SChannelServerProtocols.psm1
# By Martin Liversage - martin@liversage.com
# Fail fast: strict mode rejects uninitialised variables and missing
# properties, and 'Stop' turns non-terminating errors into terminating ones.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Maps the short protocol names accepted by the cmdlets to the key names used
# under ...\SecurityProviders\SCHANNEL\Protocols in the registry.
$allProtocols = @{
    SSL20 = 'SSL 2.0'
    SSL30 = 'SSL 3.0'
    TLS10 = 'TLS 1.0'
    TLS11 = 'TLS 1.1'
    TLS12 = 'TLS 1.2'
}
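# Reads the server-side 'Enabled' registry value for one SChannel protocol and
# returns 'Default' (value absent), 'Disabled' (value is 0) or 'Enabled' (any
# other value). $protocol is a key of $allProtocols, for example 'TLS12'.
# NOTE(review): only 'Enabled' is consulted; a 'DisabledByDefault' value in the
# same key is not read, so the result reflects the explicit registry setting
# and is not by itself proof of what the server will negotiate.
function GetSChannelServerProtocolState([String] $protocol) {
    # An unknown name would otherwise produce a path to a non-existent key and
    # be reported as 'Default', which is misleading when auditing a host.
    if (-not $allProtocols.ContainsKey($protocol)) {
        throw "Unknown secure channel protocol '$protocol'."
    }

    $registryName = $allProtocols.Item($protocol)
    # Quoted because the key names contain a space ('SSL 2.0', 'TLS 1.2', ...).
    $registryKey = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$registryName\Server"

    # A missing key or value is the normal "OS default" case, so the lookup
    # error is suppressed. This also hides any other read error, which then
    # shows up as 'Default'.
    $registryValue = Get-ItemProperty -Path $registryKey -Name Enabled -ErrorAction SilentlyContinue

    # $null goes on the left so the test is always a scalar comparison.
    if ($null -eq $registryValue) {
        return 'Default'
    }
    if ($registryValue.Enabled -eq 0) {
        return 'Disabled'
    }
    return 'Enabled'
}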
<#
.SYNOPSIS
Get the server status of the secure channel protocols.
.DESCRIPTION
The Get-SChannelServerProtocol retrieves information from the registry about the
server status of the secure channel protocols (SSL, TLS).
The status can be either Enabled or Disabled. If no status is specified in the
registry the status is Default which means that the protocol may or may not be
enabled depending on the version of the operating system.
Only the server status which affects Internet Information Services is retrieved.
The client status which affects web browsers is not retrieved.
.PARAMETER Protocols
A single protocol name or an array of protocol names to retrieve the server
status for. Valid protocol names are SSL20, SSL30, TLS10, TLS11 and TLS12. If no
protocols are specified the server status of all protocols is retrieved.
.OUTPUTS
PSObject with properties Protocol and Status.
.EXAMPLE
Get the server status of all the secure channel protocols:
Get-SChannelServerProtocol
.EXAMPLE
Get the server status of the SSL 2.0 and SSL 3.0 protocols:
Get-SChannelServerProtocol -Protocols SSL20, SSL30
.LINK
http://support.microsoft.com/kb/245030
#>
function Get-SChannelServerProtocol {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, HelpMessage = 'Specifies the secure channel protocols.')]
        [ValidateSet('SSL20', 'SSL30', 'TLS10', 'TLS11', 'TLS12')]
        [String[]] $Protocols = @('SSL20', 'SSL30', 'TLS10', 'TLS11', 'TLS12')
    )
    PROCESS {
        # Emit one object per requested protocol; the state comes from the
        # module-private registry lookup helper.
        foreach ($name in $Protocols) {
            $state = GetSChannelServerProtocolState -protocol $name
            New-Object -TypeName PSObject -Property @{ Protocol = $name; Status = $state }
        }
    }
}
<#
.SYNOPSIS
Set the server status of the secure channel protocols.
.DESCRIPTION
The Set-SChannelServerProtocol writes information to the registry to configure
the server status of the secure channel protocols (SSL, TLS).
The status can be either Enabled, Disabled or Default. Default means that no
status is specified in the registry and the protocol may or may not be enabled
depending on the version of the operating system.
Only the server status which affects Internet Information Services is
configured. The client status which affects web browsers is not configured.
.PARAMETER Protocols
A single protocol name or an array of protocol names to set the server status
for. Valid protocol names are SSL20, SSL30, TLS10, TLS11 and TLS12.
.PARAMETER Status
The server status to set for all the protocols specified. Valid status names are
Enabled, Disabled and Default.
.PARAMETER RestartWithoutConfirmation
If specified restarts the computer immediately without confirmation.
.EXAMPLE
Set the server status of the SSL 3.0 protocol to disabled:
Set-SChannelServerProtocol -Protocols SSL30 -Status Disabled
.EXAMPLE
Set the server status of the SSL 2.0 and SSL 3.0 protocols to disabled and restart
the computer without confirmation:
Set-SChannelServerProtocol -Protocols SSL20, SSL30 -Status Disabled -RestartWithoutConfirmation
.NOTES
Administrative rights are required to change the status of the secure channel
protocols.
A computer restart is required before any changes will be effective.
.LINK
http://support.microsoft.com/kb/245030
#>
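function Set-SChannelServerProtocol {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 0, HelpMessage = 'Specifies the secure channel protocols.')]
        [ValidateSet('SSL20', 'SSL30', 'TLS10', 'TLS11', 'TLS12')]
        [String[]] $Protocols,
        [Parameter(Mandatory = $true, Position = 1, HelpMessage = 'Specifies the status of the secure channel protocols.')]
        [ValidateSet('Default', 'Disabled', 'Enabled')]
        [String] $Status,
        [Parameter(HelpMessage = 'Restarts the computer without confirmation.')]
        [Switch] $RestartWithoutConfirmation
    )
    PROCESS {
        foreach ($protocol in $Protocols) {
            $registryName = $allProtocols.Item($protocol)
            $registryKey = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$registryName\Server"

            if ($Status -eq 'Default') {
                # 'Default' means "no explicit setting". Removing a key that is
                # already absent raises an error, which is terminating here
                # because the module sets ErrorActionPreference to 'Stop', so
                # only remove the key when it exists.
                if (Test-Path -Path $registryKey) {
                    Remove-Item -Path $registryKey -Force
                }
            }
            else {
                # Turning a legacy protocol back on weakens the server, so make
                # that visible to the operator. The change itself still runs.
                if ($Status -eq 'Enabled' -and $protocol -ne 'TLS12') {
                    Write-Warning "Enabling $registryName on the server turns on a deprecated protocol."
                }

                $enabled = @{ 'Disabled' = 0; 'Enabled' = 1 }[$Status]

                # Create the key only when it is missing: New-Item -Force on an
                # existing registry key recreates it and drops values already
                # stored there (for example DisabledByDefault set by other
                # hardening). -Force is kept so missing parent keys are created.
                if (-not (Test-Path -Path $registryKey)) {
                    $null = New-Item -Path $registryKey -Force
                }
                Set-ItemProperty -Path $registryKey -Name Enabled -Type DWord -Value $enabled
            }
        }

        Write-Host 'A computer restart is required before the change will be effective.'

        # A restart is always requested; the switch only decides whether the
        # operator is asked to confirm it first.
        if ($RestartWithoutConfirmation) {
            Restart-Computer
        }
        else {
            Restart-Computer -Confirm
        }
    }
}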
# Only the two cmdlets are exported; GetSChannelServerProtocolState is not
# listed and therefore stays private to the module.
Export-ModuleMember -Function @(
    'Get-SChannelServerProtocol',
    'Set-SChannelServerProtocol'
)