
     1  # Copyright (c) HashiCorp, Inc.
     2  # SPDX-License-Identifier: MPL-2.0
     3  
     4  # This script hardens TLS configuration by disabling weak and broken protocols
     5  # and enabling useful protocols like TLS 1.1 and 1.2.
     6  
     7  $RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
     8  if (!$RunningAsAdmin) {
     9    Write-Error "Must be executed in Administrator level shell."
    10    exit 1
    11  }
    12  
    13  $weakProtocols = @(
    14  	'Multi-Protocol Unified Hello',
    15  	'PCT 1.0',
    16  	'SSL 2.0',
    17  	'SSL 3.0'
    18  )
    19  
    20  $strongProtocols = @(
    21  	'TLS 1.0',
    22  	'TLS 1.1',
    23  	'TLS 1.2'
    24  )
    25  
    26  $weakCiphers = @(
    27  	'DES 56/56',
    28  	'NULL',
    29  	'RC2 128/128',
    30  	'RC2 40/128',
    31  	'RC2 56/128',
    32  	'RC4 40/128',
    33  	'RC4 56/128',
    34  	'RC4 64/128',
    35  	'RC4 128/128'
    36  )
    37  
    38  $strongCiphers = @(
    39  	'AES 128/128',
    40  	'AES 256/256',
    41  	'Triple DES 168/168'
    42  )
    43  
    44  $weakHashes = @(
    45  	'MD5',
    46  	'SHA'
    47  )
    48  
    49  $strongHashes = @(
    50  	'SHA 256',
    51  	'SHA 384',
    52  	'SHA 512'
    53  )
    54  
    55  $strongKeyExchanges = @(
    56  	'Diffie-Hellman',
    57  	'ECDH',
    58  	'PKCS'
    59  )
    60  
    61  $cipherOrder = @(
    62    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    63    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    64    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    65    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    66    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    67    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    68    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    69    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    70    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    71    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
    72    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    73    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    74    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    75    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    76    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    77    'TLS_RSA_WITH_AES_256_CBC_SHA',
    78    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    79    'TLS_RSA_WITH_AES_128_CBC_SHA',
    80    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    81  )
    82  
    83  # Reset the protocols key
    84  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force | Out-Null
    85  
    86  # Disable weak protocols
    87  Foreach ($protocol in $weakProtocols) {
    88    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null
    89    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null
    90    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
    91    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    92    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
    93    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    94  }
    95  
    96  # Enable strong protocols
    97  Foreach ($protocol in $strongProtocols) {
    98    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null
    99    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null
   100    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   101    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
   102    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   103    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
   104  }
   105  
   106  # Reset the ciphers key
   107  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
   108  
   109  # Disable Weak Ciphers
   110  Foreach ($cipher in $weakCiphers) {
   111    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher)
   112    $key.SetValue('Enabled', 0, 'DWord')
   113    $key.Close()
   114  }
   115  
   116  # Enable Strong Ciphers
   117  Foreach ($cipher in $strongCiphers) {
   118    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher)
   119    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   120    $key.Close()
   121  }
   122  
   123  # Reset the hashes key
   124  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
   125  
   126  # Disable weak hashes
   127  Foreach ($hash in $weakHashes) {
   128    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash)
   129    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
   130    $key.Close()
   131  }
   132  
   133  # Enable Hashes
   134  Foreach ($hash in $strongHashes) {
   135    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash)
   136    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   137    $key.Close()
   138  }
   139  
   140  # Reset the KeyExchangeAlgorithms key
   141  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
   142  
   143  # Enable KeyExchangeAlgorithms
   144  Foreach ($keyExchange in $strongKeyExchanges) {
   145    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey($keyExchange)
   146    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$keyExchange" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   147    $key.Close()
   148  }
   149  
   150  # Set cipher order
   151  $cipherOrderString = [string]::join(',', $cipherOrder)
   152  New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherOrderString -PropertyType 'String' -Force | Out-Null
   153  
   154  Write-Output "TLS hardened."