
Enforcing TLS 1.2

  • December 21, 2021
  • 3 replies
  • 522 views

TJ_Coppola

Evaluation:

$enabledProtocolList  = @("TLS 1.2", "TLS 1.3")
$disabledProtocolList = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1")
$ProtocolSubKeyList   = @("Client", "Server")
$Enabled = "Enabled"
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
$evalCount = 0

# Protocols that must be enabled: a missing key or value also counts as non-compliant,
# because the check requires the setting to be present explicitly.
foreach($Protocol in $enabledProtocolList)
{
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Checking" $currentRegPath
    # -ErrorAction SilentlyContinue: a missing key or value yields $null instead of a red error.
    $currentEnableValue = Get-ItemProperty -Path $currentRegPath -Name $Enabled -ErrorAction SilentlyContinue
    if($currentEnableValue.Enabled -ne 1)
    {
      $errorMsg = "[error]" + $Protocol + "\" + $key + " is set to disabled. Not compliant."
      Write-Host $errorMsg
      $evalCount++
    }
  }
}

# Protocols that must be disabled.
foreach($Protocol in $disabledProtocolList)
{
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Checking" $currentRegPath
    $currentEnableValue = Get-ItemProperty -Path $currentRegPath -Name $Enabled -ErrorAction SilentlyContinue
    # Compare the Enabled property, not the whole object returned by Get-ItemProperty
    # (the object itself is never -eq 1, so the original comparison could never fire).
    if($currentEnableValue.Enabled -eq 1)
    {
      $errorMsg = "[error]" + $Protocol + "\" + $key + " is set to enabled. Not compliant."
      Write-Host $errorMsg
      $evalCount++
    }
  }
}

# -gt is the comparison operator; a bare > is output redirection in PowerShell,
# which would write to a file named "0" and leave the condition always false.
if($evalCount -gt 0)
{
  exit 1
}
else
{
  exit 0
}


Remediation:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach($Protocol in $ProtocolList)
{
  Write-Host " In 1st For loop"
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host " Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "creating the registry"
      New-Item -Path $currentRegPath -Force | out-Null
    }
    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "Working for TLS 1.2"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    if($Protocol -eq "TLS 1.3")
    {
      Write-Host "Working for TLS 1.3"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    else
    {
      Write-Host "Working for other protocol"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}
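
The evaluation script above reads only the Enabled value and reports a missing key the same way as a disabled one. As an added example, not code from the original post or from any reply in this thread, the following evaluation reads both Enabled and DisabledByDefault for the Client and Server sides, reports a missing key separately as "OS default applies, not explicitly enforced", and keeps the same exit-code convention (exit 1 means remediation is required). The function and variable names are my own, and the policy that every listed protocol must be configured explicitly is an assumption.

```powershell
# Added example: SCHANNEL protocol evaluation reading Enabled and DisabledByDefault.
# Exit 1 = remediation required, exit 0 = compliant (same convention as the thread).

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Desired state (assumed policy): $true = must be enabled, $false = must be disabled.
$desired = [ordered]@{
    "SSL 2.0" = $false
    "SSL 3.0" = $false
    "TLS 1.0" = $false
    "TLS 1.1" = $false
    "TLS 1.2" = $true
    "TLS 1.3" = $true
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is "Client" or "Server"
    $keyPath = Join-Path $registryPath "$Protocol\$Side"
    if (-not (Test-Path $keyPath)) {
        # No key at all: Windows uses its built-in default for this protocol.
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; KeyExists = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        KeyExists         = $true
        Enabled           = $props.Enabled             # $null when the value is absent
        DisabledByDefault = $props.DisabledByDefault   # $null when the value is absent
    }
}

function Test-SchannelCompliance {
    $findings = @()
    foreach ($protocol in $desired.Keys) {
        foreach ($side in "Client", "Server") {
            $state = Get-SchannelProtocolState -Protocol $protocol -Side $side
            $shouldBeEnabled = $desired[$protocol]
            if (-not $state.KeyExists) {
                $findings += "$protocol\$side`: key missing, OS default applies (not explicitly enforced)"
                continue
            }
            # Explicitly enabled = Enabled present and non-zero AND DisabledByDefault = 0.
            # Explicitly disabled = Enabled = 0 (DisabledByDefault = 1 is the usual companion value).
            $isEnabled  = ($null -ne $state.Enabled) -and ($state.Enabled -ne 0) -and ($state.DisabledByDefault -eq 0)
            $isDisabled = ($state.Enabled -eq 0)
            $found = "Enabled=$($state.Enabled) DisabledByDefault=$($state.DisabledByDefault)"
            if ($shouldBeEnabled -and -not $isEnabled) {
                $findings += "$protocol\$side`: expected enabled, found $found"
            }
            elseif (-not $shouldBeEnabled -and -not $isDisabled) {
                $findings += "$protocol\$side`: expected disabled, found $found"
            }
        }
    }
    return $findings
}

$findings = @(Test-SchannelCompliance)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Host "[error] $_" }
    exit 1
}
Write-Host "All SCHANNEL protocol settings are compliant."
exit 0
```

Wrapping the call in `@(...)` keeps `$findings` an array even when the function returns a single string or nothing, so `.Count` behaves the same in every case.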


3 replies

bfrey
  • Power User
  • 23 replies
  • December 23, 2021

I get an error when running this...

I was able to get it to run successfully by clicking at the start of Line 2 > pressing Backspace once > pressing Enter once > re-running script.

Tried same thing in Worklet Evaluation Code > Saved > Ran manually > Still failed.

Any ideas?



This code is missing a } before the else statement.

Remediation:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach($Protocol in $ProtocolList)
{
  Write-Host " In 1st For loop"
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host " Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "creating the registry"
      New-Item -Path $currentRegPath -Force | out-Null
    }
    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "Working for TLS 1.2"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    if($Protocol -eq "TLS 1.3")
    {
      Write-Host "Working for TLS 1.3"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    else
    {
      Write-Host "Working for other protocol"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}

  • Rookie
  • 1 reply
  • October 25, 2023

Hi,

There’s a bug in the remediation code: it will actually deactivate TLS 1.2 instead of activating it because of bad if/else logic!

Here’s my improved version:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

Write-Host "Started..."
foreach($Protocol in $ProtocolList)
{
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "-- Adding registry entry"
      New-Item -Path $currentRegPath -Force | out-Null
    }

    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "-- Activating registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    elseif($Protocol -eq "TLS 1.3")
    {
      Write-Host "-- Activating registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    else
    {
      Write-Host "-- Disabling registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}
Write-Host "Finished..."

Hope this helps!

C.
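
The improved remediation in the reply above writes every value on every run, whether or not it already matches. As an added example, not code from the reply or from the original post, this version compares each value against the target first and writes only what differs, so repeated runs are no-ops and the output lists exactly what changed; adding -WhatIf to the call previews the writes without touching the registry. The desired state is the same as in the thread (TLS 1.2 and 1.3 enabled, everything older disabled); the function and variable names are my own.

```powershell
# Added example: idempotent desired-state remediation for SCHANNEL protocols.

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# $true = enable the protocol, $false = disable it (same policy as the thread).
$desired = [ordered]@{
    "SSL 2.0" = $false; "SSL 3.0" = $false; "TLS 1.0" = $false; "TLS 1.1" = $false
    "TLS 1.2" = $true;  "TLS 1.3" = $true
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [bool]$Enable
    )
    # Target values: enabled  => Enabled=1, DisabledByDefault=0
    #                disabled => Enabled=0, DisabledByDefault=1
    $target = @{ Enabled = [int]$Enable; DisabledByDefault = [int](-not $Enable) }
    $changed = 0
    foreach ($side in "Client", "Server") {
        $keyPath = Join-Path $registryPath "$Protocol\$side"
        if (-not (Test-Path $keyPath)) {
            if ($PSCmdlet.ShouldProcess($keyPath, "Create key")) {
                New-Item -Path $keyPath -Force | Out-Null
            }
        }
        # $null when the key does not exist yet (for example under -WhatIf).
        $current = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        foreach ($name in $target.Keys) {
            $currentValue = if ($current) { $current.$name } else { $null }
            if ($currentValue -eq $target[$name]) { continue }   # already correct, nothing to write
            if ($PSCmdlet.ShouldProcess($keyPath, "Set $name=$($target[$name]) (was '$currentValue')")) {
                # -Force overwrites an existing value; -PropertyType DWORD creates it as REG_DWORD when absent.
                New-ItemProperty -Path $keyPath -Name $name -Value $target[$name] -PropertyType DWORD -Force | Out-Null
                Write-Host "$Protocol\$side`: $name set to $($target[$name])"
                $changed++
            }
        }
    }
    return $changed
}

$totalChanges = 0
foreach ($protocol in $desired.Keys) {
    $totalChanges += Set-SchannelProtocol -Protocol $protocol -Enable $desired[$protocol]
}
Write-Host "Values written: $totalChanges"
if ($totalChanges -gt 0) {
    # SCHANNEL reads these values at startup, so the change is not effective until the machine restarts.
    Write-Host "A reboot is required for the SCHANNEL changes to take effect."
}
```

Because the function only writes when a value differs, the "Values written" count doubles as a change indicator: a second run immediately after the first reports 0, which is a useful sanity check when the remediation is scheduled to run repeatedly.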

