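# https://community.rackspace.com/products/f/25/t/507
# This posting is primarily aimed at customers who are running PCI compliance scans and need to disable certain
# protocols to pass the PCI compliance scan.
# The following script block includes elements to disable certain weak encryption mechanisms using registry edits.
# After running any element of the script it will be necessary to reboot your Windows server in order to fully apply
# these changes.
#
# Every write below goes to HKLM, so an elevated (Administrator) session is required.
# The script is idempotent: keys are created only when missing and existing values are overwritten (-Force), so it can
# be re-run without "already exists" errors.
#Requires -RunAsAdministrator

# Root of the SCHANNEL configuration. Protocol and cipher sub-keys are formatted relative to this root.
# (The previous value pointed at ...\Protocols\TLS 1.2, so every formatted path doubled up as
#  ...\TLS 1.2\Protocols\TLS 1.2 and none of the settings landed where SCHANNEL reads them.)
$SCHANNELPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

#######################################
# Creates Protocols\<Name>\Server (and \Client unless -ServerOnly) under $SCHANNELPath and writes the
# Enabled / DisabledByDefault DWORD values.
# Arguments:
#   -Name               protocol key name, e.g. 'TLS 1.2'
#   -Enabled            1 to enable, 0 to disable
#   -DisabledByDefault  optional; written only when supplied
#   -ServerOnly         configure the Server side only (the original script did this for SSL 2.0 / 3.0)
#######################################
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int] $Enabled,
        [int] $DisabledByDefault,
        [switch] $ServerOnly
    )
    $sides = if ($ServerOnly) { @('Server') } else { @('Server', 'Client') }
    foreach ($side in $sides) {
        $key = '{0}\Protocols\{1}\{2}' -f $SCHANNELPath, $Name, $side
        # -Force also creates the intermediate Protocols\<Name> key when it is missing.
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'Enabled' -Value $Enabled -PropertyType 'DWord' -Force | Out-Null
        if ($PSBoundParameters.ContainsKey('DisabledByDefault')) {
            New-ItemProperty -LiteralPath $key -Name 'DisabledByDefault' -Value $DisabledByDefault -PropertyType 'DWord' -Force | Out-Null
        }
    }
}

#######################################
# Creates Ciphers\<Name> under the SCHANNEL root and writes its Enabled DWORD.
# Cipher key names such as 'RC4 40/128' contain a forward slash, which the PowerShell registry provider treats as a
# path separator: New-Item would create 'RC4 40\128' (a parent key 'RC4 40' with a child '128'), which SCHANNEL never
# reads. The .NET registry API splits only on backslash, so it is used here to create the key under its real name.
# Arguments:
#   -Name     cipher key name, e.g. 'AES 128/128'
#   -Enabled  1 to enable, 0 to disable
#######################################
function Set-SchannelCipher {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int] $Enabled
    )
    # Strip the provider prefix; the .NET API takes a path relative to HKEY_LOCAL_MACHINE.
    $relativeRoot = $SCHANNELPath -replace '^HKLM:\\', ''
    $subKey = '{0}\Ciphers\{1}' -f $relativeRoot, $Name
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
    try {
        $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

# Make and enable TLS 1.2 for client and server SCHANNEL communications
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled 1 -DisabledByDefault 0
# Make and enable TLS 1.1 for client and server SCHANNEL communications
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled 1 -DisabledByDefault 0
# Disable SSL 2.0 (server side only, as in the original)
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled 0 -ServerOnly
# Enable SSL 3.0 (server side only, as in the original)
# NOTE(review): SSL 3.0 is left enabled to preserve the original behaviour, but it is no longer considered strong
# cryptography (POODLE; excluded by PCI DSS 3.1 and later). Change to -Enabled 0 unless a legacy client requires it.
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled 1 -ServerOnly

# Disable weak ciphers
# (The original wrote the 'RC2 56/128' value to 'RC2 40/128' a second time, so RC2 56/128 was never disabled.)
# NOTE(review): key names are copied from the original list; newer Windows versions document some ciphers under
# different names (e.g. 'Triple DES 168' without the '/168' suffix) — verify against the target OS.
foreach ($cipher in 'Null', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128') {
    Set-SchannelCipher -Name $cipher -Enabled 0
}

# Enable strong ciphers
# NOTE(review): RC4 128/128 and Triple DES 168/168 are kept enabled to match the original list, but RC4 (RFC 7465)
# and 3DES (Sweet32) are deprecated; consider setting them to 0 once no client depends on them.
foreach ($cipher in 'RC4 128/128', 'Triple DES 168/168', 'AES 128/128', 'AES 256/256') {
    Set-SchannelCipher -Name $cipher -Enabled 1
}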