Makes changes to the SCHANNEL settings in the Windows registry so that services such as IIS and WinRM serve more secure cryptographic communications.
Ciphers:
- AES 128/128
- AES 256/256
- DES 56/56
- NULL
- RC2 40/128
- RC2 56/128
- RC2 128/128
- RC4 40/128
- RC4 56/128
- RC4 64/128
- RC4 128/128
- Triple DES 168/168
Protocols:
- PCT 1.0
- SSLv2
- SSLv3
- TLS 1.0
- TLS 1.1
- TLS 1.2
Hashes:
- MD5
- SHA-1
- SHA-256
- SHA-384
- SHA-512
Related documentation:
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
- Schannel Security Support Provider Technical Reference: TLS/SSL Settings
- MS16-065: Description of the TLS/SSL protocol information disclosure vulnerability (CVE-2016-0149): May 10, 2016
- Enabling strong cryptography for all .Net applications
- Updated Support for Diffie-Hellman Key Exchange
- Microsoft security advisory: Updated support for Diffie-Hellman Key Exchange
Requirements:
- Windows
Role variables:
Default values are as follows:
```yaml
schannel_dh_enabled: True
schannel_dhmodulus: 2048
schannel_3des: false
schannel_aes_128: true
schannel_aes_256: true
schannel_des: false
schannel_null: false
schannel_rc2: false
schannel_rc4: false
schannel_md5: false
schannel_sha1: true
schannel_sha256: true
schannel_sha384: true
schannel_sha512: true
schannel_pct: false
schannel_sslv2: false
schannel_sslv3: false
schannel_tlsv10: false
schannel_tlsv11: true
schannel_tlsv12: true
schannel_usestrongcrypto: true
```
Valid values for schannel_dhmodulus:
- 1024
- 2048
- 3072
- 4096
Example playbook:
```yaml
- name: Harden Windows SCHANNEL configurations.
  hosts: windows2012
  vars:
    schannel_tlsv10: true
  roles:
    - deekayen.schannel
```
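After the role has run, it is worth confirming that the registry actually ended up in the state the defaults above describe. The following PowerShell audit is an added example, not code from the deekayen.schannel role; it assumes the Schannel registry locations and subkey names documented in KB245030 (linked above; `Hashes\SHA` is the SHA-1 key, `Triple DES 168` the 3DES key) and treats an absent key as "OS default applies".

```powershell
# Added example (not part of the deekayen.schannel role): audit a host's SCHANNEL
# registry state against the role defaults listed above. Registry locations and
# subkey names follow Microsoft's Schannel documentation (KB245030, linked above);
# 'Hashes\SHA' is the SHA-1 key. Run in an elevated PowerShell session on the host.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state derived from the role defaults: $true = Enabled, $false = disabled.
$Expected = [ordered]@{
    'Protocols\PCT 1.0' = $false; 'Protocols\SSL 2.0' = $false; 'Protocols\SSL 3.0' = $false
    'Protocols\TLS 1.0' = $false; 'Protocols\TLS 1.1' = $true;  'Protocols\TLS 1.2' = $true
    'Ciphers\AES 128/128' = $true; 'Ciphers\AES 256/256' = $true; 'Ciphers\Triple DES 168' = $false
    'Ciphers\DES 56/56' = $false; 'Ciphers\NULL' = $false; 'Ciphers\RC2 40/128' = $false
    'Ciphers\RC2 56/128' = $false; 'Ciphers\RC2 128/128' = $false; 'Ciphers\RC4 40/128' = $false
    'Ciphers\RC4 56/128' = $false; 'Ciphers\RC4 64/128' = $false; 'Ciphers\RC4 128/128' = $false
    'Hashes\MD5' = $false; 'Hashes\SHA' = $true; 'Hashes\SHA256' = $true
    'Hashes\SHA384' = $true; 'Hashes\SHA512' = $true
}

# Read the Enabled DWORD under a key. $null means the key or value is absent and
# the OS default applies, which for most of these items means "enabled".
function Get-SchannelEnabled([string]$Path) {
    $v = Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return ($v.Enabled -ne 0)   # 0 = disabled, 0xffffffff (read as -1) = enabled
}

$Findings = @()
foreach ($item in $Expected.Keys) {
    $want = $Expected[$item]
    # Protocols carry separate Client and Server subkeys; ciphers and hashes do not.
    $paths = if ($item -like 'Protocols\*') { "$Base\$item\Client", "$Base\$item\Server" } else { "$Base\$item" }
    foreach ($p in $paths) {
        $got = Get-SchannelEnabled $p
        if ($null -eq $got) {
            # Not pinned in the registry: a finding only when the role wants it off.
            if (-not $want) { $Findings += "$p : not set (OS default applies), expected disabled" }
        } elseif ($got -ne $want) {
            $Findings += "$p : Enabled=$got, expected $want"
        }
    }
}
# Diffie-Hellman minimum modulus (schannel_dhmodulus default) and .NET strong crypto.
$dh = Get-ItemProperty "$Base\KeyExchangeAlgorithms\Diffie-Hellman" -ErrorAction SilentlyContinue
if (-not $dh -or $dh.ServerMinKeyBitLength -lt 2048) { $Findings += 'Diffie-Hellman ServerMinKeyBitLength is below 2048' }
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
if (-not $net -or $net.SchUseStrongCrypto -ne 1) { $Findings += '.NET Framework SchUseStrongCrypto is not set to 1' }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'SCHANNEL registry state matches the role defaults.'
```

The script exits non-zero on any deviation, so it can be run as a post-task check from the same playbook or from a scheduled compliance job.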
Dependencies:
None.
Tags:
Every task carries its own unique tag; see the task files for the tag names.
- schannel
- security
- windows
License:
BSD 3-Clause License