Quick Introduction
Continuing with my series of Quick PowerShell articles, we will cover a quick PowerShell script that checks whether a server will accept TLS 1.0, TLS 1.1 or TLS 1.2 connections. For simplicity, we will use a premade tool that is free to download, TestSSLServer. The script queries a list of Exchange Servers, then uses this tool to check each server to see whether it can connect using each of these TLS versions. The result for each TLS version, for each server, is reported on screen:
Sample Run
Script Code
```powershell
# Get alphabetical Exchange Server name list:
$Servers = (Get-ExchangeServer).Name | Sort-Object

# Protocol versions to probe. TestSSLServer4 names them TLSv1, TLSv1.1 and TLSv1.2.
# 'Wanted' records whether the protocol should be enabled, which drives the report colours.
$Checks = @(
    @{ Label = 'TLS 1.0'; Version = 'TLSv1';   Wanted = $false },
    @{ Label = 'TLS 1.1'; Version = 'TLSv1.1'; Wanted = $false },
    @{ Label = 'TLS 1.2'; Version = 'TLSv1.2'; Wanted = $true  }
)

# Check each server:
Foreach ($Server in $Servers) {
    Write-Host "** TLS Report for $Server" -ForegroundColor Magenta
    Foreach ($Check in $Checks) {
        # Pin -min and -max to the same version so only that protocol is offered. With -max alone,
        # a server that still speaks an older version (e.g. TLS 1.0 when testing TLS 1.1) would
        # complete the handshake and be reported as supporting the version under test.
        $TLSTest = .\TestSSLServer4.exe -min $Check.Version -max $Check.Version $Server 443
        $NotEnabled = $TLSTest -like "*Could not initiate a handshake (not SSL/TLS?)*"

        # Green when the observed state matches what we want, red when it does not.
        If ($NotEnabled) {
            $Colour = If ($Check.Wanted) { 'Red' } Else { 'Green' }
            Write-Host $Check.Label -ForegroundColor White -NoNewLine
            Write-Host ' not enabled' -ForegroundColor $Colour
        } Else {
            $Colour = If ($Check.Wanted) { 'Green' } Else { 'Red' }
            Write-Host "$($Check.Label) is" -ForegroundColor White -NoNewLine
            Write-Host ' enabled' -ForegroundColor $Colour
        }
    }
}
```
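As an added example, not part of the original post's script, the same check can be done without the external tool by using .NET's SslStream from PowerShell. The function offers the server exactly one protocol version; if the handshake completes, the server accepts that version. Two caveats: the workstation running it must itself still have the protocol enabled in Schannel (otherwise a legacy version will always be reported as disabled), and certificate validation is deliberately bypassed because the point is protocol support, not trust. Get-ExchangeServer supplies the server list as in the script above; the function name Test-TlsVersion is my own.

```powershell
# Added example: probe one TLS version with .NET SslStream (no TestSSLServer needed).
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443
    )
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Client.Connect($ComputerName, $Port)
        # Accept any certificate: this tests protocol support, not certificate trust.
        $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $AcceptAll)
        try {
            # Offer exactly one protocol so a successful handshake is unambiguous.
            $Ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
            $Enabled = $true
            $Detail  = "negotiated $($Ssl.SslProtocol), cipher $($Ssl.CipherAlgorithm)"
        } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
            # Handshake refused, or the server closed the connection after the ClientHello.
            $Enabled = $false
            $Detail  = $_.Exception.Message
        } finally {
            $Ssl.Dispose()
        }
    } finally {
        $Client.Close()
    }
    [pscustomobject]@{
        Server   = $ComputerName
        Protocol = $Protocol
        Enabled  = $Enabled
        Detail   = $Detail
    }
}

# Report every Exchange server against the three versions. Rows for Tls or Tls11 with
# Enabled = True are the findings to chase; a Tls12 row with Enabled = False is a different problem.
$Results = foreach ($Server in ((Get-ExchangeServer).Name | Sort-Object)) {
    foreach ($Version in 'Tls', 'Tls11', 'Tls12') {
        Test-TlsVersion -ComputerName $Server -Protocol $Version
    }
}
$Results | Format-Table Server, Protocol, Enabled, Detail -AutoSize
```

Because the output is objects rather than coloured text, it can be piped to Export-Csv or filtered (`$Results | Where-Object { $_.Protocol -ne 'Tls12' -and $_.Enabled }`) to produce a list of servers that still need remediation.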
What Next?
Why use this? TLS 1.0 and TLS 1.1 are deprecated protocols with known weaknesses and should be turned off on servers. Treat any server that still accepts them as a finding to be closed if possible, but first investigate each server to confirm that blocking TLS 1.0 and TLS 1.1 is supported by everything that talks to it and will not break clients or services. On Exchange in particular, make sure TLS 1.2 is enabled and that the .NET Framework is configured to follow the operating system's TLS defaults (the SystemDefaultTlsVersions and SchUseStrongCrypto registry values) before removing the older protocols. For Windows servers, the following registry entries disable these protocols in Schannel for both incoming (Server) and outgoing (Client) connections; a reboot is required for the change to take effect:
Registry changes for Windows 2016+
Below are the changes required to disable TLS 1.0 and TLS 1.1. Enabled=0 turns the protocol off, and DisabledByDefault=1 prevents it from being negotiated unless an application requests it explicitly; both values are set so that neither setting alone can re-enable the protocol.
Disable TLS 1.0

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
```
Disable TLS 1.1

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
```
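As an added example, not from the original post, the same Schannel settings can be applied and read back from PowerShell rather than by importing the .reg files. The registry path and value names are exactly those shown above; the function names Set-SchannelProtocol and Get-SchannelProtocol are my own. Run it from an elevated prompt on the server and reboot afterwards so Schannel picks up the change.

```powershell
# Added example: manage the Schannel protocol keys shown above from PowerShell.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')] [string] $Protocol,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path $SchannelProtocols "$Protocol\$Side"
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 stops it being negotiated unless an
        # application asks for it explicitly. Both are written, matching the .reg fragments above.
        Set-ItemProperty -Path $Key -Name 'Enabled'           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocol {
    param([Parameter(Mandatory)] [string] $Protocol)
    foreach ($Side in 'Client', 'Server') {
        $Key    = Join-Path $SchannelProtocols "$Protocol\$Side"
        $Values = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
        # A missing value means the OS default applies (on Windows Server 2016+, TLS 1.0-1.2 are on).
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $Side
            Enabled           = if ($null -ne $Values.Enabled)           { $Values.Enabled }           else { '(default)' }
            DisabledByDefault = if ($null -ne $Values.DisabledByDefault) { $Values.DisabledByDefault } else { '(default)' }
        }
    }
}

# Turn the legacy protocols off, pin TLS 1.2 explicitly on, then show the resulting state.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocol -Protocol $_ } | Format-Table -AutoSize
```

After the reboot, re-run the TLS report from the first section against the server: TLS 1.0 and TLS 1.1 should now show as not enabled and TLS 1.2 as enabled. If a client or service breaks, Set-SchannelProtocol with -Enabled $true restores the protocol without editing the registry by hand.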