API tools faq
paste
Advertisement
opexxx

pfs4iis.ps1

opexxx
Nov 25th, 2014
298
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 10.29 KB | None | 0 0
raw download clone embed print report
  1. # Copyright 2014, Alexander Hass
  2. # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
  3. #
  4. # Version 1.3
  5. # - MD5 has been disabled.
  6. # Version 1.2
  7. # - Re-factored code style and output
  8. # Version 1.1
  9. # - SSLv3 has been disabled. (Poodle attack protection)
  10.  
  11. Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
  12. Write-Host '--------------------------------------------------------------------------------'
  13.  
  14. # Disable Multi-Protocol Unified Hello
  15. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
  16. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  17. Write-Host 'Multi-Protocol Unified Hello has been disabled.'
  18.  
  19. # Disable PCT 1.0
  20. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
  21. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  22. Write-Host 'PCT 1.0 has been disabled.'
  23.  
  24. # Disable SSL 2.0 (PCI Compliance)
  25. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
  26. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  27. Write-Host 'SSL 2.0 has been disabled.'
  28.  
  29. # NOTE: If you disable SSL 3.0 the you may lock out some people still using
  30. # Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
  31. # for these people to fall back. Safer shopping certifications may require that
  32. # you disable SSLv3.
  33. #
  34. # Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
  35. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
  36. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  37. Write-Host 'SSL 3.0 has been disabled.'
  38.  
  39. # Add and Enable TLS 1.0 for client and server SCHANNEL communications
  40. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
  41. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  42. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  43. Write-Host 'TLS 1.0 has been enabled.'
  44.  
  45. # Add and Enable TLS 1.1 for client and server SCHANNEL communications
  46. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
  47. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
  48. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  49. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  50. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null
  51. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  52. Write-Host 'TLS 1.1 has been enabled.'
  53.  
  54. # Add and Enable TLS 1.2 for client and server SCHANNEL communications
  55. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
  56. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
  57. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  58. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  59. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force | Out-Null
  60. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
  61. Write-Host 'TLS 1.2 has been enabled.'
  62.  
  63. # Re-create the ciphers key.
  64. New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
  65.  
  66. # Disable insecure/weak ciphers.
  67. $insecureCiphers = @(
  68.   'DES 56/56',
  69.   'NULL',
  70.   'RC2 128/128',
  71.   'RC2 40/128',
  72.   'RC2 56/128',
  73.   'RC4 40/128',
  74.   'RC4 56/128',
  75.   'RC4 64/128'
  76. )
  77. Foreach ($insecureCipher in $insecureCiphers) {
  78.   $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  79.   $key.SetValue('Enabled', 0, 'DWord')
  80.   $key.close()
  81.   Write-Host "Weak cipher $insecureCipher has been disabled."
  82. }
  83.  
  84. # Enable new secure ciphers.
  85. # - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
  86. # - 3DES: It is recommended to disable these in near future.
  87. $secureCiphers = @(
  88.   'AES 128/128',
  89.   'AES 256/256',
  90.   'RC4 128/128',
  91.   'Triple DES 168/168'
  92. )
  93. Foreach ($secureCipher in $secureCiphers) {
  94.   $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  95.   New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  96.   $key.close()
  97.   Write-Host "Strong cipher $secureCipher has been enabled."
  98. }
  99.  
  100. # Set hashes configuration.
  101. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
  102. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
  103.  
  104. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force | Out-Null
  105. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  106.  
  107. # Set KeyExchangeAlgorithms configuration.
  108. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force | Out-Null
  109. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  110.  
  111. New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force | Out-Null
  112. New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  113.  
  114. # Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
  115. $cipherSuitesOrder = @(
  116.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
  117.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
  118.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
  119.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
  120.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
  121.   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
  122.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
  123.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
  124.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
  125.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
  126.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
  127.   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
  128.   'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
  129.   'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
  130.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
  131.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
  132.   'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
  133.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
  134.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
  135.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
  136.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
  137.   'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
  138.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
  139.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
  140.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
  141.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
  142.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
  143.   'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
  144.   'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
  145.   'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
  146.   'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
  147.   'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
  148.   'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
  149.   'TLS_RSA_WITH_AES_256_CBC_SHA256',
  150.   'TLS_RSA_WITH_AES_256_CBC_SHA',
  151.   'TLS_RSA_WITH_AES_128_CBC_SHA256',
  152.   'TLS_RSA_WITH_AES_128_CBC_SHA',
  153.   'TLS_RSA_WITH_RC4_128_SHA',
  154.   'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
  155. )
  156. $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
  157. New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
  158.  
  159. Write-Host '--------------------------------------------------------------------------------'
  160. Write-Host 'NOTE: After the system has been rebooted you can verify your server'
  161. Write-Host '      configuration at https://www.ssllabs.com/ssltest/'
  162. Write-Host "--------------------------------------------------------------------------------`n"
  163.  
  164. Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
  165. Restart-Computer -Force -Confirm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!