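# SCHANNEL hardening for a Windows host: disables the legacy SSL/PCT protocols,
# the weak ciphers and MD5, enables TLS, AES/3DES, the SHA hashes and the
# DH/PKCS/ECDH key exchanges, and pins a PFS-first cipher suite order.
# Every setting lives under HKLM and SCHANNEL reads them at service start, so a
# reboot is required before any of this takes effect.
#
# Policy notes (the values are kept as the author chose them; review before
# deploying to a new environment):
#  - TLS 1.0 and TLS 1.1 stay enabled on both sides. Both are deprecated and
#    current baselines disable them once every peer can negotiate TLS 1.2.
#  - Triple DES and the "SHA" (SHA-1) hash stay enabled; 3DES has a 64-bit block
#    and is usually disabled today as well.
#  - The suite order contains no TLS_ECDHE_RSA_*_GCM_* entries, so a server with
#    an RSA certificate only ever negotiates CBC suites; consider adding them.
#
# Behavioural fixes relative to the original script:
#  - Keys are created with CreateSubKey on the full path, so a missing parent key
#    (e.g. Protocols\TLS 1.2 on a fresh install) no longer yields a null key and a
#    silently skipped write.
#  - Cipher key names use the documented forward slash ("RC4 128/128"); with a
#    backslash .NET treated it as a path separator and created an unrelated
#    "RC4 128\128" key that SCHANNEL never reads.
#  - Legacy protocols get both Enabled=0 and DisabledByDefault=1 on Server and
#    Client; DisabledByDefault alone still lets an application that explicitly
#    requests SSL 3.0 use it.
#  - Failures abort the script instead of being printed and skipped.

$ErrorActionPreference = 'Stop'   # a failed registry write must not leave a half-applied policy behind

# HKLM writes need an elevated session; fail early with a clear message instead of
# a string of access-denied errors.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must be run from an elevated (Administrator) PowerShell session.'
}

$schannelRoot      = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cipherSuitePolicy = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# SCHANNEL's "on" value. PowerShell parses the literal 0xffffffff as the Int32 -1,
# which RegistryKey.SetValue stores as the DWORD 0xFFFFFFFF. The original used 1
# for the TLS client entries and 0xffffffff for the server entries; both are
# non-zero and are used interchangeably in Microsoft's guidance, so one value is
# used throughout here.
$On  = 0xffffffff
$Off = 0

function Set-HklmValue {
    <#
    .SYNOPSIS
        Creates (or opens) a key below HKEY_LOCAL_MACHINE and writes one value to it.
    .PARAMETER SubKey
        Key path relative to HKLM. Intermediate keys are created as needed.
    .PARAMETER Name
        Value name, e.g. Enabled or DisabledByDefault.
    .PARAMETER Value
        Value data. Use $On / $Off for the DWORD switches.
    .PARAMETER Kind
        Registry value type; defaults to DWORD because nearly every SCHANNEL switch is one.
    #>
    param(
        [Parameter(Mandatory = $true)] [string] $SubKey,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [object] $Value,
        [Microsoft.Win32.RegistryValueKind] $Kind = [Microsoft.Win32.RegistryValueKind]::DWord
    )
    # CreateSubKey returns a writable key and creates the whole path. The handle is
    # closed in finally so a failing SetValue does not leak it.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        $key.SetValue($Name, $Value, $Kind)
    }
    finally {
        $key.Close()
    }
}

# --- Protocols ---------------------------------------------------------------

# Legacy protocols: fully off on both sides.
$legacyProtocols = 'SSL 2.0', 'SSL 3.0', 'PCT 1.0', 'Multi-Protocol Unified Hello'
foreach ($protocol in $legacyProtocols) {
    foreach ($side in 'Server', 'Client') {
        Set-HklmValue "$schannelRoot\Protocols\$protocol\$side" 'Enabled'           $Off
        Set-HklmValue "$schannelRoot\Protocols\$protocol\$side" 'DisabledByDefault' 1
    }
}

# TLS versions kept enabled (see the TLS 1.0/1.1 policy note at the top).
foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        Set-HklmValue "$schannelRoot\Protocols\$protocol\$side" 'Enabled'           $On
        Set-HklmValue "$schannelRoot\Protocols\$protocol\$side" 'DisabledByDefault' $Off
    }
}

# Renegotiation hardening: refuse clients without secure renegotiation (RFC 5746)
# and never renegotiate on the server side.
# NOTE(review): Microsoft's renegotiation guidance documents these two values
# directly under the SCHANNEL key, not under Protocols; the location is kept as
# the author wrote it — confirm it on the target OS, since a value SCHANNEL does
# not look for is silently ignored.
Set-HklmValue "$schannelRoot\Protocols" 'AllowInsecureRenegoClients' 0
Set-HklmValue "$schannelRoot\Protocols" 'DisableRenegoOnServer'      1

# --- Ciphers -----------------------------------------------------------------

# Weak ciphers (relevant for Windows XP era / older IE clients).
$weakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
foreach ($cipher in $weakCiphers) {
    Set-HklmValue "$schannelRoot\Ciphers\$cipher" 'Enabled' $Off
}

# Ciphers kept enabled. Newer Windows versions reportedly look for
# "Triple DES 168" without the "/168" suffix — verify on the target OS.
foreach ($cipher in 'AES 128/128', 'AES 256/256', 'Triple DES 168/168') {
    Set-HklmValue "$schannelRoot\Ciphers\$cipher" 'Enabled' $On
}

# --- Hashes ------------------------------------------------------------------

Set-HklmValue "$schannelRoot\Hashes\MD5" 'Enabled' $Off
foreach ($hash in 'SHA', 'SHA256', 'SHA384', 'SHA512') {
    Set-HklmValue "$schannelRoot\Hashes\$hash" 'Enabled' $On
}

# --- Key exchange ------------------------------------------------------------

foreach ($kex in 'Diffie-Hellman', 'PKCS', 'ECDH') {
    Set-HklmValue "$schannelRoot\KeyExchangeAlgorithms\$kex" 'Enabled' $On
}

# --- Cipher suite order (PFS first) ------------------------------------------

# Order is significant: SCHANNEL prefers suites earlier in the list. The ECDHE
# suites come first so that forward secrecy is negotiated whenever the peer
# supports it; the RSA key-transport suites at the end are the fallback.
$cipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)
# The policy value is a single comma-separated REG_SZ, exactly as the original wrote it.
Set-HklmValue $cipherSuitePolicy 'Functions' ($cipherSuites -join ',') ([Microsoft.Win32.RegistryValueKind]::String)

Write-Warning 'SCHANNEL settings written; a reboot is required before they take effect.'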