# https://technet.microsoft.com/library/security/3009008
# Microsoft Security Advisory 3009008
# Vulnerability in SSL 3.0 Could Allow Information Disclosure
# Implement workaround via Registry edit
# Intended to be run on/applied to the local machine, either via interactive console or WinRM
# To run remotely:
# Invoke-Command -Credential $my2acct -Authentication Credssp -EnableNetworkAccess -ComputerName GBCI02VMLOC01 -FilePath \\gbci02psh01\PS-Repo\Systems\Msft_SecAdv_3009008.ps1
# To create the test condition (SSL 3.0 server endpoint explicitly enabled), first run:
# Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 1
# Invoke-Command -Credential $my2acct -Authentication Credssp -EnableNetworkAccess -ComputerName gbci02vc01, gbci02vcum01, gbci02veeam01, gbci02vmloc01, gbci91vc01 -ScriptBlock { Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 0 -ErrorAction SilentlyContinue; Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled' -Value 0 -ErrorAction SilentlyContinue}
# Script file name, reused in diagnostic messages below.
[string]$MyName = $MyInvocation.MyCommand.Name
Write-Debug ('Starting {0} on {1}' -f $MyName, $Env:COMPUTERNAME)
# Goes to the success stream (not Verbose), so it shows up in the script's pipeline output.
Write-Output 'Declaring function Set-SSL3Disabled'
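function Set-SSL3Disabled {
<#
.SYNOPSIS
Disables SSL 3.0 for the local machine's SCHANNEL Client and Server endpoints.
.DESCRIPTION
Implements the registry workaround from Microsoft Security Advisory 3009008:
sets the DWORD value 'Enabled' to 0 under
HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\{Client,Server}.
An endpoint key that does not exist is created; an endpoint that already has
Enabled = 0 is left untouched. Status is written to the success stream and to the
'Windows PowerShell' event log (EventId 301 when a change is made, 302 when the
endpoint was already disabled). Writing under HKLM needs an elevated session, and
SCHANNEL only reads these values at boot, so a reboot is required for effect.
Supports -WhatIf / -Confirm.
.OUTPUTS
System.String - one status line per endpoint.
#>
[CmdletBinding(SupportsShouldProcess)]
param ()

$SSL3_Key = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

foreach ($Endpoint in @('Client', 'Server')) {
$regPath = Join-Path -Path $SSL3_Key -ChildPath $Endpoint

# A missing key or value means SCHANNEL uses its built-in default, which on the OS
# versions the advisory covers leaves SSL 3.0 enabled - so "missing" is treated
# exactly like "enabled". -ErrorAction SilentlyContinue yields $null in that case.
$Current = (Get-ItemProperty -LiteralPath $regPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

if ($Current -eq 0) {
Write-Output -InputObject ('SSL 3.0 Web {0} support already disabled (by registry)' -f $Endpoint)
Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Information -Message ('SSL 3.0 Web {0} support already disabled (by registry)' -f $Endpoint) -EventId 302
continue
}

# NOTE: the earlier draft tested 'Enabled -eq 0' and then wrote 1, i.e. it would have
# re-enabled the protocol. Condition and value are now consistent with the advisory:
# write 0 whenever the current value is anything other than 0.
if ($PSCmdlet.ShouldProcess($regPath, 'Set Enabled = 0 (disable SSL 3.0)')) {
Write-Output -InputObject ('Disabling SSL 3.0 Web {0} support' -f $Endpoint)
Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Information -Message ('Disabling SSL 3.0 Web {0} support' -f $Endpoint) -EventId 301
if (-not (Test-Path -LiteralPath $regPath -PathType Container)) {
# -Force also creates the intermediate 'SSL 3.0' key when it is absent
$null = New-Item -Path $regPath -Force
}
# No -ErrorAction SilentlyContinue here: a failed write (e.g. not elevated) must
# surface, otherwise the script reports "Disabling" while SSL 3.0 stays on.
Set-ItemProperty -LiteralPath $regPath -Name 'Enabled' -Value 0 -Type DWord
}
}
}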
# Success-stream progress line, mirrors the one emitted before Set-SSL3Disabled.
Write-Output 'Declaring function Get-TLSProtocol'
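function Get-TLSProtocol {
<#
.SYNOPSIS
Reports SCHANNEL protocol settings defined in the local machine's registry.
.DESCRIPTION
Walks HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
recursively and emits one object per key that defines one of the requested
registry values (default: 'Enabled'). Keys that do not define the value are
skipped, so an empty result means every protocol is running on the OS default,
not that everything is disabled.
The value kind is read via RegistryKey.GetValueKind(), because Get-ItemProperty
does not expose it - see
https://connect.microsoft.com/PowerShell/feedback/details/632464/get-itemproperty-in-registry-should-return-value-type
.PARAMETER Property
Registry value name(s) to report. Defaults to 'Enabled'. 'DisabledByDefault' is
the other value SCHANNEL consults when deciding whether a protocol is offered.
.OUTPUTS
PSCustomObject with Protocol, Endpoint, Property, Value and 'Value Type'.
Data objects are emitted (rather than Format-Table output) so the result can be
filtered or exported; use 'Get-TLSProtocol | Format-Table -AutoSize' for the
tabular view the previous version printed.
#>
[CmdletBinding()]
param (
[string[]]$Property = @('Enabled')
)

$SCHANNEL_Key = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

Write-Debug -Message ('Get-ChildItem -LiteralPath {0} -Recurse' -f $SCHANNEL_Key)
Get-ChildItem -LiteralPath $SCHANNEL_Key -Recurse | ForEach-Object {
# RegistryKey.Name is 'HKEY_LOCAL_MACHINE\...'; convert it to a provider path
# so the item cmdlets accept it. -LiteralPath: key names such as 'SSL 3.0'
# must never be treated as wildcard patterns.
$KeyPathString = $PSItem.Name.Replace('HKEY_LOCAL_MACHINE\', 'HKLM:\')
Write-Debug -Message ('$KeyPathString: {0}' -f $KeyPathString)

# Protocol name and endpoint (e.g. Client or Server) are the last two path segments
$Tokens = $KeyPathString -split '\\'
$Protocol = $Tokens[-2]
$Endpoint = $Tokens[-1]
Write-Debug -Message ('$Protocol: {0}' -f $Protocol)
Write-Debug -Message ('$Endpoint: {0}' -f $Endpoint)

$key = Get-Item -LiteralPath $KeyPathString
$Defined = $key.GetValueNames()
foreach ($Name in $Property) {
# Only report values actually present on this key; earlier code reused the
# previous iteration's properties for keys without 'Enabled' and kept only
# the last object, so at most one (possibly stale) row was ever returned.
if ($Defined -contains $Name) {
$Value = $key.GetValue($Name)
# These REG values are / should be DWORD; report the kind so a wrong type
# (e.g. a REG_SZ "0", which SCHANNEL ignores) is visible in the output.
$ValueType = $key.GetValueKind($Name)
Write-Debug -Message ('{0}\{1}: {2} ({3})' -f $KeyPathString, $Name, $Value, $ValueType)
[PSCustomObject]@{
'Protocol' = $Protocol
'Endpoint' = $Endpoint
'Property' = $Name
'Value' = $Value
'Value Type' = $ValueType
}
}
}
} # end foreach key
}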
<#
[] Mirror over to GitHub or UserVoice?
https://connect.microsoft.com/PowerShell/feedback/details/632464/get-itemproperty-in-registry-should-return-value-type
Currently I see no easy way to get type of registry values. Info presented by Get-ItemProperty is not very helpful. I found workaround for that (sample):
$key = Get-Item 'HKLM:\software\Microsoft\windows\CurrentVersion\policies\Explorer'
$Property = @{Name = 'Property'; Expression = {$PSItem}}
$Value = @{Name = 'Value'; Expression = {$key.GetValue($PSItem) }}
$ValueType = @{Name = 'Value Type'; Expression = {$key.GetValueKind($PSItem)}}
$key.Property | select $Property, $Value, $ValueType
I think it would be better if Get-ItemProperty would return type too.
#>