1+ # You can use the -SetCipherOrder (or -sco) option to also set the TLS cipher
2+ # suite order. Change the cipherorder variable below to the order you want to set on the
3+ # server. Setting this requires a reboot to take effect.
4+
5+ Param (
6+ [parameter (Mandatory = $false )]
7+ [alias (" sco" )]
8+ [switch ]$SetCipherOrder )
9+
10+ $regkeys = @ (
11+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" ,
12+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ,
13+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ,
14+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" ,
15+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ,
16+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ,
17+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" ,
18+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" ,
19+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ,
20+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" ,
21+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ,
22+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ,
23+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" ,
24+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ,
25+ " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ,
26+ " HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
27+ )
28+ $cipherorder = " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
29+ $cipherorder += " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
30+ $cipherorder += " TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
31+ $cipherorder += " TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
32+
33+ # If any settings are changed, this will change to $True and the server will reboot
34+ $reboot = $False
35+
36+ Function DisableRC4 {
37+ param ( $restart )
38+ $subkeys = Get-Item - Path " HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
39+ $ciphers = $subkeys.OpenSubKey (" Ciphers" , $true )
40+
41+ if ($ciphers.SubKeyCount -eq 0 ) {
42+ $k1 = $ciphers.CreateSubKey (" RC4 128/128" )
43+ $k1.SetValue (" Enabled" , 0 , [Microsoft.Win32.RegistryValueKind ]::DWord)
44+ $restart = $true
45+ $k2 = $ciphers.CreateSubKey (" RC4 64/128" )
46+ $k2.SetValue (" Enabled" , 0 , [Microsoft.Win32.RegistryValueKind ]::DWord)
47+ $k3 = $ciphers.CreateSubKey (" RC4 56/128" )
48+ $k3.SetValue (" Enabled" , 0 , [Microsoft.Win32.RegistryValueKind ]::DWord)
49+ $k4 = $ciphers.CreateSubKey (" RC4 40/128" )
50+ $k4.SetValue (" Enabled" , 0 , [Microsoft.Win32.RegistryValueKind ]::DWord)
51+ }
52+ }
53+
54+ Function Set-CryptoSetting {
55+ param (
56+ $keyindex ,
57+ $value ,
58+ $valuedata ,
59+ $valuetype ,
60+ $restart
61+ )
62+
63+ # Check for existence of registry key, and create if it does not exist
64+ If (! (Test-Path - Path $regkeys [$keyindex ])) {
65+ New-Item $regkeys [$keyindex ] | Out-Null
66+ }
67+
68+ # Get data of registry value, or null if it does not exist
69+ $val = (Get-ItemProperty - Path $regkeys [$keyindex ] - Name $value - ErrorAction SilentlyContinue).$value
70+
71+ If ($val -eq $null ) {
72+ # Value does not exist - create and set to desired value
73+ New-ItemProperty - Path $regkeys [$keyindex ] - Name $value - Value $valuedata - PropertyType $valuetype | Out-Null
74+ $restart = $True
75+ } Else {
76+ # Value does exist - if not equal to desired value, change it
77+ If ($val -ne $valuedata ) {
78+ Set-ItemProperty - Path $regkeys [$keyindex ] - Name $value - Value $valuedata
79+ $restart = $True
80+ }
81+ }
82+ }
83+
84+ # Check for existence of parent registry keys (SSL 2.0 and SSL 3.0), and create if they do not exist
85+ For ($i = 9 ; $i -le 12 ; $i = $i + 3 ) {
86+ If (! (Test-Path - Path $regkeys [$i ])) {
87+ New-Item $regkeys [$i ] | Out-Null
88+ }
89+ }
90+
91+ # Ensure SSL 2.0 disabled for client
92+ $reboot = Set-CryptoSetting 10 DisabledByDefault 1 DWord $reboot
93+
94+ # Ensure SSL 2.0 disabled for server
95+ $reboot = Set-CryptoSetting 11 Enabled 0 DWord $reboot
96+
97+ # Ensure SSL 3.0 disabled for client
98+ $reboot = Set-CryptoSetting 13 DisabledByDefault 1 DWord $reboot
99+
100+ # Ensure SSL 3.0 disabled for server
101+ $reboot = Set-CryptoSetting 14 Enabled 0 DWord $reboot
102+
103+ DisableRC4($reboot )
104+
105+ If ($SetCipherOrder ) {
106+ If (! (Test-Path - Path $regkeys [15 ])) {
107+ New-Item $regkeys [15 ] | Out-Null
108+ $restart = $True
109+ }
110+
111+ $val = (Get-Item - Path $regkeys [15 ] - ErrorAction SilentlyContinue).GetValue(" Functions" , $null )
112+
113+ if ($val -ne $cipherorder )
114+ {
115+ Set-ItemProperty - Path $regkeys [15 ] - Name Functions - Value $cipherorder
116+ $restart = $True
117+ }
118+ }
119+
120+
121+ # If any settings were changed, reboot
122+ If ($reboot ) {
123+ Write-Host " Rebooting now..."
124+ shutdown.exe / r / t 5 / c " Crypto settings changed" / f / d p:2 :4
125+ }