44r0n7/privacy.sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

win: improve disabling protocols

Browse Source 
This commit groups scripts related to disabling protocols under same
category, streamlining the process for disabling protocols like NetBios,
SMBv1, and various TLS/SSL versions. It improves the documentation and
scripts of the related scripts.

Key changes:

- Introduce new category for disabling insecure protocols and move
  related scripts under it.
- Remove .NET configuration from TLS 1.0 disabling to prevent unwanted
  side effects on .NET applications, maintaining system integrity.
- Remove the script disabling DTLS 1.1 as this protocol does not exist.
- Recommend previously not recommended scripts:
  - SSL 2.0 in 'Standard' because it's already removed from Windows.
  - SSL 3.0 in 'Standard' because it's already disabled by default.
  - TLS 1.0 in 'Strict' as it's deprecated on Windows.
  - TLS 1.1 in 'Strict' as it's deprecated on Windows.
- Rename and reorder scripts for consistency and enhanced readability.
- Fix revert codes to accurately reflect successful operations, by
  adding `2>nul` on `reg delete` commands.
- Expand documentation to include detailed precautions and references,
  aiding users in understanding the implications of their actions
  (addressing user feedback from #57, #131, #183, #185).

Other supporting changes:

- Convert hexadecimal values to decimal to enhance script readability.
- Refactor scripts to utilize shared functions, improving maintainability.
- Add detailed comments within the scripts to aid in comprehension.
- Minor updates to other crypto scripts for consistency.
- Reorganize protocol listing by age for a logical script flow.
- Standardize comments across various TLS configuration scripts for
  clarity.
- Fix enabling DTLS 1.3 being categorized as disabling insecure
  connection.
This commit is contained in:
undergroundwires
2024-05-01 12:18:55 +02:00
parent 8c17396285
commit 4ef16cea56
1 changed files with 478 additions and 313 deletions
Download Patch File Download Diff File Expand all files Collapse all files

791
src/application/collections/windows.yaml
View File

@@ -6053,6 +6053,7 @@ actions:
Sizes under 1024 bits are considered weak [4] [5].
NIST in USA [4] and Federal Office for Information Security (BSI) in Germany [3] disallows usage of sizes
under 2048 bits.
NSA (National Security Agency) recommends at least 3072 bits [6].
This script hardens your system's security by using keys of adequate strength, following best practices.
@@ -6065,6 +6066,7 @@ actions:
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[5]: https://web.archive.org/web/20240402112905/https://weakdh.org/ "Weak Diffie-Hellman and the Logjam Attack | weakdh.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: RequireTLSMinimumKeySize
parameters:
@@ -6128,149 +6130,10 @@ actions:
vulnerabilities, including man-in-the-middle attacks and data breaches.
By disabling these insecure connections, these scripts follow cybersecurity best practices and recommendations.
Although Windows supports insecure connections for compatibility, prioritizing security, these scripts disable them
Although Windows supports insecure connections for compatibility, prioritizing security, these scripts disable them.
> **Caution:** This may cause compatibility issues with older devices or software.
children:
-
name: Disable unsafe SMBv1 protocol
recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities
docs: |- # refactor-with-variables: Same **Caution** text as others.
This script improves network security by disabling the outdated SMBv1 protocol.
**SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed
for file and printer sharing across networks [1] [2].
This protocol is well-known for its vulnerabilities to cyber attacks [1] [2] [3] [4] [5].
Microsoft deprecated SMBv1 in 2014 [6] [7].
Since 2007, newer and more secure versions of this protocol have
replaced SMBv1 in modern versions of Windows [6].
It is still enabled by default in older Windows versions [1].
Microsoft advises disabling this protocol to strengthen security [1] [8].
SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 [2].
The primary reasons for disabling SMBv1 include:
- It uses the outdated MD5 hash algorithm, vulnerable to security attacks [3].
- It fails to meet modern security standards set by FIPS [3], CISA (US-CERT) [5],
CIS (Department of Defense) [3], and Microsoft Security Baseline [8].
- It lacks the efficiency and performance improvements present in newer versions of the protocol [2].
- It is vulnerable to various cyber threats [1] [2] [3] [4] [5],
, including ransomware and malware [1] [2].
Disabling SMBv1 may lead to compatibility issues with older network devices and software [1] [3] [6] [9].
This may affect file sharing and print services on systems like Windows Server 2003 [3]
and some older Network Attached Storage (NAS) devices [3].
These systems are insecure and are no longer supported.
This script makes the following changes to your system:
- Removal of SMBv1 components:
- `SMB1Protocol` [2] [3] [4] [10] (also known as `FS-SMB1` [2] [11])
- `SMB1Protocol-Client` [10]
- `SMB1Protocol-Server` [10].
- Disabling the `mrxsmb10` (SMB 1.x MiniRedirector [12]) driver,
linked with SMBv1 [1] [4] [13],
and adjusting related settings to keep older systems stable [1] [4] [13].
- Disabling server side processing of SMBv1 protocol using
`HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1` registry key [1] [14] [15].
These changes require a system reboot to take effect [1] [4] [9].
> **Caution:** This may cause compatibility issues with older devices or software.
### Overview of default feature statuses
`SMB1Protocol`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol` |
| **Display name** | SMB 1.0/CIFS File Sharing Support |
| **Description** | Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Client`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Client` |
| **Display name** | SMB 1.0/CIFS Client |
| **Description** | Support for the SMB 1.0/CIFS client for accessing legacy servers. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Server`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Server` |
| **Display name** | SMB 1.0/CIFS Server |
| **Description** | Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
### Overview of default service statuses
SMB 1.x MiniRedirector (`mrxsmb10`):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
| Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20240413122756/https://learn.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy "Disabling SMBv1 through Group Policy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com"
[3]: https://web.archive.org/web/20240413124245/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220729 "The Server Message Block (SMB) v1 protocol must be disabled on the system. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240413122807/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server "Server | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240413124050/https://www.cisa.gov/news-events/alerts/2017/01/16/smb-security-best-practices "SMB Security Best Practices | CISA | www.cisa.gov"
[6]: https://web.archive.org/web/20240413122812/https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows "SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240413124101/https://learn.microsoft.com/en-us/archive/blogs/josebda/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect "The Deprecation of SMB1 You should be planning to get rid of this old SMB dialect | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240413122800/https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-draft "Security baseline for Windows 10 \"Creators Update\" (v1703) DRAFT | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240413125713/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=client "Client | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240413124113/https://learn.microsoft.com/en-us/powershell/module/smbshare/remove-smbcomponent?view=windowsserver2025-ps&wt.mc_id=ps-gethelp "Remove-SmbComponent (SmbShare) | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20240413124320/https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73299 "The Server Message Block (SMB) v1 protocol must be uninstalled. | www.stigviewer.com"
[12]: https://web.archive.org/web/20240413124418/https://revertservice.com/10/mrxsmb10/ "SMB 1.x MiniRedirector (mrxsmb10) Service Defaults in Windows 10 | revertservice.com"
[13]: https://web.archive.org/web/20240413124409/https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-73523 "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | www.stigviewer.com"
[14]: https://web.archive.org/web/20240413124606/https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0001_SMBv1_Server "Configure SMB v1 server | admx.help"
[15]: https://web.archive.org/web/20240418073214/https://support.microsoft.com/en-us/topic/908332b7-49de-a86c-dba3-401b9fe8116f "Server service configuration and tuning - Microsoft Support | support.microsoft.com"
call:
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol' -Online
disabledByDefault: true
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Client # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Client' -Online
disabledByDefault: true
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Server # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Server' -Online
disabledByDefault: true
-
function: DisableService
parameters:
serviceName: mrxsmb10 # Check: (Get-Service -Name 'mrxsmb10').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
ignoreMissingOnRevert: true # This service is only available when SMB1 feature is installed
-
function: RunInlineCode
# This ensures that `lanmanworkstation` does not depend on `mrxsmb10` to avoid potential system issues.
# Its configuration is already the OS default on modern versions of Windows, see: `sc qc lanmanworkstation`.
parameters:
code: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
revertCode: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /t "REG_DWORD" /d "0" /f
revertCode: >- # Key does not exist (tested: Windows 10 22H2 and Windows 11 23H2)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /f 2>nul
-
function: ShowComputerRestartSuggestion
-
category: Disable insecure ciphers
docs: |- # refactor-with-variables: Same **Caution** text as others.
@@ -6309,7 +6172,8 @@ actions:
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1] [2] [3], NIST (FIPS) [4], CIS [5], Federal Office for Information Security
(BSI) [6], and OWASP [7] classify this algorithm as weak and recommend against its use.
(BSI) [6], OWASP [7], and NSA (National Security Agency) [8]
classify this algorithm as weak and recommend against its use.
By disabling RC2, the script enhances network security and data integrity [5], as these ciphers are
susceptible to cryptographic attacks.
@@ -6338,6 +6202,7 @@ actions:
[5]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[6]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[7]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
-
function: DisableTLSCipher
@@ -6362,7 +6227,8 @@ actions:
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1] [2] [3] [4] [5], NIST (FIPS) [6], CIS [7], Federal Office for Information
Security (BSI) [8], and OWASP [9] classify this algorithm as weak and recommend against its use.
Security (BSI) [8], OWASP [9], and NSA (National Security Agency) [10]
classify this algorithm as weak and recommend against its use.
This script disables these cipher algorithms:
@@ -6397,6 +6263,7 @@ actions:
[7]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[8]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[9]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
-
function: DisableTLSCipher
@@ -6424,8 +6291,9 @@ actions:
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1], NIST (FIPS) [2], CIS [3], Federal Office for Information Security (BSI) [4]
and OWASP [5] consider this cipher weak and either discourage or disallow its use
Authorities like Microsoft [1], NIST (FIPS) [2], CIS [3], Federal Office for Information Security (BSI) [4],
OWASP [5], and NSA (National Security Agency) [6]
consider this cipher weak and either discourage or disallow its use
This algorithm is enabled by default on Windows [2].
@@ -6444,6 +6312,7 @@ actions:
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSCipher
parameters:
@@ -6454,18 +6323,20 @@ actions:
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others.
This script disables the `Triple DES 168` [1] [2] [3] (`Triple DES 168/168` before Windows Vista [2] [4]) cipher,
also known as *3DES* [1] [3] [5] and *The Triple Data Encryption Algorithm (TDEA)* [6].
also known as *3DES* [1] [3] [5] [6], *The Triple Data Encryption Algorithm (TDEA)* [6] [7] and **TDES** [8].
This script only afects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Apple [5], NIST [5] [6] and Federal Office for Information Security (BSI) [4]
classify this algorithm as weak and recommend against its use.
Authorities like Apple [5] [9], NIST [5] [7] Federal Office for Information Security (BSI) [4],
NSA (National Security Agency) [8], and Office of the Chief Information Security Officer [6]
classify this cipher as weak and recommend against its use.
This algorithm is enabled by default on Windows [2].
Disabling 3DES secures your communication by mitigating vulnerabilities like Sweet32 Birthday attacks [5].
Disabling 3DES secures your communication by mitigating vulnerabilities like Sweet32 Birthday attacks [5],
and the limited amount of data that can be processed under a single key [6].
Disabling this algorithm will disallow the following cipher suites:
@@ -6482,7 +6353,10 @@ actions:
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101545/https://sweet32.info/ "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN"
[6]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf
[7]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[9]: https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html
call:
-
function: DisableTLSCipher
@@ -6505,7 +6379,8 @@ actions:
This algorithm provides no encryption [1] [5], leaving data completely unprotected.
Authorities like Microsoft [2], NIST (FIPS) [1], CIS [3], and Federal Office for
Information Security (BSI) [4] classify this algorithm as weak and recommend against its use.
Information Security (BSI) [4], NSA (National Security Agency) [6]
classify this algorithm as weak and recommend against its use.
This cipher is disabled by default [1].
@@ -6524,6 +6399,7 @@ actions:
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101051/https://datatracker.ietf.org/doc/html/rfc2410 "RFC 2410 - The NULL Encryption Algorithm and Its Use With IPsec | datatracker.ietf.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSCipher
parameters:
@@ -6755,170 +6631,418 @@ actions:
revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f 2>nul
-
name: Disable DTLS 1.0
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f
-
name: Disable DTLS 1.1
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable DTLS 1.3 # Windows 10 and Windows Server 10 version 1903 and newer support DTLS 1.3
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Disable TLS 1.0
docs: |- # refactor-with-variables: Same **Caution** text as others.
https://web.archive.org/web/20240314125059/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
category: Disable insecure protocols
docs: |- # refactor-with-variables: Same Caution • authorities as others.
This category focuses on enhancing user privacy by disabling legacy and insecure communication
protocols.
It targets protocols that expose users to security vulnerabilities due to their outdated nature.
Retaining obsolete protocols creates a false sense of security because they may seem secure but are
vulnerable to exploitation [1].
Authorities like NIST [1] (FIPS [2]), NSA (National Security Agency) [1],
Office of the Chief Information Security Officer [2], Microsoft [3], Mozilla [4],
PCI Security Standards Council [5], the Center for Internet Security [6],
and IETF [9]
recommend disabling insecure and obsolete protocols.
Most modern operating systems [3] and browsers [4] disable these protocols by default.
However, certain protocols remain active on some Windows systems [3] [7], posing security risks.
It is crucial to disable these protocols to mitigate risks from well-known attacks such as
POODLE [5] and BEAST [5].
This category excludes the following protocols:
- **DTLS 1.1**:
DTLS 1.1 does not exist [8] [9];
its numbering was skipped to align with TLS versioning [8].
- **TLS 1.2**, and **DTLS 1.2** (based on TLS 1.2 [8]):
Although TLS 1.2 and DTLS 1.2 remain active on Windows [7] and are approved by NIST [2],
they are not endorsed by the German Federal Office for Information Security due to
vulnerabilities [10].
Disabling them could affect application functionality, and earlier versions are not
widely supported by Windows [7].
> **Caution:** This may cause compatibility issues with older devices or software.
code: |- # After disabling TLS 1.0 must be (will be) activated SchUseStrongCrypto for .NET apps
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable TLS 1.1
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Disable SSLv2
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f
-
name: Disable SSLv3
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f
-
name: Disable NetBios for all interfaces
recommend: standard
docs: |- # refactor-with-variables: Same **Caution** text as others.
This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces.
NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2].
NetBIOS and LLMNR are susceptible to hacking techniques like spoofing [1] [2] [3] [4] [5] and man-in-the-middle
attacks [1] [2] [6], risking your credentials and unauthorized network access [2] [5] [6].
[1]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[2]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[3]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[5]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[6]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[7]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
[9]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[10]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
children:
-
name: Disable insecure "SMBv1" protocol
recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities
docs: |- # refactor-with-variables: Same **Caution** text as others.
This script improves network security by disabling the outdated SMBv1 protocol.
NetBIOS was initially created for communication between applications in small networks [1] [3] [5] [7].
Its lack of authentication makes it easy for attackers to redirect traffic or fake network services [1] [2] [3] [4] [5] [6].
**SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed
for file and printer sharing across networks [1] [2].
This protocol is well-known for its vulnerabilities to cyber attacks [1] [2] [3] [4] [5].
Microsoft deprecated SMBv1 in 2014 [6] [7].
Since 2007, newer and more secure versions of this protocol have
replaced SMBv1 in modern versions of Windows [6].
It is still enabled by default in older Windows versions [1].
Microsoft advises disabling this protocol to strengthen security [1] [8].
SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 [2].
Disabling NetBIOS helps protect against these security risks and reduces the exposure of Windows-specific services
to potential attackers.
The primary reasons for disabling SMBv1 include:
The script disables NetBIOS by changing a specific registry values
(`HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\{Interface}!NetbiosOptions` [1] [8]) from their default
of `0` (enabled) [5] to `2` (disabled) [5] [8] for each network interface.
- It uses the outdated MD5 hash algorithm, vulnerable to security attacks [3].
- It fails to meet modern security standards set by FIPS [3], CISA (US-CERT) [5],
CIS (Department of Defense) [3], and Microsoft Security Baseline [8].
- It lacks the efficiency and performance improvements present in newer versions of the protocol [2].
- It is vulnerable to various cyber threats [1] [2] [3] [4] [5],
, including ransomware and malware [1] [2].
[1]: https://web.archive.org/web/20240218210552/https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ "Disable NetBIOS and LLMNR Protocols in Windows Using GPO | bobcares.com"
[5]: https://web.archive.org/web/20240218210635/https://10dsecurity.com/blog-saying-goodbye-netbios.html "Saying Goodbye To NetBIOS | 10-D Security | 10dsecurity.com"
[3]: https://web.archive.org/web/20240218210736/https://4sysops.com/archives/disable-netbios-in-windows-networks/ "Disable NetBIOS in Windows networks 4sysops | 4sysops.com"
[4]: https://web.archive.org/web/20240218211817/https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/ "Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern Security | www.sternsecurity.com"
[2]: https://web.archive.org/web/20240218211748/https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP "NetBIOS over TCP/IP - Wikipedia | en.wikipedia.org"
[6]: https://web.archive.org/web/20240218210724/http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html "Packetstan: NBNS Spoofing on your way to World Domination | www.packetstan.com"
[7]: https://web.archive.org/web/20240218211730/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063%28v=technet.10%29?redirectedfrom=MSDN "NetBIOS Over TCP/IP | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240218210626/https://learn.microsoft.com/en-us/archive/msdn-technet-forums/c5f3c095-1ad2-4963-b075-787f800b81f2 "Disabling NETBIOS via GP | Microsoft Learn | social.technet.microsoft.com"
call:
function: RunPowerShell
parameters:
code: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
Disabling SMBv1 may lead to compatibility issues with older network devices and software [1] [3] [6] [9].
This may affect file sharing and print services on systems like Windows Server 2003 [3]
and some older Network Attached Storage (NAS) devices [3].
These systems are insecure and are no longer supported.
This script makes the following changes to your system:
- Removal of SMBv1 components:
- `SMB1Protocol` [2] [3] [4] [10] (also known as `FS-SMB1` [2] [11])
- `SMB1Protocol-Client` [10]
- `SMB1Protocol-Server` [10].
- Disabling the `mrxsmb10` (SMB 1.x MiniRedirector [12]) driver,
linked with SMBv1 [1] [4] [13],
and adjusting related settings to keep older systems stable [1] [4] [13].
- Disabling server side processing of SMBv1 protocol using
`HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1` registry key [1] [14] [15].
These changes require a system reboot to take effect [1] [4] [9].
> **Caution:** This may cause compatibility issues with older devices or software.
### Overview of default feature statuses
`SMB1Protocol`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol` |
| **Display name** | SMB 1.0/CIFS File Sharing Support |
| **Description** | Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Client`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Client` |
| **Display name** | SMB 1.0/CIFS Client |
| **Description** | Support for the SMB 1.0/CIFS client for accessing legacy servers. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Server`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Server` |
| **Display name** | SMB 1.0/CIFS Server |
| **Description** | Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
### Overview of default service statuses
SMB 1.x MiniRedirector (`mrxsmb10`):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
| Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20240413122756/https://learn.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy "Disabling SMBv1 through Group Policy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com"
[3]: https://web.archive.org/web/20240413124245/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220729 "The Server Message Block (SMB) v1 protocol must be disabled on the system. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240413122807/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server "Server | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240413124050/https://www.cisa.gov/news-events/alerts/2017/01/16/smb-security-best-practices "SMB Security Best Practices | CISA | www.cisa.gov"
[6]: https://web.archive.org/web/20240413122812/https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows "SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240413124101/https://learn.microsoft.com/en-us/archive/blogs/josebda/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect "The Deprecation of SMB1 You should be planning to get rid of this old SMB dialect | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240413122800/https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-draft "Security baseline for Windows 10 \"Creators Update\" (v1703) DRAFT | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240413125713/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=client "Client | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240413124113/https://learn.microsoft.com/en-us/powershell/module/smbshare/remove-smbcomponent?view=windowsserver2025-ps&wt.mc_id=ps-gethelp "Remove-SmbComponent (SmbShare) | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20240413124320/https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73299 "The Server Message Block (SMB) v1 protocol must be uninstalled. | www.stigviewer.com"
[12]: https://web.archive.org/web/20240413124418/https://revertservice.com/10/mrxsmb10/ "SMB 1.x MiniRedirector (mrxsmb10) Service Defaults in Windows 10 | revertservice.com"
[13]: https://web.archive.org/web/20240413124409/https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-73523 "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | www.stigviewer.com"
[14]: https://web.archive.org/web/20240413124606/https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0001_SMBv1_Server "Configure SMB v1 server | admx.help"
[15]: https://web.archive.org/web/20240418073214/https://support.microsoft.com/en-us/topic/908332b7-49de-a86c-dba3-401b9fe8116f "Server service configuration and tuning - Microsoft Support | support.microsoft.com"
call:
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol' -Online
disabledByDefault: true
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Client # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Client' -Online
disabledByDefault: true
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Server # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Server' -Online
disabledByDefault: true
-
function: DisableService
parameters:
serviceName: mrxsmb10 # Check: (Get-Service -Name 'mrxsmb10').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
ignoreMissingOnRevert: true # This service is only available when SMB1 feature is installed
-
function: RunInlineCode
# This ensures that `lanmanworkstation` does not depend on `mrxsmb10` to avoid potential system issues.
# Its configuration is already the OS default on modern versions of Windows, see: `sc qc lanmanworkstation`.
parameters:
code: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
revertCode: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /t "REG_DWORD" /d "0" /f
revertCode: >- # Key does not exist (tested: Windows 10 22H2 and Windows 11 23H2)
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /f 2>nul
-
function: ShowComputerRestartSuggestion
-
name: Disable insecure "NetBios" protocol
recommend: standard
docs: |- # refactor-with-variables: Same **Caution** text as others.
This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces.
NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2].
NetBIOS and LLMNR are susceptible to hacking techniques like spoofing [1] [2] [3] [4] [5] and man-in-the-middle
attacks [1] [2] [6], risking your credentials and unauthorized network access [2] [5] [6].
NetBIOS was initially created for communication between applications in small networks [1] [3] [5] [7].
Its lack of authentication makes it easy for attackers to redirect traffic or fake network services [1] [2] [3] [4] [5] [6].
Disabling NetBIOS helps protect against these security risks and reduces the exposure of Windows-specific services
to potential attackers.
The script disables NetBIOS by changing a specific registry values
(`HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\{Interface}!NetbiosOptions` [1] [8]) from their default
of `0` (enabled) [5] to `2` (disabled) [5] [8] for each network interface.
[1]: https://web.archive.org/web/20240218210552/https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ "Disable NetBIOS and LLMNR Protocols in Windows Using GPO | bobcares.com"
[5]: https://web.archive.org/web/20240218210635/https://10dsecurity.com/blog-saying-goodbye-netbios.html "Saying Goodbye To NetBIOS | 10-D Security | 10dsecurity.com"
[3]: https://web.archive.org/web/20240218210736/https://4sysops.com/archives/disable-netbios-in-windows-networks/ "Disable NetBIOS in Windows networks 4sysops | 4sysops.com"
[4]: https://web.archive.org/web/20240218211817/https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/ "Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern Security | www.sternsecurity.com"
[2]: https://web.archive.org/web/20240218211748/https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP "NetBIOS over TCP/IP - Wikipedia | en.wikipedia.org"
[6]: https://web.archive.org/web/20240218210724/http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html "Packetstan: NBNS Spoofing on your way to World Domination | www.packetstan.com"
[7]: https://web.archive.org/web/20240218211730/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063%28v=technet.10%29?redirectedfrom=MSDN "NetBIOS Over TCP/IP | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240218210626/https://learn.microsoft.com/en-us/archive/msdn-technet-forums/c5f3c095-1ad2-4963-b075-787f800b81f2 "Disabling NETBIOS via GP | Microsoft Learn | social.technet.microsoft.com"
call:
function: RunPowerShell
parameters:
code: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
-
name: Disable insecure "SSL 2.0" protocol
recommend: standard # Outdated protocol, removed from Windows
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled as others.
This script disables the SSL 2.0 protocol.
This protocol is identified as `SSL 2.0` on Windows [1] [2] [3],
and also known as *SSL2* [4] [5].
Modern Windows systems no longer include SSL 2.0 due to its security flaws [2] [4].
It was previously enabled by default [4],
posing significant security risks from well-known vulnerabilities [5].
Authorities like NIST (FIPS) [6], NSA (National Security Agency) [7],
PCI Security Standards Council [8], IETF [5],
and Federal Office for Information Security (BSI) [3]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429203554/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_2_0 "Secure Sockets Layer (SSL) 2.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-20 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429203545/https://datatracker.ietf.org/doc/html/rfc6176 "RFC 6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0 | datatracker.ietf.org"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[7]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[8]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
call:
function: DisableTLSProtocol
parameters:
protocolName: SSL 2.0
-
name: Disable insecure "SSL 3.0" protocol
recommend: standard # Outdated protocol, disabled by default
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled as others.
This script disables the SSL 3.0.
This protocol is identified as `SSL 3.0` on Windows [1] [2] [3],
and also known as *SSL3* [4] or *SSLv3* [5].
Modern Windows systems disable SSL 3.0 by default due to its security flaws [2] [4].
It was previously enabled by default [4],
posing significant security risks from well-known vulnerabilities [6],
including the POODLE [6] [7] [8] and BEAST [7] attacks.
Authorities like NIST (FIPS) [8], IETF [6], Apple [5], PCI Security Standards Council [7],
Federal Office for Information Security (BSI) [3], Office of the Chief Information Security Officer [8]
and NSA (National Security Agency) [9]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429205252/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_3_0 "Secure Sockets Layer (SSL) 3.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-30 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
[6]: https://web.archive.org/web/20240429205513/https://datatracker.ietf.org/doc/html/rfc7568 "RFC 7568 - Deprecating Secure Sockets Layer Version 3.0 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[9]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: SSL 3.0
-
name: Disable insecure "TLS 1.0" protocol
recommend: strict # Newly disabled by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled as others.
This script disables the TLS 1.0 [1] [2] [3] protocol.
This protocol is identified as `TLS 1.0` on Windows [1] [2] [3].
Although deprecated and unsupported in newer Windows versions [4],
it remains enabled by default in older versions [5].
This protocol has well-documented security vulnerabilities [6],
including security attacks such as BEAST and Klima [7].
Major browsers, including Safari [8], Firefox [9], Chrome [10] and Edge [11],
now disable this protocol by default.
Authorities like NIST (FIPS) [7], IETF [6] [9], NSA (National Security Agency) [7] [12],
Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [13],
Federal Office for Information Security (BSI) in Germany [3], and
Office of the Chief Information Security Officer [11]
recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.0 improves security, it may disrupt certain older applications that
depend on this protocol [4] [7].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429210356/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_0 "Transport Layer Security (TLS) 1.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[12]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[13]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
call:
function: DisableTLSProtocol
parameters:
protocolName: TLS 1.0
-
name: Disable insecure "TLS 1.1" protocol
recommend: strict # Deprecated by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled as others.
This script disables the TLS 1.1 protocol.
This protocol is identified as `TLS 1.1` on Windows [1] [2] [3].
Although deprecated and unsupported in newer Windows versions [4],
it remains enabled by default in older versions [5].
This protocol contains fundamental well-documented security vulnerabilities [6].
Major browsers, including Safari [7], Firefox [8], Chrome [9] and Edge [10],
now disable this protocol by default.
Authorities like NIST (FIPS) [11], IETF [6] [8], NSA (National Security Agency) [11] [12],
Apple [7], Mozilla [8], Microsoft [4] [10], Google [9], PCI Security Standards Council [3],
Federal Office for Information Security (BSI) in Germany [3],
and Office of the Chief Information Security Officer [11]
recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.1 improves security, it may disrupt certain older applications that
depend on this protocol [4] [11].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429211424/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_1 "Transport Layer Security (TLS) 1.1 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-11 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[8]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[9]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[10]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[11]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[12]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: TLS 1.1
-
name: Disable insecure "DTLS 1.0" protocol
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities as others.
This script disables the DTLS 1.0 protocol.
This protocol is identified as `DTLS 1.0` on Windows [1] [2].
It is enabled by default [2].
It is considered insecure [3] [4] and has been deprecated by Microsoft due to its vulnerabilities [5].
It's based on TLS 1.1 [3], which is also deprecated and insecure [3] [4] [5] [6].
Authorities like NIST (FIPS) [6], IETF [3], Microsoft [5], and NSA (National Security Agency) [4]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[2]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[4]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[5]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: DTLS 1.0
-
name: Enable DTLS 1.3 # Windows 10 and Windows Server 10 version 1903 and newer support DTLS 1.3
docs: |- # refactor-with-variables: Same **Caution** text as others.
> **Caution:** This may cause compatibility issues with older devices or software.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Enable TLS 1.3
code: |-
@@ -20146,8 +20270,8 @@ functions:
-
function: Comment
parameters:
codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys during a TLS/SSL handshake
revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" during a TLS/SSL handshake
codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys for TLS/SSL handshakes
revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL handshakes
-
function: RunInlineCode
# Marked: refactor-with-if-syntax
@@ -20184,8 +20308,8 @@ functions:
-
function: Comment
parameters:
codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm during a TLS/SSL handshake
revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm during a TLS/SSL handshake
codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL handshakes
revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL handshakes
-
function: RunInlineCode
parameters:
@@ -20343,8 +20467,8 @@ functions:
-
function: Comment
parameters:
codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm during a TLS/SSL handshake
revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm during a TLS/SSL handshake
codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL handshakes
revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL handshakes
-
function: RunInlineCode
parameters:
@@ -20352,3 +20476,44 @@ functions:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }}" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: >- # Missing subkeys under `Hashes` since Windows 10 22H2 Pro and Windows 11 23H2 Pro
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }}" /v "Enabled" /f 2>nul
-
name: DisableTLSProtocol
parameters:
- name: protocolName
docs: |-
This function disables the specified TLS protocol by modifying the registry
settings under the `SCHANNEL\Protocols` subkey [1] [2] [3] [4].
This action prevents the Windows operating system from using the protocol during
SSL/TLS communications, enhancing system security by eliminating older or less secure
protocols that might be susceptible to attacks.
The function executes several commands to update the Windows registry.
It sets `Enabled` and `DisabledByDefault` for both `Server` and `Client` configurations
as recommended in various security guidelines [1] [2] [3] [4].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub"
call:
-
function: Comment
parameters:
codeComment: Disable usage of "{{ $protocolName }}" protocol for TLS/SSL handshakes
revertCodeComment: Restore usage of "{{ $protocolName }}" protocol for TLS/SSL handshakes
-
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f
# Marked: refactor-with-variables, refactor-with-if-syntax
# - `revertCode` is same as `EnableLSProtocol` (reuse it or introduce `ToggleTLSProtocolState`?)
revertCode: |- # Missing subkeys under `Ciphers` since Windows 10 22H2 Pro and Windows 11 23H2 Pro
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /f 2>nul