Automate Milestone XProtect Updates: Enforce TLS 1.2 and 1.3 with PowerShell Script

Learn how to use a PowerShell script to enforce TLS 1.2 and 1.3 on your IIS servers, improving security by disabling outdated protocols. This guide provides the script and validation steps to streamline your Milestone upgrades.

Upgrading Milestone XProtect can be a big and time-consuming job, filled with repetitive tasks. In an effort to make it easier and less boring, I enlisted ChatGPT to create some PowerShell scripts to automate some of the repetition. 

I know, I know, PowerShell isn’t exactly a silver bullet—it has its quirks and complexities. However, it’s significantly less time-consuming and more reliable than manually tweaking settings through the Windows interface.

This script focuses on enhancing security by ensuring IIS uses only TLS 1.2 and 1.3, while disabling outdated, less secure protocols. 

Here’s the lowdown on how to automate this process with PowerShell and verify it using IIS Crypto.

👉 PS. I am not responsible for any mishaps that may happen with your update. Do your own research, testing, and critical thinking. I am merely a human with a passion for security solutions that wants to share my knowledge and experience with you in hopes it helps make your job a little less boring.

Why TLS Matters

Transport Layer Security (TLS) is vital for protecting data transmitted over networks. Outdated versions like TLS 1.0 and 1.1 are susceptible to various vulnerabilities and should be disabled to bolster security. By enforcing the use of TLS 1.2 and 1.3, we can safeguard our servers more effectively.

PowerShell Script to Enforce Strong TLS

To make the process of securing IIS more efficient, I developed a PowerShell script that enforces the use of TLS 1.2 and 1.3 while disabling older protocols. Here’s a breakdown of what the script does:

  • Disables SSL 2.0 and SSL 3.0: These older protocols are deprecated and should be turned off to prevent security vulnerabilities.
  • Disables TLS 1.0 and 1.1: These versions have known weaknesses and are no longer considered secure.
  • Enables TLS 1.2 and TLS 1.3: The script ensures that only these more secure protocols are used.
  • Checks .NET Framework Strong Cryptography Settings: Ensures that .NET applications use strong cryptography.
 
Here is the script I used:
# Function to configure a TLS/SSL protocol in the SCHANNEL registry.
# Run from an elevated PowerShell session; SCHANNEL changes take effect after a reboot.
function Set-TLSStatus {
    param (
        [string]$Protocol,
        [string]$Type,
        [int]$EnableValue = 1
    )

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Type"

    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }

    # Disabling a protocol needs Enabled = 0 AND DisabledByDefault = 1;
    # enabling it needs Enabled = 1 AND DisabledByDefault = 0.
    $disabledByDefault = if ($EnableValue -eq 0) { 1 } else { 0 }
    Set-ItemProperty -Path $regPath -Name "Enabled" -Value $EnableValue -Type DWord -Force
    Set-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value $disabledByDefault -Type DWord -Force
}

# Function to check the status of a TLS/SSL protocol
function Get-TLSStatus {
    param (
        [string]$Protocol,
        [string]$Type
    )

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Type"

    if (Test-Path $regPath) {
        $enabled = Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Enabled -ErrorAction SilentlyContinue
        $disabledByDefault = Get-ItemProperty -Path $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisabledByDefault -ErrorAction SilentlyContinue

        # A protocol is off if Enabled is 0 or DisabledByDefault is 1.
        # Enabled is tested against 0 rather than 1 because some tools (IIS Crypto included) write 0xFFFFFFFF for "enabled".
        if ($enabled -eq 0 -or $disabledByDefault -eq 1) {
            "$Protocol $Type is Disabled"
        } elseif ($null -ne $enabled) {
            "$Protocol $Type is Enabled"
        } else {
            "$Protocol $Type is Not Configured"
        }
    } else {
        "$Protocol $Type key does not exist"
    }
}

# Protocols to configure and check; only the ones in $enabledProtocols stay on
$tlsProtocols = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
$enabledProtocols = @("TLS 1.2", "TLS 1.3")

# Enable TLS 1.2 and TLS 1.3, disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 (client and server side)
foreach ($protocol in $tlsProtocols) {
    $value = if ($enabledProtocols -contains $protocol) { 1 } else { 0 }
    Set-TLSStatus -Protocol $protocol -Type 'Client' -EnableValue $value
    Set-TLSStatus -Protocol $protocol -Type 'Server' -EnableValue $value
}

# Check the status for each protocol and type (Client and Server)
foreach ($protocol in $tlsProtocols) {
    Write-Output "$(Get-TLSStatus -Protocol $protocol -Type 'Client')"
    Write-Output "$(Get-TLSStatus -Protocol $protocol -Type 'Server')"
}

# .NET Framework strong cryptography setting.
# SchUseStrongCrypto = 1 makes .NET Framework 4.x applications follow the OS SCHANNEL defaults
# instead of falling back to TLS 1.0; this function only reports the value, it does not change it.
function Get-DotNetCryptoStatus {
    param (
        [string]$regPath
    )

    $strongCrypto = Get-ItemProperty -Path $regPath -Name "SchUseStrongCrypto" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SchUseStrongCrypto -ErrorAction SilentlyContinue
    if ($null -ne $strongCrypto) {
        if ($strongCrypto -eq 1) {
            ".NET Framework Strong Crypto at $regPath is Enabled"
        } else {
            ".NET Framework Strong Crypto at $regPath is Disabled"
        }
    } else {
        ".NET Framework Strong Crypto at $regPath is Not Configured"
    }
}

# Check .NET Framework strong cryptography settings (64-bit and 32-bit hives)
$netFrameworkPaths = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"
)

foreach ($path in $netFrameworkPaths) {
    Write-Output "$(Get-DotNetCryptoStatus -regPath $path)"
}

Validating the Configuration with IIS Crypto

After running the script, it’s essential to verify that the settings have been applied correctly. I used IIS Crypto to validate the configuration:

  • Open IIS Crypto: This tool provides a straightforward way to review and modify the SSL/TLS settings on your server.
  • Check the Protocols: Ensure that only TLS 1.2 and 1.3 are enabled, while the older protocols (SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1) are disabled.
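If you would rather not click through a GUI on every server, the same validation can be scripted. The following is an added example written for this article; it is not part of the original post and not a Milestone or IIS Crypto tool. It assumes PowerShell 5.1 on .NET Framework 4.8 (so the Tls13 enum value exists), a local HTTPS listener on TCP 443, and the desired end state described above (only TLS 1.2 and 1.3 enabled). The first function audits the SCHANNEL registry keys and reports pass/fail per protocol; the second actually attempts a handshake at a fixed protocol version, which is the check that proves the setting is live after the reboot.

```powershell
# Added validation example (not from the original post). Assumes PowerShell 5.1 / .NET Framework 4.8
# and an HTTPS listener on 443. Both functions only read state; neither changes the registry.

# Desired end state: $true = must be enabled, $false = must be disabled
$ExpectedProtocols = @{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true;  'TLS 1.3' = $true
}

function Test-SchannelRegistry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in ($ExpectedProtocols.Keys | Sort-Object)) {
        foreach ($type in 'Client', 'Server') {
            $props = Get-ItemProperty -Path "$base\$protocol\$type" -ErrorAction SilentlyContinue
            # A missing key means "OS default", which differs between Windows versions, so report it as unknown.
            # Enabled is compared with 0 (not 1) because IIS Crypto writes 0xFFFFFFFF for "enabled".
            $state = if ($null -eq $props) { 'Unknown (no key)' }
                     elseif ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { 'Disabled' }
                     else { 'Enabled' }
            $wanted = if ($ExpectedProtocols[$protocol]) { 'Enabled' } else { 'Disabled' }
            [pscustomobject]@{
                Protocol = $protocol
                Type     = $type
                State    = $state
                Expected = $wanted
                Pass     = ($state -eq $wanted)
            }
        }
    }
}

function Test-TlsHandshake {
    param (
        [string]$ComputerName = 'localhost',
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed on purpose: this check is about protocol negotiation only,
        # and a lab Milestone server will often present a self-signed certificate.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Offer exactly one protocol version; the handshake fails if the server refuses it.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $result = [pscustomobject]@{ Offered = $Protocol; Negotiated = $ssl.SslProtocol; HandshakeSucceeded = $true }
        $ssl.Dispose()
        return $result
    } catch {
        return [pscustomobject]@{ Offered = $Protocol; Negotiated = $null; HandshakeSucceeded = $false }
    } finally {
        $client.Dispose()
    }
}

# Usage: registry audit first, then live handshakes.
# Expected after the reboot: Tls and Tls11 fail, Tls12 succeeds (Tls13 only where the OS supports it).
Test-SchannelRegistry | Format-Table -AutoSize
'Tls', 'Tls11', 'Tls12', 'Tls13' |
    ForEach-Object { Test-TlsHandshake -ComputerName 'localhost' -Port 443 -Protocol $_ } |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output. The registry audit reflects what will be true after the next reboot, while the handshake test reflects what is true right now, so a mismatch between the two usually just means the server has not been restarted yet. And because the script above disables the client side of TLS 1.0 and 1.1 on the same machine, a failed TLS 1.0 handshake from localhost does not by itself prove the server refused it; for a conclusive server-side result, run Test-TlsHandshake from a second machine that still has the legacy client protocols enabled.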

By using PowerShell to enforce the use of TLS 1.2 and 1.3 on your IIS servers, you can significantly enhance their security. This script turns a repetitive and tedious task into an automated process, saving time and reducing the risk of human error. I hope this helps streamline your security configurations and makes your job a little less boring. 


Team Boring

Your go-to XProtect eXPerts. We learn the technical stuff that will save you time and make it less boring.
