如何在 Windows 服务器上禁用弱版本的 SSL/TLS 协议_windows server 2008 r2禁用对tls1.0、tls1.1的支持

作者：Li_阴宅 | 2024-08-23 09:06:10

踩

windows server 2008 r2禁用对tls1.0、tls1.1的支持

如何使用 Windows PowerShell 禁用传输层安全性 (TLS) 和安全套接字层 (SSL) 协议的弱版本。当然，在禁用弱版本的 SSL / TSL 协议之前，您需要确保可以在您的系统上使用 TLS 1.2 协议。
Windows 操作系统兼容的协议

系统与版本 TLS 1.2 兼容

Windows Server 2008 SP2: KB3154517
Windows Server 2008 R2: KB3154518
Windows Server 2012: KB3154519
Windows Server 2012 R2: KB3154520

启用 TLS 1.2

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -name 'Enabled' `
    -value '1' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -name 'DisabledByDefault' `
    -value 0 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -name 'Enabled' `
    -value '1' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -name 'DisabledByDefault' `
    -value 0 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.2 has been enabled.'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

禁用 SSL 2.0 和 SSL 3.0

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'SSL 2.0 has been disabled.'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

禁用 SSL v3.0

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'SSL 3.0 has been disabled.'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

禁用 TLS 1.0 和 1.1

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.0 has been disabled.'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

禁用 TLS 1.1

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.1 has been disabled.'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

重启生效

ref

https://www.jorgebernhardt.com/disable-ssl-and-tls-on-winserv/

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/Li_阴宅/article/detail/1020298