Upgrading Milestone XProtect can be a big and time-consuming job, filled with repetitive tasks. In an effort to make it easier and less boring, I enlisted ChatGPT to create some PowerShell scripts to automate some of the repetition.
I know, I know, PowerShell isn’t exactly a silver bullet—it has its quirks and complexities. However, it’s significantly less time-consuming and more reliable than manually tweaking settings through the Windows interface.
This script focuses on enhancing security by ensuring IIS uses only TLS 1.2 and 1.3, while disabling outdated, less secure protocols.
Here’s the lowdown on how to automate this process with PowerShell and verify it using IIS Crypto.
PS. I am not responsible for any mishaps that may happen with your update. Do your own research, testing, and critical thinking. I am merely a human with a passion for security solutions that wants to share my knowledge and experience with you in hopes it helps make your job a little less boring.
Transport Layer Security (TLS) is vital for protecting data transmitted over networks. Outdated versions like TLS 1.0 and 1.1 are susceptible to various vulnerabilities and should be disabled to bolster security. By enforcing the use of TLS 1.2 and 1.3, we can safeguard our servers more effectively.
To make the process of securing IIS more efficient, I developed a PowerShell script that enforces the use of TLS 1.2 and 1.3 while disabling older protocols. Here’s a breakdown of what the script does:
# Function to configure a TLS protocol: create the SCHANNEL key if needed and set its
# Enabled / DisabledByDefault DWORD values. Enabled=1 with DisabledByDefault=0 turns a
# version on; Enabled=0 with DisabledByDefault=1 turns it off (Microsoft's documented
# way to disable a version). Writing to HKLM requires an elevated session, and Windows
# needs a reboot before SCHANNEL changes take effect.
function Set-TLSStatus {
    param (
        [string]$Protocol,
        [string]$Type,
        [int]$EnableValue = 1
    )
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Type"
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    # DisabledByDefault is the inverse of Enabled; always setting it to 0 would leave
    # TLS 1.0/1.1 in a half-configured state that the status check below cannot classify.
    $disabledByDefault = if ($EnableValue -eq 1) { 0 } else { 1 }
    Set-ItemProperty -Path $regPath -Name "Enabled" -Value $EnableValue -Type DWord -Force
    Set-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value $disabledByDefault -Type DWord -Force
}

# Function to check the status of a TLS protocol by reading the same two values back
function Get-TLSStatus {
    param (
        [string]$Protocol,
        [string]$Type
    )
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Type"
    if (Test-Path $regPath) {
        $enabled = Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Enabled -ErrorAction SilentlyContinue
        $disabledByDefault = Get-ItemProperty -Path $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisabledByDefault -ErrorAction SilentlyContinue
        if ($enabled -eq 1) {
            "$Protocol $Type is Enabled"
        } elseif ($enabled -eq 0 -or $disabledByDefault -eq 1) {
            # Enabled=0 is decisive on its own; DisabledByDefault=1 alone means "off unless an app asks"
            "$Protocol $Type is Disabled"
        } else {
            "$Protocol $Type is Not Configured"
        }
    } else {
        # No key at all means the Windows default for that version applies
        "$Protocol $Type key does not exist"
    }
}

# TLS versions to configure and check. The "TLS 1.3" key is only honoured on
# Windows Server 2022 / Windows 11 and newer; older releases ignore it.
$tlsProtocols = @("TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")

# Enable TLS 1.2 and TLS 1.3, disable TLS 1.0 and TLS 1.1, for both the Client and Server side
foreach ($protocol in $tlsProtocols) {
    if ($protocol -eq "TLS 1.2" -or $protocol -eq "TLS 1.3") {
        Set-TLSStatus -Protocol $protocol -Type 'Client' -EnableValue 1
        Set-TLSStatus -Protocol $protocol -Type 'Server' -EnableValue 1
    } elseif ($protocol -eq "TLS 1.0" -or $protocol -eq "TLS 1.1") {
        Set-TLSStatus -Protocol $protocol -Type 'Client' -EnableValue 0
        Set-TLSStatus -Protocol $protocol -Type 'Server' -EnableValue 0
    }
}

# Check the status for each protocol and type (Client and Server)
foreach ($protocol in $tlsProtocols) {
    Write-Output "$(Get-TLSStatus -Protocol $protocol -Type 'Client')"
    Write-Output "$(Get-TLSStatus -Protocol $protocol -Type 'Server')"
}

# .NET Framework strong cryptography setting (SchUseStrongCrypto). This part only
# reports the value; it does not change it.
function Get-DotNetCryptoStatus {
    param (
        [string]$regPath
    )
    $strongCrypto = Get-ItemProperty -Path $regPath -Name "SchUseStrongCrypto" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SchUseStrongCrypto -ErrorAction SilentlyContinue
    if ($null -ne $strongCrypto) {
        if ($strongCrypto -eq 1) {
            ".NET Framework Strong Crypto at $regPath is Enabled"
        } else {
            ".NET Framework Strong Crypto at $regPath is Disabled"
        }
    } else {
        ".NET Framework Strong Crypto at $regPath is Not Configured"
    }
}

# Check .NET Framework strong cryptography settings for both the 64-bit and 32-bit (Wow6432Node) hives
$netFrameworkPaths = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"
)
foreach ($path in $netFrameworkPaths) {
    Write-Output "$(Get-DotNetCryptoStatus -regPath $path)"
}
After running the script, it’s essential to verify that the settings have been applied correctly. I used IIS Crypto to validate the configuration:
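As an added example that is not part of the original post, the following PowerShell script checks the hardened server from the outside: it opens a TLS handshake to the IIS HTTPS port with each protocol version in turn and reports which ones the server still accepts. It complements the IIS Crypto screenshot by testing real behaviour rather than reading the registry. The hostname, port and the function name Test-TlsHandshake are assumptions, not values from the post; run it from a second machine, because the Client-side SCHANNEL keys you just set on the server would otherwise stop the local probe from even offering TLS 1.0/1.1.

```powershell
# Added example, not part of the original post: probe an IIS server's HTTPS port with each
# TLS version and report which handshakes the server accepts. Run from a machine other than
# the one that was hardened. $TargetHost and $Port are placeholders; replace them.
param (
    [string]$TargetHost = "xprotect-server.example.local",
    [int]$Port = 443
)

function Test-TlsHandshake {
    param (
        [string]$HostName,
        [int]$Port,
        [string]$ProtocolName   # "Tls", "Tls11", "Tls12" or "Tls13"
    )
    # Tls13 only exists in the SslProtocols enum on .NET Framework 4.8+ / .NET Core 3.0+.
    try {
        $protocol = [System.Security.Authentication.SslProtocols]$ProtocolName
    } catch {
        return [pscustomobject]@{ Protocol = $ProtocolName; Accepted = $null; Negotiated = $null; Detail = "not supported by this .NET runtime" }
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is skipped on purpose: this check is about which protocol
        # versions negotiate, not about trusting the chain. Keep that callback out of real code.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $protocol, $false)
        $result = [pscustomobject]@{
            Protocol   = $ProtocolName
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Detail     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        }
        $ssl.Dispose()
        return $result
    } catch {
        # Keep the error text: the probing machine refusing to offer an old version looks
        # different from the server rejecting it, and only the latter proves the fix.
        return [pscustomobject]@{ Protocol = $ProtocolName; Accepted = $false; Negotiated = $null; Detail = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Dispose()
    }
}

# Expected after the hardening script and a reboot: Tls and Tls11 rejected, Tls12 accepted,
# Tls13 accepted only when the server runs Windows Server 2022 / Windows 11 or newer.
$report = foreach ($name in @("Tls", "Tls11", "Tls12", "Tls13")) {
    Test-TlsHandshake -HostName $TargetHost -Port $Port -ProtocolName $name
}
$report | Format-Table -AutoSize

# Non-zero exit if a legacy version was still accepted, so the check can gate an upgrade runbook.
$legacyAccepted = $report | Where-Object { $_.Protocol -in @("Tls", "Tls11") -and $_.Accepted -eq $true }
if ($legacyAccepted) { exit 1 }
```

Save it as a .ps1 and call it with `-TargetHost` and `-Port` pointing at the server's HTTPS binding. Read the Detail column for the rejected rows: a message about the server closing or resetting the handshake is the result you want, whereas a message that the requested protocol is not allowed by the local system tells you the probing machine itself has TLS 1.0/1.1 disabled and the test needs a different client.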
By using PowerShell to enforce the use of TLS 1.2 and 1.3 on your IIS servers, you can significantly enhance their security. This script turns a repetitive and tedious task into an automated process, saving time and reducing the risk of human error. I hope this helps streamline your security configurations and makes your job a little less boring.