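<#
.SYNOPSIS
Set the SSL and TLS protocol Schannel settings in the registry.
.DESCRIPTION
Set the SSL and TLS protocol Schannel settings in the registry including
client and server components.

Each protocol/mode pair maps to a key below
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
The key is created when it does not exist and the requested setting is written
as a REG_DWORD. Writing below HKLM needs an elevated session; a write that
fails (for example because the session is not elevated) is reported as a
non-terminating error so the caller can see that the hardening did not apply.
Supports -WhatIf and -Confirm.
.PARAMETER Protocol
One or more protocols to configure: SSL2, SSL3, TLS1.0, TLS1.1, TLS1.2, TLS1.3.
.PARAMETER CommunicationMode
The Schannel component(s) to configure: Client, Server, or both (the default).
.PARAMETER Setting
The registry value to write: Enabled or DisabledByDefault.
.PARAMETER Value
The DWORD value to write: 0 or 1.
.EXAMPLE
Set-SchannelProtocol -Protocol TLS1.0 -Setting Enabled -Value 0
.EXAMPLE
Set-SchannelProtocol -Protocol TLS1.1 -CommunicationMode Server -Setting DisabledByDefault -Value 1
.NOTES
Created by: Jason Wasser
Modified: 4/3/2020
#>
function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)]
        [ValidateSet('SSL2', 'SSL3', 'TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.3')]
        [string[]]$Protocol,
        [ValidateSet('Client', 'Server')]
        [string[]]$CommunicationMode = ('Client', 'Server'),
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'DisabledByDefault')]
        [string]$Setting,
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    begin {
        $SCHANNELProtocolsRegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

        # Map the short parameter names to the key names Schannel reads.
        $ProtocolKeyNames = @{
            'SSL2'   = 'SSL 2.0'
            'SSL3'   = 'SSL 3.0'
            'TLS1.0' = 'TLS 1.0'
            'TLS1.1' = 'TLS 1.1'
            'TLS1.2' = 'TLS 1.2'
            'TLS1.3' = 'TLS 1.3'
        }

        # Write one value below an existing protocol/mode key.
        # The full key path is passed in explicitly rather than picked up from
        # the caller's scope, so the helper does not depend on which variables
        # happen to be set in the enclosing process block.
        # -Type DWord is explicit: Schannel only honours REG_DWORD values, and
        # without it an existing value of another kind would be kept as-is.
        function Set-Protocol {
            param (
                [Parameter(Mandatory)]
                [string]$KeyPath,
                [ValidateSet('Enabled', 'DisabledByDefault')]
                [string]$Setting,
                [ValidateSet(0, 1)]
                [int]$Value
            )
            try {
                Write-Verbose "Setting $Setting at $KeyPath to $Value"
                Set-ItemProperty -Path $KeyPath -Name $Setting -Value $Value -Type DWord -ErrorAction Stop
            }
            catch {
                # A failed write means the protocol configuration did NOT change.
                # Surface it as an error instead of a verbose-only message so an
                # unelevated or otherwise failing run is not reported as success.
                Write-Error -Message "Unable to set $Setting at $KeyPath to ${Value}: $($_.Exception.Message)" -Exception $_.Exception
            }
        }
    }
    process {
        foreach ($Proto in $Protocol) {
            $ProtocolName = $ProtocolKeyNames[$Proto]
            foreach ($Mode in $CommunicationMode) {
                $KeyPath = "$SCHANNELProtocolsRegistryPath\$ProtocolName\$Mode"
                Write-Verbose "Attempting to set $Setting for Protocol $Proto $Mode at $KeyPath to $Value"

                # Honour -WhatIf / -Confirm before touching the registry.
                if (-not $PSCmdlet.ShouldProcess($KeyPath, "Set $Setting to $Value")) {
                    continue
                }

                Write-Verbose "Checking if $KeyPath exists"
                if (Test-Path -Path $KeyPath) {
                    Write-Verbose "$KeyPath exists."
                }
                else {
                    Write-Verbose "$KeyPath does not exist. Creating now."
                    try {
                        # -Force also creates the intermediate protocol key.
                        New-Item -Path $KeyPath -Force -ErrorAction Stop | Out-Null
                    }
                    catch {
                        Write-Error -Message "Unable to create registry key ${KeyPath}: $($_.Exception.Message)" -Exception $_.Exception
                        continue
                    }
                }

                Set-Protocol -KeyPath $KeyPath -Setting $Setting -Value $Value
                #Get-SchannelProtocol -Protocol $Proto -CommunicationMode $Mode
            }
        }
    }
    end { }
}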