From 1982b97c470d5965af608ede87ebe83ac0b0d205 Mon Sep 17 00:00:00 2001
From: Daniel Fisher
Date: Wed, 3 Jul 2019 11:07:56 +0200
Subject: [PATCH 1/4] Add support for IIS on Windows 1809
---
 src/js/configs.js | 48 +++++++++
 src/js/index.js | 2 +
 src/js/state.js | 8 ++
 src/templates/partials/iis.hbs | 187 +++++++++++++++++++++++++++++++++
 4 files changed, 245 insertions(+)
 create mode 100644 src/templates/partials/iis.hbs
diff --git a/src/js/configs.js b/src/js/configs.js
index 60be3605..31214cc3 100755
--- a/src/js/configs.js
+++ b/src/js/configs.js
@@ -87,4 +87,52 @@ module.exports = {
 supportsOcspStapling: false,
 tls13: '12.0',
 },
+ iis: {
+ hasVersions: false,
+ highlighter: 'ps',
+ latestVersion: '10.0.17763', // https://en.wikipedia.org/wiki/Internet_Information_Services
+ name: 'Microsoft Internet Information Services',
+ supportedCiphers: [ // https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/tls-cipher-suites-in-windows-10-v1809
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
+ 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
+ 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_RSA_WITH_AES_256_CBC_SHA256',
+ 'TLS_RSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
+ 'TLS_RSA_WITH_NULL_SHA256',
+ 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
+ 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
+ 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
+ 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
+ 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
+ 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
+ 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
+ 'TLS_RSA_WITH_RC4_128_SHA',
+ 'TLS_RSA_WITH_RC4_128_MD5',
+ 'TLS_RSA_WITH_DES_CBC_SHA',
+ 'TLS_DHE_DSS_WITH_DES_CBC_SHA',
+ 'TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA',
+ 'TLS_RSA_WITH_NULL_MD5',
+ 'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA',
+ 'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
+ 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA',
+ ],
+ supportsHsts: true,
+ supportsOcspStapling: true,
+ tls13: noSupportedVersion,
+ usesOpenssl: false,
+ },
 };
diff --git a/src/js/index.js b/src/js/index.js
index f1a93115..0294ccd9 100755
--- a/src/js/index.js
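Review bot: The `supportedCiphers` array mixes the NULL, EXPORT, RC4, single-DES and MD5 suites (`'TLS_RSA_WITH_NULL_SHA256'`, `'TLS_RSA_EXPORT_WITH_RC4_40_MD5'` and their neighbours) with the usable ones, and nothing in the hunk says whether this is a capability list or a recommendation. Within this patch its only consumer is the intersection in state.js, which keeps the weak entries out of the output as long as the Mozilla list never carries them, but the next reader of this file has no way to know that from here. I would put a comment above the array: `// Every suite SChannel on 1809 can negotiate (capability list, NOT a recommendation); consumers intersect it with the Mozilla cipher list and never emit it directly.` `tls13: noSupportedVersion` refers to a name defined outside the hunk, presumably shared with the entries above, so I could not confirm it from this view.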
+++ b/src/js/index.js
@@ -11,11 +11,13 @@ import ini from 'highlight.js/lib/languages/ini';
 import json from 'highlight.js/lib/languages/json';
 import nginx from 'highlight.js/lib/languages/nginx';
 import yaml from 'highlight.js/lib/languages/yaml';
+import ps from 'highlight.js/lib/languages/powershell';
 
 hljs.registerLanguage('apache', apache);
 hljs.registerLanguage('ini', ini);
 hljs.registerLanguage('json', json);
 hljs.registerLanguage('nginx', nginx);
 hljs.registerLanguage('yaml', yaml);
+hljs.registerLanguage('ps', ps);
 
 import '../css/index.scss';
diff --git a/src/js/state.js b/src/js/state.js
index 4b3fa379..c494e72c 100644
--- a/src/js/state.js
+++ b/src/js/state.js
@@ -28,7 +28,14 @@ export default async function () {
 }
 
 let openssl_ciphers = ssc.openssl_ciphers;
+ let windows_ciphers = [];
 if (configs[server].supportedCiphers) {
+ // todo: for iis do some replace magic here to match suites
+ windows_ciphers = openssl_ciphers.filter(suite =>
+ {
+ var suiteName ='TLS_' + suite.replace(/-/g, '_').replace('_AES128_','_WITH_AES_128_').replace('_AES256_','_WITH_AES_256_');
+ return configs[server].supportedCiphers.indexOf(suiteName) !== -1
+ });
 openssl_ciphers = openssl_ciphers.filter(suite => configs[server].supportedCiphers.indexOf(suite) !== -1);
 } else {
 openssl_ciphers = openssl_ciphers;
@@ -46,6 +53,7 @@ export default async function () {
 },
 output: {
 ciphers: openssl_ciphers, // OpenSSL
+ windowsCiphers: windows_ciphers, // Windows and so IIS
 cipherSuites: ssc.openssl_ciphersuites,
 date: date.toISOString().substr(0, 10),
 dhCommand: ssc.dh_param_size >= 2048 ? `curl ${url.origin}/ffdhe${ssc.dh_param_size}.txt` : `openssl dhparam ${ssc.dh_param_size}`,
diff --git a/src/templates/partials/iis.hbs b/src/templates/partials/iis.hbs
new file mode 100644
index 00000000..fe6e84b5
--- /dev/null
+++ b/src/templates/partials/iis.hbs
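Review bot: The `windows_ciphers` filter in the `@@ -28,7 +28,14` hunk of state.js keeps the OpenSSL spelling of each suite while matching on a converted `suiteName`, so the template downstream has to repeat the conversion, and the conversion only covers GCM names that carry an explicit key-exchange prefix: `ECDHE-RSA-AES128-SHA256` becomes `TLS_ECDHE_RSA_WITH_AES_128_SHA256` (SChannel's name is `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`) and `AES128-GCM-SHA256` becomes `TLS_WITH_AES_128_GCM_SHA256`, so every CBC and plain-RSA suite is silently dropped. The `// todo` comment acknowledges this, but the feature ships with it. I would map first and filter the mapped names, so that `output.windowsCiphers` already carries the names the Windows TLS cmdlets expect and the template only splits the string; the mapping is sketched below (ChaCha20 and 3DES still fall through the filter, which is the intended outcome for 1809). The hunk also uses `var` and `indexOf` where the surrounding file uses `let`, arrow functions and template literals; `.includes()` reads more clearly.
```javascript
      // Map an OpenSSL suite name to the IANA/SChannel spelling used by configs[server].supportedCiphers.
      // Names that do not map (ChaCha20, 3DES) simply fail the filter below and are dropped.
      const toWindowsName = suite => {
        let name = `TLS_${suite}`.replace(/-/g, '_')
          .replace('_AES128_', '_WITH_AES_128_')
          .replace('_AES256_', '_WITH_AES_256_');
        // OpenSSL omits the "RSA" key-exchange prefix (e.g. AES128-GCM-SHA256).
        if (name.startsWith('TLS_WITH_')) {
          name = name.replace('TLS_WITH_', 'TLS_RSA_WITH_');
        }
        // OpenSSL omits "CBC" from CBC suite names (e.g. ECDHE-RSA-AES128-SHA256).
        if (!name.includes('_GCM_')) {
          name = name.replace(/_(SHA\d*)$/, '_CBC_$1');
        }
        return name;
      };
      windows_ciphers = openssl_ciphers
        .map(toWindowsName)
        .filter(name => configs[server].supportedCiphers.includes(name));
      // … unchanged: openssl_ciphers filter …
```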
@@ -0,0 +1,187 @@
+# {{output.date}}, {{{output.link}}}
+function Set-Chipher($name, $value){
+ Write-Host "Set-Chiphers ``$name`` ``$value``"
+ $key = [Microsoft.Win32.Registry]::LocalMachine;
+ $subKey = $key.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
+ $return = $subKey.SetValue("Enabled", $value, [Microsoft.Win32.RegistryValueKind]::DWord)
+ $subKey.Close();
+ $key.Close();
+}
+
+function Reset-Chiphers(){
+ Write-Host "Reset-Chiphers"
+ $sChannelKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
+ Remove-Item -Path $sChannelKey -Recurse -Force
+ $return = New-Item -Path $sChannelKey
+ $return = Set-ItemProperty -Path $sChannelKey -Name "EventLogging" -Value 1 -Type DWord
+ $return = Set-ItemProperty -Path $sChannelKey -Name "DisableRenegoOnClient" -Value 1 -Type DWord
+ $return = Set-ItemProperty -Path $sChannelKey -Name "DisableRenegoOnServer" -Value 1 -Type DWord
+}
+
+function Set-Hash($name, $value){
+ Write-Host "Set-Hashes ``$name`` ``$value``"
+ $hashKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$name"
+ if($false -eq (Test-Path $hashKey)){
+ $return = New-Item -Path $hashKey
+ }
+ $return = Set-ItemProperty -Path $hashKey -Name "Enabled" -Value $value -Type DWord
+}
+
+function Reset-Hashes(){
+ Write-Host "Reset-Hashes"
+ $hashesKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes"
+ Remove-Item -Path $hashesKey -Recurse -Force
+ $return = New-Item -Path $hashesKey
+}
+
+function Set-KeyExchangeAlgorithm($name, $value){
+ Write-Host "Set-KeyExchangeAlgorithm ``$name`` ``$value``"
+ $keyExchangeAlgorithmKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$name"
+ if($false -eq (Test-Path $keyExchangeAlgorithmKey)){
+ $return = New-Item -Path $keyExchangeAlgorithmKey
+ }
+ $return = Set-ItemProperty -Path $keyExchangeAlgorithmKey -Name "Enabled" -Value $value -Type DWord
+}
+
+function Reset-KeyExchangeAlgorithms(){
+ Write-Host "Reset-KeyExchangeAlgorithms"
+ $keyExchangeAlgorithmsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms"
+ Remove-Item -Path $keyExchangeAlgorithmsKey -Recurse -Force
+ $return = New-Item -Path $keyExchangeAlgorithmsKey
+}
+
+function Set-SChannelProtocol($name, $value, $clientAlso){
+ Write-Host "Set-SChannelProtocol ``$name`` ``$value``"
+ $protocolKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$name"
+ if($false -eq (Test-Path $protocolKey)){
+ $return = New-Item -Path $protocolKey
+ }
+ $protocolKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$name\Server"
+ if($false -eq (Test-Path $protocolKey)){
+ $return = New-Item -Path $protocolKey
+ }
+ Set-ItemProperty -Path $protocolKey -Name "Enabled" -Value $value -Type DWord
+ if($value -eq 0x00000000){
+ $return = Set-ItemProperty -Path $protocolKey -Name "DisabledByDefault" -Value 0x00000001 -Type DWord
+ }else{
+ $return = Set-ItemProperty -Path $protocolKey -Name "DisabledByDefault" -Value 0x00000000 -Type DWord
+ }
+ if($clientAlso){
+ $protocolKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$name\Client"
+ if($false -eq (Test-Path $protocolKey)){
+ $return = New-Item -Path $protocolKey
+ }
+ if($value -eq 0x00000000){
+ $return = Set-ItemProperty -Path $protocolKey -Name "DisabledByDefault" -Value 0x00000001 -Type DWord
+ }else{
+ $return = Set-ItemProperty -Path $protocolKey -Name "DisabledByDefault" -Value 0x00000000 -Type DWord
+ }
+ }
+}
+
+function Reset-SChannelProtocols(){
+ Write-Host "Reset-SChannelProtocols"
+ $protocolKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
+ $r = Remove-Item -Path $protocolKey -Recurse -Force
+ $return = New-Item -Path $protocolKey
+}
+
+function Remove-RegistryValue($path, $name){
+ Write-Host "Remove-RegistryValue ``$name``"
+ $key = Get-Item -LiteralPath $path
+ if ($key.GetValue($name, $null) -ne $null) {
+ $r = Remove-ItemProperty -Path $path -Name $name
+ }
+}
+
+# Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
+# http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030
+Reset-Chiphers
+Set-Chipher -name "AES 128/128" -value 0xffffffff
+Set-Chipher -name "AES 256/256" -value 0xffffffff
+Set-Chipher -name "DES 56/56" -value 0x00000000
+Set-Chipher -name "NULL" -value 0x00000000
+Set-Chipher -name "RC2 128/128" -value 0x00000000
+Set-Chipher -name "RC2 40/128" -value 0x00000000
+Set-Chipher -name "RC2 56/128" -value 0x00000000
+Set-Chipher -name "RC4 128/128" -value 0x00000000
+Set-Chipher -name "RC4 40/128" -value 0x00000000
+Set-Chipher -name "RC4 56/128" -value 0x00000000
+Set-Chipher -name "RC4 64/128" -value 0x00000000
+Set-Chipher -name "Triple DES 168/168" -value 0x00000000
+
+Reset-Hashes
+Set-Hash -name "MD5" -value 0x00000000
+Set-Hash -name "SHA" -value 0x00000000
+Set-Hash -name "SHA256" -value 0xffffffff
+Set-Hash -name "SHA384" -value 0xffffffff
+Set-Hash -name "SHA512" -value 0xffffffff
+
+Reset-KeyExchangeAlgorithms
+Set-KeyExchangeAlgorithm -name Diffie-Hellman -value 0xffffffff
+Set-KeyExchangeAlgorithm -name PKCS -value 0xffffffff
+Set-KeyExchangeAlgorithm -name ECDH -value 0xffffffff
+
+Reset-SChannelProtocols
+Set-SChannelProtocol -name "Multi-Protocol Unified Hello" -value 0x00000000
+Set-SChannelProtocol -name "PCT 1.0" -value 0x00000000
+Set-SChannelProtocol -name "SSL 2.0" -value 0x00000000
+Set-SChannelProtocol -name "SSL 3.0" -value 0x00000000
+Set-SChannelProtocol -name "TLS 1.0" -value 0x00000000
+Set-SChannelProtocol -name "TLS 1.1" -value 0x00000000
+Set-SChannelProtocol -name "TLS 1.2" -value 0xffffffff
+
+Remove-RegistryValue `
+ -path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" `
+ -name "Functions"
+
+$ssl_ciphers = '{{{join output.windowsCiphers ","}}}'.Split(',') `
+ | Foreach-Object { "TLS_$($_)".replace("-", "_").replace("_AES128_", "_WITH_AES128_").replace("_AES256_", "_WITH_AES256_") };
+
+import-module tls
+#https://docs.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite?view=win10-ps
+
+Foreach($suites in Get-TlsCipherSuite){
+ Foreach($suite in $suites){
+ if($ssl_ciphers.IndexOf($suite.Name) -eq -1){
+ Write-Host "Disable-TlsCipherSuite ``$($suite.Name)``"
+ Disable-TlsCipherSuite -Name "$($suite.Name)";
+ }
+ }
+}
+
+Foreach($suite in $ssl_ciphers){
+ Write-Host "Enable ``$suite``"
+ Enable-TlsCipherSuite -Name "$suite"
+}
+
+{{#if form.ocsp}}
+Write-Host "Enable OCSP stapling for SNI"
+New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\" -Name "EnableOcspStaplingForSni" -PropertyType DWord -Value 1
+{{/if}}
+
+{{#if form.hsts}}
+#https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts
+
+Import-Module IISAdministration
+
+Reset-IISServerManager -Confirm:$false
+Start-IISCommitDelay
+
+$ConfigSection = Get-IISConfigSection -SectionPath "system.applicationHost/sites"
+Foreach($SitesCollection in Get-IISConfigCollection -ConfigElement $ConfigSection){
+ foreach($item in $SitesCollection){
+ $siteName = $item.GetAttributeValue("name")
+ $tlsBindings = Get-WebBinding -Name "$siteName" | Where-Object { $_.protocol -eq "https"} | Select-Object -First 1
+ if($tlsBindings -ne $null){
+ Write-Host "Enable HSTS on site ``$($siteName)``"
+ $Site = Get-IISConfigCollectionElement -ConfigCollection $SitesCollection -ConfigAttribute @{"name" = "$siteName"}
+ $Elem = Get-IISConfigElement -ConfigElement $Site -ChildElementName "limits"
+ Set-IISConfigAttributeValue -ConfigElement $Elem -AttributeName "MaxUrlSegments" -AttributeValue 16
+ }
+ }
+}
+
+Stop-IISCommitDelay
+Remove-Module IISAdministration
+{{/if}}
\ No newline at end of file
From 9f05efa56c60e9c088ab1264e20852e14d39c0bd Mon Sep 17 00:00:00 2001
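Review bot: The cipher-name rewrite in the `$ssl_ciphers = ... | Foreach-Object { ... }` line produces `_WITH_AES128_` and `_WITH_AES256_`, but SChannel's suite names (and the list in configs.js, and the conversion in state.js) use `_WITH_AES_128_` and `_WITH_AES_256_`, so `$ssl_ciphers.IndexOf($suite.Name) -eq -1` is true for every suite Get-TlsCipherSuite returns: the loop disables all of them, and the Enable-TlsCipherSuite calls that follow are handed names the system does not recognise, leaving the host unable to complete any TLS handshake after this script runs. The one-line fix is `.replace("_AES128_", "_WITH_AES_128_").replace("_AES256_", "_WITH_AES_256_")`, though it would be cleaner for state.js to emit the already-mapped names and for this line to only `.Split(',')`. Separately, the `{{#if form.hsts}}` block prints "Enable HSTS on site" but then reads the `limits` element and sets `MaxUrlSegments`, which has nothing to do with HSTS; the site-level `hsts` element (`enabled`, `max-age`, with `includeSubDomains` and `redirectHttpToHttps` as opt-ins) described by the article the comment links is what has to be set, as in the excerpt below. Lastly, `Reset-Chiphers` writes `EventLogging`, `DisableRenegoOnClient` and `DisableRenegoOnServer` under the `Ciphers` subkey; as far as I know SChannel reads those values from the `SCHANNEL` key itself, so they are probably inert where they are — worth confirming against the KB article cited in the comment.
```powershell
            $Site = Get-IISConfigCollectionElement -ConfigCollection $SitesCollection -ConfigAttribute @{"name" = "$siteName"}
            $Hsts = Get-IISConfigElement -ConfigElement $Site -ChildElementName "hsts"
            Set-IISConfigAttributeValue -ConfigElement $Hsts -AttributeName "enabled" -AttributeValue $true
            # max-age below is a constructed example (two years); align it with the value the other server templates emit
            Set-IISConfigAttributeValue -ConfigElement $Hsts -AttributeName "max-age" -AttributeValue 63072000
            # includeSubDomains / redirectHttpToHttps change site behaviour; expose them as form options rather than forcing them
```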
From: Daniel Fisher
Date: Wed, 21 Aug 2019 09:17:38 +0200
Subject: [PATCH 2/4] Update iis.hbs Fixed typo
---
 src/templates/partials/iis.hbs | 36 +++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/templates/partials/iis.hbs b/src/templates/partials/iis.hbs
index fe6e84b5..bcd0597f 100644
--- a/src/templates/partials/iis.hbs
+++ b/src/templates/partials/iis.hbs
@@ -1,6 +1,6 @@
 # {{output.date}}, {{{output.link}}}
-function Set-Chipher($name, $value){
- Write-Host "Set-Chiphers ``$name`` ``$value``"
+function Set-Cipher($name, $value){
+ Write-Host "Set-Ciphers ``$name`` ``$value``"
 $key = [Microsoft.Win32.Registry]::LocalMachine;
 $subKey = $key.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
 $return = $subKey.SetValue("Enabled", $value, [Microsoft.Win32.RegistryValueKind]::DWord)
@@ -8,8 +8,8 @@ function Set-Chipher($name, $value){
 $key.Close();
 }
 
-function Reset-Chiphers(){
- Write-Host "Reset-Chiphers"
+function Reset-Ciphers(){
+ Write-Host "Reset-Ciphers"
 $sChannelKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
 Remove-Item -Path $sChannelKey -Recurse -Force
 $return = New-Item -Path $sChannelKey
@@ -96,19 +96,19 @@ function Remove-RegistryValue($path, $name){
 
 # Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
 # http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030
-Reset-Chiphers
-Set-Chipher -name "AES 128/128" -value 0xffffffff
-Set-Chipher -name "AES 256/256" -value 0xffffffff
-Set-Chipher -name "DES 56/56" -value 0x00000000
-Set-Chipher -name "NULL" -value 0x00000000
-Set-Chipher -name "RC2 128/128" -value 0x00000000
-Set-Chipher -name "RC2 40/128" -value 0x00000000
-Set-Chipher -name "RC2 56/128" -value 0x00000000
-Set-Chipher -name "RC4 128/128" -value 0x00000000
-Set-Chipher -name "RC4 40/128" -value 0x00000000
-Set-Chipher -name "RC4 56/128" -value 0x00000000
-Set-Chipher -name "RC4 64/128" -value 0x00000000
-Set-Chipher -name "Triple DES 168/168" -value 0x00000000
+Reset-Chihers
+Set-Cipher -name "AES 128/128" -value 0xffffffff
+Set-Cipher -name "AES 256/256" -value 0xffffffff
+Set-Cipher -name "DES 56/56" -value 0x00000000
+Set-Cipher -name "NULL" -value 0x00000000
+Set-Cipher -name "RC2 128/128" -value 0x00000000
+Set-Cipher -name "RC2 40/128" -value 0x00000000
+Set-Cipher -name "RC2 56/128" -value 0x00000000
+Set-Cipher -name "RC4 128/128" -value 0x00000000
+Set-Cipher -name "RC4 40/128" -value 0x00000000
+Set-Cipher -name "RC4 56/128" -value 0x00000000
+Set-Cipher -name "RC4 64/128" -value 0x00000000
+Set-Cipher -name "Triple DES 168/168" -value 0x00000000
 
 Reset-Hashes
 Set-Hash -name "MD5" -value 0x00000000
@@ -184,4 +184,4 @@ Foreach($SitesCollection in Get-IISConfigCollection -ConfigElement $ConfigSectio
 
 Stop-IISCommitDelay
 Remove-Module IISAdministration
-{{/if}}
\ No newline at end of file
+{{/if}}
From b900dc2faf3593578bd64becee726000835fee4e Mon Sep 17 00:00:00 2001
From: Daniel Fisher
Date: Wed, 21 Aug 2019 09:18:07 +0200
Subject: [PATCH 3/4] Ordered languages alphabetically
---
 src/js/index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
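Review bot: The call site becomes `Reset-Chihers` (first added line of the `@@ -96,19 +96,19` hunk) while the function in the `@@ -8,8 +8,8` hunk is renamed to `Reset-Ciphers`, so this typo fix introduces a call to a command that does not exist. PowerShell reports a missing command as a non-terminating error and carries on, so the generated script would proceed into the `Set-Cipher` calls without the Ciphers key ever having been reset, and an operator running it sees only one red line scroll past. The line should read `Reset-Ciphers`; patch 4 of this series still shows `Reset-Chihers` in its context lines, so the misspelling survives to the end of the series. A `$ErrorActionPreference = 'Stop'` line at the top of the template would turn this class of mistake into a hard stop instead of a half-applied hardening run.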
diff --git a/src/js/index.js b/src/js/index.js
index 36f08b6a..62d0cd64 100755
--- a/src/js/index.js
+++ b/src/js/index.js
@@ -16,8 +16,8 @@ hljs.registerLanguage('apache', apache);
 hljs.registerLanguage('ini', ini);
 hljs.registerLanguage('json', json);
 hljs.registerLanguage('nginx', nginx);
-hljs.registerLanguage('yaml', yaml);
 hljs.registerLanguage('ps', ps);
+hljs.registerLanguage('yaml', yaml);
 
 import '../css/index.scss';
 
@@ -138,4 +138,4 @@ $().ready(() => {
 await sleep(750);
 $('#copy').tooltip('hide');
 });
-});
\ No newline at end of file
+});
From 32bf58bb40843d4cbbc627787859c7f9ff4943db Mon Sep 17 00:00:00 2001
From: Daniel Fisher
Date: Wed, 21 Aug 2019 09:22:17 +0200
Subject: [PATCH 4/4] Fixed link
---
 src/templates/partials/iis.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/templates/partials/iis.hbs b/src/templates/partials/iis.hbs
index bcd0597f..675bbc1d 100644
--- a/src/templates/partials/iis.hbs
+++ b/src/templates/partials/iis.hbs
@@ -95,7 +95,7 @@ function Remove-RegistryValue($path, $name){
 }
 
 # Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
-# http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030
+# https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
 Reset-Chihers
 Set-Cipher -name "AES 128/128" -value 0xffffffff
 Set-Cipher -name "AES 256/256" -value 0xffffffff