Deprecating TLS 1.0 and TLS 1.1

There have been many discussions about TLS: what to enable and what to disable. Here is the bottom line: you only need to disable TLS 1.0; both TLS 1.1 and 1.2 are secure and both are PCI DSS compliant.

If you are wondering why you would even use TLS 1.1 when TLS 1.2 is available and more secure, the answer is simple: more software supports TLS 1.1. However, I still recommend disabling it if you can. Remember, TLS 1.3 is already knocking on your door!

Then there is the discussion about whether you need the SchUseStrongCrypto keys. If you use .NET 3.5 then yes, you do need them, since 3.5 did not natively support TLS 1.1 and 1.2 (although a patch released a couple of years ago fixed that). If you use a newer .NET version, the SchUseStrongCrypto keys are NOT required UNLESS you have an application that is coded to specifically request a particular SSL/TLS version, such as 1.0.

Here is a small PowerShell script that will set all the keys you need to do the following:

  • Disable SSL 3.0 and enable Poodle protection
  • Disable TLS 1.0 for both Client and Server
  • Disable TLS 1.1 for both Client and Server
  • Enable TLS 1.2 for both Client and Server
  • Disable MD5 Hash
  • Force .NET to use Strong Crypto (to give everyone that warm fuzzy)
  • Enable Schannel logging, which sends events to the System log; this can be very helpful in troubleshooting.
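#Requires -RunAsAdministrator

# Enable SChannel event logging.
#
# Writes the SCHANNEL\EventLogging DWORD so that Schannel reports handshake
# problems to the System event log (source "Schannel"). The value 1 written
# here requests error-level events only; Schannel reads this key at start-up,
# so expect to need a restart before events appear.
#
# Every write below targets HKLM, hence the #Requires line above: without an
# elevated session each Try block would simply fail into its Catch.
#
# Outputs: a status line on success. Failures are raised on the error stream
#          (Write-Error) rather than printed with Write-Host, so $Error,
#          -ErrorVariable and $ErrorActionPreference see them.
function Enable-SChannelLogging {
    $schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    Try {
        # Out-Null keeps the object New-ItemProperty returns off the pipeline.
        New-ItemProperty -Path $schannelKey -Name 'EventLogging' -Value 1 -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
        Write-Host "SChannel Event Logging has been enabled."
    } Catch {
        Write-Error "Error enabling SChannel Event Logging: $_"
    }
}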

# Turn on Schannel event logging first, so that any handshake failures caused
# by the protocol changes further down are recorded in the System log.
Enable-SChannelLogging

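# Protocol settings live under SCHANNEL\Protocols\<name>\{Server,Client}.
# Each side carries two DWORDs: Enabled (0 = off, 1 = on) and
# DisabledByDefault (1 = not offered unless an application asks for the
# protocol explicitly). Schannel reads these keys at start-up, so a reboot
# is needed before the new settings take effect.
$script:SchannelProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Enable or disable one Schannel protocol for both the Server and Client side.
#
# The four protocol blocks below were identical apart from the key name and
# the 0/1 values, so the registry work is centralised here; this also creates
# the parent 'TLS 1.2' key, which the original TLS 1.2 block skipped.
#
# Parameters:
#   Name    - protocol key name as Schannel spells it, e.g. 'TLS 1.0'
#   Enabled - $true to enable the protocol, $false to disable it
# Returns: $true when every key and value was written; $false on failure,
#          with the error reported on the error stream.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Enabled and DisabledByDefault are always written as opposites.
    $enabledValue  = if ($Enabled) { 1 } else { 0 }
    $disabledValue = if ($Enabled) { 0 } else { 1 }
    $protocolKey = "$script:SchannelProtocolRoot\$Name"
    Try {
        New-Item $protocolKey -Force -ErrorAction Stop | Out-Null
        foreach ($side in 'Server', 'Client') {
            $sideKey = "$protocolKey\$side"
            New-Item $sideKey -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path $sideKey -Name 'Enabled' -Value $enabledValue -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path $sideKey -Name 'DisabledByDefault' -Value $disabledValue -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
        }
        return $true
    } Catch {
        Write-Error "Error configuring $Name protocol: $_"
        return $false
    }
}

# Disable SSL 3.0 and enable "Poodle" protection for PCI Compliance.
if (Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false) {
    Write-Host "SSL 3.0 protocol has been disabled."
}

# Disable TLS 1.0 entirely for compliance.
if (Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false) {
    Write-Host "TLS 1.0 protocol has been disabled for both SERVER and CLIENT for PCI DSS 3.2 compliance."
}

# Disable TLS 1.1 for client and server.
if (Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false) {
    Write-Host "TLS 1.1 protocol has been disabled for Server and Client."
}

# Add and Enable TLS 1.2 for client and server.
if (Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true) {
    Write-Host "TLS 1.2 protocol has been enabled for Server and Client."
}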

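# Disable MD5 hash.
# SCHANNEL\Hashes\MD5\Enabled = 0 removes MD5 from the hash algorithms
# Schannel will negotiate; like the protocol keys it is read at start-up,
# so the change applies after a reboot.
Try {
    $md5Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5'
    New-Item $md5Key -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $md5Key -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
    Write-Host "MD5 hash has been disabled."
} Catch {
    # Error stream rather than Write-Host, so the failure is visible to
    # $Error and to any caller running with -ErrorAction Stop.
    Write-Error "Error disabling MD5 hash: $_"
}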

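# Force .NET framework to use strong crypto.
#
# SchUseStrongCrypto is read from HKLM:\SOFTWARE\Microsoft\.NETFramework by
# 64-bit processes and from the Wow6432Node mirror by 32-bit processes on a
# 64-bit OS. The original block wrote only the Wow6432Node keys, which left
# 64-bit .NET applications unchanged; both locations are written here, and
# the Wow6432Node mirror is skipped on a 32-bit OS where it does not exist.
# v2.0.50727 is the CLR used by .NET 3.5; v4.0.30319 is used by .NET 4.x.
Try {
    $dotNetRoots = @('HKLM:\SOFTWARE\Microsoft\.NETFramework')
    if ([Environment]::Is64BitOperatingSystem) {
        $dotNetRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    }
    foreach ($root in $dotNetRoots) {
        foreach ($clr in 'v2.0.50727', 'v4.0.30319') {
            $clrKey = "$root\$clr"
            # The key is absent when that runtime is not installed; creating it
            # is harmless and makes the value effective if the runtime is added later.
            New-Item $clrKey -Force -ErrorAction Stop | Out-Null
            # Written as an integer to match the DWord type (the original passed '1').
            New-ItemProperty -Path $clrKey -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force -ErrorAction Stop | Out-Null
        }
    }
    Write-Host "Forced .NET Framework v3.5 to use Strong Crypto."
    Write-Host "Forced .NET Framework v4 to use Strong Crypto."
} Catch {
    Write-Error "Error forcing .NET Framework to use strong crypto: $_"
}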
