win: improve enabling secure connections #175

This commit refines the configuration of TLS and DTLS protocols on
Windows to enhance compatibility and stability across different
Windows versions.

Changes:

- Enable TLS 1.3 exclusively on Windows 11 and newer, addressing
  stability concerns with previous Windows versions, and resolving
  issue #175.
- Enable DTLS 1.2, replacing DTLS 1.3 due to lack of support in
  Windows. DTLS is enabled only on Windows 10 version 16007 and later
  for compatibility.
- Reorganize script categories for better clarity and manageability.
- Update revert codes for registry deletions to prevent false negative
  error outputs.
- Adjust recommendation levels to encourage more scripts due to system
  stability and documentation improvements introduced in this commit.
- Remove incorrect registry keys previously set for .NET apps.
- Add missing 64-bit registry keys for .NET apps.
- Rename scripts for improved simplicity and consistency.
- Improve documentation for affected scripts, correcting the
  misleading information about DTLS 1.2 vulnerability.
- Convert hexadecimal values to decimal in scripts to improve
  clarity.
- Introduce shared functions to reduce redundancy and improve
  script maintainability.
- Add more comments in generated code and simplify existing comments.
undergroundwires
2024-05-05 10:57:45 +02:00
parent ab25e0a066
commit c75df1c8c1
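To see what a set of protocol and .NET registry changes like the ones described above actually leaves on a machine, here is an added PowerShell example (my own code, not privacy.sexy's and not part of this commit). It reads the Schannel `Protocols\<name>\Client|Server` keys, reads the native and `WOW6432Node` .NET Framework keys the commit message mentions, and offers a `-WhatIf`-capable disable helper. The function names are the example's own; the registry paths and the `Enabled`/`DisabledByDefault` semantics are Microsoft's documented ones, and the build-22000 comparison (where Windows 11 starts) is the example's own gate for TLS 1.3, not the project's logic.

```powershell
# Added example, not part of privacy.sexy or this commit. Assumes Windows
# PowerShell 5.1 or later; reads work unelevated, the disable helper needs an
# elevated session. Registry locations and value semantics follow Microsoft's
# "Transport Layer Security (TLS) registry settings" documentation.

$SchannelProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3', 'DTLS 1.0', 'DTLS 1.2'

# .NET Framework reads these per bitness; a 32-bit app on 64-bit Windows uses WOW6432Node.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-WindowsBuildNumber {
    # CurrentBuildNumber is not affected by application compatibility shims.
    [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
}

function Test-SupportsTls13 {
    # Example's own gate: Windows 11 (build 22000 and later).
    (Get-WindowsBuildNumber) -ge 22000
}

function Get-SchannelProtocolState {
    [CmdletBinding()]
    param([string[]]$Name = $ProtocolNames)
    foreach ($proto in $Name) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path $SchannelProtocolsKey "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled                    # 0 = hard disabled
                $disabledByDefault = $props.DisabledByDefault # 1 = off unless the app opts in
            }
            # No key and no values: the OS default for this Windows version applies.
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default' }
            elseif ($enabled -eq 0)                                     { $state = 'Disabled' }
            elseif ($disabledByDefault -eq 1)                           { $state = 'Disabled unless app opts in' }
            else                                                        { $state = 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

function Get-DotNetTlsSetting {
    foreach ($key in $DotNetKeys) {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $props.SchUseStrongCrypto        # 1 = strong crypto defaults
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions  # 1 = follow Schannel defaults
        }
    }
}

function Disable-SchannelProtocol {
    # Writes Enabled=0 and DisabledByDefault=1 for both sides; honours -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Side = @('Client', 'Server')
    )
    foreach ($s in $Side) {
        $path = Join-Path $SchannelProtocolsKey "$Name\$s"
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0, DisabledByDefault=1')) {
            New-Item -Path $path -Force | Out-Null
            New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage: report first, then dry-run a change before applying it for real.
"Build $(Get-WindowsBuildNumber); TLS 1.3 eligible: $(Test-SupportsTls13)"
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsSetting      | Format-Table -AutoSize
Disable-SchannelProtocol -Name 'SSL 3.0' -WhatIf
```

The `OS default` state matters when comparing machines: an absent key is not the same as `Enabled`, because the default differs between Windows versions, which is exactly why the commit message gates TLS 1.3 and DTLS 1.2 on the Windows build.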


@@ -6040,7 +6040,7 @@ actions:
- -
name: Enable strong Diffie-Hellman key requirement name: Enable strong Diffie-Hellman key requirement
recommend: standard # Default on modern Windows, less size considered insecure recommend: standard # Default on modern Windows, less size considered insecure
docs: |- # refactor-with-variables: Same • Caution • handshake text as others. docs: |- # refactor-with-variables: Same • Caution • handshake
This script improves your security by setting the `Diffie-Hellman` [1] [2] [3] key exchange This script improves your security by setting the `Diffie-Hellman` [1] [2] [3] key exchange
to a minimum of 2048 bits. to a minimum of 2048 bits.
This is a secure way to exchange keys over public networks. This is a secure way to exchange keys over public networks.
@@ -6063,7 +6063,7 @@ actions:
[1]: https://web.archive.org/web/20240402105325/https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 "Microsoft Security Advisory 3174644 | Microsoft Learn | learn.microsoft.com" [1]: https://web.archive.org/web/20240402105325/https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 "Microsoft Security Advisory 3174644 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderugen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov" [4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[5]: https://web.archive.org/web/20240402112905/https://weakdh.org/ "Weak Diffie-Hellman and the Logjam Attack | weakdh.org" [5]: https://web.archive.org/web/20240402112905/https://weakdh.org/ "Weak Diffie-Hellman and the Logjam Attack | weakdh.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
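Review bot: the retitled reference [3] on the right-hand side of this hunk introduces a typo, "Anforderugen" where the left-hand side had "Anforderungen"; the same BSI title is kept correct in the Triple DES references further down in this diff, so restore the original spelling here.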
@@ -6075,7 +6075,7 @@ actions:
- -
name: Enable strong RSA key requirement name: Enable strong RSA key requirement
recommend: standard # Microsoft deprecated it and will end support recommend: standard # Microsoft deprecated it and will end support
docs: |- # refactor-with-variables: Same • Caution • handshake text as others. docs: |- # refactor-with-variables: Same • Caution • handshake
This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2]). This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2]).
RSA encryption keys play a crucial role in securing communications over the internet. RSA encryption keys play a crucial role in securing communications over the internet.
The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption. The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption.
@@ -6123,7 +6123,7 @@ actions:
ignoreServerSide: true # Controlled by the specified server certificate ignoreServerSide: true # Controlled by the specified server certificate
- -
category: Disable insecure connections category: Disable insecure connections
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This category includes scripts designed to enhance users' security and privacy by disabling outdated or This category includes scripts designed to enhance users' security and privacy by disabling outdated or
vulnerable connections across the system. vulnerable connections across the system.
It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology
@@ -6136,7 +6136,7 @@ actions:
children: children:
- -
category: Disable insecure ciphers category: Disable insecure ciphers
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This category improves network security by disabling outdated and less secure cipher suites. This category improves network security by disabling outdated and less secure cipher suites.
**Cipher suites** are sets of cryptographic algorithms used to secure network connections [1]. **Cipher suites** are sets of cryptographic algorithms used to secure network connections [1].
@@ -6164,7 +6164,7 @@ actions:
- -
name: Disable insecure "RC2" ciphers name: Disable insecure "RC2" ciphers
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite
This script disables RC2 ciphers. This script disables RC2 ciphers.
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
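Review bot: "afects" in the context line `This script only afects the *SSL/TLS handshake* process.` is misspelled, and the identical line appears in the RC4, DES, Triple DES, NULL, MD5 and SHA-1 scripts below; since this commit already touches the `docs:` header of each of those scripts, fix it to "affects" across all of them in the same pass.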
@@ -6219,7 +6219,7 @@ actions:
- -
name: Disable insecure "RC4" ciphers name: Disable insecure "RC4" ciphers
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite
This script disables the RC4 ciphers. This script disables the RC4 ciphers.
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
@@ -6284,7 +6284,7 @@ actions:
- -
name: Disable insecure "DES" cipher name: Disable insecure "DES" cipher
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite
This script disables the `DES 56/56` [1] [2] [3] [4] cipher, also known as *DES 56* [2] or *56-bit DES* [2]. This script disables the `DES 56/56` [1] [2] [3] [4] cipher, also known as *DES 56* [2] or *56-bit DES* [2].
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
@@ -6321,7 +6321,7 @@ actions:
- -
name: Disable insecure "Triple DES" cipher name: Disable insecure "Triple DES" cipher
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite
This script disables the `Triple DES 168` [1] [2] [3] (`Triple DES 168/168` before Windows Vista [2] [4]) cipher, This script disables the `Triple DES 168` [1] [2] [3] (`Triple DES 168/168` before Windows Vista [2] [4]) cipher,
also known as *3DES* [1] [3] [5] [6], *The Triple Data Encryption Algorithm (TDEA)* [6] [7] and **TDES** [8]. also known as *3DES* [1] [3] [5] [6], *The Triple Data Encryption Algorithm (TDEA)* [6] [7] and **TDES** [8].
@@ -6353,10 +6353,10 @@ actions:
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101545/https://sweet32.info/ "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN" [5]: https://web.archive.org/web/20240421101545/https://sweet32.info/ "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf [6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[7]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov" [7]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[9]: https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html [9]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
call: call:
- -
function: DisableTLSCipher function: DisableTLSCipher
@@ -6369,7 +6369,7 @@ actions:
- -
name: Disable insecure "NULL" cipher name: Disable insecure "NULL" cipher
recommend: standard # Disables encryption, turned off by default. recommend: standard # Disables encryption, turned off by default.
docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • authorities • cipher suite
This script disables the `NULL` [1] [2] [3] [4] cipher. This script disables the `NULL` [1] [2] [3] [4] cipher.
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
@@ -6406,7 +6406,7 @@ actions:
algorithmName: 'NULL' algorithmName: 'NULL'
- -
category: Disable insecure hashes category: Disable insecure hashes
docs: |- # refactor-with-variables: Same • Caution • vulnerability text as others. docs: |- # refactor-with-variables: Same • Caution • vulnerability
This category includes scripts to disable insecure hash algorithms during cryptographic operations. This category includes scripts to disable insecure hash algorithms during cryptographic operations.
Hash algorithms are essential for internet security, electronic banking, and document signing. Hash algorithms are essential for internet security, electronic banking, and document signing.
@@ -6425,7 +6425,7 @@ actions:
- -
name: Disable insecure "MD5" hash name: Disable insecure "MD5" hash
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, incompatible with third-party apps such as MEGA. recommend: strict # Considered weak and vulnerable by numerous authoritative sources, incompatible with third-party apps such as MEGA.
docs: |- # refactor-with-variables: Same • Caution • handshake • vulnerability • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • vulnerability • authorities • cipher suite
This script disables the use of the `MD5` [1] [2] [3] hash algorithm during the SSL/TLS handshake process. This script disables the use of the `MD5` [1] [2] [3] hash algorithm during the SSL/TLS handshake process.
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
@@ -6478,7 +6478,7 @@ actions:
- -
name: Disable insecure "SHA-1" hash name: Disable insecure "SHA-1" hash
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps
docs: |- # refactor-with-variables: Same • Caution • handshake • vulnerability • authorities • cipher suite text as others. docs: |- # refactor-with-variables: Same • Caution • handshake • vulnerability • authorities • cipher suite
This script disables `SHA` [1] [2] [3] hash algorithm, also known as *Secure Hash Algorithm (SHA-1)* [2]. This script disables `SHA` [1] [2] [3] hash algorithm, also known as *Secure Hash Algorithm (SHA-1)* [2].
This script only afects the *SSL/TLS handshake* process. This script only afects the *SSL/TLS handshake* process.
@@ -6549,7 +6549,7 @@ actions:
- -
name: Disable insecure renegotiation name: Disable insecure renegotiation
recommend: strict # Important security improvement, but may limit compatibility with older software. recommend: strict # Important security improvement, but may limit compatibility with older software.
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script enhances your security by reducing risks associated with secure communications. This script enhances your security by reducing risks associated with secure communications.
By running this script, you proactively enhance your online privacy and secure against By running this script, you proactively enhance your online privacy and secure against
well-known TLS vulnerabilities. well-known TLS vulnerabilities.
@@ -6632,7 +6632,7 @@ actions:
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f 2>nul reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f 2>nul
- -
category: Disable insecure protocols category: Disable insecure protocols
docs: |- # refactor-with-variables: Same • Caution • authorities as others. docs: |- # refactor-with-variables: Same • Caution • authorities
This category focuses on enhancing user privacy by disabling legacy and insecure communication This category focuses on enhancing user privacy by disabling legacy and insecure communication
protocols. protocols.
It targets protocols that expose users to security vulnerabilities due to their outdated nature. It targets protocols that expose users to security vulnerabilities due to their outdated nature.
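Review bot: `2>nul` on the revert line `reg delete "HKLM\...\SCHANNEL" /v "UseScsvForTls" /f 2>nul` hides every failure, not only the value-not-present case the commit message says it wants to silence; an access-denied error or a typo in the key path would go unnoticed. Guard it instead with `reg query "..." /v "UseScsvForTls" >nul 2>&1 && reg delete "..." /v "UseScsvForTls" /f` so only the not-present case is skipped and real errors still surface.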
@@ -6657,11 +6657,10 @@ actions:
DTLS 1.1 does not exist [8] [9]; DTLS 1.1 does not exist [8] [9];
its numbering was skipped to align with TLS versioning [8]. its numbering was skipped to align with TLS versioning [8].
- **TLS 1.2**, and **DTLS 1.2** (based on TLS 1.2 [8]): - **TLS 1.2**, and **DTLS 1.2** (based on TLS 1.2 [8]):
Although TLS 1.2 and DTLS 1.2 remain active on Windows [7] and are approved by NIST [2], TLS 1.2 and DTLS 1.2 are enabled by default on Windows [7] and are approved by authorities like
they are not endorsed by the German Federal Office for Information Security due to NIST [2], and German Federal Office for Information Security [10].
vulnerabilities [10].
Disabling them could affect application functionality, and earlier versions are not Disabling them could affect application functionality, and earlier versions are not
widely supported by Windows [7]. widely supported by Windows [7] [10].
> **Caution:** This may cause compatibility issues with older devices or software. > **Caution:** This may cause compatibility issues with older devices or software.
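Review bot: reference [10] is cited on the left-hand side for "not endorsed by the German Federal Office for Information Security due to vulnerabilities" and on the right-hand side for the opposite claim that BSI approves TLS 1.2 and DTLS 1.2; please confirm which reading [10] supports before merging. Also drop the comma and add the article in the new sentence: "approved by authorities like NIST [2] and the German Federal Office for Information Security [10]", and say what "earlier versions" refers to (earlier TLS/DTLS versions), since the sentence currently reads as if it were about Windows versions.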
@@ -6679,7 +6678,7 @@ actions:
- -
name: Disable insecure "SMBv1" protocol name: Disable insecure "SMBv1" protocol
recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script improves network security by disabling the outdated SMBv1 protocol. This script improves network security by disabling the outdated SMBv1 protocol.
**SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed **SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed
@@ -6818,7 +6817,7 @@ actions:
- -
name: Disable insecure "NetBios" protocol name: Disable insecure "NetBios" protocol
recommend: standard recommend: standard
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces. This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces.
NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2]. NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2].
@@ -6859,7 +6858,7 @@ actions:
- -
name: Disable insecure "SSL 2.0" protocol name: Disable insecure "SSL 2.0" protocol
recommend: standard # Outdated protocol, removed from Windows recommend: standard # Outdated protocol, removed from Windows
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled as others. docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled
This script disables the SSL 2.0 protocol. This script disables the SSL 2.0 protocol.
This protocol is identified as `SSL 2.0` on Windows [1] [2] [3], This protocol is identified as `SSL 2.0` on Windows [1] [2] [3],
and also known as *SSL2* [4] [5]. and also known as *SSL2* [4] [5].
@@ -6890,19 +6889,19 @@ actions:
- -
name: Disable insecure "SSL 3.0" protocol name: Disable insecure "SSL 3.0" protocol
recommend: standard # Outdated protocol, disabled by default recommend: standard # Outdated protocol, disabled by default
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled as others. docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • previously enabled
This script disables the SSL 3.0. This script disables the SSL 3.0.
This protocol is identified as `SSL 3.0` on Windows [1] [2] [3], This protocol is identified as `SSL 3.0` on Windows [1] [2] [3],
and also known as *SSL3* [4] or *SSLv3* [5]. and also known as *SSL3* [4] or *SSLv3* [5].
Modern Windows systems disable SSL 3.0 by default due to its security flaws [2] [4]. Modern Windows systems disable SSL 3.0 by default due to its security flaws [2] [4].
It was previously enabled by default [4], It was previously enabled by default [4],
posing significant security risks from well-known vulnerabilities [6], posing significant security risks from well-known vulnerabilities,
including the POODLE [6] [7] [8] and BEAST [7] attacks. including the POODLE [6] [7] [8] [9] and BEAST [7] attacks.
Authorities like NIST (FIPS) [8], IETF [6], Apple [5], PCI Security Standards Council [7], Authorities like NIST (FIPS) [8] [9], IETF [6], Apple [5], PCI Security Standards Council [7],
Federal Office for Information Security (BSI) [3], Office of the Chief Information Security Officer [8] Federal Office for Information Security (BSI) [3], Office of the Chief Information Security Officer [8]
and NSA (National Security Agency) [9] NSA (National Security Agency) [10], and The Center for Internet Security (CIS) [9]
recommend disabling this insecure and obsolete protocol. recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software. > **Caution:** This may cause compatibility issues with older devices or software.
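Review bot: "Authorities like NIST (FIPS) [8] [9]" now cites [9] for NIST, but the next hunk reassigns [9] to the Tenable/CIS NGINX audit item, so that citation no longer supports the NIST claim; keep [9] only on the CIS mention. The authorities list also lost its separator: "Office of the Chief Information Security Officer [8] NSA (National Security Agency) [10], and The Center for Internet Security (CIS) [9]" needs a comma after "[8]" and a lowercase "the".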
@@ -6915,7 +6914,8 @@ actions:
[6]: https://web.archive.org/web/20240429205513/https://datatracker.ietf.org/doc/html/rfc7568 "RFC 7568 - Deprecating Secure Sockets Layer Version 3.0 | datatracker.ietf.org" [6]: https://web.archive.org/web/20240429205513/https://datatracker.ietf.org/doc/html/rfc7568 "RFC 7568 - Deprecating Secure Sockets Layer Version 3.0 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org" [7]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov" [8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[9]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [9]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call: call:
function: DisableTLSProtocol function: DisableTLSProtocol
parameters: parameters:
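Review bot: the new [9] is a Tenable audit page for the CIS NGINX benchmark, which is a web server benchmark; as support for "CIS recommends disabling SSL 3.0" in a Windows Schannel hardening script, a CIS Microsoft Windows benchmark would be the stronger citation. If the Tenable page is kept, the NSA reference that moved to [10] should also be re-checked against the citation numbers used in the docs text above, since [9] and [10] were renumbered in this hunk.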
@@ -6923,7 +6923,7 @@ actions:
- -
name: Disable insecure "TLS 1.0" protocol name: Disable insecure "TLS 1.0" protocol
recommend: strict # Newly disabled by Microsoft, but may lead to compatibility issues recommend: strict # Newly disabled by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled as others. docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled
This script disables the TLS 1.0 [1] [2] [3] protocol. This script disables the TLS 1.0 [1] [2] [3] protocol.
This protocol is identified as `TLS 1.0` on Windows [1] [2] [3]. This protocol is identified as `TLS 1.0` on Windows [1] [2] [3].
@@ -6936,9 +6936,10 @@ actions:
now disable this protocol by default. now disable this protocol by default.
Authorities like NIST (FIPS) [7], IETF [6] [9], NSA (National Security Agency) [7] [12], Authorities like NIST (FIPS) [7], IETF [6] [9], NSA (National Security Agency) [7] [12],
Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [13], Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [13] [14],
Federal Office for Information Security (BSI) in Germany [3], and Federal Office for Information Security (BSI) in Germany [3],
Office of the Chief Information Security Officer [11] Office of the Chief Information Security Officer [11],
and The Center for Internet Security (CIS) [14]
recommend disabling this insecure and obsolete protocol. recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.0 improves security, it may disrupt certain older applications that While disabling TLS 1.0 improves security, it may disrupt certain older applications that
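Review bot: "PCI Security Standards Council [13] [14]" attaches [14] to PCI, but [14] is the CIS audit item added in the next hunk and is not a PCI source; cite it only on "The Center for Internet Security (CIS) [14]". The rest of the list reads fine once that is fixed, though "The Center" should be lowercase "the" mid-sentence for consistency with the other entries.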
@@ -6956,9 +6957,10 @@ actions:
[8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org" [8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org" [9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com" [10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com" [11]: https://web.archive.org/web/20240029210517/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[12]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [12]: https://web.archive.org/web/20240429104097/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[13]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org" [13]: https://web.archive.org/web/20240029194213/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[14]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
call: call:
function: DisableTLSProtocol function: DisableTLSProtocol
parameters: parameters:
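Review bot: three rewritten archive URLs in this hunk carry malformed Wayback timestamps: [11] and [13] use `20240029…` (month 00) and [12] uses `20240429104097` (seconds 97), whereas the left-hand side had valid `20240429…` stamps. Wayback usually redirects to the nearest capture so these may still resolve, but the snapshot served can differ from the one that was reviewed; revert to the previous timestamps unless a new capture was deliberately taken.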
@@ -6966,25 +6968,25 @@ actions:
- -
name: Disable insecure "TLS 1.1" protocol name: Disable insecure "TLS 1.1" protocol
recommend: strict # Deprecated by Microsoft, but may lead to compatibility issues recommend: strict # Deprecated by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled as others. docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • browsers • previously enabled
This script disables the TLS 1.1 protocol.
This protocol is identified as `TLS 1.1` on Windows [1] [2] [3]. This protocol is identified as `TLS 1.1` on Windows [1] [2] [3].
Although deprecated and unsupported in newer Windows versions [4], Although deprecated and unsupported in newer Windows versions [4],
it remains enabled by default in older versions [5]. it remains enabled by default in older versions [5].
This protocol contains fundamental well-documented security vulnerabilities [6]. This protocol contains fundamental well-documented security vulnerabilities [6].
Major browsers, including Safari [7], Firefox [8], Chrome [9] and Edge [10], Major browsers [7], including Safari [8], Firefox [9], Chrome [10] and Edge [11],
now disable this protocol by default. now disable this protocol by default.
Authorities like NIST (FIPS) [11], IETF [6] [8], NSA (National Security Agency) [11] [12], Authorities like NIST (FIPS) [12], IETF [6] [9], NSA (National Security Agency) [12] [13],
Apple [7], Mozilla [8], Microsoft [4] [10], Google [9], PCI Security Standards Council [3], Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [3],
Federal Office for Information Security (BSI) in Germany [3], Federal Office for Information Security (BSI) in Germany [3],
and Office of the Chief Information Security Officer [11] Office of the Chief Information Security Officer [12],
and The Center for Internet Security (CIS) [7]
recommend disabling this insecure and obsolete protocol. recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.1 improves security, it may disrupt certain older applications that While disabling TLS 1.1 improves security, it may disrupt certain older applications that
depend on this protocol [4] [11]. depend on this protocol [4] [12].
> **Caution:** This may cause compatibility issues with older devices or software. > **Caution:** This may cause compatibility issues with older devices or software.
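Review bot: the new `[7]` citation on `Major browsers [7], including Safari [8], Firefox [9], Chrome [10] and Edge [11],` points at a Tenable audit page for the CIS NGINX web-server benchmark, which says nothing about browser defaults; the browser-specific sources [8] to [11] already carry that sentence, so `[7]` should be dropped there. The same entry is also used for `and The Center for Internet Security (CIS) [7]` in the authorities list; a web-server benchmark is a thin basis for a recommendation about Windows Schannel settings, so if a CIS Windows benchmark is available it would be the better reference, and if not the sentence should say which CIS benchmark is meant.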
@@ -6994,96 +6996,220 @@ actions:
[4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org" [6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org" [7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[8]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org" [8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[9]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com" [9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[10]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com" [10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov" [11]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[12]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [12]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[13]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call: call:
function: DisableTLSProtocol function: DisableTLSProtocol
parameters: parameters:
protocolName: TLS 1.1 protocolName: TLS 1.1
- -
name: Disable insecure "DTLS 1.0" protocol name: Disable insecure "DTLS 1.0" protocol
docs: |- # refactor-with-variables: Same • Caution • identified as • authorities as others. docs: |- # refactor-with-variables: Same • Caution • identified as • authorities • DTLS explanation
This script disables the DTLS 1.0 protocol. This script disables the DTLS 1.0 protocol.
This protocol is identified as `DTLS 1.0` on Windows [1] [2]. This protocol is identified as `DTLS 1.0` on Windows [1] [2].
It is enabled by default [2]. It is enabled by default [2].
It is considered insecure [3] [4] and has been deprecated by Microsoft due to its vulnerabilities [5]. DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
It's based on TLS 1.1 [3], which is also deprecated and insecure [3] [4] [5] [6]. Based on the TLS protocol, DTLS offers equivalent security measures [3].
Common uses include online gaming, DNS lookups, and VPN services.
Authorities like NIST (FIPS) [6], IETF [3], Microsoft [5], and NSA (National Security Agency) [4] It is considered insecure [4] [5] and has been deprecated by Microsoft due to its vulnerabilities [6].
It's based on TLS 1.1 [4], which is also deprecated and insecure [4] [5] [6] [7].
Authorities like NIST (FIPS) [7], IETF [4], Microsoft [6], and NSA (National Security Agency) [5]
recommend disabling this insecure and obsolete protocol. recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software. > **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com" [1]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[2]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org" [3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [4]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[5]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov" [6]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
call: call:
function: DisableTLSProtocol function: DisableTLSProtocol
parameters: parameters:
protocolName: DTLS 1.0 protocolName: DTLS 1.0
-
name: Disable insecure connections from .NET apps
recommend: strict # Default since .NET 4.6 and above, absence considered vulnerabiltiy, but can still break legacy apps
docs: |- # refactor-with-variables: Same • authorities • applies to all .NET
This script improves security by enforcing secure network connections across all .NET applications.
By setting the `SchUseStrongCrypto` configuration [1] [2] [3] [4], it prevents the use of outdated
and insecure connections, including:
- Protocols weaker than TLS 1.1 [1] [4] and TLS 1.2 [1] [2] [4].
- Cipher algorithms such as RC4 [4] [5], NULL [6], DES [6], and export suites [6].
- Hash algorithms like MD5 [6].
Authorities like Microsoft [1], and Department of Defense (DoD) [3]
recommend this configuration as part of their security guidelines.
This script applies to all .NET applications on the system [1].
A ***.NET application*** is any software developed using Microsoft's .NET platform [7].
This includes many third-party and system applications on Windows, like PowerShell [8].
A .NET application can be various of types, ranging from mobile apps to cloud services [7].
This script affects only the client-side (outgoing) connections of an application [1].
It secures outgoing data from the application without changing how incoming data is handled.
You must restart your system after running this script to activate the security improvements [2] [5].
> **Caution:** This script may disrupt applications relying on legacy services that lack support for
> modern cryptographic standards [1].
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240503121339/https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications "Manage SSL/TLS protocols and cipher suites for AD FS | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240503121520/https://www.stigviewer.com/stig/tanium_7.x/2022-08-24/finding/V-253876 "The SchUseStrongCrypto registry value must be set. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240503121456/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358 "Microsoft Security Advisory 2960358 | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#sch_use_strong_crypto-option-changes "TLS (Schannel SSP) | Microsoft Learn"
[7]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org"
[8]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? - PowerShell | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetDotNetRegistryKey
parameters:
valueName: SchUseStrongCrypto
valueData: '1'
-
function: ShowComputerRestartSuggestion
- -
name: Enable DTLS 1.3 # Windows 10 and Windows Server 10 version 1903 and newer support DTLS 1.3 category: Enable secure connections
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
> **Caution:** This may cause compatibility issues with older devices or software. This category configures essential security settings to protect network communications.
code: |- Newer security standards offer improved protection against vulnerabilities found in older versions [1].
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 Scripts within this category enhance your privacy and security by enabling these standards to
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 maintain the integrity of network communications.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 [1]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
revertCode: |- children:
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f -
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f name: Enable secure "DTLS 1.2" protocol
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f recommend: standard # Enabled by default ≥ Windows 10, version 1607, script does not run on older versions
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f docs: |- # refactor-with-variables: Same • Caution • DTLS explanation • minimum version safeguard
- This script enables the DTLS 1.2 protocol.
name: Enable TLS 1.3 This protocol is identified as `DTLS 1.2` on Windows [1] [2].
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 Based on the TLS protocol, DTLS offers equivalent security measures [3].
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 Common uses include online gaming, DNS lookups, and VPN services.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |- Despite being superseded by the more secure DTLS 1.3 [4],
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f DTLS 1.2 is still approved by authorities like NIST [5], NSA [6],
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f and the German Federal Office for Information Security [2].
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f DTLS 1.2 is based on TLS 1.2 [7].
- It's supported by Windows since Windows 10 version 1607 and by Windows Server 2016 Standard [8] [9].
name: Enable strong authentication for .NET applications using TLS 1.2 privacy.sexy chooses DTLS 1.2 over DTLS 1.3 due to the lack of support for DTLS 1.3 on Windows platforms [8].
docs: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
code: |- This script only works on Windows 10 version 1607 or newer.
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 This restriction is in place to maintain system stability
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 by allowing only supported Windows versions to use the protocol.
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 > **Caution:** This may cause compatibility issues with older devices or software.
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 [1]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 [3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 [4]: https://web.archive.org/web/20240503121839/https://datatracker.ietf.org/doc/html/rfc9147 "RFC 9147 - The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 | datatracker.ietf.org"
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 [5]: https://web.archive.org/web/20240503122007/https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf "Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program | National Institute of Standards and Technology Canadian Centre for Cyber Security | csrc.nist.gov"
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 [6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 [7]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
revertCode: |- [8]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f [9]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#dtls-12 "TLS (Schannel SSP) | Microsoft Learn"
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f call:
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f function: EnableTLSProtocol
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f parameters:
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f protocolName: DTLS 1.2
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f minimumWindowsVersion: Windows10-1607
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f -
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f name: Enable secure "TLS 1.3" protocol
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f recommend: standard # Enabled by default ≥ Windows 11, script does not run on older versions
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f docs: |- # refactor-with-variables: Same • Caution • Authorities • minimum version safeguard
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f This script enables the TLS 1.3 protocol.
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f This protocol is identified as `TLS 1.3` on Windows [1].
TLS 1.3 is the latest and most secure version of the TLS protocol [2].
It is supported starting with Windows 11 and Windows Server 2022 [3] [4].
On these systems, TLS 1.3 is enabled by default [3].
Authorities like NSA (National Security Agency) [5] [6], Federal Office for Information Security
(BSI) [1], The Center for Internet Security [7], NIST [8], Microsoft [9], Mozilla [10],
and Apple [11]
recommend using this protocol for its enhanced security.
This script only works on Windows 11 or newer.
This restriction is in place to maintain system stability [3] [4]
by allowing only supported Windows versions to use the protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[2]: https://web.archive.org/web/20240503122214/https://datatracker.ietf.org/doc/html/rfc8446 "RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 | datatracker.ietf.org"
[3]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com"
[5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[6]: https://web.archive.org/web/20240503122227/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf "NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of Transport | nvlpubs.nist.gov"
[7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[9]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[11]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
call:
function: EnableTLSProtocol
parameters:
protocolName: TLS 1.3
minimumWindowsVersion: Windows11
-
name: Enable secure connections for legacy .NET apps
recommend: strict # Default since .NET 4.6 and above, but can still break legacy apps
docs: |- # refactor-with-variables: Same • Caution • applies to all .NET
This script provides secure connections for older .NET Framework applications.
It enables the automatic adoption of newer, more secure protocols as supported by the operating system [1].
If the operating system supports newer TLS versions, applications will automatically use these without
any need for modifications to the application code or .NET Framework settings [1] [2] [3].
For example, this configuration enables .NET Framework 3.5 applications, which do not natively support
TLS 1.2, to adopt TLS 1.2 [2].
This script applies to all .NET applications on the system [1].
A ***.NET application*** is any software developed using Microsoft's .NET platform [4].
This includes many third-party and system applications on Windows, like PowerShell [5].
A .NET application can be various of types, ranging from mobile apps to cloud services [4].
This script modifies the `SystemDefaultTlsVersions` configuration [1] [2] [3] [6] [7].
This setting enables the operating system to automatically select the most secure available protocol for
.NET applications [1].
Thus, applications automatically benefit from future security enhancements and new protocols added to the
operating system, without the need for updates [1].
This maintains ongoing security as new TLS versions emerge and older ones are retired [1].
It may also resolve compatibility issues with older devices or software [7].
However, it may also result in compatibility issues if the system defaults are too restrictive [8].
> **Caution**: This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240503120928/https://support.microsoft.com/en-us/topic/cumulative-update-for-windows-10-version-1511-and-windows-server-2016-technical-preview-4-may-10-2016-aaff80d8-b207-2238-fc9c-bf13fea1c566 "Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016 - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240503120718/https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-on-windows-8-1-and-windows-server-2012-r2-499ff5ef-a88a-128b-c639-ed038b7d2d5f "Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 - Microsoft Support | support.microsoft.com"
[4]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org"
[5]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? - PowerShell | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem "Solving the TLS 1.0 Problem | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/answers/questions/717566/schusestrongcrypto-registry-value-does-windows-neg#answer-719469 "SchUseStrongCrypto registry value: does WIndows negotiation include older TLS versions? - Microsoft Q&A | learn.microsoft.com"
call:
function: SetDotNetRegistryKey
parameters:
valueName: SystemDefaultTlsVersions
valueData: '1'
- -
category: Block tracking hosts category: Block tracking hosts
docs: |- docs: |-
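Review bot: The docs for this script state the compatibility risk twice in a row: "It may also resolve compatibility issues with older devices or software [7]. However, it may also result in compatibility issues if the system defaults are too restrictive [8]." is immediately followed by the `> **Caution**: This may cause compatibility issues with older devices or software.` callout, and the two "may also" sentences read as contradicting each other. Suggest keeping the cited sentences (rephrased as "it may resolve ... [7], but it may also cause ... [8]") and the standard callout once, so the generated documentation does not repeat itself.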
@@ -7431,7 +7557,7 @@ actions:
domain: telemetry.v.dropbox.com domain: telemetry.v.dropbox.com
- -
name: Block Spotify Live Tile hosts name: Block Spotify Live Tile hosts
docs: |- # refactor-with-variables: • live tiles docs: |- # refactor-with-variables: Same • live tiles
This script enhances privacy by preventing the Spotify application from fetching and displaying live updates on its Live Tile [1]. This script enhances privacy by preventing the Spotify application from fetching and displaying live updates on its Live Tile [1].
Spotify, known for being pre-installed with Windows [2], can collect data in the background without user consent. Spotify, known for being pre-installed with Windows [2], can collect data in the background without user consent.
@@ -7662,7 +7788,7 @@ actions:
domain: query.prod.cms.rt.microsoft.com domain: query.prod.cms.rt.microsoft.com
- -
name: Block Cortana and Live Tiles hosts name: Block Cortana and Live Tiles hosts
recommend: strict # refactor-with-variables: • Same excluded host: `r.bing.com` • live tiles recommend: strict # refactor-with-variables: Same • Same excluded host: `r.bing.com` • live tiles
docs: |- docs: |-
This script blocks specific hosts associated with Cortana and Live Tiles, This script blocks specific hosts associated with Cortana and Live Tiles,
thereby enhancing your preventing updates to Cortana's greetings, tips, and Live Tiles [1]. thereby enhancing your preventing updates to Cortana's greetings, tips, and Live Tiles [1].
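Review bot: The updated marker `# refactor-with-variables: Same • Same excluded host: \`r.bing.com\` • live tiles` repeats "Same", whereas the other markers changed in this commit use it once (`Same • live tiles`); drop one so the markers stay uniform and greppable. While this docs block is being touched, the unchanged context line "thereby enhancing your preventing updates to Cortana's greetings, tips, and Live Tiles [1]" is ungrammatical and presumably meant "thereby preventing updates to Cortana's greetings, tips, and Live Tiles [1]".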
@@ -7863,7 +7989,7 @@ actions:
domain: evoke-windowsservices-tas.msedge.net domain: evoke-windowsservices-tas.msedge.net
- -
name: Block OneNote Live Tile hosts name: Block OneNote Live Tile hosts
recommend: strict # refactor-with-variables: • live tiles recommend: strict # refactor-with-variables: Same • live tiles
docs: |- docs: |-
This script blocks the communication used by OneNote Live Tile [1]. This script blocks the communication used by OneNote Live Tile [1].
@@ -7897,7 +8023,7 @@ actions:
domain: cdn.onenote.net domain: cdn.onenote.net
- -
name: Block Weather Live Tile hosts name: Block Weather Live Tile hosts
recommend: strict # refactor-with-variables: • live tiles recommend: strict # refactor-with-variables: Same • live tiles
docs: |- docs: |-
This script blocks the communication used by Weather app [1] [2] and its Live Tile feature [3]. This script blocks the communication used by Weather app [1] [2] and its Live Tile feature [3].
@@ -16802,7 +16928,7 @@ actions:
capabilityName: Msix.PackagingTool.Driver capabilityName: Msix.PackagingTool.Driver
- -
category: Remove networking capabilities category: Remove networking capabilities
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: **Caution**
This category focuses on the removal of certain networking capabilities. This category focuses on the removal of certain networking capabilities.
These capabilities are usually not pre-installed on Windows [1]. These capabilities are usually not pre-installed on Windows [1].
@@ -16822,7 +16948,7 @@ actions:
children: children:
- -
name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability. This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability.
CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1]. CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1].
@@ -16841,7 +16967,7 @@ actions:
capabilityName: RasCMAK.Client capabilityName: RasCMAK.Client
- -
name: Remove "RIP Listener" capability name: Remove "RIP Listener" capability
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: *Caution**
This script removes the "RIP Listener" (`RIP.Listener` [1]) capability. This script removes the "RIP Listener" (`RIP.Listener` [1]) capability.
The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPV1) [1]. The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPV1) [1].
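Review bot: The new marker `# refactor-with-variables: *Caution**` has unbalanced asterisks and does not match the `Same Caution` wording used for the sibling capability scripts (CMAK, SNMP, SNMP WMI Provider) in this same commit, nor the `**Caution**` form used for the parent category; pick one spelling so that a later search for the marker finds all of them.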
@@ -16861,7 +16987,7 @@ actions:
capabilityName: RIP.Listener capabilityName: RIP.Listener
- -
name: Remove "Simple Network Management Protocol (SNMP)" capability name: Remove "Simple Network Management Protocol (SNMP)" capability
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability. This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability.
SNMP is used for monitoring and managing network devices [1]. SNMP is used for monitoring and managing network devices [1].
@@ -16880,7 +17006,7 @@ actions:
capabilityName: SNMP.Client capabilityName: SNMP.Client
- -
name: Remove "SNMP WMI Provider" capability name: Remove "SNMP WMI Provider" capability
docs: |- # refactor-with-variables: Same **Caution** text as others. docs: |- # refactor-with-variables: Same Caution
This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability. This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability.
This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1]. This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1].
@@ -20154,7 +20280,7 @@ functions:
} }
codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'
- -
name: DeleteRegistryKey name: DeleteRegistryKey
parameters: parameters:
- name: keyName # Full path of the subkey or entry to be added. - name: keyName # Full path of the subkey or entry to be added.
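Review bot: The `keyName` parameter comment on `DeleteRegistryKey` reads "Full path of the subkey or entry to be added.", which is copied from the add-side function; for a delete function it should say "to be deleted". This hunk only reflows the adjacent `codeComment` / `revertCodeComment` lines, so the one-word fix can ride along.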
@@ -20368,8 +20494,8 @@ functions:
- -
function: Comment function: Comment
parameters: parameters:
codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys for TLS/SSL handshakes codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys for TLS/SSL connections
revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL handshakes revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL connections
- -
function: RunInlineCode function: RunInlineCode
# Marked: refactor-with-if-syntax # Marked: refactor-with-if-syntax
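Review bot: The word order in `codeComment` is still wrong on the new side: `to have at "{{ $keySizeInBits }}" least bits keys` should read `to have at least "{{ $keySizeInBits }}"-bit keys`. Since the line is already being edited for the handshakes-to-connections rename, correct it here rather than leaving the garbled phrase in every generated script.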
@@ -20406,8 +20532,8 @@ functions:
- -
function: Comment function: Comment
parameters: parameters:
codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL handshakes codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections
revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL handshakes revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -20565,8 +20691,8 @@ functions:
- -
function: Comment function: Comment
parameters: parameters:
codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL handshakes codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections
revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL handshakes revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -20598,8 +20724,10 @@ functions:
- -
function: Comment function: Comment
parameters: parameters:
codeComment: Disable usage of "{{ $protocolName }}" protocol for TLS/SSL handshakes codeComment: Disable usage of "{{ $protocolName }}" protocol for TLS/SSL connections
revertCodeComment: Restore usage of "{{ $protocolName }}" protocol for TLS/SSL handshakes revertCodeComment: Restore usage of "{{ $protocolName }}" protocol for TLS/SSL connections
# Marked: refactor-with-if-syntax
# - Rest of this function does the opposite of `EnableTLSProtocol`, introduce `ToggleTLSProtocolState`?
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -20608,10 +20736,216 @@ functions:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /t "REG_DWORD" /d "0" /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f
# Marked: refactor-with-variables, refactor-with-if-syntax
# - `revertCode` is same as `EnableLSProtocol` (reuse it or introduce `ToggleTLSProtocolState`?)
revertCode: |- # Missing subkeys under `Ciphers` since Windows 10 22H2 Pro and Windows 11 23H2 Pro revertCode: |- # Missing subkeys under `Ciphers` since Windows 10 22H2 Pro and Windows 11 23H2 Pro
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /f 2>nul reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /f 2>nul reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /f 2>nul reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /f 2>nul reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /f 2>nul
-
name: RunPowerShellWithSetup
# 💡 Purpose:
# Runs the same setup code before both the main code and any revert code.
parameters:
- name: code
- name: revertCode
optional: true
- name: setupCode # Optional PowerShell code to be executed before `code`, and before `revertCode` if `revertCode` is used.
optional: true
call:
function: RunPowerShell
parameters:
code: |-
{{ with $setupCode }}{{ . }}{{ end }}
{{ $code }}
revertCode: |-
{{ with $revertCode }}
{{ with $setupCode }}{{ . }}{{ end }}
{{ . }}
{{ end }}
-
name: SetRegistryValue
# 💡 Purpose:
# Create or modify a registry entry at a specified path.
# Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands.
parameters:
- name: keyPath # Full path of the subkey or entry to be added.
- name: valueName # Name of the add registry entry.
- name: dataType # Type for the registry entry.
- name: data # Data for the new registry entry.
- name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key.
optional: true
- name: minimumWindowsVersion # Ensures the script executes only on specified Windows versions or newer.
optional: true # Allowed values: Windows11, Windows10-1607
call:
function: RunPowerShellWithSetup
parameters:
# Marked: refactor-with-if-syntax
# If checks can be handled during compile time.
setupCode: |-
{{ with $minimumWindowsVersion }}
$targetWindowsVersion = '{{ . }}'
$parsedVersion=$null
if ($targetWindowsVersion -eq 'Windows11') {
$parsedVersion=[System.Version]::Parse('10.0.22000')
} elseif ($targetWindowsVersion -eq 'Windows10-1607') {
$parsedVersion=[System.Version]::Parse('10.0.14393')
}
if ([System.Environment]::OSVersion.Version -lt $parsedVersion) {
Write-Output "Skipping, versions before $parsedVersion are not supported."
exit 0
}
{{ end }}
code: |-
reg add '{{ $keyPath }}' `
/v '{{ $valueName }}' `
/t '{{ $dataType }}' `
/d '{{ $data }}' `
/f
revertCode: |-
{{ with $deleteOnRevert }}
reg delete '{{ $keyPath }}' `
/v '{{ $valueName }}' `
/f 2>$null
{{ end }}
-
name: EnableTLSProtocol
parameters:
- name: protocolName
- name: minimumWindowsVersion # Defines the minimum Windows version required to support this protocol. The script will not execute on unsupported versions.
optional: true # Allowed values: Windows11, Windows10-1607
docs: |-
This function enables of specific TLS protocols by modifying registry entries at
`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` [1] [2].
By setting the `DisabledByDefault` registry key to `0`, the it enables the system to negotiate
the use of protocols that might otherwise not be used by default [1].
By setting the `Enabled` registry key to '1', it explicitly allows the use of the protocol [1], overriding
any system defaults that might otherwise prohibit its use [3].
On reverting the changes, it deletes the registry values, effectively restoring the original protocol settings.
The default Windows installation does not include values under the `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`
registry subtree, as confirmed by tests on Windows 10 22H2 Pro and Windows 11 23H2 Pro.
> **Caution**: Enabling a TLS protocol may not always be safe on certain Windows versions, as experimental support
> for some protocols can lead to system instability [4] [5].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Enable "{{ $protocolName }}" protocol as default for TLS/SSL connections
revertCodeComment: Restore "{{ $protocolName }}" protocol defaults for TLS/SSL handshake
# Marked: refactor-with-if-syntax
# - Rest of this function does the opposite of `DisableTLSProtocol`, introduce `ToggleTLSProtocolState`?
- # Server -> Enable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: Enabled
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Server -> Do not disable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: DisabledByDefault
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Client -> Enable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: Enabled
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Client -> Do not disable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: DisabledByDefault
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
-
name: SetDotNetRegistryKey
parameters:
- name: valueName
- name: valueData
docs: |-
This function configuresregistry settings specifically for .NET Framework applications by setting values within the Windows Registry
at the `HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>\{{ valueName }}!{{ valueData }}` keys [1] [2] [3].
It affects the following .NET Framework versions:
- `v4.0.30319`: Used for configurations pertaining to .NET Framework 4 and later versions [1] [2] [3].
- `v2.0.50727`: Targets .NET Framework 3.5 settings [1] [3].
Note that there are no version-based keys such as `v3.0` or `v3.5`, ensuring that only recognized versions are configured.
The `Wow6432Node` within the registry path indicates compatibility adjustments for 32-bit applications running on 64-bit machines
it is absent in purely 32-bit environments [4].
These settings are applied globally, affecting all .NET applications on the system.
The configurations include enabling features or protocols that might not be active by default, depending on the framework version.
It configures settings globally, affecting all .NET applications [1].
When reverting changes, the function removes the specified keys to restore settings to their original state.
On standard Windows installations, no other subkeys exist under the `.NETFramework\{version}\` registry path besides
`v4.0.30319\AspNetEnforceViewStateMac!AspNetEnforceViewStateMac` [3], as tested since Windows 10 Pro 22H2 and Windows 11 23H2 Pro.
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240504125305/https://learn.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server#enable-strong-cryptography-in-net-framework-45-or-higher "Enable TLS 1.1 and TLS 1.2 support in Office Online Server - Office Online Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240504125553/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/ssl-pe-no-cipher-error-endpoint-5022 "SSL_PE_NO_CIPHER error at endpoint 5022 - SQL Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240504125535/https://learn.microsoft.com/en-us/troubleshoot/windows-client/application-management/wow6432node-registry-key-present-32-bit-machine "WOW6432Node listed in 32-bit version of Windows - Windows Client | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Configure "{{ $valueName }}" for .NET applications
revertCodeComment: Restore "{{ $valueName }}" configuration for .NET applications
- # x86 | = .NET Framework 3.5
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
- # x64 | = .NET Framework 3.5
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
- # x86 | ≥ .NET Framework 4
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
- # x64 | ≥ .NET Framework 4
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3
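Review bot: The x86/x64 labels on the four `SetDotNetRegistryKey` calls are inverted: `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\...` is the 32-bit registry view consulted by 32-bit .NET applications on 64-bit Windows, as the function's own docs and reference [4] state, while `HKLM\SOFTWARE\Microsoft\.NETFramework\...` is the native (64-bit) key; swap the `# x86 |` and `# x64 |` comments so readers do not draw the wrong conclusion about which key a given process reads. Two logic points in `SetRegistryValue`: `deleteOnRevert` is documented as "Set to 'true'", but the revert template only checks `{{ with $deleteOnRevert }}`, so any non-empty value such as `'false'` also triggers the `reg delete`; either compare against `'true'` or document that presence alone enables deletion. In the `minimumWindowsVersion` setup, an unrecognized value leaves `$parsedVersion` as `$null`, and `[System.Environment]::OSVersion.Version -lt $null` evaluates to false, so the guard silently does nothing; add an `else { throw "Unknown minimum Windows version: $targetWindowsVersion" }` branch (or reject it at compile time, as the `refactor-with-if-syntax` marker suggests). Smaller points: the marker comment says `EnableLSProtocol` instead of `EnableTLSProtocol`; the `EnableTLSProtocol` docs have "This function enables of specific TLS protocols" and "the it enables", and its `revertCodeComment` still says "TLS/SSL handshake" although this commit renames every other comment to "connections"; the comment repeated on each `deleteOnRevert` line, "Windows 10 Pro 22H2 an Windows 11 Pro 23H3", should read "and ... 23H2" to agree with the docs above it; in `SetDotNetRegistryKey` docs, "configuresregistry" needs a space, "running on 64-bit machines it is absent" needs a comma or full stop, and the global-scope statement appears twice ("These settings are applied globally, affecting all .NET applications on the system." and "It configures settings globally, affecting all .NET applications [1]."), so one of them can go.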