBase -ChildPath 'Server'
if($(Test-Path $ProtocolBaseServer) -eq $false)
{
New-Item -Path $ProtocolBase -Name 'Server' | Out-Null
}
$ProtocolBaseClient = Join-Path $ProtocolBase -ChildPath 'Client'
if($(Test-Path $ProtocolBaseClient) -eq $false)
{
New-Item -Path $ProtocolBase -Name 'Client' | Out-Null
}
}
2 { # Configure Client
$ProtocolPath = Join-Path $RegBase -ChildPath $Protocol
$ProtocolBaseClient = Join-Path $ProtocolBase -ChildPath 'Client'
Set-ItemProperty -Path $ProtocolBaseClient -Type DWord -Name 'Enabled' -Value $RegEnabledValue | Out-Null
Write-Output $('{0} : Enabled={1}' -f $ProtocolBaseClient,$RegEnabledValue)
Set-ItemProperty -Path $ProtocolBaseClient -Type DWord -Name 'DisabledByDefault' -Value $RegDisabledByDefaultValue | Out-Null
Write-Output $('{0} : DisabledByDefault={1}' -f $ProtocolBaseClient,$RegDisabledByDefaultValue)
}
3 { # Configure Server
$ProtocolPath = Join-Path $RegBase -ChildPath $Protocol
$ProtocolBaseServer = Join-Path $ProtocolBase -ChildPath 'Server'
Set-ItemProperty -Path $ProtocolBaseServer -Type DWord -Name 'Enabled' -Value $RegEnabledValue | Out-Null
Write-Host $('{0} : Enabled={1}' -f $ProtocolBaseServer,$RegEnabledValue)
Set-ItemProperty -Path $ProtocolBaseServer -Type DWord -Name 'DisabledByDefault' -Value $RegDisabledByDefaultValue | Out-Null
Write-Host $('{0} : DisabledByDefault={1}' -f $ProtocolBaseServer,$RegDisabledByDefaultValue)
}
default {
Write-Host 'Reboot to make changes active.'
$i = 0
}
}
} while ($i -ne 0)
} # End function Set-SchannelProtocol
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment