Disable-SSLv3 - PowerShell script for disabling SSLv3 - Refactored
# MS Security bulletin: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008
# NOTE: This registry change requires that the system be restarted.
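Function Test-RegKeyExists {
    <#
    .SYNOPSIS
    Ensures that a registry key exists, creating it when it is missing.

    .DESCRIPTION
    Despite the Test- verb this function returns nothing. It checks the path
    with Test-Path and, when the key is absent, creates it with New-Item.

    .PARAMETER key
    Registry provider path of the key (for example an HKLM:\ path).
    #>
    param (
        $key
    )

    If (!(Test-Path -Path $key)) {
        # -Force lets the registry provider create missing parent keys too, so
        # the function no longer depends on the caller creating them first.
        # It is only reached when the key is absent, so nothing is overwritten.
        # -ErrorAction Stop aborts on failure (e.g. a non-elevated session)
        # instead of letting the caller carry on as if the key were in place.
        New-Item -Path $key -Force -ErrorAction Stop | Out-Null
    }
}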
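Function Set-RegKey {
    <#
    .SYNOPSIS
    Ensures a registry value has the desired data and type.

    .DESCRIPTION
    Creates the key if needed, then writes the value only when it is missing,
    holds different data, or is stored with a different registry type.
    Write failures stop the script, so a reboot is never requested for a
    change that was not actually applied.

    .PARAMETER key
    Registry provider path of the key holding the value.

    .PARAMETER value
    Name of the registry value.

    .PARAMETER valuedata
    Data the value must hold.

    .PARAMETER valuetype
    Registry value type name passed to -PropertyType (e.g. DWord).

    .PARAMETER restart
    Restart flag accumulated by the caller so far.

    .OUTPUTS
    $True when this call wrote the value; otherwise the incoming $restart.
    #>
    param (
        $key,
        $value,
        $valuedata,
        $valuetype,
        $restart
    )

    # Check for existence of registry key, and create if it does not exist
    Test-RegKeyExists $key

    # Get data of registry value, or null if it does not exist
    $val = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value

    # $null on the left keeps this a scalar comparison whatever $val holds
    $needsWrite = ($null -eq $val)

    If (-not $needsWrite) {
        # Value exists - compare the stored type as well as the data. A value
        # such as the string "0" compares equal to 0 here, yet it is not the
        # DWORD this script is meant to write.
        $kind = (Get-Item -Path $key).GetValueKind($value)
        $needsWrite = ($val -ne $valuedata) -or ($kind -ne $valuetype)
    }

    If ($needsWrite) {
        # -Force overwrites an existing value, replacing its type as well.
        # -ErrorAction Stop: a failed write must not be reported as a change.
        New-ItemProperty -Path $key -Name $value -Value $valuedata -PropertyType $valuetype -Force -ErrorAction Stop | Out-Null
        $restart = $True
    }

    return $restart
}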
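# Disables SSL 2.0 and SSL 3.0 for the SCHANNEL client and server roles.
# Writes under HKLM, so it must run from an elevated session.

# If any settings are changed, this will change to $True and the server will reboot
$reboot = $False

$Protocols_Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$SSL2_Parent_Key = "$Protocols_Key\SSL 2.0"
$SSL2_Client_Key = "$SSL2_Parent_Key\Client"
$SSL2_Server_Key = "$SSL2_Parent_Key\Server"
$SSL3_Parent_Key = "$Protocols_Key\SSL 3.0"
$SSL3_Client_Key = "$SSL3_Parent_Key\Client"
$SSL3_Server_Key = "$SSL3_Parent_Key\Server"

# Check for existence of parent registry keys (SSL 2.0 and SSL 3.0), and create if they do not exist
Test-RegKeyExists $SSL2_Parent_Key
Test-RegKeyExists $SSL3_Parent_Key

# NOTE(review): Microsoft's TLS registry settings documentation describes
# DisabledByDefault as affecting only callers that do not name a protocol,
# while Enabled = 0 turns the protocol off outright. Both values are therefore
# written for each role - confirm against the advisory linked at the top.

# Ensure SSL 2.0 disabled for client
$reboot = Set-RegKey $SSL2_Client_Key DisabledByDefault 1 DWord $reboot
$reboot = Set-RegKey $SSL2_Client_Key Enabled 0 DWord $reboot

# Ensure SSL 2.0 disabled for server
$reboot = Set-RegKey $SSL2_Server_Key Enabled 0 DWord $reboot
$reboot = Set-RegKey $SSL2_Server_Key DisabledByDefault 1 DWord $reboot

# Ensure SSL 3.0 disabled for client
$reboot = Set-RegKey $SSL3_Client_Key DisabledByDefault 1 DWord $reboot
$reboot = Set-RegKey $SSL3_Client_Key Enabled 0 DWord $reboot

# Ensure SSL 3.0 disabled for server
$reboot = Set-RegKey $SSL3_Server_Key Enabled 0 DWord $reboot
$reboot = Set-RegKey $SSL3_Server_Key DisabledByDefault 1 DWord $reboot

# If any settings were changed, reboot.
# The restart is forced (/f) after a 5 second delay (/t 5), so run this only
# where an immediate restart is acceptable, e.g. in a maintenance window.
If ($reboot) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}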