Description
The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites: ciphers that perform encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1. As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher no longer function properly with major web browsers and major vendors.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1 and 1.0 (both are formally deprecated by RFC 8996, linked below).
Also See
http://www.nessus.org/u?c8ae820d
https://datatracker.ietf.org/doc/html/rfc8996
PowerShell script to remediate: disables TLS 1.0 and 1.1 and enables TLS 1.2 and 1.3 by writing the SCHANNEL protocol keys under HKLM, so it must be run from an elevated session. SCHANNEL protocol changes typically take effect only after a restart.
This script logs a transcript to C:\Logs\DisableTLS.log; if the C:\Logs folder doesn't exist it will create it.
<#
Name: Detect_Disable_TLS.ps1
Description: Ensures the SCHANNEL registry values exist that disable TLS 1.0 & 1.1 and enable TLS 1.2 & 1.3 (Client and Server sub-keys).
#>
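#Requires -RunAsAdministrator
# Every write below targets HKLM:\...\SCHANNEL, which needs an elevated session.
# Failing up front with PowerShell's own message is clearer than exiting 9999
# from the first New-Item/Set-ItemProperty call.

$LogFile       = "C:\Logs\DisableTLS.log"
$Title         = "Detect_Disable_TLS"
$ScriptVersion = "1.0"   # printed by the start banner; was referenced but never defined
$Error.Clear()           # start with a clean session error collection for the transcript

# Create the log folder if it is missing. A failure here is fatal: Start-Transcript
# cannot succeed without the directory, so do not ignore the error.
# NOTE(review): the transcript holds only registry-state messages, but C:\Logs
# inherits the drive-root ACL; tighten it if other users of the host should not read it.
If (!(Test-Path "C:\Logs")) {
    try {
        New-Item "C:\Logs" -ItemType Directory -ErrorAction Stop | Out-Null
        Write-Host "[INFO] Log file directory did not exist - Created folder"
    } catch {
        Write-Host "[!ERROR!] Could not create C:\Logs - $($_.Exception.Message)"
        Exit(9999)
    }
}
else {
    Write-Host "[INFO] C:\logs already exists"
}
Start-Transcript $LogFile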
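Function NewItem {
    <#
    .SYNOPSIS
    Ensure a registry key path exists, creating it (with -Force, so missing parents too) if not.
    .PARAMETER RegItem
    Provider path of the key, e.g. 'HKLM:\...\SCHANNEL\Protocols\TLS 1.0\Client'.
    .NOTES
    Terminates the script with exit code 9999 if the key cannot be created.
    Failure detection is scoped to the New-Item call with try/catch rather than by
    inspecting the session-wide $Error collection, so an unrelated error recorded
    earlier in the session can no longer trip the check. The key object New-Item
    returns is discarded so it does not end up in the transcript as output.
    #>
    Param (
        [Parameter(Mandatory=$true)]
        [String]
        $RegItem
    )
    if (Test-Path $RegItem) {
        Write-Host "[INFO] Registry Item ""$RegItem"" DOES Exist"
        return
    }
    Write-Host "[INFO] Registry Item Does NOT Exist - Creating Registry Item"
    try {
        New-Item $RegItem -Force -ErrorAction Stop | Out-Null
    } catch {
        Write-Host "[!ERROR!] There was an error creating registry key path - $($_.Exception.Message)"
        Write-Error -Message "[!Error!] Creating registry path - Function NewItem"
        Exit(9999)
    }
}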
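Function NewItemProperty {
    <#
    .SYNOPSIS
    Ensure a registry value exists with the expected data, writing it when absent or different.
    .PARAMETER Name
    Value name, e.g. 'Enabled' or 'DisabledByDefault'.
    .PARAMETER Value
    Expected data, compared against the currently stored data.
    .PARAMETER Path
    Provider path of the containing key.
    .PARAMETER Type
    Registry value kind handed to Set-ItemProperty, e.g. 'DWORD'.
    .NOTES
    Terminates the script with exit code 9999 if the write fails; the failure check
    is scoped to the Set-ItemProperty call with try/catch instead of the session-wide
    $Error collection. The "already correct" log line now names the value ($Name)
    instead of the literal word "Property".
    The comparison is loose: the stored data is the left operand, so PowerShell
    converts $Value to its type. An existing REG_SZ "0" therefore compares equal to
    the expected DWORD 0 and is left untouched even though SCHANNEL reads a DWORD.
    NOTE(review): check (Get-Item $Path).GetValueKind($Name) as well if wrong-kind
    values are a realistic state on the target hosts.
    #>
    Param (
        [Parameter(Mandatory=$true)]
        [String]
        $Name,
        [Parameter(Mandatory=$true)]
        [String]
        $Value,
        [Parameter(Mandatory=$true)]
        [String]
        $Path,
        [Parameter(Mandatory=$true)]
        [String]
        $Type
    )
    # Read the current data without raising an error when the value is absent.
    $Current = $null
    if (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore) {
        Write-Host "[INFO] Registry ""$Path"" exists and returns $true"
        $Current = Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction SilentlyContinue
        Write-Host "[INFO] Get the value of ""$name"""
    } else {
        Write-Host "[INFO] Checking for registry property ""$path"" - ""$name"" returned $false"
    }

    # $null (value absent) never equals the expected data, so it is written below.
    if ($Current -eq $Value) {
        Write-Host "[INFO] Registry Item ""$Name"" equals ""$Current"" and Exists"
        return
    }
    Write-Host "[INFO] Registry Item ""$Name"" Does NOT equal ""$Value"" - Creating Registry Item Property Value"
    try {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -ErrorAction Stop
    } catch {
        Write-Host "[!ERROR!] There was an error setting the registry value - $($_.Exception.Message)"
        Write-Error -Message "[!Error!] There was an error setting the registry value - Function NewItemProperty"
        Exit(9999)
    }
}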
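########### Starting
Write-Host "[INFO] ###########################################"
Write-Host "[INFO] Starting $Title - Script Version $ScriptVersion"
Write-Host "[INFO] Started processing at [$([DateTime]::Now)]."
Write-Host "[INFO] ###########################################"
Write-Host ""

# Desired SCHANNEL state per protocol. A protocol is disabled only when BOTH
# Enabled=0 and DisabledByDefault=1 are set; enabling is the inverse pair.
# The same state is written to the Client and Server sub-keys, so this host
# also stops negotiating TLS 1.0/1.1 as a client to legacy endpoints — test
# outbound dependencies before rolling out. TLS 1.3 in SCHANNEL exists only on
# newer Windows releases; confirm the target OS supports it before relying on
# the TLS 1.3 entries. Applications that do not use SCHANNEL defaults
# (e.g. some .NET Framework apps) are not covered by these keys.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DesiredState = @(
    @{ Protocol = 'TLS 1.0'; Enabled = '0'; DisabledByDefault = '1'; State = 'disabled' }
    @{ Protocol = 'TLS 1.1'; Enabled = '0'; DisabledByDefault = '1'; State = 'disabled' }
    @{ Protocol = 'TLS 1.2'; Enabled = '1'; DisabledByDefault = '0'; State = 'enabled'  }
    @{ Protocol = 'TLS 1.3'; Enabled = '1'; DisabledByDefault = '0'; State = 'enabled'  }
)

# Same order as the original unrolled version: 1.0, 1.1, 1.2, 1.3; for each,
# create the Client then Server key, then write Enabled and DisabledByDefault
# for Client, then Server.
foreach ($Entry in $DesiredState) {
    $Client = "$SchannelProtocols\$($Entry.Protocol)\Client"
    $Server = "$SchannelProtocols\$($Entry.Protocol)\Server"

    foreach ($Key in @($Client, $Server)) {
        Write-Host "[INFO] Set Registry Path to $Key"
        Write-Host "[INFO] Call function to check and create the registry path"
        Write-Host ""
        NewItem -RegItem $Key   # Check and create the registry path
    }

    Write-Host "[INFO] Check Registry values for $($Entry.Protocol) exist and are $($Entry.State)"
    Write-Host ""
    # Check for the required values and create or update
    foreach ($Key in @($Client, $Server)) {
        NewItemProperty -Path $Key -Name 'Enabled'           -Value $Entry.Enabled           -Type 'DWORD'
        NewItemProperty -Path $Key -Name 'DisabledByDefault' -Value $Entry.DisabledByDefault -Type 'DWORD'
    }
}

########### Completed
# SCHANNEL protocol changes typically take effect only after a restart; nothing
# here verifies the live protocol set, only the registry values.
Write-Host ""
Write-Host "[INFO] ###########################################"
Write-Host "[INFO] Stopped processing at [$([DateTime]::Now)]."
Write-Host "[INFO] ###########################################"
Stop-Transcript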