– Jan's Cloud – online Gedankenstütze ;)

13. Februar 2015

Windows Server 2008 R2 / Windows Server 2012 (R2) IIS 7.5 / IIS 8 Perfect Forward Secrecy / TLS 1.2 konfigurieren

Filed under: IIS,Windows Server — Schlagwörter: , , , , — Jan Mischo @ 14:51
  • deaktivieren der unsicheren Protokolle (SSL v3 / v2)
  • Aktivieren von Transport Layer Security (TLS v1.2 / v1.1 / v1.0)
  • Unsichere Cipher (RC 2 / RC 4 / DES) deaktivieren / sichere aktivieren (AES / Triple DES)
  • Hashes entsprechend konfigurieren (MD5 deaktivieren / SHA aktivieren)
  • Sicheren Schlüsselaustausch einrichten (Diffie-Hellman / PKCS / ECDH)
  • Perfect Forward Secrecy (PFS) aktivieren
  • Das Script als TXT Datei befindet sich unter dem PowerShell Code
  • Nach Ausführung des Scripts muss der Server neu gestartet werden
# Unsichere Protokolle deaktivieren; Sichere aktivieren
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.0\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.1\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.2\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("Multi-Protocol Unified Hello\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("PCT 1.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("AllowInsecureRenegoClients", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("DisableRenegoOnServer", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Unsichere Cipher deaktivieren (Win XP / >IE8); Sichere aktivieren
# Unsicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Ciphers\NULL")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("DES 56\56")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 40\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 56\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 128\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 40\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 56\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 64\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 128\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 128\128")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 256\256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("Triple DES 168\168")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Unsichere Hashes deaktivieren; Sichere aktivieren
# Unsicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Hashes\MD5")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA384")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA512")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicheren Schlüsselaustausch aktivieren
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("KeyExchangeAlgorithms\Diffie-Hellman")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("PKCS")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("ECDH")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# PFS Aktivieren
$key = (get-item HKLM:\).OpenSubKey("SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL", $true).CreateSubKey("00010002")
$key.SetValue("Functions", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA")

Download des Powershell Script zum absichern des IIS (Nach dem Download von .txt in .ps1 umbenennen): IIS_ab_7_5_TLS1_2_PFS

Keine Kommentare »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress