Harden RDP, Disable TLS 1.0, Disable SMB v1 via PowerShell

Security remediation can be a daunting task, and doing it by hand can be time-consuming. In this post, I have provided a script I've used in the past to harden RDP, TLS, and SMB via PowerShell.

Make sure to adjust the following for your environment:

$getRDPSec.SecurityLayer = "3"
$getRDPSec.MinEncryptionLevel = "3"

The following TechNet article provides more information on the settings listed above:

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ff458357(v=msdn.10)?redirectedfrom=MSDN

Disclaimer: You should not be adjusting important security settings by hand or via PowerShell. Leverage GPOs to apply changes such as these, and you can rest comfortably knowing they are part of your baseline and will be reverted if they are changed.

# -----------------------------------
# Check Windows Version
# -----------------------------------
$checkOSver = (Get-WmiObject -class Win32_OperatingSystem).Caption

# -----------------------------------
# Update RDP Security Levels
# -----------------------------------
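# SecurityLayer and MinEncryptionLevel are read-only properties of Win32_TSGeneralSetting,
# so assigning to them does not change the listener; call the class's setter methods instead.
# Values are SecurityLayer = 3 and MinEncryptionLevel = 3; adjust for your environment.
$getRDPSec = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices
$getRDPSec.SetSecurityLayer(3)
$getRDPSec.SetEncryptionLevel(3)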

# -----------------------------------
# Create keys for TLS 1.0 if not created, then disable the protocol
# -----------------------------------
$tls10 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"
foreach ($role in "Client", "Server") {
    # Create the key only if it is missing; -Force also creates the parent "TLS 1.0" key
    if (-not (Test-Path "$tls10\$role")) {
        New-Item -Path "$tls10\$role" -Force | Out-Null
    }
    # -Force overwrites the value if it already exists, so the script can be re-run without errors
    New-ItemProperty -Path "$tls10\$role" -Name "Enabled" -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$tls10\$role" -Name "DisabledByDefault" -Value 1 -PropertyType DWord -Force | Out-Null
}

# -----------------------------------
# Run on Windows 2012, Windows 8.1 or Windows 10
# -----------------------------------
if ($checkOSver -like "Microsoft Windows Server 2012*" -or $checkOSver -like "Microsoft Windows 10*" -or $checkOSver -like "Microsoft Windows 8.1*"){

    # Disable TCP Timestamps
    Set-netTCPsetting -SettingName InternetCustom -Timestamps disabled

    # Disable SMBv1 (server side) if it is currently enabled
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol){
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}
else {
    # Disable TCP Timestamps
    # Note: Tcp1323Opts = 0 turns off TCP window scaling as well as timestamps.
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "Tcp1323Opts" -Value 0 -Type DWord

    # Disable SMBv1 - Server (LanmanServer is the SMB server service)
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"){
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWord -Value 0 -Force
    }
}
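
To confirm the changes took effect, the read-only check below reads back the RDP, TLS 1.0 and SMBv1 settings the script touches and reports each one against its expected value. It is an added example, not part of the original script; `New-Check` and `Get-HardeningStatus` are hypothetical helper names, the expected RDP values are the ones used on this page, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): read-only audit of the settings above.
# New-Check and Get-HardeningStatus are hypothetical helper names.
function New-Check($Name, $Actual, $Expected) {
    [pscustomobject]@{
        Setting  = $Name
        Actual   = if ($null -eq $Actual) { '<not set>' } else { $Actual }
        Expected = $Expected
        Pass     = ($null -ne $Actual) -and ("$Actual" -eq "$Expected")
    }
}

function Get-HardeningStatus {
    param(
        # Expected RDP values are the ones used on this page; adjust for your environment.
        [int]$SecurityLayer = 3,
        [int]$MinEncryptionLevel = 3
    )

    # RDP: one Win32_TSGeneralSetting instance per listener (for example RDP-Tcp)
    Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices |
        ForEach-Object {
            New-Check "RDP $($_.TerminalName) SecurityLayer" $_.SecurityLayer $SecurityLayer
            New-Check "RDP $($_.TerminalName) MinEncryptionLevel" $_.MinEncryptionLevel $MinEncryptionLevel
        }

    # TLS 1.0: both values must be present for Client and Server
    $tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$tls10\$role" -ErrorAction SilentlyContinue
        New-Check "TLS 1.0 $role Enabled" $p.Enabled 0
        New-Check "TLS 1.0 $role DisabledByDefault" $p.DisabledByDefault 1
    }

    # SMBv1 server: use the cmdlet where it exists, otherwise the registry value
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        New-Check 'SMBv1 server EnableSMB1Protocol' (Get-SmbServerConfiguration).EnableSMB1Protocol $false
    } else {
        $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        New-Check 'SMBv1 server SMB1 registry value' $lanman.SMB1 0
    }
}

Get-HardeningStatus | Format-Table -AutoSize
```

The registry reads show the configured state only; SCHANNEL protocol changes take effect after a restart.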