#requires -Version 3 -Module PSLogger
#===============================================================================
# NAME : Msft_SecAdv_3009008.ps1
# LANGUAGE : Windows PowerShell
# AUTHOR : Bryan Dady
# DATE : 10/13/2016
# COMMENT : Mitigates Microsoft Security Advisory 3009008 -- Vulnerability in SSL 3.0 Could Allow Information Disclosure
# NOTES : https://technet.microsoft.com/library/security/3009008
# Microsoft Security Advisory 3009008 -- Vulnerability in SSL 3.0 Could Allow Information Disclosure
#===============================================================================
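[CmdletBinding(SupportsShouldProcess)]
param ()

Set-StrictMode -Version Latest

# Implement workaround via Registry edit.
# Intended to be run on/applied to the local machine, either via interactive console or WinRM.
# To run remotely:
#   Invoke-Command -Credential $my2acct -Authentication Credssp -EnableNetworkAccess -ComputerName ComputerName01, ServerName02 -FilePath \\PS-Repo\Security\Msft_SecAdv_3009008.ps1
# To create the test condition, first run the following (it deliberately re-enables SSL 3.0 so the
# mitigation has something to change; intended for a test system only):
#   Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 1
# Equivalent one-liner that applies the mitigation remotely without this script:
#   Invoke-Command -Credential $my2acct -Authentication Credssp -EnableNetworkAccess -ComputerName ComputerName01, ServerName02 -ScriptBlock { Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 0 -ErrorAction SilentlyContinue; Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled' -Value 0 -ErrorAction SilentlyContinue}
#
# NOTE(review): as far as this file shows, it only declares Set-SSL3Disabled and Get-TLSProtocols and never
# calls either. Run via Invoke-Command -FilePath as described above, the functions are defined in the remote
# session and then discarded, so the mitigation is not applied unless a caller invokes Set-SSL3Disabled afterwards.

# Name of this script, used to tag debug/log output.
[string]$MyName = $MyInvocation.MyCommand.Name
Write-Debug -Message "Starting $MyName on $Env:COMPUTERNAME"

# Progress chatter belongs on the Verbose stream; the output stream is where Get-TLSProtocols' objects travel,
# and callers of this script should not have to filter status strings out of it.
Write-Verbose -Message 'Declaring function Set-SSL3Disabled'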
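function Set-SSL3Disabled {
    <#
        .SYNOPSIS
            Disables SSL 3.0 in SCHANNEL by applying the registry workaround from Microsoft Security Advisory 3009008
            "Vulnerability in SSL 3.0 Could Allow Information Disclosure".
        .DESCRIPTION
            For both the Client and Server endpoint keys under
            HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0,
            reads the 'Enabled' value and, unless it is already 0, writes it as REG_DWORD 0.
            A missing key or missing value is NOT treated as "disabled": an absent value leaves SCHANNEL's
            built-in default for the protocol in effect, so the key is created and the value written explicitly.
            Only the 'Enabled' value is managed; other SCHANNEL settings are left untouched.
            Each endpoint is reported on the output stream and in the 'Windows PowerShell' event log:
            EventId 301 when a change is made, EventId 302 when the endpoint was already disabled.
            Supports -WhatIf and -Confirm for the registry writes.
        .EXAMPLE
            PS C:\> Set-SSL3Disabled -WhatIf
            Shows which SSL 3.0 registry keys/values would be created or changed without changing anything.
        .EXAMPLE
            PS C:\> Set-SSL3Disabled
            Disables SSL 3.0 for both Client and Server on the local machine.
        .INPUTS
            None.
        .OUTPUTS
            System.String status lines, one per endpoint.
        .NOTES
            SCHANNEL reads these values at startup; a restart of the affected services or a reboot is
            required before the new setting takes effect.
        .LINK
            https://technet.microsoft.com/library/security/3009008
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    $SSL3Key = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

    foreach ($Endpoint in 'Client', 'Server') {
        $RegPath = Join-Path -Path $SSL3Key -ChildPath $Endpoint
        Write-Debug -Message "Checking $RegPath"

        # Create the endpoint key when absent so the 'Enabled' value has somewhere to live.
        if (-not (Test-Path -Path $RegPath -PathType Container)) {
            if ($PSCmdlet.ShouldProcess($RegPath, 'Create registry key')) {
                $null = New-Item -Path $RegPath -Force
            }
        }

        # -ErrorAction SilentlyContinue: a missing value must not be a terminating error under StrictMode;
        # $Item is $null when the value (or, under -WhatIf, the key) does not exist.
        $Item = Get-ItemProperty -Path $RegPath -Name 'Enabled' -ErrorAction SilentlyContinue
        $Current = if ($null -ne $Item) { $Item.Enabled } else { $null }
        Write-Debug -Message "Current 'Enabled' for $Endpoint`: $Current"

        if ($Current -eq 0) {
            Write-Output -InputObject "SSL 3.0 Web $Endpoint support already disabled (by registry)"
            Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Information -EventId 302 `
                -Message "SSL 3.0 Web $Endpoint support already disabled (by registry)"
            continue
        }

        # Reached when the value is absent or non-zero (SSL 3.0 enabled or defaulted).
        if ($PSCmdlet.ShouldProcess("$RegPath\Enabled", 'Set REG_DWORD value 0')) {
            Write-Output -InputObject "Disabling SSL 3.0 Web $Endpoint support"
            Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Information -EventId 301 `
                -Message "Disabling SSL 3.0 Web $Endpoint support"
            # -Type DWord: the advisory specifies a REG_DWORD; without it an existing value of another kind
            # would keep its kind and SCHANNEL would not honour it. Errors are not suppressed so a failed
            # write is visible to the caller instead of silently leaving SSL 3.0 enabled.
            Set-ItemProperty -Path $RegPath -Name 'Enabled' -Value 0 -Type DWord
        }
    }
}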
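# Progress chatter goes to the Verbose stream so it does not mix with data on the output stream.
Write-Verbose -Message 'Declaring function Get-TLSProtocols'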
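function Get-TLSProtocols {
    <#
        .SYNOPSIS
            Reports the SCHANNEL protocol 'Enabled' settings present in the local registry.
        .DESCRIPTION
            Walks every key under HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
            and, for each key carrying an 'Enabled' value, emits one object with the protocol name (the parent
            key, e.g. 'SSL 3.0'), the endpoint (the leaf key, 'Client' or 'Server'), the property name, its data
            and its registry value kind. Keys without an 'Enabled' value are skipped.
            The value kind is read through RegistryKey.GetValueKind because Get-ItemProperty does not report it
            (see the Connect feedback item under NOTES).
        .EXAMPLE
            PS C:\> Get-TLSProtocols | Format-Table -AutoSize
            Tabular view of every protocol/endpoint with an explicit 'Enabled' setting.
        .INPUTS
            None.
        .OUTPUTS
            PSCustomObject with properties Protocol, Endpoint, Property, Value and 'Value Type', one per key.
            Objects are emitted to the pipeline rather than pre-formatted, so callers can filter or export them.
        .NOTES
            https://connect.microsoft.com/PowerShell/feedback/details/632464/get-itemproperty-in-registry-should-return-value-type
    #>
    [CmdletBinding()]
    param ()

    $SCHANNEL_Key = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    Write-Debug -Message "Get-ChildItem -Path $SCHANNEL_Key -Recurse"

    Get-ChildItem -Path $SCHANNEL_Key -Recurse | ForEach-Object {
        # RegistryKey.Name is 'HKEY_LOCAL_MACHINE\...'; the provider path form is 'HKLM:\...'
        $KeyPathString = $PSItem.Name.Replace('HKEY_LOCAL_MACHINE\', 'HKLM:\')
        Write-Debug -Message "`$KeyPathString: $KeyPathString"

        # $PSItem is already the RegistryKey, so query it directly instead of re-fetching via Get-Item.
        if ($PSItem.GetValueNames() -contains 'Enabled') {
            # Protocol is the parent key, endpoint the leaf (e.g. ...\SSL 3.0\Server).
            $Tokens = $KeyPathString -split '\\'
            $Protocol = $Tokens[-2]
            $Endpoint = $Tokens[-1]
            # These values are expected to be REG_DWORD; GetValueKind exposes the actual kind.
            $ValueType = $PSItem.GetValueKind('Enabled')
            $Value = $PSItem.GetValue('Enabled')
            Write-Debug -Message "`$Protocol: $Protocol `$Endpoint: $Endpoint `$Value: $Value `$ValueType: $ValueType"

            # Emit one object per key; the previous implementation overwrote a single return object on every
            # iteration and so reported only the last key visited.
            [PSCustomObject]@{
                'Protocol'   = $Protocol
                'Endpoint'   = $Endpoint
                'Property'   = 'Enabled'
                'Value'      = $Value
                'Value Type' = $ValueType
            }
        }
    }
}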
<#
[ ] Mirror over to GitHub or UserVoice?
https://connect.microsoft.com/PowerShell/feedback/details/632464/get-itemproperty-in-registry-should-return-value-type
Currently I see no easy way to get the type of registry values. The information presented by Get-ItemProperty is not very helpful. I found a workaround for that (sample):
$key = Get-Item 'HKLM:\software\Microsoft\windows\CurrentVersion\policies\Explorer'
$Property = @{Name = 'Property'; Expression = {$PSItem}}
$Value = @{Name = 'Value'; Expression = {$key.GetValue($PSItem) }}
$ValueType = @{Name = 'Value Type'; Expression = {$key.GetValueKind($PSItem)}}
$key.Property | select $Property, $Value, $ValueType
I think it would be better if Get-ItemProperty returned the type too.
#>