Securing SSL Configuration in IIS

Update 2/1/17

I updated Alex’s script at the bottom to the most recent version (1.7) as it reflects further hardening recommended as of late. I recommend referencing his script as oppose to each individual section I put as his full script has a lot more hardening, enables PFS and does OS detection.

 

In my previous post, I highlighted the importance of securing your SSL configuration and how to do it in Apache. Now, we will take a look at how at securing SSL in IIS. This post will be noticeably shorter thanks to the wonders of PowerShell.

The script we will be using is brought to us by Alexander Haas over here. The script in its entirety is at the bottom of this post. We will first take a look at it in sections.

*NOTE* this script was tested against IIS8. Older versions of IIS may not support items such as TLSv1.2. For example, you cannot enable TLSv1.2 in Server 2003.

Deprecated

First, we need to disable the use of older encryption and enable the use of more preferred and secure ones.

Disabling deprecated ones:

Disabling PCT 1.0

# Disable PCT 1.0
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force 

Disabling SSLv2

# Disable SSL 2.0 (PCI Compliance)
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force 

Disabling SSLv3

 # Disable SSL 3.0 (PCI Compliance)
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force 

Disable insecure ciphers

 # Disable insecure ciphers
$insecureCiphers = 'NULL','RC2 40/128','RC2 56/128','RC2 128/128','RC4 40/128','RC4 56/128','RC4 64/128','DES 56/56'
Foreach ($insecureCipher in $insecureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  $key.SetValue('Enabled', 0, 'DWord')
  $key.close()
  Write-Host "$insecureCipher has been disabled"
}

Disabling Multi-Protocol Unified Hello

 # Disable Multi-Protocol Unified Hello
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force 

Now let us enable the newer and more secure ones..

Add and enable TLSv1.1

# Add and Enable TLS 1.1 for client and server SCHANNEL communications
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force 

Add and enable TLSv1.2

# Add and Enable TLS 1.2 for client and server SCHANNEL communications
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force 

Enable the new and more secure ciphers

# Enable new secure ciphers
$secureCiphers = 'RC4 128/128','Triple DES 168/168','AES 128/128','AES 256/256'
Foreach ($secureCipher in $secureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
  $key.close()
  Write-Host "$secureCipher has been enabled"
} 

Now we will do some additional hardening:

# Set hashes configuration
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force
# Set KeyExchangeAlgorithms configuration
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force 

And finally, we change the cipher suite order to enable Perfect Forward Secrecy.

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy)
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA' -PropertyType 'String' -Force 

After all of these changes have been made, you need to restart your computer or server for them to take effect. Afterwards, you can test your configuration with SSL Labs once more. Remember that disabling SSLv3 eliminates compatibility with older browsers like IE8.

The last change is to enable HTTP Strict Transport Security. Since this is just a header, we can make an edit to the web.config file. Many online resource state this change via IIS does not exactly follow the spec but it still enables the feature.

In the web.config file, add these lines.

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>
 

*NOTE* Your web.config most likely already has system.webserver tags so you can omit those tags and place the rest in between the already present system.webserver tags.

Here is Alexander’s entire script:

</pre>
<pre class="powershell geshifilter-powershell"><span class="co1"># Copyright 2016, Alexander Hass</span>
<span class="co1"># http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12</span>
<span class="co1">#</span>
<span class="co1"># Version 1.7</span>
<span class="co1"># - Windows Version compare failed. Get-CimInstance requires Windows 2012 or later.</span>
<span class="co1"># Version 1.6</span>
<span class="co1"># - OS version detection for cipher suites order.</span>
<span class="co1"># Version 1.5</span>
<span class="co1"># - Enabled ECDH and more secure hash functions and reorderd cipher list.</span>
<span class="co1"># - Added Client setting for all ciphers.</span>
<span class="co1"># Version 1.4</span>
<span class="co1"># - RC4 has been disabled.</span>
<span class="co1"># Version 1.3</span>
<span class="co1"># - MD5 has been disabled.</span>
<span class="co1"># Version 1.2</span>
<span class="co1"># - Re-factored code style and output</span>
<span class="co1"># Version 1.1</span>
<span class="co1"># - SSLv3 has been disabled. (Poodle attack protection)</span>
 
<span class="kw1">Write-Host</span> <span class="st0">'Configuring IIS with SSL/TLS Deployment Best Practices...'</span>
<span class="kw1">Write-Host</span> <span class="st0">'--------------------------------------------------------------------------------'</span>
 
<span class="co1"># Disable Multi-Protocol Unified Hello</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'Multi-Protocol Unified Hello has been disabled.'</span>
 
<span class="co1"># Disable PCT 1.0</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'PCT 1.0 has been disabled.'</span>
 
<span class="co1"># Disable SSL 2.0 (PCI Compliance)</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'SSL 2.0 has been disabled.'</span>
 
<span class="co1"># NOTE: If you disable SSL 3.0 the you may lock out some people still using</span>
<span class="co1"># Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available</span>
<span class="co1"># for these people to fall back. Safer shopping certifications may require that</span>
<span class="co1"># you disable SSLv3.</span>
<span class="co1">#</span>
<span class="co1"># Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">1</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'SSL 3.0 has been disabled.'</span>
 
<span class="co1"># Add and Enable TLS 1.0 for client and server SCHANNEL communications</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'TLS 1.0 has been enabled.'</span>
 
<span class="co1"># Add and Enable TLS 1.1 for client and server SCHANNEL communications</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'TLS 1.1 has been enabled.'</span>
 
<span class="co1"># Add and Enable TLS 1.2 for client and server SCHANNEL communications</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'</span> <span class="kw5">-name</span> <span class="st0">'DisabledByDefault'</span> <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">Write-Host</span> <span class="st0">'TLS 1.2 has been enabled.'</span>
 
<span class="co1"># Re-create the ciphers key.</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
 
<span class="co1"># Disable insecure/weak ciphers.</span>
<span class="re0">$insecureCiphers</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
  <span class="st0">'DES 56/56'</span><span class="sy0">,</span>
  <span class="st0">'NULL'</span><span class="sy0">,</span>
  <span class="st0">'RC2 128/128'</span><span class="sy0">,</span>
  <span class="st0">'RC2 40/128'</span><span class="sy0">,</span>
  <span class="st0">'RC2 56/128'</span><span class="sy0">,</span>
  <span class="st0">'RC4 40/128'</span><span class="sy0">,</span>
  <span class="st0">'RC4 56/128'</span><span class="sy0">,</span>
  <span class="st0">'RC4 64/128'</span><span class="sy0">,</span>
  <span class="st0">'RC4 128/128'</span>
<span class="br0">)</span>
<span class="kw3">Foreach</span> <span class="br0">(</span><span class="re0">$insecureCipher</span> <span class="kw3">in</span> <span class="re0">$insecureCiphers</span><span class="br0">)</span> <span class="br0">{</span>
  <span class="re0">$key</span> <span class="sy0">=</span> <span class="br0">(</span><span class="kw1">Get-Item</span> HKLM:\<span class="br0">)</span>.OpenSubKey<span class="br0">(</span><span class="st0">'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'</span><span class="sy0">,</span> <span class="re0">$true</span><span class="br0">)</span>.CreateSubKey<span class="br0">(</span><span class="re0">$insecureCipher</span><span class="br0">)</span>
  <span class="re0">$key</span>.SetValue<span class="br0">(</span><span class="st0">'Enabled'</span><span class="sy0">,</span> <span class="nu0">0</span><span class="sy0">,</span> <span class="st0">'DWord'</span><span class="br0">)</span>
  <span class="re0">$key</span>.close<span class="br0">(</span><span class="br0">)</span>
  <span class="kw1">Write-Host</span> <span class="st0">"Weak cipher $insecureCipher has been disabled."</span>
<span class="br0">}</span>
 
<span class="co1"># Enable new secure ciphers.</span>
<span class="co1"># - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.</span>
<span class="co1"># - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.</span>
<span class="co1"># - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030</span>
<span class="re0">$secureCiphers</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
  <span class="st0">'AES 128/128'</span><span class="sy0">,</span>
  <span class="st0">'AES 256/256'</span><span class="sy0">,</span>
  <span class="st0">'Triple DES 168'</span>
<span class="br0">)</span>
<span class="kw3">Foreach</span> <span class="br0">(</span><span class="re0">$secureCipher</span> <span class="kw3">in</span> <span class="re0">$secureCiphers</span><span class="br0">)</span> <span class="br0">{</span>
  <span class="re0">$key</span> <span class="sy0">=</span> <span class="br0">(</span><span class="kw1">Get-Item</span> HKLM:\<span class="br0">)</span>.OpenSubKey<span class="br0">(</span><span class="st0">'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'</span><span class="sy0">,</span> <span class="re0">$true</span><span class="br0">)</span>.CreateSubKey<span class="br0">(</span><span class="re0">$secureCipher</span><span class="br0">)</span>
  <span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher"</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
  <span class="re0">$key</span>.close<span class="br0">(</span><span class="br0">)</span>
  <span class="kw1">Write-Host</span> <span class="st0">"Strong cipher $secureCipher has been enabled."</span>
<span class="br0">}</span>
 
<span class="co1"># Set hashes configuration.</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5'</span> <span class="kw5">-name</span> Enabled <span class="kw5">-value</span> <span class="nu0">0</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
 
<span class="re0">$secureHashes</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
  <span class="st0">'SHA'</span><span class="sy0">,</span>
  <span class="st0">'SHA256'</span><span class="sy0">,</span>
  <span class="st0">'SHA384'</span><span class="sy0">,</span>
  <span class="st0">'SHA512'</span>
<span class="br0">)</span>
<span class="kw3">Foreach</span> <span class="br0">(</span><span class="re0">$secureHash</span> <span class="kw3">in</span> <span class="re0">$secureHashes</span><span class="br0">)</span> <span class="br0">{</span>
  <span class="re0">$key</span> <span class="sy0">=</span> <span class="br0">(</span><span class="kw1">Get-Item</span> HKLM:\<span class="br0">)</span>.OpenSubKey<span class="br0">(</span><span class="st0">'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes'</span><span class="sy0">,</span> <span class="re0">$true</span><span class="br0">)</span>.CreateSubKey<span class="br0">(</span><span class="re0">$secureHash</span><span class="br0">)</span>
  <span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash"</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
  <span class="re0">$key</span>.close<span class="br0">(</span><span class="br0">)</span>
  <span class="kw1">Write-Host</span> <span class="st0">"Hash $secureHash has been enabled."</span>
<span class="br0">}</span>
 
<span class="co1"># Set KeyExchangeAlgorithms configuration.</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
<span class="re0">$secureKeyExchangeAlgorithms</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
  <span class="st0">'Diffie-Hellman'</span><span class="sy0">,</span>
  <span class="st0">'ECDH'</span><span class="sy0">,</span>
  <span class="st0">'PKCS'</span>
<span class="br0">)</span>
<span class="kw3">Foreach</span> <span class="br0">(</span><span class="re0">$secureKeyExchangeAlgorithm</span> <span class="kw3">in</span> <span class="re0">$secureKeyExchangeAlgorithms</span><span class="br0">)</span> <span class="br0">{</span>
  <span class="re0">$key</span> <span class="sy0">=</span> <span class="br0">(</span><span class="kw1">Get-Item</span> HKLM:\<span class="br0">)</span>.OpenSubKey<span class="br0">(</span><span class="st0">'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'</span><span class="sy0">,</span> <span class="re0">$true</span><span class="br0">)</span>.CreateSubKey<span class="br0">(</span><span class="re0">$secureKeyExchangeAlgorithm</span><span class="br0">)</span>
  <span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm"</span> <span class="kw5">-name</span> <span class="st0">'Enabled'</span> <span class="kw5">-value</span> <span class="st0">'0xffffffff'</span> <span class="kw5">-PropertyType</span> <span class="st0">'DWord'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
  <span class="re0">$key</span>.close<span class="br0">(</span><span class="br0">)</span>
  <span class="kw1">Write-Host</span> <span class="st0">"KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."</span>
<span class="br0">}</span>
 
<span class="co1"># Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).</span>
<span class="re0">$os</span> <span class="sy0">=</span> <span class="kw1">Get-WmiObject</span> <span class="kw5">-class</span> Win32_OperatingSystem
<span class="kw3">if</span> <span class="br0">(</span><span class="br0">[</span>System.Version<span class="br0">]</span><span class="re0">$os</span>.Version <span class="kw4">-lt</span> <span class="br0">[</span>System.Version<span class="br0">]</span><span class="st0">'10.0'</span><span class="br0">)</span> <span class="br0">{</span>
  <span class="kw1">Write-Host</span> <span class="st0">'Use cipher suites order for Windows 2008R2/2012/2012R2.'</span>
  <span class="re0">$cipherSuitesOrder</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_GCM_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_GCM_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_3DES_EDE_CBC_SHA'</span>
  <span class="br0">)</span>
<span class="br0">}</span>
<span class="kw3">else</span> <span class="br0">{</span>
  <span class="kw1">Write-Host</span> <span class="st0">'Use cipher suites order for Windows 10/2016 and later.'</span>
  <span class="re0">$cipherSuitesOrder</span> <span class="sy0">=</span> <span class="sy0">@</span><span class="br0">(</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_GCM_SHA384'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_GCM_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_CBC_SHA256'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_256_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_AES_128_CBC_SHA'</span><span class="sy0">,</span>
    <span class="st0">'TLS_RSA_WITH_3DES_EDE_CBC_SHA'</span>
  <span class="br0">)</span>
<span class="br0">}</span>
<span class="re0">$cipherSuitesAsString</span> <span class="sy0">=</span> <span class="br0">[</span><span class="re3">string</span><span class="br0">]</span>::join<span class="br0">(</span><span class="st0">','</span><span class="sy0">,</span> <span class="re0">$cipherSuitesOrder</span><span class="br0">)</span>
<span class="co1"># One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.</span>
<span class="kw1">New-Item</span> <span class="st0">'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'</span> <span class="kw5">-ErrorAction</span> SilentlyContinue
<span class="kw1">New-ItemProperty</span> <span class="kw5">-path</span> <span class="st0">'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'</span> <span class="kw5">-name</span> <span class="st0">'Functions'</span> <span class="kw5">-value</span> <span class="re0">$cipherSuitesAsString</span> <span class="kw5">-PropertyType</span> <span class="st0">'String'</span> <span class="kw5">-Force</span> <span class="sy0">|</span> <span class="kw1">Out-Null</span>
 
<span class="kw1">Write-Host</span> <span class="st0">'--------------------------------------------------------------------------------'</span>
<span class="kw1">Write-Host</span> <span class="st0">'NOTE: After the system has been rebooted you can verify your server'</span>
<span class="kw1">Write-Host</span> <span class="st0">'      configuration at https://www.ssllabs.com/ssltest/'</span>
<span class="kw1">Write-Host</span> <span class="st0">"--------------------------------------------------------------------------------<span class="es0">`n</span>"</span>
 
<span class="kw1">Write-Host</span> <span class="kw5">-ForegroundColor</span> Red <span class="st0">'A computer restart is required to apply settings. Restart computer now?'</span>
Restart<span class="sy0">-</span>Computer <span class="kw5">-Force</span> <span class="kw5">-Confirm</span></pre>
<pre>

8 Comments:

  1. Why at the top of this article do you show how to disable the use of SSL 3.0 and then in the full script at the bottom you are enabling it?

    • I see how that can be confusing. So a couple things..

      1. I am not the original writer of the script by any means. The original writer as I credited is Alexander Hass. I simply break down his script throughout my post so people can understand what each part is doing and only execute specific sections based on their goals.

      2. At the top he is adding SSLv3 for support and enabling it so one can for sure disable SSLv2. The in the middle, it disables SSLv3. However as noted, this part is commented out.

      Disabling SSLv3 completely is definitely the most recommended thing to do in terms of security but unfortunately can cause compatibility issues still in some applications and middle-ware. So I encourage everyone to pursue disabling it but but aware of the possible side effects.

  2. Can I get a new personal email contact? Quick question about SSL script!

  3. FYI, Alexander now disables use of MD5 hash (sets value to '0') as of his ver 1.3. His comment being "07.11.2014: Disabled MD5 chipher as this is not used.".
    I haven't substantiated what "it's not used" means, but I wanted to point out the change.

    I've actually been leaving it enabled, as I don't have a test mechanism to see what removing might break; additionally, at his word, if now it "isn't used" then whether it's enabled or disabled shouldn't matter.

    /Acey

  4. Great article. All the security hardening steps required to meet the current threat profile. Please keep this up to date as things develop !

  5. Hello,
    this is a very cool article! But i have one more question… Can i use this Script on a IIS 8.5 on Exchange 2013 Server?

Leave a Reply

Your email address will not be published. Required fields are marked *