TLS/SSL Insecure Ciphers (SCHANNEL)

78fcd8a8-18af-49f4-8a64-bccb901e5557

This script checks whether insecure protocols and ciphers are still enabled: SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 / RC4.
Known insecure protocols and ciphers should be disabled, but keep in mind that some applications other than web browsers may still rely on older protocols such as TLS 1.0.
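
A read-only audit of the same settings, as an added example (this is not the EventSentry script). It assumes the standard SCHANNEL registry layout under HKLM; the function name `Get-SchannelState` is hypothetical.

```powershell
# Added example: report the SCHANNEL registry state for the protocols and
# ciphers named above. Nothing is modified. Run in an elevated session.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$SubKey)
    # The .NET registry API is used because key names such as 'RC4 128/128'
    # contain '/', which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$root\$SubKey")
    if ($null -eq $key) { return 'Not configured' }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return 'Not configured' }
        if ($value -eq 0) { return 'Disabled' }
        return 'Enabled'
    }
    finally { $key.Close() }
}

$targets = @()
foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        $targets += "Protocols\$protocol\$role"
    }
}
foreach ($cipher in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $targets += "Ciphers\$cipher"
}

$report = foreach ($subKey in $targets) {
    $state = Get-SchannelState -SubKey $subKey
    [pscustomobject]@{
        Setting = $subKey
        State   = $state
        # 'Not configured' means the OS default applies, which differs
        # between Windows versions, so it is flagged for manual review.
        Finding = switch ($state) {
            'Disabled' { 'OK' }
            'Enabled'  { 'INSECURE' }
            default    { 'Review OS default' }
        }
    }
}

$report | Format-Table -AutoSize
```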

Remediation

Guide to disable insecure cipher protocols: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

More information and recommendations on insecure cipher protocols: https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening

STIG IIS: https://www.stigviewer.com/stig/iis_8.5_server/2019-10-01/

We created a PowerShell script to automatically disable all insecure ciphers. It is available in our GitHub repository: https://github.com/eventsentry/scripts/blob/main/disable_insecure_ciphers.ps1