Windows Server 2008 R2 / Windows Server 2012 (R2) IIS 7.5 / IIS 8: configuring Perfect Forward Secrecy / TLS 1.2

What does the script do?

  • Disable the insecure protocols (SSL v3 / v2)
  • Enable Transport Layer Security (TLS v1.2 / v1.1 / v1.0)
  • Disable insecure ciphers (RC2 / RC4 / DES) and enable secure ones (AES / Triple DES)
  • Configure the hashes accordingly (disable MD5 / enable SHA)
  • Set up secure key exchange (Diffie-Hellman / PKCS / ECDH)
  • Enable Perfect Forward Secrecy (PFS)
  • The script is available as a TXT file below the PowerShell code
  • The server must be rebooted after the script has been run

# Disable insecure protocols; enable secure ones
# Enabled = 0xffffffff (stored as the DWORD -1) is the documented "enabled" value for Schannel, 0 disables.
# DisabledByDefault = 0 makes the protocol usable without the application requesting it explicitly.
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.0\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.1\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.2\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("Multi-Protocol Unified Hello\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("PCT 1.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("AllowInsecureRenegoClients", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("DisableRenegoOnServer", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Disable insecure ciphers (Win XP / >IE8); enable secure ones
# The Schannel cipher key names contain a literal forward slash (e.g. "RC4 128/128").
# They are created via .NET CreateSubKey because the PowerShell registry provider
# would treat the slash as a path separator; a backslash here would create a nested
# key ("RC4 128" \ "128") that Schannel ignores.
# Insecure
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Ciphers\NULL")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("DES 56/56")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 40/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 56/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 128/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 40/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 56/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 64/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 128/128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Secure
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 128/128")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 256/256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("Triple DES 168/168")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Disable insecure hashes; enable secure ones
# Insecure
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Hashes\MD5")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Secure
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA384")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA512")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Enable secure key exchange
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("KeyExchangeAlgorithms\Diffie-Hellman")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("PKCS")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("ECDH")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
 
# Enable PFS
# The cipher suite order policy (REG_SZ "Functions", comma separated) puts the ECDHE/DHE suites first;
# the TLS_RSA_* suites at the end of the list provide no forward secrecy and only remain as a fallback for older clients.
$key = (get-item HKLM:\).OpenSubKey("SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL", $true).CreateSubKey("00010002")
$key.SetValue("Functions", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA")

Download the PowerShell script for hardening IIS (rename from .txt to .ps1 after downloading): IIS_ab_7_5_TLS1_2_PFS

Alternatively (and probably always more up to date): IIS Crypto by Nartac.
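After the reboot you will want to confirm that the registry state actually matches what the script above wrote, since a mistyped key name silently leaves the Schannel default in place. The following verification script is an added example and is not part of the original post or the downloadable script; it assumes it is run in an elevated PowerShell on the configured server, that the key names are the ones used in the script above, and that the cipher suite order was written to the policy key 00010002. Unlike the script above it only reads the registry and changes nothing.

```powershell
# Added example (not part of the original post): read back the server-side
# Schannel settings written by the hardening script and report deviations.
# Assumption: run elevated on the configured server after the reboot.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state per key: 'on' = Enabled must be non-zero, 'off' = Enabled must be 0.
# Enabled = 0xffffffff is read back by .NET as the Int32 value -1, so the check
# below tests for "not 0" instead of comparing against a fixed number.
$expected = @{
    'Protocols\SSL 2.0\Server'                      = 'off'
    'Protocols\SSL 3.0\Server'                      = 'off'
    'Protocols\PCT 1.0\Server'                      = 'off'
    'Protocols\Multi-Protocol Unified Hello\Server' = 'off'
    'Protocols\TLS 1.0\Server'                      = 'on'
    'Protocols\TLS 1.1\Server'                      = 'on'
    'Protocols\TLS 1.2\Server'                      = 'on'
    'Ciphers\NULL'                                  = 'off'
    'Ciphers\DES 56/56'                             = 'off'
    'Ciphers\RC2 40/128'                            = 'off'
    'Ciphers\RC2 56/128'                            = 'off'
    'Ciphers\RC2 128/128'                           = 'off'
    'Ciphers\RC4 40/128'                            = 'off'
    'Ciphers\RC4 56/128'                            = 'off'
    'Ciphers\RC4 64/128'                            = 'off'
    'Ciphers\RC4 128/128'                           = 'off'
    'Ciphers\AES 128/128'                           = 'on'
    'Ciphers\AES 256/256'                           = 'on'
    'Ciphers\Triple DES 168/168'                    = 'on'
    'Hashes\MD5'                                    = 'off'
    'Hashes\SHA'                                    = 'on'
    'Hashes\SHA256'                                 = 'on'
    'Hashes\SHA384'                                 = 'on'
    'Hashes\SHA512'                                 = 'on'
    'KeyExchangeAlgorithms\Diffie-Hellman'          = 'on'
    'KeyExchangeAlgorithms\PKCS'                    = 'on'
    'KeyExchangeAlgorithms\ECDH'                    = 'on'
}

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$problems = @()

foreach ($entry in ($expected.GetEnumerator() | Sort-Object Name)) {
    # OpenSubKey takes the name literally, so 'RC4 128/128' is found here although
    # the HKLM:\ provider path would treat the slash as a separator.
    $key = $hklm.OpenSubKey("$schannel\$($entry.Name)")
    if ($null -eq $key) { $problems += "MISSING  $($entry.Name)"; continue }
    $enabled = $key.GetValue('Enabled', $null)
    $key.Close()
    if ($null -eq $enabled) {
        # No explicit value means the Schannel default applies, not the hardened setting.
        $problems += "NO VALUE $($entry.Name): Enabled not set"
        continue
    }
    $isOn = ($enabled -ne 0)
    if (($entry.Value -eq 'on') -ne $isOn) {
        $problems += "WRONG    $($entry.Name): Enabled=$enabled, expected $($entry.Value)"
    }
}

# Renegotiation hardening written to the Protocols key itself.
$protocols = $hklm.OpenSubKey("$schannel\Protocols")
if ($protocols.GetValue('AllowInsecureRenegoClients', 1) -ne 0) { $problems += 'WRONG    Protocols: AllowInsecureRenegoClients should be 0' }
if ($protocols.GetValue('DisableRenegoOnServer', 0)    -eq 0) { $problems += 'WRONG    Protocols: DisableRenegoOnServer should be 1' }
$protocols.Close()

# Cipher suite order policy: list every suite without (EC)DHE key exchange, i.e. without
# forward secrecy, and where it sits in the order.
$policy = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
if ($null -eq $policy) {
    $problems += 'MISSING  cipher suite order policy (00010002)'
} else {
    $suites = @(($policy.GetValue('Functions', '') -split ',') | Where-Object { $_ })
    $policy.Close()
    if ($suites.Count -eq 0) { $problems += 'NO VALUE cipher suite order (Functions) is empty' }
    $nonPfs = @($suites | Where-Object { $_ -notmatch '^TLS_(ECDHE|DHE)_' })
    # Non-PFS suites are acceptable only as a fallback at the end of the list.
    $firstNonPfs = [Array]::IndexOf($suites, ($nonPfs | Select-Object -First 1))
    $lastPfs     = [Array]::LastIndexOf($suites, @($suites | Where-Object { $_ -match '^TLS_(ECDHE|DHE)_' } | Select-Object -Last 1)[0])
    if ($nonPfs.Count -gt 0 -and $firstNonPfs -lt $lastPfs) {
        $problems += "ORDER    non-PFS suite '$($suites[$firstNonPfs])' is listed before PFS suites"
    }
    Write-Host ("Cipher suite order: {0} suites, {1} without forward secrecy (fallback)" -f $suites.Count, $nonPfs.Count)
}

if ($problems.Count -eq 0) {
    Write-Host 'All checked Schannel settings match the hardening script.'
} else {
    $problems | ForEach-Object { Write-Host $_ }
    exit 1
}
```

The script exits with code 1 when anything deviates, so it can be run from a scheduled task or a configuration check after patch cycles; it deliberately does not cover the Client subkeys, which the hardening script only touches via DisabledByDefault, nor the behaviour of Schannel when a key is absent entirely (the Microsoft default for that protocol or cipher then applies).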


Have you not yet found the solution you were looking for, or do you need help with other topics from my blog? Feel free to get in touch with me or my company Jan Mischo IT. I look forward to your enquiry: https://janmischo.it/kontakt/


+49 2801 7004300

info@janmischo.it
