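###############################################################################################
# Source      : https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
# Description : Restricts the SCHANNEL protocols, ciphers, hashes, key-exchange algorithms and
#               cipher-suite order used by IIS (and by every other SCHANNEL consumer on the host).
# Notes       : Writes under HKLM, so it must run from an elevated session. SCHANNEL settings
#               are generally picked up only after a reboot -- plan one.
###############################################################################################

# Refuse early instead of failing half-way through: every write below targets HKLM.
$currentPrincipal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script modifies HKLM and must be run from an elevated (Administrator) PowerShell session.'
}

# A failed registry write must not be followed by a "has been disabled." message. Cmdlet errors
# are non-terminating by default (the script would print success and carry on); make them stop.
$ErrorActionPreference = 'Stop'

#######################################
# Creates the SCHANNEL registry key for one protocol/side pair and writes its
# Enabled value, plus DisabledByDefault when that parameter is supplied.
# Arguments: -Protocol          key name under ...\SCHANNEL\Protocols, e.g. 'TLS 1.2'
#            -Side              'Server' or 'Client'
#            -Enabled           value stored in the Enabled DWord (0 = off)
#            -DisabledByDefault optional value stored in the DisabledByDefault DWord
# Returns:   nothing; a failed write terminates the script via $ErrorActionPreference
#######################################
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)] [string] $Protocol,
        [Parameter(Mandatory = $true)] [ValidateSet('Server', 'Client')] [string] $Side,
        [Parameter(Mandatory = $true)] $Enabled,
        $DisabledByDefault
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    New-Item $keyPath -Force | Out-Null
    New-ItemProperty -Path $keyPath -Name 'Enabled' -Value $Enabled -PropertyType 'DWord' -Force | Out-Null
    # The "disable" sections write Enabled alone; only the "enable" sections also set DisabledByDefault.
    if ($PSBoundParameters.ContainsKey('DisabledByDefault')) {
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -Value $DisabledByDefault -PropertyType 'DWord' -Force | Out-Null
    }
}

# --- Obsolete protocols: switch off the server side -------------------------------------------
# Multi-Protocol Unified Hello, PCT 1.0, SSL 2.0 and SSL 3.0 (POODLE) are not needed by any
# current client; SSL 2.0/3.0 off is also a PCI compliance requirement.
foreach ($obsoleteProtocol in @('Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0')) {
    Set-SchannelProtocol -Protocol $obsoleteProtocol -Side 'Server' -Enabled 0
    Write-Host "$obsoleteProtocol has been disabled."
}

# --- Legacy TLS 1.0 / TLS 1.1 ------------------------------------------------------------------
# The upstream script enables both. They are deprecated (RFC 8996) and current PCI DSS / CIS
# baselines expect them off. $true keeps the upstream behaviour; $false disables the same
# protocol/side pairs instead (Enabled = 0, DisabledByDefault = 1).
$enableLegacyTls = $true

# NOTE(review): upstream configures only the TLS 1.0 *Server* side although its comment says
# "client and server"; TLS 1.1 gets both sides. That asymmetry is preserved here.
$legacyTls = @(
    @{ Protocol = 'TLS 1.0'; Sides = @('Server') },
    @{ Protocol = 'TLS 1.1'; Sides = @('Server', 'Client') }
)
foreach ($entry in $legacyTls) {
    foreach ($side in $entry.Sides) {
        if ($enableLegacyTls) {
            # Upstream stores the historical "all bits" 0xffffffff for Server and 1 for Client.
            $enabledValue = if ($side -eq 'Server') { '0xffffffff' } else { 1 }
            Set-SchannelProtocol -Protocol $entry.Protocol -Side $side -Enabled $enabledValue -DisabledByDefault 0
        } else {
            Set-SchannelProtocol -Protocol $entry.Protocol -Side $side -Enabled 0 -DisabledByDefault 1
        }
    }
    $legacyState = if ($enableLegacyTls) { 'enabled' } else { 'disabled' }
    Write-Host "$($entry.Protocol) has been $legacyState."
}

# --- TLS 1.2: enable for server and client -----------------------------------------------------
# TLS 1.3 is not handled by this script at all.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side 'Server' -Enabled '0xffffffff' -DisabledByDefault 0
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side 'Client' -Enabled 1 -DisabledByDefault 0
Write-Host 'TLS 1.2 has been enabled.'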
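# Re-create the ciphers key.
# Use a drive-qualified path: upstream's 'HKLM:SYSTEM\...' (no backslash after the colon) is
# relative to the HKLM: drive's current location and only happens to work from its root.
$ciphersKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
New-Item $ciphersKeyPath -Force -ErrorAction Stop | Out-Null

# Disable insecure/weak ciphers.
# The key names contain '/', which the registry provider treats as a path separator, so the
# subkeys are created through the .NET registry API instead of New-Item.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128'
)
# NOTE(review): 3DES ('Triple DES 168') is not in this list and stays enabled (Sweet32);
# it is still referenced by the *_3DES_EDE_CBC_SHA suites in the cipher-suite order below.

# Open the parent once, writable, instead of re-opening it per cipher as upstream does.
$ciphersRoot = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
if ($null -eq $ciphersRoot) {
    throw "Could not open $ciphersKeyPath for writing."
}
try {
    foreach ($insecureCipher in $insecureCiphers) {
        $cipherKey = $ciphersRoot.CreateSubKey($insecureCipher)
        try {
            $cipherKey.SetValue('Enabled', 0, 'DWord')
        } finally {
            # Release the handle even if SetValue throws.
            $cipherKey.Close()
        }
        Write-Host "Weak cipher $insecureCipher has been disabled."
    }
} finally {
    $ciphersRoot.Close()
}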
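# Set hashes configuration: MD5 off, SHA on.
# 'SHA' is SCHANNEL's key for SHA-1; the SHA-2 hashes have their own keys and are not touched here.
$hashesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes'
$hashStates = @(
    @{ Name = 'MD5'; Enabled = 0 },
    @{ Name = 'SHA'; Enabled = '0xffffffff' }
)
foreach ($hash in $hashStates) {
    $hashKeyPath = "$hashesRoot\$($hash.Name)"
    # -ErrorAction Stop: a failed write must not be reported as success below.
    New-Item $hashKeyPath -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $hashKeyPath -Name 'Enabled' -Value $hash.Enabled -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
    $hashState = if ($hash.Enabled -eq 0) { 'disabled' } else { 'enabled' }
    Write-Host "Hash $($hash.Name) has been $hashState."
}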
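# Set KeyExchangeAlgorithms configuration: Diffie-Hellman and PKCS (RSA key transport) on.
$keyExchangeRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
foreach ($algorithm in @('Diffie-Hellman', 'PKCS')) {
    $algorithmKeyPath = "$keyExchangeRoot\$algorithm"
    # -ErrorAction Stop: a failed write must not be reported as success below.
    New-Item $algorithmKeyPath -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $algorithmKeyPath -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
    Write-Host "Key exchange algorithm $algorithm has been enabled."
}
# NOTE(review): ECDH, which the ECDHE suites preferred in the cipher-suite order rely on, is not
# configured here and keeps the OS default; Diffie-Hellman's minimum server key length (Logjam
# mitigation) is likewise left at the default -- confirm both on the target build.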
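# Set cipher suites order as secure as possible.
# ECDHE suites (forward secrecy) come first; the DHE_DSS, plain RSA and 3DES suites at the tail
# are fallbacks, so this order *prefers* Perfect Forward Secrecy rather than enforcing it.
$cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)
# NOTE(review): the two *_3DES_EDE_CBC_SHA suites are affected by Sweet32, there are no
# ECDHE_RSA GCM suites, and the _P256/_P384/_P521 suffixes are the naming used by Windows
# Server 2008 R2 / 2012 -- newer Windows drops the suffix and orders curves separately. Check
# the names against Get-TlsCipherSuite on the target OS before relying on this order.

$cipherSuitesAsString = $cipherSuitesOrder -join ','

# The SSL Cipher Suite Order policy string has a documented length limit (1023 characters on
# the Windows versions this list targets); anything beyond it is reportedly ignored, which
# silently drops the suites at the end. The list above is longer than that, so warn loudly.
$maxFunctionsLength = 1023
if ($cipherSuitesAsString.Length -gt $maxFunctionsLength) {
    Write-Warning "Cipher suite order is $($cipherSuitesAsString.Length) characters (limit $maxFunctionsLength); trailing suites may be ignored -- trim the list."
}

# New-ItemProperty fails with "Cannot find path" when the policy key does not exist yet, which
# is the normal state on a host that never had the SSL Cipher Suite Order policy applied, so
# create it first (every other section of the script already does this).
$policyKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item $policyKeyPath -Force -ErrorAction Stop | Out-Null
New-ItemProperty -Path $policyKeyPath -Name 'Functions' -Value $cipherSuitesAsString -PropertyType 'String' -Force -ErrorAction Stop | Out-Null
Write-Host 'Cipher suite order has been set.'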