
     1  # This script hardens TLS configuration by disabling weak and broken protocols
     2  # and enabling useful protocols like TLS 1.1 and 1.2.
     3  
     4  $RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
     5  if (!$RunningAsAdmin) {
     6    Write-Error "Must be executed in Administrator level shell."
     7    exit 1
     8  }
     9  
    10  $weakProtocols = @(
    11  	'Multi-Protocol Unified Hello',
    12  	'PCT 1.0',
    13  	'SSL 2.0',
    14  	'SSL 3.0'
    15  )
    16  
    17  $strongProtocols = @(
    18  	'TLS 1.0',
    19  	'TLS 1.1',
    20  	'TLS 1.2'
    21  )
    22  
    23  $weakCiphers = @(
    24  	'DES 56/56',
    25  	'NULL',
    26  	'RC2 128/128',
    27  	'RC2 40/128',
    28  	'RC2 56/128',
    29  	'RC4 40/128',
    30  	'RC4 56/128',
    31  	'RC4 64/128',
    32  	'RC4 128/128'
    33  )
    34  
    35  $strongCiphers = @(
    36  	'AES 128/128',
    37  	'AES 256/256',
    38  	'Triple DES 168/168'
    39  )
    40  
    41  $weakHashes = @(
    42  	'MD5',
    43  	'SHA'
    44  )
    45  
    46  $strongHashes = @(
    47  	'SHA 256',
    48  	'SHA 384',
    49  	'SHA 512'
    50  )
    51  
    52  $strongKeyExchanges = @(
    53  	'Diffie-Hellman',
    54  	'ECDH',
    55  	'PKCS'
    56  )
    57  
    58  $cipherOrder = @(
    59    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    60    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    61    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    62    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    63    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    64    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    65    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    66    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    67    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    68    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
    69    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    70    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    71    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    72    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    73    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    74    'TLS_RSA_WITH_AES_256_CBC_SHA',
    75    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    76    'TLS_RSA_WITH_AES_128_CBC_SHA',
    77    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    78  )
    79  
    80  # Reset the protocols key
    81  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force | Out-Null
    82  
    83  # Disable weak protocols
    84  Foreach ($protocol in $weakProtocols) {
    85    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null
    86    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null
    87    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
    88    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    89    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
    90    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name DisabledByDefault -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    91  }
    92  
    93  # Enable strong protocols
    94  Foreach ($protocol in $strongProtocols) {
    95    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -Force | Out-Null
    96    New-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -Force | Out-Null
    97    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    98    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
    99    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   100    New-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
   101  }
   102  
   103  # Reset the ciphers key
   104  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
   105  
   106  # Disable Weak Ciphers
   107  Foreach ($cipher in $weakCiphers) {
   108    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher)
   109    $key.SetValue('Enabled', 0, 'DWord')
   110    $key.Close()
   111  }
   112  
   113  # Enable Strong Ciphers
   114  Foreach ($cipher in $strongCiphers) {
   115    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey($cipher)
   116    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   117    $key.Close()
   118  }
   119  
   120  # Reset the hashes key
   121  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
   122  
   123  # Disable weak hashes
   124  Foreach ($hash in $weakHashes) {
   125    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash)
   126    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
   127    $key.Close()
   128  }
   129  
   130  # Enable Hashes
   131  Foreach ($hash in $strongHashes) {
   132    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey($hash)
   133    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$hash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   134    $key.Close()
   135  }
   136  
   137  # Reset the KeyExchangeAlgorithms key
   138  New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
   139  
   140  # Enable KeyExchangeAlgorithms
   141  Foreach ($keyExchange in $strongKeyExchanges) {
   142    $key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey($keyExchange)
   143    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$keyExchange" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
   144    $key.Close()
   145  }
   146  
   147  # Set cipher order
   148  $cipherOrderString = [string]::join(',', $cipherOrder)
   149  New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherOrderString -PropertyType 'String' -Force | Out-Null
   150  
   151  Write-Output "TLS hardened."