Enforcing TLS 1.2

2 years ago
21 December 2021
3 replies
434 views

Userlevel 2

TJ_Coppola
Novice
20 replies

Evaluation:

$enabledProtocolList = @("TLS 1.2","TLS 1.3")
$disabledProtocolList = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1")
$ProtocolSubKeyList = @("Client", "Server")
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
$evalCount = 0

foreach($Protocol in $enabledProtocolList)
{
    foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Checking" $currentRegPath
    $currentEnableValue = Get-ItemProperty -Path $currentRegPath -name $Enabled
    if($currentEnableValue.Enabled -ne 1)
    {
      $errorMsg = "[error]" + $protocol + "\" + $key + " is set to disabled. Not compliant."
      Write-Host $errorMsg
      $evalCount ++
    }
  }
}
foreach($Protocol in $disabledProtocolList)
{
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Checking" $currentRegPath
    $currentEnableValue = Get-ItemProperty -Path $currentRegPath -name $Enabled
    if($currentEnableValue -eq 1)
    {
      $errorMsg = "[error]" + $protocol + "\" + $key + " is set to enabled. Not compliant."
      Write-Host $errorMsg
      $evalCount ++
    }
  }
}

if($evalCount > 0)
{
  exit 1
}
else
{
  exit 0
}

Remediation:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach($Protocol in $ProtocolList)
{
  Write-Host " In 1st For loop"
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host " Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "creating the registry"
      New-Item -Path $currentRegPath -Force | out-Null
    }
    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "Working for TLS 1.2"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    if($Protocol -eq "TLS 1.3")
    {
      Write-Host "Working for TLS 1.3"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    else
    {
      Write-Host "Working for other protocol"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}

3 replies

bfrey
Power User
23 replies
2 years ago
23 December 2021

I get an error when running this...

I was able to get it to run successfully by clicking at the start of Line 2 > pressing Backspace once > pressing Enter once > re-running script.

Tried same thing in Worklet Evaluation Code > Saved > Ran manually > Still failed.

Any ideas?

S

this code is missing a } before the else statement.

Remediation:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach($Protocol in $ProtocolList)
{
  Write-Host " In 1st For loop"
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host " Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "creating the registry"
      New-Item -Path $currentRegPath -Force | out-Null
    }
    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "Working for TLS 1.2"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    if($Protocol -eq "TLS 1.3")
    {
      Write-Host "Working for TLS 1.3"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    else
    {
      Write-Host "Working for other protocol"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}

C

Hi,

There’s a bug in the remediation code, it will actually deactivate TLS 1.2 instead of activating it because of a bad if/else logic!

Here’s my improved version:

$ProtocolList       = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

Write-Host "Started..."
foreach($Protocol in $ProtocolList)
{
  foreach($key in $ProtocolSubKeyList)
  {
    $currentRegPath = $registryPath + $Protocol + "\" + $key
    Write-Host "Current Registry Path $currentRegPath"

    if(!(Test-Path $currentRegPath))
    {
      Write-Host "-- Adding registry entry"
      New-Item -Path $currentRegPath -Force | out-Null
    }

    if($Protocol -eq "TLS 1.2")
    {
      Write-Host "-- Activating registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    elseif($Protocol -eq "TLS 1.3")
    {
      Write-Host "-- Activating registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
    }
    else
    {
      Write-Host "-- Disabling registry entry"
      New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
      New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
    }
  }
}
Write-Host "Finished..."

Hope this helps!

C.

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded