Public/Enable-CipherProtocol.ps1
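function Enable-CipherProtocol {
    <#
    .SYNOPSIS
        Re-enables legacy protocols and weak cipher suites in SCHANNEL.
    .DESCRIPTION
        Configures SCHANNEL registry keys to enable TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 and
        SSL 2.0 for both the Server and Client roles, and re-enables 24 known-weak TLS cipher
        suites through Enable-TlsCipherSuite. Optionally removes the TLS 1.0, 1.1 and 1.2
        registry keys entirely via -FullReset, allowing Windows to fall back to its built-in
        defaults (SSL 2.0 / SSL 3.0 keys are left untouched in that mode).
        A system restart is required for changes to take effect.

        WARNING: This function intentionally weakens the cryptographic security posture of the
        system by enabling deprecated protocols and cipher suites with known vulnerabilities.
        Only use this in controlled environments where legacy compatibility is required.
    .INPUTS
        None. Parameters must be supplied directly.
    .OUTPUTS
        None.
    .PARAMETER FullReset
        Removes the TLS 1.0, TLS 1.1, and TLS 1.2 SCHANNEL registry keys entirely rather than
        setting them to enabled, allowing Windows to use its compiled-in defaults.
    .PARAMETER ComputerName
        The target computer. Defaults to the local machine.
    .PARAMETER Force
        Restarts the computer immediately after applying changes.
    .EXAMPLE
        Enable-CipherProtocol
        Re-enables legacy protocols and weak cipher suites on the local machine.
    .EXAMPLE
        Enable-CipherProtocol -FullReset -ComputerName 'TestServer' -Force
        Removes TLS 1.0/1.1/1.2 registry entries and re-enables weak cipher suites on
        TestServer, then restarts it immediately.
    .NOTES
        Requires Administrator privileges. This function reduces system security.
        Use Disable-CipherProtocol to reverse.
        Remote operations require WinRM to be configured on the target machine.
        Enable-TlsCipherSuite comes from the Windows TLS module; on a target without it the
        per-suite try/catch below reports a warning for every suite rather than failing hard.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType([void])]
    param (
        [Parameter(Mandatory = $false)]
        [switch]$FullReset,

        [Parameter(Mandatory = $false)]
        [string]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # Run in-process for the local host so no WinRM round-trip is needed.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
               ($ComputerName -ieq 'localhost') -or
               ($ComputerName -eq '127.0.0.1')

    Write-Warning "Enable-CipherProtocol enables deprecated protocols and weak cipher suites. This reduces the security posture of the system."

    # The -Confirm / -WhatIf text must describe what will actually happen: under -FullReset
    # the TLS keys are deleted, not enabled, and TLS 1.2 is part of the enable path.
    $action = if ($FullReset) {
        'Remove TLS 1.0, 1.1, 1.2 SCHANNEL keys (Windows defaults apply); re-enable 24 weak cipher suites'
    } else {
        'Enable TLS 1.2, 1.1, 1.0, SSL 3.0, SSL 2.0; re-enable 24 weak cipher suites'
    }

    if (-not $PSCmdlet.ShouldProcess($ComputerName, $action)) {
        return
    }

    $doFullReset = $FullReset.IsPresent

    # Everything that touches the target's registry lives in one script block so the same
    # code runs locally (& $work) or remotely (Invoke-Command). Only $doFullReset is passed in;
    # nothing else from the caller's scope is available inside it.
    $work = {
        param([bool]$doFullReset)

        $schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

        if ($doFullReset) {
            # Deleting the keys hands control back to the OS defaults; whether TLS 1.2 ends up
            # on or off after that depends on the Windows version (not checked here).
            foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
                $path = "$schannelBase\$protocol"
                if (Test-Path $path) {
                    Remove-Item -Path $path -Recurse -Force
                    Write-Verbose "Removed registry key: $path"
                }
            }
        } else {
            # Enabled=1 / DisabledByDefault=0 under both roles is what SCHANNEL reads to turn a
            # protocol on for inbound (Server) and outbound (Client) connections.
            function Set-ProtocolEnabled {
                param([string]$Protocol)
                foreach ($role in 'Server', 'Client') {
                    $path = "$($schannelBase)\$Protocol\$role"
                    New-Item -Path $path -Force | Out-Null
                    Set-ItemProperty -Path $path -Name 'Enabled' -Value 1 -Type DWord
                    Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -Type DWord
                }
            }

            Set-ProtocolEnabled -Protocol 'TLS 1.2'
            Write-Verbose 'TLS 1.2: enabled.'
            Set-ProtocolEnabled -Protocol 'TLS 1.1'
            Write-Verbose 'TLS 1.1: enabled.'
            Set-ProtocolEnabled -Protocol 'TLS 1.0'
            Write-Verbose 'TLS 1.0: enabled.'
            Set-ProtocolEnabled -Protocol 'SSL 3.0'
            Write-Verbose 'SSL 3.0: enabled.'
            Set-ProtocolEnabled -Protocol 'SSL 2.0'
            Write-Verbose 'SSL 2.0: enabled.'
        }

        # Suites re-added to the SCHANNEL cipher-suite list. The set includes NULL-encryption,
        # RC4, 3DES and non-PFS RSA key-exchange suites; every one of them is something a
        # hardened baseline removes, which is the point of this function.
        $weakCiphers = @(
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
            'TLS_RSA_WITH_AES_256_GCM_SHA384',
            'TLS_RSA_WITH_AES_128_GCM_SHA256',
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
            'TLS_RSA_WITH_AES_256_CBC_SHA',
            'TLS_RSA_WITH_AES_128_CBC_SHA',
            'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
            'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
            'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
            'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
            'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
            'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
            'TLS_RSA_WITH_RC4_128_SHA',
            'TLS_RSA_WITH_RC4_128_MD5',
            'TLS_RSA_WITH_NULL_SHA256',
            'TLS_RSA_WITH_NULL_SHA',
            'TLS_PSK_WITH_AES_256_GCM_SHA384',
            'TLS_PSK_WITH_AES_128_GCM_SHA256',
            'TLS_PSK_WITH_AES_256_CBC_SHA384',
            'TLS_PSK_WITH_AES_128_CBC_SHA256',
            'TLS_PSK_WITH_NULL_SHA384',
            'TLS_PSK_WITH_NULL_SHA256'
        )

        # Best-effort per suite: one unsupported name must not stop the remaining ones.
        foreach ($cipher in $weakCiphers) {
            try {
                Enable-TlsCipherSuite -Name $cipher -ErrorAction Stop
                Write-Verbose "Enabled cipher suite: $cipher"
            } catch {
                Write-Warning "Failed to enable cipher suite '$cipher': $($_.Exception.Message)"
            }
        }
    }

    if ($isLocal) {
        & $work $doFullReset
    } else {
        # NOTE(review): Write-Verbose output from the remote side is only shown when the
        # caller's -Verbose reaches Invoke-Command; confirm this when relying on the log.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $doFullReset
    }

    Write-Verbose "Legacy protocol configuration applied on '$ComputerName'."
    Write-Warning "A system restart is required for changes to take effect."

    # Separate ShouldProcess so -WhatIf / -Confirm cover the restart on its own.
    if ($Force -and $PSCmdlet.ShouldProcess($ComputerName, 'Restart computer to apply changes')) {
        Restart-Computer -ComputerName $ComputerName -Force
    }
}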