Advertisement
opexxx

pfs4iis.ps1

Nov 25th, 2014
300
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Copyright 2014, Alexander Hass
  2. # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
  3. #
  4. # Version 1.3
  5. # - MD5 has been disabled.
  6. # Version 1.2
  7. # - Re-factored code style and output
  8. # Version 1.1
  9. # - SSLv3 has been disabled. (Poodle attack protection)
  10.  
  11. Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
  12. Write-Host '--------------------------------------------------------------------------------'
  13.  
  14. # Disable Multi-Protocol Unified Hello
  15. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
  16. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  17. Write-Host 'Multi-Protocol Unified Hello has been disabled.'
  18.  
  19. # Disable PCT 1.0
  20. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
  21. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  22. Write-Host 'PCT 1.0 has been disabled.'
  23.  
  24. # Disable SSL 2.0 (PCI Compliance)
  25. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
  26. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  27. Write-Host 'SSL 2.0 has been disabled.'
  28.  
  29. # NOTE: If you disable SSL 3.0 the you may lock out some people still using
  30. # Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
  31. # for these people to fall back. Safer shopping certifications may require that
  32. # you disable SSLv3.
  33. #
  34. # Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
  35. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
  36. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  37. Write-Host 'SSL 3.0 has been disabled.'
  38.  
  39. # Add and Enable TLS 1.0 for client and server SCHANNEL communications
  40. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
  41. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  42. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  43. Write-Host 'TLS 1.0 has been enabled.'
  44.  
  45. # Add and Enable TLS 1.1 for client and server SCHANNEL communications
  46. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
  47. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
  48. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  49. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  50. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null
  51. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  52. Write-Host 'TLS 1.1 has been enabled.'
  53.  
  54. # Add and Enable TLS 1.2 for client and server SCHANNEL communications
  55. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
  56. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
  57. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  58. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  59. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null
  60. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  61. Write-Host 'TLS 1.2 has been enabled.'
  62.  
  63. # Re-create the ciphers key.
  64. New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
  65.  
  66. # Disable insecure/weak ciphers.
  67. $insecureCiphers = @(
  68.   'DES 56/56',
  69.   'NULL',
  70.   'RC2 128/128',
  71.   'RC2 40/128',
  72.   'RC2 56/128',
  73.   'RC4 40/128',
  74.   'RC4 56/128',
  75.   'RC4 64/128'
  76. )
  77. Foreach ($insecureCipher in $insecureCiphers) {
  78.   $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  79.   $key.SetValue('Enabled', 0, 'DWord')
  80.   $key.close()
  81.   Write-Host "Weak cipher $insecureCipher has been disabled."
  82. }
  83.  
  84. # Enable new secure ciphers.
  85. # - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
  86. # - 3DES: It is recommended to disable these in near future.
  87. $secureCiphers = @(
  88.   'AES 128/128',
  89.   'AES 256/256',
  90.   'RC4 128/128',
  91.   'Triple DES 168/168'
  92. )
  93. Foreach ($secureCipher in $secureCiphers) {
  94.   $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  95.   New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  96.   $key.close()
  97.   Write-Host "Strong cipher $secureCipher has been enabled."
  98. }
  99.  
  100. # Set hashes configuration.
  101. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
  102. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  103.  
  104. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force | Out-Null
  105. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  106.  
  107. # Set KeyExchangeAlgorithms configuration.
  108. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force | Out-Null
  109. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  110.  
  111. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force | Out-Null
  112. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  113.  
  114. # Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
  115. $cipherSuitesOrder = @(
  116.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
  117.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
  118.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
  119.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
  120.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
  121.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
  122.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
  123.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
  124.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
  125.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
  126.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
  127.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
  128.   'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
  129.   'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
  130.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
  131.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
  132.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
  133.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
  134.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
  135.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
  136.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
  137.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
  138.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
  139.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
  140.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
  141.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
  142.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
  143.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
  144.   'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
  145.   'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
  146.   'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
  147.   'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
  148.   'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
  149.   'TLS_RSA_WITH_AES_256_CBC_SHA256',
  150.   'TLS_RSA_WITH_AES_256_CBC_SHA',
  151.   'TLS_RSA_WITH_AES_128_CBC_SHA256',
  152.   'TLS_RSA_WITH_AES_128_CBC_SHA',
  153.   'TLS_RSA_WITH_RC4_128_SHA',
  154.   'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
  155. )
  156. $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
  157. New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
  158.  
  159. Write-Host '--------------------------------------------------------------------------------'
  160. Write-Host 'NOTE: After the system has been rebooted you can verify your server'
  161. Write-Host '      configuration at https://www.ssllabs.com/ssltest/'
  162. Write-Host "--------------------------------------------------------------------------------`n"
  163.  
  164. Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
  165. Restart-Computer -Force -Confirm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement