Was tun wir?
- Deaktivieren der unsicheren Protokolle (SSL v3 / v2)
- Aktivieren von Transport Layer Security (TLS v1.2 / v1.1 / v1.0)
- Unsichere Cipher (RC 2 / RC 4 / DES) deaktivieren / sichere aktivieren (AES / Triple DES)
- Hashes entsprechend konfigurieren (MD5 deaktivieren / SHA aktivieren)
- Sicheren Schlüsselaustausch einrichten (Diffie-Hellman / PKCS / ECDH)
- Perfect Forward Secrecy (PFS) aktivieren
- Das Script als TXT-Datei befindet sich unter dem PowerShell-Code
- Nach Ausführung des Scripts muss der Server neu gestartet werden
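# Hardens SCHANNEL (the TLS stack IIS uses) through the registry:
# disables SSL 2.0/3.0, PCT 1.0 and Multi-Protocol Unified Hello, enables
# TLS 1.0/1.1/1.2, disables weak ciphers and MD5, enables the documented
# strong ciphers/hashes/key-exchange algorithms, and sets a cipher-suite
# order that prefers ECDHE/DHE suites (forward secrecy).
# Everything is written to HKLM, so an elevated shell is required, and the
# server has to be rebooted before SCHANNEL picks the new values up.
#
# The protocol and cipher lists reproduce what the article configures.
# TLS 1.0/1.1 and Triple DES are considered legacy today; review those lists
# against current guidance before rolling this out.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script writes to HKLM and must run in an elevated (administrator) PowerShell.'
}

$schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = "$schannel\Protocols"

# Microsoft documents 0xffffffff as the "enabled" value. PowerShell parses this
# literal as the Int32 -1, which SetValue stores as the DWORD 0xFFFFFFFF.
$enabled  = 0xffffffff
$disabled = 0

function Set-RegistryDword {
    <#
    .SYNOPSIS
        Creates a key under HKLM if it is missing and writes one DWORD value into it.
    .PARAMETER SubKeyPath
        Key path relative to HKLM, e.g. 'SYSTEM\...\SCHANNEL\Ciphers\RC4 128/128'.
        A forward slash is part of the key name; only the backslash separates keys.
    .PARAMETER Name
        Value name, e.g. 'Enabled' or 'DisabledByDefault'.
    .PARAMETER Value
        DWORD to store.
    #>
    param(
        [Parameter(Mandatory = $true)] [string] $SubKeyPath,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [int]    $Value
    )
    # CreateSubKey creates every missing intermediate key. The original script
    # opened the parent with OpenSubKey(..., $true), which returns $null when the
    # parent does not exist (e.g. SOFTWARE\Policies\...\Cryptography\Configuration\SSL
    # on a server without that policy) and then failed on the .CreateSubKey() call.
    $key = (Get-Item HKLM:\).CreateSubKey($SubKeyPath)
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        # The original never released the handles it opened.
        $key.Close()
    }
}

# --- Protocols --------------------------------------------------------------
# SSL 2.0 / SSL 3.0: server side off, client side not offered by default.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    Set-RegistryDword "$protocols\$proto\Server" 'Enabled'           $disabled
    Set-RegistryDword "$protocols\$proto\Client" 'DisabledByDefault' 1
}

# TLS 1.0 / 1.1 / 1.2: enabled and offered by default on both sides.
# (The original used 1 for the client and 0xffffffff for the server; both are
# "enabled", the documented value is used uniformly here.)
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        Set-RegistryDword "$protocols\$proto\$side" 'Enabled'           $enabled
        Set-RegistryDword "$protocols\$proto\$side" 'DisabledByDefault' $disabled
    }
}

# Legacy hello formats: server side off.
foreach ($proto in 'Multi-Protocol Unified Hello', 'PCT 1.0') {
    Set-RegistryDword "$protocols\$proto\Server" 'Enabled' $disabled
}

# Renegotiation hardening; these values live directly under ...\Protocols.
Set-RegistryDword $protocols 'AllowInsecureRenegoClients' 0
Set-RegistryDword $protocols 'DisableRenegoOnServer'      1

# --- Ciphers ----------------------------------------------------------------
# SCHANNEL cipher key names contain a literal forward slash ("RC4 128/128").
# The original script wrote them with a backslash ("RC4 128\128"), which made
# CreateSubKey produce a nested key "RC4 128" -> "128" that SCHANNEL never
# reads, so none of those cipher settings took effect.
$weakCiphers = @(
    'NULL',
    'DES 56/56',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
)
foreach ($cipher in $weakCiphers) {
    Set-RegistryDword "$schannel\Ciphers\$cipher" 'Enabled' $disabled
}

# 'Triple DES 168' is the name in current Microsoft documentation; older
# documents listed it as 'Triple DES 168/168'.
$strongCiphers = @('AES 128/128', 'AES 256/256', 'Triple DES 168')
foreach ($cipher in $strongCiphers) {
    Set-RegistryDword "$schannel\Ciphers\$cipher" 'Enabled' $enabled
}

# --- Hashes -----------------------------------------------------------------
Set-RegistryDword "$schannel\Hashes\MD5" 'Enabled' $disabled
foreach ($hash in 'SHA', 'SHA256', 'SHA384', 'SHA512') {
    Set-RegistryDword "$schannel\Hashes\$hash" 'Enabled' $enabled
}

# --- Key exchange -----------------------------------------------------------
foreach ($kea in 'Diffie-Hellman', 'PKCS', 'ECDH') {
    Set-RegistryDword "$schannel\KeyExchangeAlgorithms\$kea" 'Enabled' $enabled
}

# --- Cipher-suite order (forward-secrecy suites first) ----------------------
# Same location the "SSL Cipher Suite Order" group-policy setting writes to;
# 'Functions' is a REG_SZ holding a comma-separated list.
# NOTE(review): older Windows versions cap this value at 1023 characters and
# ignore the rest; this list is longer than that, so confirm on the target
# which suites are actually active after the reboot.
$suiteKey = (Get-Item HKLM:\).CreateSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
try {
    $suiteKey.SetValue(
        'Functions',
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        [Microsoft.Win32.RegistryValueKind]::String
    )
} finally {
    $suiteKey.Close()
}

# Reboot the server now; SCHANNEL reads these keys only at start-up.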
Download des PowerShell-Scripts zum Absichern des IIS (nach dem Download von .txt in .ps1 umbenennen): IIS_ab_7_5_TLS1_2_PFS
Alternativ (und vermutlich immer aktueller): IIS Crypto von Nartac.