Check or verify your TLS settings

April 18th, 2018

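If you want to know what the current TLS settings are on a server, run the following in PowerShell. Note that it only reports values that have been explicitly set in the registry; anything that is not listed falls back to the operating system's defaults.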

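    # Root of the Schannel configuration in the registry. The sections below only
    # report what is explicitly written under this key.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\'

    Write-Host "Checking Protocols" -ForegroundColor Cyan
    Write-Host "" 
    # Walk Protocols\<protocol>\<Client|Server> and read the values stored on each key.
    $protocols = Get-ChildItem -Recurse -Path "$path\Protocols\" | Get-ItemProperty
    foreach ($protocol in $protocols){
        Write-Host "Protocol [" -ForegroundColor Green -NoNewline
        # Parent key is the protocol name, child key is the Client/Server role.
        Write-Host "$($protocol.PSParentPath | Split-Path -Leaf) - $($protocol.PSChildName)" -ForegroundColor Yellow -NoNewline
        Write-Host "] is [" -ForegroundColor Green -NoNewline

        # Enabled is commonly written as 1 or 0xFFFFFFFF, so any non-zero value is
        # treated as enabled; testing for exactly 1 would print "Disabled" for a
        # protocol that is in fact switched on. A key without an Enabled value
        # (for example one that only carries DisabledByDefault) is shown as "Not set"
        # rather than guessed. DisabledByDefault itself is not reported here.
        if ($null -eq $protocol.Enabled) {
            Write-Host "Not set" -ForegroundColor Gray -NoNewline
        } elseif ($protocol.Enabled -ne 0) {
            Write-Host "Enabled" -ForegroundColor Yellow -NoNewline
        } else {
            Write-Host "Disabled" -ForegroundColor Red -NoNewline
        }

        Write-Host "]" -ForegroundColor Green
    }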

    Write-Host "" 
    Write-Host "" 
    Write-Host "Checking Ciphers" -ForegroundColor Cyan
    Write-Host "" 

    # Read the values stored on every key below SCHANNEL\Ciphers.
    $ciphers = Get-ChildItem -Recurse -Path "$path\Ciphers\" | Get-ItemProperty
    foreach ($cipher in $ciphers){
        # Only an Enabled value of 0 counts as disabled; any other value, or a
        # missing Enabled value, is printed as Enabled.
        if ($cipher.Enabled -eq 0) {
            $stateText = "Disabled"
            $stateColor = "Red"
        } else {
            $stateText = "Enabled"
            $stateColor = "Yellow"
        }

        Write-Host "Cipher [" -ForegroundColor Green -NoNewline
        Write-Host "$($cipher.PSChildName)" -ForegroundColor Yellow -NoNewline
        Write-Host "] is [" -ForegroundColor Green -NoNewline
        Write-Host $stateText -ForegroundColor $stateColor -NoNewline
        Write-Host "]" -ForegroundColor Green
    }

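    Write-Host "" 
    Write-Host "" 
    Write-Host "Checking Hashes" -ForegroundColor Cyan
    Write-Host "" 

    # Read the values stored on every key below SCHANNEL\Hashes.
    $hashes = Get-ChildItem -Recurse -Path "$path\Hashes\" | Get-ItemProperty
    foreach ($hash in $hashes){
        Write-Host "Hash [" -ForegroundColor Green -NoNewline
        Write-Host "$($hash.PSChildName)" -ForegroundColor Yellow -NoNewline
        Write-Host "] is [" -ForegroundColor Green -NoNewline

        # Test this hash's own Enabled value. Reading $cipher.Enabled here would
        # repeat the state of the last cipher from the previous loop for every hash.
        # Only an Enabled value of 0 is printed as Disabled.
        if ($hash.Enabled -ne 0) { 
            Write-Host "Enabled" -ForegroundColor Yellow -NoNewline
        } else {
            Write-Host "Disabled" -ForegroundColor Red -NoNewline
        }

        Write-Host "]" -ForegroundColor Green
    }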

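    Write-Host "" 
    Write-Host "" 
    Write-Host "Checking KeyExchangeAlgorithms" -ForegroundColor Cyan
    Write-Host "" 

    # Read the values stored on every key below SCHANNEL\KeyExchangeAlgorithms.
    $keys = Get-ChildItem -Recurse -Path "$path\KeyExchangeAlgorithms\" | Get-ItemProperty
    foreach ($key in $keys){
        Write-Host "Key [" -ForegroundColor Green -NoNewline
        Write-Host "$($key.PSChildName)" -ForegroundColor Yellow -NoNewline
        Write-Host "] is [" -ForegroundColor Green -NoNewline

        # Test this algorithm's own Enabled value. Reading $cipher.Enabled here would
        # repeat the state of the last cipher enumerated earlier for every algorithm.
        # Only an Enabled value of 0 is printed as Disabled.
        if ($key.Enabled -ne 0) { 
            Write-Host "Enabled" -ForegroundColor Yellow -NoNewline
        } else {
            Write-Host "Disabled" -ForegroundColor Red -NoNewline
        }

        Write-Host "]" -ForegroundColor Green
    }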

    Write-Host "" 
    Write-Host "" 
    Write-Host "Checking Cipher Suite Order" -ForegroundColor Cyan
    Write-Host "" 

    # Cipher suite ordering lives outside the SCHANNEL key, under the local
    # cryptography configuration.
    $sslConfigPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\"
    $suites = Get-ChildItem -Path $sslConfigPath -Recurse | Get-ItemProperty
    foreach ($suite in $suites) {
        Write-Host "Suite [" -ForegroundColor Green -NoNewline
        Write-Host "$($suite.PSChildName)" -ForegroundColor Yellow -NoNewline
        Write-Host "] has the order of" -ForegroundColor Green

        # Print the entries of the Functions value, one per line, in stored order.
        foreach ($suiteName in $suite.Functions) {
            Write-Host "...$suiteName" -ForegroundColor Yellow
        }

        Write-Host ""
    }

The output should look something like:
