PowerShell Scripting for IT Pros: Disabling Weak SSL/TLS Ciphers Made Easy

When it comes to cybersecurity, the line between compliance and compromise is often a thin one. If you’re in the realm of IT, especially if you’re an IT professional or part of a Managed Service Provider (MSP), you’ve likely been toeing this line for a while. Let’s face it; old ciphers like SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are not only outdated but are essentially cybersecurity hazards waiting to explode. It’s a problem that needs solving, and this blog post is your step-by-step guide to do just that—disable weak SSL ciphers and uplift your security posture in the process.

What are Weak Ciphers and Why Should You Care?

Weak ciphers are outdated algorithms used in SSL/TLS encryption that are susceptible to attacks. Cybercriminals could exploit these weak links to compromise sensitive data. Given today’s stringent regulatory landscape, keeping these outdated protocols in use could also incur compliance risks, not to mention the reputational damage it could cause to an organization.

PowerShell Script to Disable Weak Ciphers in SSL/TLS

If you’re managing a Windows-based infrastructure, PowerShell is your best friend. For those keen on diving right in, the script featured below automates the process of disabling weak ciphers like TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0, while enabling the more robust TLS 1.2.

The Script

Note: The script requires PowerShell 5.1 and administrator-level privileges to execute. It’s compatible with Windows 10 and Windows Server 2016. Though it may run on older versions like Windows 7 or Server 2008 R2, PowerShell 5.1 would be a prerequisite.

#Requires -Version 5.1

<#
.SYNOPSIS
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
.DESCRIPTION
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
.EXAMPLE
    No Parameters Needed
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2.
.EXAMPLE
    -Restart
    Disables TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0. Enables TLS 1.2. Does Restart the computer.
.OUTPUTS
    String[]
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Could possibly run on Windows 7 and Server 2008 R2, but PowerShell 5.1 would be required.
    Release Notes:
    Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param ()

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    
    @(
        [PSCustomObject]@{
            Protocol = 'SSL 2.0'
            Value    = 0
            Default  = 1
        }
        [PSCustomObject]@{
            Protocol = 'SSL 3.0'
            Value    = 0
            Default  = 1
        }
        [PSCustomObject]@{
            Protocol = 'TLS 1.0'
            Value    = 0
            Default  = 1
        }
        [PSCustomObject]@{
            Protocol = 'TLS 1.1'
            Value    = 0
            Default  = 1
        }
        [PSCustomObject]@{
            Protocol = 'TLS 1.2'
            Value    = 1
            Default  = 0
        }
    ) | ForEach-Object {
        $RegServerBase = "HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols$($_.Protocol)Server"
        $RegClientBase = "HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols$($_.Protocol)Client"
        
        New-Item $RegServerBase -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegServerBase -Name 'Enabled' -Value $($_.Value) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegServerBase -Name 'DisabledByDefault' -Value $($_.Default) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        
        New-Item $RegClientBase -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegClientBase -Name 'Enabled' -Value $($_.Value) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null
        New-ItemProperty -Path $RegClientBase -Name 'DisabledByDefault' -Value $($_.Default) -PropertyType 'DWord' -Force -ErrorAction SilentlyContinue | Out-Null

        $State = if (
            $(Get-ItemPropertyValue -Path $RegServerBase -Name 'Enabled') -eq 0 -and
            $(Get-ItemPropertyValue -Path $RegServerBase -Name 'DisabledByDefault') -eq 1
        ) { 'disabled' } else { 'enabled' }

        Write-Host "$($_.Protocol) has been $State."
    }

    Write-Host "Please reboot for settings to take effect."
}
end {}

 

Key Features of the Script

1. Check for Administrative Privileges: The script exits if it’s not run with administrative permissions, thereby safeguarding against accidental execution.
2. Registry Edits: The script makes targeted changes to the Windows Registry, specifically in the areas that manage SSL/TLS protocols, to enforce the security settings.
3. Feedback Loop: The script confirms which protocols have been enabled or disabled.
4. No Parameters Needed: The script is straightforward to run. If you want to restart the computer after the script executes, include the -Restart parameter.

How Can IT Professionals and MSPs Benefit?

Timesaving

For IT professionals and MSPs who manage multiple systems, this script is a godsend. Deploy it across multiple machines with ease, saving countless man-hours.

Compliance

Regulatory frameworks like PCI DSS require that weak ciphers be disabled. This script provides a one-stop solution for achieving compliance with minimal hassle.

Scalability

The script can be incorporated into larger automation workflows, making it a versatile tool for scaling security operations.

Risk Mitigation

By disabling weak ciphers in SSL/TLS, you mitigate the risks of data breaches and cyberattacks, thereby enhancing your organization’s security posture.

Integrating the Script with NinjaOne for Streamlined Operations

If you’re an IT professional or part of an MSP, there’s a good chance you’re already familiar with NinjaOne. Our platform’s capabilities can extend far beyond the usual ticketing, patch management, and inventory functions you may associate with an RMM.

Here’s how you can integrate the PowerShell script to disable weak ciphers in SSL/TLS into your NinjaOne setup:

Centralized Deployment

NinjaOne offers centralized script deployment, allowing you to run this PowerShell script on multiple endpoints simultaneously. Navigate to the ‘Scripting’ section, upload the script, and execute it across the systems you manage—all from a single dashboard.

Scheduled Execution

Set up schedules within NinjaOne to run the script at designated times. This is particularly useful for new devices that join the network or to enforce compliance standards periodically.

Alerts and Monitoring

Configure NinjaOne to monitor registry settings related to SSL/TLS protocols. Any deviation from the established norms (such as enabling a weak cipher) can trigger an alert, allowing for immediate remedial action.

Reporting

NinjaOne’s comprehensive reporting allows you to validate the success of the script deployment. You can generate reports that confirm the disabling of weak ciphers, which can be instrumental during compliance audits.

Final Thoughts

If you’re still using weak ciphers in 2023, consider this your wake-up call. Use the above PowerShell script to disable weak ciphers in Windows environments and take a concrete step towards bolstering your cybersecurity infrastructure.

You wouldn’t use a rusty old lock to secure a vault; don’t use outdated ciphers to protect your data. Time to modernize and secure your network. And if you ever find yourself wondering how to disable weak ciphers in Windows again, just remember—this blog post has got you covered.

Disclaimer: Always test scripts and changes in a controlled environment before deploying them into production.