├── .github ├── FUNDING.yml └── workflows │ ├── ci.yml │ └── release.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── meta └── main.yml ├── requirements.txt └── tasks ├── main.yml ├── windows.yml └── windows ├── ciphers.yml ├── hashes.yml └── protocols.yml /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | github: deekayen 4 | ko_fi: deekayen 5 | liberapay: deekayen 6 | custom: ["paypal.me/deekayen", "venmo.com/drdnorman", "buymeacoff.ee/deekayen"] 7 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CI 3 | 'on': 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | defaults: 10 | run: 11 | working-directory: 'deekayen.schannel' 12 | 13 | jobs: 14 | 15 | test: 16 | name: Linting 17 | runs-on: ubuntu-latest 18 | 19 | steps: 20 | - name: Check out the codebase. 21 | uses: actions/checkout@v4.1.1 22 | with: 23 | path: 'deekayen.schannel' 24 | 25 | - name: Set up Python 3. 26 | uses: actions/setup-python@v5 27 | with: 28 | python-version: '3.x' 29 | 30 | - name: Install test dependencies. 31 | run: pip install --upgrade --upgrade-strategy eager -r requirements.txt 32 | 33 | - name: Run ansible-lint. 34 | run: ansible-lint . 35 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | name: Release 4 | 'on': 5 | push: 6 | tags: 7 | - '*' 8 | 9 | defaults: 10 | run: 11 | working-directory: 'deekayen.schannel' 12 | 13 | jobs: 14 | 15 | release: 16 | name: Release 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Check out the codebase. 
# (continues the "Check out the codebase." step declared above)
# NOTE(review): both actions in this job are pinned to tags (v4.1.1, v2.7.0);
# tags are movable refs, so pinning to the full commit SHA is the reproducible,
# tamper-evident form.
        uses: actions/checkout@v4.1.1
        with:
          path: 'deekayen.schannel'

      # Third-party action that exports the CI_REF_NAME / CI_REPOSITORY_* env
      # vars consumed by the import step below.
      - name: GitHub Environment Variables Action
        uses: FranzDiebold/github-env-vars-action@v2.7.0

      # Publishes the pushed tag to Ansible Galaxy. The API key is expanded into
      # the command line; GitHub masks it in the job log, but handing it over
      # through `env:` would also keep it out of the runner's process arguments
      # — consider.
      - name: Trigger a new import on Galaxy.
        run: ansible-galaxy role import --branch $CI_REF_NAME --api-key ${{ secrets.GALAXY_API_KEY }} $CI_REPOSITORY_OWNER $CI_REPOSITORY_NAME
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Kerberos keytabs (credential material) and Ansible retry files stay out of
# the repository; the rest are OS desktop artefacts.
*.keytab
*.retry
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
---

repos:
  - repo: https://github.com/ansible/ansible-lint.git
    rev: v6.22.2
    hooks:
      - id: ansible-lint
        files: \.(yaml|yml)$
        # NOTE(review): this exclude is a path on one developer's machine and
        # is a no-op for anyone else running the hook.
        args: [--exclude=/Users/deekayen/.ansible]
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
---

extends: default

rules:
  indentation:
    spaces: 2
    indent-sequences: whatever
  line-length: disable
  truthy: disable
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2017, David Norman
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.
11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | SCHANNEL 2 | ======== 3 | [![CI](https://github.com/deekayen/ansible-role-schannel/actions/workflows/ci.yml/badge.svg)](https://github.com/deekayen/ansible-role-schannel/actions/workflows/ci.yml) [![Project Status: Inactive – The project has reached a stable, usable state but is no longer being actively developed; support/maintenance will be provided as time allows.](https://www.repostatus.org/badges/latest/inactive.svg)](https://www.repostatus.org/#inactive) ![BSD 3-Clause license](https://img.shields.io/badge/license-BSD%203--Clause-blue) ![Windows platform](https://img.shields.io/badge/platform-windows-lightgrey) 4 | 5 | Makes changes to SCHANNEL settings of the Windows 6 | registry to serve more secure cryptographic 7 | communications for services like IIS and WinRM. 8 | 9 | Ciphers: 10 | 11 | * AES 128/128 12 | * AES 256/256 13 | * DES 56/56 14 | * NULL 15 | * RC2 40/128 16 | * RC2 56/128 17 | * RC2 128/128 18 | * RC4 40/128 19 | * RC4 56/128 20 | * RC4 64/128 21 | * RC4 128/128 22 | * Triple DES 168/168 23 | 24 | Protocols: 25 | 26 | * PCT 1.0 27 | * SSLv2 28 | * SSLv3 29 | * TLS 1.0 30 | * TLS 1.1 31 | * TLS 1.2 32 | 33 | Hashes: 34 | 35 | * MD5 36 | * SHA-1 37 | * SHA-256 38 | * SHA-384 39 | * SHA-512 40 | 41 | Related documentation: 42 | 43 | * [How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll](https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll) 44 | * [Schannel Security Support Provider Technical Reference: TLS/SSL Settings](https://technet.microsoft.com/en-us/library/dn786418.aspx) 45 | * [MS16-065: Description of the TLS/SSL protocol information disclosure vulnerability (CVE-2016-0149): May 10, 
2016](https://support.microsoft.com/en-us/help/3155464/ms16-065-description-of-the-tls-ssl-protocol-information-disclosure-vu)
* [Enabling strong cryptography for all .Net applications](https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications)
* [Updated Support for Diffie-Hellman Key Exchange](https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644)
* [Microsoft security advisory: Updated support for Diffie-Hellman Key Exchange](https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc)

Requirements
------------

Windows

Role Variables
--------------

Default values are as follows:

```
schannel_dh_enabled: true
schannel_dhmodulus: 2048

schannel_3des: false
schannel_aes_128: true
schannel_aes_256: true
schannel_des: false
schannel_null: false
schannel_rc2: false
schannel_rc4: false

schannel_md5: false
schannel_sha1: true
schannel_sha256: true
schannel_sha384: true
schannel_sha512: true

schannel_pct: false
schannel_sslv2: false
schannel_sslv3: false
schannel_tlsv10: false
schannel_tlsv11: true
schannel_tlsv12: true

schannel_usestrongcrypto: true
```

Valid values for schannel_dhmodulus:

* 1024
* 2048
* 3072
* 4096

Example Playbook
----------------

```
- name: Harden Windows SCHANNEL configurations.
  hosts: windows2012

  vars:
    schannel_tlsv10: true

  roles:
    - deekayen.schannel
```

Dependencies
------------

None.

Tags
----

Each task carries its own tag; see the task files for the full list. The role-level tags are:
115 | 116 | * schannel 117 | * security 118 | * windows 119 | 120 | License 121 | ------- 122 | 123 | BSD 3-Clause License 124 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | schannel_dh_enabled: true 4 | schannel_dhmodulus: 2048 5 | 6 | schannel_3des: false 7 | schannel_aes_128: true 8 | schannel_aes_256: true 9 | schannel_des: false 10 | schannel_null: false 11 | schannel_rc2: false 12 | schannel_rc4: false 13 | 14 | schannel_md5: false 15 | schannel_sha1: true 16 | schannel_sha256: true 17 | schannel_sha384: true 18 | schannel_sha512: true 19 | 20 | schannel_pct: false 21 | schannel_sslv2: false 22 | schannel_sslv3: false 23 | schannel_tlsv10: false 24 | schannel_tlsv11: true 25 | schannel_tlsv12: true 26 | 27 | schannel_usestrongcrypto: true 28 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | galaxy_info: 4 | role_name: schannel 5 | namespace: deekayen 6 | author: David Norman 7 | description: Alter SCHANNEL registry settings for encryption protocols, ciphers, and hashes in Windows. 
8 | 9 | github_branch: main 10 | issue_tracker_url: https://github.com/deekayen/ansible-role-schannel/issues 11 | 12 | license: BSD 13 | 14 | min_ansible_version: '2.13' 15 | 16 | platforms: 17 | - name: Windows 18 | versions: 19 | - all 20 | 21 | galaxy_tags: 22 | - windows 23 | - security 24 | 25 | collections: 26 | - ansible.windows 27 | 28 | dependencies: [] 29 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ansible 2 | ansible-lint 3 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Limit to the whole play to just Windows. 4 | ansible.builtin.import_tasks: windows.yml 5 | when: ansible_os_family == 'Windows' 6 | tags: 7 | - main 8 | - schannel 9 | - security 10 | - windows 11 | -------------------------------------------------------------------------------- /tasks/windows.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Set ciphers. 4 | ansible.builtin.import_tasks: windows/ciphers.yml 5 | tags: 6 | - ciphers 7 | 8 | - name: Set hashes. 9 | ansible.builtin.import_tasks: windows/hashes.yml 10 | tags: 11 | - hashes 12 | 13 | - name: Set protocols. 
# (continues the "Set protocols." task declared above)
  ansible.builtin.import_tasks: windows/protocols.yml
  tags:
    - protocols

# Regedit to add "SchUseStrongCrypto" key
# Both SchUseStrongCrypto tasks write the value as 1 when
# schannel_usestrongcrypto is true and delete the value (state: absent) when it
# is false — so "false" means "leave .NET at its built-in default", not "write 0".
- name: "Add SchUseStrongCrypto key to Wow6432Node"
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
    name: SchUseStrongCrypto
    data: 1
    type: dword
    state: "{{ schannel_usestrongcrypto | ternary('present', 'absent') }}"
  tags:
    - wow6432node

- name: "Add SchUseStrongCrypto key to Microsoft .NET Framework"
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    name: SchUseStrongCrypto
    data: 1
    type: dword
    state: "{{ schannel_usestrongcrypto | ternary('present', 'absent') }}"
  tags:
    - dotnet

# https://www3.trustwave.com/support/kb/Article.aspx?id=14784
# DH is enabled by default. Removing the key should turn it back on after reboot.
# Note that this task never removes the value: it always writes Enabled
# explicitly (0xffffffff when schannel_dh_enabled is true, 0 otherwise).
- name: "Diffie-Hellman key exchange."
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
    name: Enabled
    data: "{{ schannel_dh_enabled | ternary('4294967295', '0') }}"
    type: dword
    state: present
  tags:
    - dh_exchange

# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
# ServerMinKeyBitLength is taken straight from schannel_dhmodulus (the README
# lists 1024/2048/3072/4096 as the accepted values).
- name: "Update Diffie-Hellman Key Exchange DH modulus minimum."
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
    name: ServerMinKeyBitLength
    data: "{{ schannel_dhmodulus }}"
    type: dword
    state: present
  tags:
    - dh_modulus

# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc
# NOTE(review): the task name and the advisory above are about Diffie-Hellman,
# but the target here is the PKCS subkey (RSA key exchange, not DH), and it
# reuses schannel_dhmodulus as the client-side minimum key length — confirm the
# subkey and the shared variable are intended; a 2048-bit floor here also
# governs which RSA keys the client will accept. Like the other SCHANNEL values
# in this role, these presumably take effect only after a reboot, and nothing
# in the role notifies one — confirm the calling playbook handles that.
- name: "Update Diffie-Hellman Key Exchange using KB3174644."
64 | ansible.windows.win_regedit: 65 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS 66 | name: ClientMinKeyBitLength 67 | data: "{{ schannel_dhmodulus }}" 68 | type: dword 69 | state: present 70 | tags: 71 | - dh_kb3174644 72 | -------------------------------------------------------------------------------- /tasks/windows/ciphers.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Cleanup nested SCHANNEL folders. 4 | 5 | - name: Remove AES 128. 6 | ansible.windows.win_regedit: 7 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128 8 | delete_key: true 9 | state: absent 10 | tags: 11 | - aes128 12 | 13 | - name: Remove AES 256. 14 | ansible.windows.win_regedit: 15 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256 16 | delete_key: true 17 | state: absent 18 | tags: 19 | - aes256 20 | 21 | - name: Remove DES 56. 22 | ansible.windows.win_regedit: 23 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56 24 | delete_key: true 25 | state: absent 26 | tags: 27 | - des56 28 | 29 | - name: Remove RC2 128. 30 | ansible.windows.win_regedit: 31 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128 32 | delete_key: true 33 | state: absent 34 | tags: 35 | - rc2_128 36 | 37 | - name: Remove RC2 40. 38 | ansible.windows.win_regedit: 39 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40 40 | delete_key: true 41 | state: absent 42 | tags: 43 | - rc2_40 44 | 45 | - name: Remove RC2 56. 46 | ansible.windows.win_regedit: 47 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56 48 | delete_key: true 49 | state: absent 50 | tags: 51 | - rc2_56 52 | 53 | - name: Remove RC4 128. 
# (continues the "Remove RC4 128." task declared above)
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128
    delete_key: true
    state: absent
  tags:
    - rc4_128

- name: Remove RC4 40.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40
    delete_key: true
    state: absent
  tags:
    - rc4_40

# Same cleanup as its siblings (presumably the leftover "RC4 56" key produced by
# the slash nesting described below); the task name says "Set" but nothing is
# set here.
- name: Set RC4 56.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56
    delete_key: true
    state: absent
  tags:
    - rc4_56

- name: Remove RC4 64.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64
    delete_key: true
    state: absent
  tags:
    - rc4_64

# Without creating registry keys first, win_regedit will nest the part after the
# forward slash in each cipher as another folder instead of part of the name.
# https://stackoverflow.com/questions/44067327/escaping-slash-in-a-win-regedit-path-on-ansible
#
# Review notes on the seed task below:
# - `$path` is assigned but never read; the `new-item` presumably only exists
#   to make sure the parent Ciphers key is present.
# - The shell runs on every play, so the task reports "changed" each time and
#   never settles; a `changed_when` (or a win_reg_stat guard) would restore
#   idempotence.
# - `{{ item }}` is interpolated into a single-quoted PowerShell literal. The
#   loop values are fixed in this file, so no untrusted input reaches the
#   shell; keep it that way if the list is ever turned into a variable.
# - The `when` skips Windows Server 2008 / Windows 7, yet the 2008/7 block at
#   the end of this file still writes a slash-named key (Triple DES 168/168)
#   through win_regedit — confirm on such a host that it is not nested.
- name: "Create cipher registry keys except NULL and Triple DES."
  ansible.windows.win_shell: |
    $path=new-item -path 'HKLM:\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers';
    $key = (get-item HKLM:\\).OpenSubKey('System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers', $true);
    $key.CreateSubKey('{{ item }}');
    $key.Close()
  with_items:
    - "AES 128/128"
    - "AES 256/256"
    - "DES 56/56"
    - "RC2 128/128"
    - "RC2 40/128"
    - "RC2 56/128"
    - "RC4 128/128"
    - "RC4 40/128"
    - "RC4 56/128"
    - "RC4 64/128"
  when: not ansible_os_name is search("Windows Server 2008") and not ansible_os_name is search("Windows 7")
  tags:
    - seed_cipher_keys

- name: Set AES 128/128.
111 | ansible.windows.win_regedit: 112 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128 113 | name: Enabled 114 | type: dword 115 | data: "{{ schannel_aes_128 | ternary('4294967295', '0') }}" 116 | state: present 117 | tags: 118 | - aes_128_128 119 | 120 | - name: Set AES 256/256. 121 | ansible.windows.win_regedit: 122 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256 123 | name: Enabled 124 | type: dword 125 | data: "{{ schannel_aes_256 | ternary('4294967295', '0') }}" 126 | state: present 127 | tags: 128 | - aes_256_256 129 | 130 | - name: Set NULL ciphers. 131 | ansible.windows.win_regedit: 132 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL 133 | name: Enabled 134 | type: dword 135 | data: "{{ schannel_null | ternary('4294967295', '0') }}" 136 | state: present 137 | tags: 138 | - "null" 139 | 140 | - name: Set DES 56/56. 141 | ansible.windows.win_regedit: 142 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 143 | name: Enabled 144 | type: dword 145 | data: "{{ schannel_des | ternary('4294967295', '0') }}" 146 | state: present 147 | tags: 148 | - des_56_56 149 | 150 | - name: Set RC2 128/128. 151 | ansible.windows.win_regedit: 152 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128 153 | name: Enabled 154 | type: dword 155 | data: "{{ schannel_rc2 | ternary('4294967295', '0') }}" 156 | state: present 157 | tags: 158 | - rc2_128_128 159 | 160 | - name: Set RC2 40/128. 161 | ansible.windows.win_regedit: 162 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 163 | name: Enabled 164 | type: dword 165 | data: "{{ schannel_rc2 | ternary('4294967295', '0') }}" 166 | state: present 167 | tags: 168 | - rc2_40_128 169 | 170 | - name: Set RC2 56/128. 
171 | ansible.windows.win_regedit: 172 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 173 | name: Enabled 174 | type: dword 175 | data: "{{ schannel_rc2 | ternary('4294967295', '0') }}" 176 | state: present 177 | tags: 178 | - rc2_56_128 179 | 180 | - name: Set RC4 128/128. 181 | ansible.windows.win_regedit: 182 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 183 | name: Enabled 184 | type: dword 185 | data: "{{ schannel_rc4 | ternary('4294967295', '0') }}" 186 | state: present 187 | tags: 188 | - rc4_128_128 189 | 190 | - name: Set RC4 40/128. 191 | ansible.windows.win_regedit: 192 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 193 | name: Enabled 194 | type: dword 195 | data: "{{ schannel_rc4 | ternary('4294967295', '0') }}" 196 | state: present 197 | tags: 198 | - rc4_40_128 199 | 200 | - name: Set RC4 56/128. 201 | ansible.windows.win_regedit: 202 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 203 | name: Enabled 204 | type: dword 205 | data: "{{ schannel_rc4 | ternary('4294967295', '0') }}" 206 | state: present 207 | tags: 208 | - rc4_56_128 209 | 210 | - name: Set RC4 64/128. 211 | ansible.windows.win_regedit: 212 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 213 | name: Enabled 214 | type: dword 215 | data: "{{ schannel_rc4 | ternary('4294967295', '0') }}" 216 | state: present 217 | tags: 218 | - rc4_64_128 219 | 220 | - name: Triple DES needs special handling since it changed from 2008/7 to 2012/8/10. 221 | when: ansible_os_name is search("Windows Server 2008") or ansible_os_name is search("Windows 7") 222 | block: 223 | 224 | - name: Remove Triple DES 168. 
225 | ansible.windows.win_regedit: 226 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168 227 | delete_key: true 228 | state: absent 229 | tags: 230 | - remove_3des_168 231 | 232 | - name: Set Triple DES 168/168. 233 | ansible.windows.win_regedit: 234 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168 235 | name: Enabled 236 | type: dword 237 | data: "{{ schannel_3des | ternary('4294967295', '0') }}" 238 | state: present 239 | tags: 240 | - set_3des_168_168 241 | 242 | - name: Set Triple DES 168. 243 | ansible.windows.win_regedit: 244 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168 245 | name: Enabled 246 | type: dword 247 | data: "{{ schannel_3des | ternary('4294967295', '0') }}" 248 | state: present 249 | when: not ansible_os_name is search("Windows Server 2008") and not ansible_os_name is search("Windows 7") 250 | tags: 251 | - 3des_168 252 | -------------------------------------------------------------------------------- /tasks/windows/hashes.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Set MD5. 4 | ansible.windows.win_regedit: 5 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5 6 | name: Enabled 7 | type: dword 8 | data: "{{ schannel_md5 | ternary('4294967295', '0') }}" 9 | state: present 10 | tags: 11 | - md5 12 | 13 | - name: Set SHA-1. 14 | ansible.windows.win_regedit: 15 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA 16 | name: Enabled 17 | type: dword 18 | data: "{{ schannel_sha1 | ternary('4294967295', '0') }}" 19 | state: present 20 | tags: 21 | - sha1 22 | 23 | - name: Set SHA-256. 
24 | ansible.windows.win_regedit: 25 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256 26 | name: Enabled 27 | type: dword 28 | data: "{{ schannel_sha256 | ternary('4294967295', '0') }}" 29 | state: present 30 | tags: 31 | - sha256 32 | 33 | - name: Set SHA-384. 34 | ansible.windows.win_regedit: 35 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384 36 | name: Enabled 37 | type: dword 38 | data: "{{ schannel_sha384 | ternary('4294967295', '0') }}" 39 | state: present 40 | tags: 41 | - sha384 42 | 43 | - name: Set SHA-512. 44 | ansible.windows.win_regedit: 45 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512 46 | name: Enabled 47 | type: dword 48 | data: "{{ schannel_sha512 | ternary('4294967295', '0') }}" 49 | state: present 50 | tags: 51 | - sha512 52 | -------------------------------------------------------------------------------- /tasks/windows/protocols.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Set PCT 1.0 server state. 4 | ansible.windows.win_regedit: 5 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server 6 | name: Enabled 7 | type: dword 8 | data: "{{ schannel_pct | ternary('1', '0') }}" 9 | state: present 10 | tags: 11 | - pct10 12 | 13 | - name: Set SSL 2.0 client default. 14 | ansible.windows.win_regedit: 15 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client 16 | name: DisabledByDefault 17 | type: dword 18 | data: "{{ schannel_sslv2 | ternary('0', '1') }}" 19 | state: present 20 | tags: 21 | - ssl20_client 22 | 23 | - name: Set SSL 2.0 server state. 
24 | ansible.windows.win_regedit: 25 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server 26 | name: Enabled 27 | type: dword 28 | data: "{{ schannel_sslv2 | ternary('1', '0') }}" 29 | state: present 30 | tags: 31 | - ssl20_server 32 | 33 | - name: Set SSL 3.0 client default. 34 | ansible.windows.win_regedit: 35 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client 36 | name: DisabledByDefault 37 | type: dword 38 | data: "{{ schannel_sslv3 | ternary('0', '1') }}" 39 | state: present 40 | tags: 41 | - ssl30_client 42 | 43 | - name: Set SSL 3.0 server state. 44 | ansible.windows.win_regedit: 45 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server 46 | name: Enabled 47 | type: dword 48 | data: "{{ schannel_sslv3 | ternary('1', '0') }}" 49 | state: present 50 | tags: 51 | - ssl30_server 52 | 53 | - name: Set TLS 1.0 client default. 54 | ansible.windows.win_regedit: 55 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 56 | name: DisabledByDefault 57 | type: dword 58 | data: "{{ schannel_tlsv10 | ternary('0', '1') }}" 59 | state: present 60 | tags: 61 | - tls10_client 62 | 63 | - name: Set TLS 1.0 server state. 64 | ansible.windows.win_regedit: 65 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 66 | name: Enabled 67 | type: dword 68 | data: "{{ schannel_tlsv10 | ternary('1', '0') }}" 69 | state: present 70 | tags: 71 | - tls10_server 72 | 73 | - name: Set TLS 1.1 client default. 74 | ansible.windows.win_regedit: 75 | path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 76 | name: DisabledByDefault 77 | type: dword 78 | data: "{{ schannel_tlsv11 | ternary('0', '1') }}" 79 | state: present 80 | tags: 81 | - tls11_client 82 | 83 | - name: Set TLS 1.1 server default. 
# (continues the "Set TLS 1.1 server default." task declared above)
# NOTE(review): throughout this file the Client subkeys receive only
# DisabledByDefault, and the PCT 1.0 / SSL 2.0 / SSL 3.0 / TLS 1.0 Server
# subkeys receive only Enabled; only the TLS 1.1 and TLS 1.2 Server subkeys get
# both values. As the Microsoft KB linked from the README describes, a protocol
# is fully disabled only when Enabled=0 and DisabledByDefault=1 are both
# written, and DisabledByDefault alone still lets an application opt in —
# confirm that leaving Client\Enabled untouched is the intended policy.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    name: DisabledByDefault
    type: dword
    data: "{{ schannel_tlsv11 | ternary('0', '1') }}"
    state: present
  tags:
    - tls11_server

# Enabled is written as 1/0 here, whereas ciphers.yml and hashes.yml write
# 0xffffffff/0; presumably both forms are accepted for their respective keys —
# verify against the KB before unifying them.
- name: Set TLS 1.1 server state.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    name: Enabled
    type: dword
    data: "{{ schannel_tlsv11 | ternary('1', '0') }}"
    state: present
  tags:
    - tls11_state

# DisabledByDefault=0 when schannel_tlsv12 is true, 1 when it is false.
- name: Set TLS 1.2 client default.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    name: DisabledByDefault
    type: dword
    data: "{{ schannel_tlsv12 | ternary('0', '1') }}"
    state: present
  tags:
    - tls12_client

# Tag naming: `tls12_server` covers DisabledByDefault and `tls12_state` covers
# Enabled, whereas `ssl30_server` / `tls10_server` earlier in this file tag the
# Enabled task.
- name: Set TLS 1.2 server default.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    name: DisabledByDefault
    type: dword
    data: "{{ schannel_tlsv12 | ternary('0', '1') }}"
    state: present
  tags:
    - tls12_server

- name: Set TLS 1.2 server state.
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    name: Enabled
    type: dword
    data: "{{ schannel_tlsv12 | ternary('1', '0') }}"
    state: present
  tags:
    - tls12_state
--------------------------------------------------------------------------------