GPO: Disable SSL3 and weak ciphers

This GPO can be used to enforce SSL/TLS settings with Group Policy. This can be very useful if you have to implement secure encryption settings in a Windows-based environment where all servers can be managed with Group Policy Preferences.


Configured Settings:

The settings specified in this GPO are a subset of the implementation by Alexander Hass, who wrote a nice PowerShell script to configure IIS to use SSL Perfect Forward Secrecy and TLS 1.2 >> read more on hass.de

Not all settings are implemented yet, but they will follow soon.


How to use

To import the settings, copy everything from the code box, then right-click in the GPP Registry settings view and select "Paste".

GPO: Disable SSL3 and weak ciphers

After that, the imported settings should look like this:

GPO: Disable SSL3 and weak ciphers


Script code:

	
<?xml version="1.0" encoding="utf-8"?>
<!--
  Group Policy Preferences (GPP) registry export. Every <Registry> element below writes one
  REG_DWORD (action "U" = update) under
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

  Two groups are present:
    1. Protocols\<protocol>\Server : PCT 1.0, SSL 2.0 and SSL 3.0 are disabled
       (DisabledByDefault=1, Enabled=0); TLS 1.0, 1.1 and 1.2 are enabled
       (DisabledByDefault=0, Enabled=FFFFFFFF). Each protocol therefore appears twice,
       the second entry being the "... Part2" item that sets the Enabled value.
    2. Ciphers\<cipher> : AES 128/128, AES 256/256 and Triple DES 168/168 are enabled
       (Enabled=FFFFFFFF); DES 56/56, NULL, RC2 and RC4 variants are disabled (Enabled=0).

  Scope limits visible in this export:
    * Only the \Server subkeys are written. The \Client subkeys, which govern outbound
      connections made by these hosts, are not configured here.
    * Hashes, KeyExchangeAlgorithms and the cipher suite order are not covered (the page
      states that further settings are still to follow).

  NOTE(review): TLS 1.0 and TLS 1.1 are deliberately enabled by this export. Both are
  deprecated today; a current baseline would normally disable them as soon as all clients
  can negotiate TLS 1.2, using the same DisabledByDefault/Enabled pair shown for SSL 3.0.
  NOTE(review): Triple DES 168/168 remains enabled. It is generally treated as a weak
  cipher now and is a candidate for disabling alongside RC4.
  NOTE(review): bypassErrors="1" is set on the protocol entries but not on the cipher
  entries; presumably a cipher write that fails will then stop processing of the item,
  confirm this is intended.
  NOTE(review): the Enabled values mix 00000001/00000000 and FFFFFFFF; Schannel documentation
  accepts both 1 and 0xFFFFFFFF for "enabled", so this is believed harmless but worth
  normalising.

  The changed= timestamps and uid= GUIDs are export metadata from the original GPO and
  presumably get regenerated when pasted into GPMC; they carry no policy meaning.
-->
<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable PCT 1.0 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:19:39" uid="{2C32B77C-DFDE-4410-94A7-9448BF6A8BCA}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server" name="DisabledByDefault" type="REG_DWORD" value="00000001"/></Registry>
	<!-- Protocols, first half of each pair: DisabledByDefault (1 = protocol off unless explicitly requested, 0 = on by default). -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable SSLv2 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:19:47" uid="{F8C8F573-9BC0-4AC2-ADEC-1BAE66AE6FD7}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" name="DisabledByDefault" type="REG_DWORD" value="00000001"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable SSLv3 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:31:11" uid="{8E8628E4-039D-490D-B547-1CCF501FEDD4}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" name="DisabledByDefault" type="REG_DWORD" value="00000001"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSv1 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:29:53" uid="{3A980A7D-66AA-43EF-9AF0-EB10B8E743B8}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" name="DisabledByDefault" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSv1.1 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:33:42" uid="{2DB44899-2C39-487D-BFCE-93743E64FF23}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" name="DisabledByDefault" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSV1.2 Server" status="DisabledByDefault" image="12" changed="2016-03-31 22:35:19" uid="{F78CEAB6-7405-4C2B-A1C2-082FE5B0F3AF}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" name="DisabledByDefault" type="REG_DWORD" value="00000000"/></Registry>
	<!-- Protocols, second half of each pair ("Part2"): the Enabled value. 0 disables the protocol outright; FFFFFFFF enables it. -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable PCT 1.0 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:19:30" uid="{15F32C94-A1CE-4740-9B0F-2C2961D04A4A}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable SSLv2 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:19:54" uid="{24C368C4-9450-4FCA-B03C-C41F4B8ED09A}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable SSLv3 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:20:00" uid="{8E637CF8-6DDB-4B6E-A448-993C1F7E6FAA}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSv1 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:39:44" uid="{3B0C04A4-1690-4592-BA1B-1BD4556DF3A4}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSv1.1 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:39:54" uid="{3F8BEA22-0389-4082-A12B-0DD202256740}" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
	<!-- displayDecimal="1" on the next item differs from every other entry; presumably it only affects how GPMC renders the value, not what is written. -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable TLSv1.2 Server - Part2" status="Enabled" image="12" changed="2016-03-31 22:39:24" uid="{3C8CCB15-18A1-4B10-9B8D-636044DBD254}" bypassErrors="1"><Properties action="U" displayDecimal="1" default="0" hive="HKEY_LOCAL_MACHINE" key="System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
	<!-- Ciphers: one Enabled value per SCHANNEL\Ciphers\<cipher> key. Note that bypassErrors is not set on any of these, unlike the protocol entries above. -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enable cipher AES 128-128" status="Enabled" image="12" changed="2016-03-31 23:23:34" uid="{9E9C03AF-BB52-4332-8BD5-4FCCF31141E2}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enabled cipher AES 256-256" status="Enabled" image="12" changed="2016-03-31 23:23:38" uid="{1D998966-B921-43C6-9B69-BE0E96B3540F}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
	<!-- Weak or null ciphers, all set to Enabled=0. -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher DES 56/56" status="Enabled" image="12" changed="2016-03-31 23:53:59" uid="{A4BDC4CF-683B-4626-99E1-DE18868D867D}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher NULL" status="Enabled" image="12" changed="2016-03-31 23:53:35" uid="{2D9D8C82-80CA-4F54-9B52-68E1768EF403}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC2 128-128" status="Enabled" image="12" changed="2016-03-31 23:54:03" uid="{305FE020-EE42-42D1-97D3-A8E9C638C307}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC2 40-128" status="Enabled" image="12" changed="2016-03-31 23:54:08" uid="{66B729BF-1541-478F-A3EF-89FEFB55F0BC}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC2 56-128" status="Enabled" image="12" changed="2016-03-31 23:54:14" uid="{C3369AEC-AB2B-4EC7-A530-DADCADB37D08}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC4 128-128" status="Enabled" image="12" changed="2016-03-31 23:54:46" uid="{CAFFE095-8242-498D-8D52-4C77D571200F}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC4 40-128" status="Enabled" image="12" changed="2016-03-31 23:54:21" uid="{BAE7AB00-07BA-4A83-BD94-DE3F1C5E5486}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC4 56-128" status="Enabled" image="12" changed="2016-03-31 23:54:27" uid="{771D7F47-8CAD-44A8-9476-D0581058F81D}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable weak cipher RC4 64-128" status="Enabled" image="12" changed="2016-03-31 23:54:32" uid="{F1ADA876-CF35-49BE-BDF4-CA11692E94D0}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" name="Enabled" type="REG_DWORD" value="00000000"/></Registry>
	<!-- NOTE(review): Triple DES stays enabled here. It is widely regarded as weak today (64-bit block size) and is a candidate for Enabled=0 once no legacy client depends on it. -->
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Enabled cipher Triple DES 168-168" status="Enabled" image="12" changed="2016-03-31 23:54:35" uid="{6903D66A-ABE1-4C46-A2AD-4FB5E6CCB0E3}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" name="Enabled" type="REG_DWORD" value="FFFFFFFF"/></Registry>
</RegistrySettings>
	
