Cannot manage registry keys with forward slashes

This topic contains 6 replies, has 7 voices, and was last updated by Luis Lugo 8 months, 4 weeks ago.

  • #26662
    Aravinda Cat
    Participant

    Hi Team,

    I want to suppress the weak ciphers on my server using the Registry resource in DSC, but it is unable to create the key with a forward slash in the directory name.

    Key : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128

    Any idea how to resolve this issue?

    Thanks,
    Aravinda

  • #26675
    Daniel Krebs
    Moderator

    I know it is not intuitive. Change the forward slash to a backslash and it should work:

    HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64\128

  • #31149
    David Lant
    Participant

    This needs explaining, as simply using a backslash instead of a forward slash wouldn't give the same result. It would split the last key name into two and try to treat it as an additional level in the hierarchy.

  • #34279
    Alex Phu
    Participant

    Yes, please explain. I need help with this one too.

  • #34284
    Justin King
    Participant

    Think this can be solved with OpenSubkey and CreateSubKey.

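    (I used w32time service because ... I dunno .. I trust myself in there)

    $writable = $true
    # The .NET RegistryKey methods treat only '\' as a path separator, so '/' stays part of the subkey name
    $key = (Get-Item HKLM:\System\CurrentControlSet\Services\W32Time).OpenSubKey("Parameters", $writable).CreateSubKey("C:/test")
    $key.SetValue("Item 1", "Value 1")
    # Release the registry handle when done
    $key.Close()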
    

    That should build a subkey with a forward slash just fine.

  • #35574
    bmb56
    Participant

    You can escape the forward slash. For some reason, you need to use 4 backslashes. My guess is that the string goes through a couple of rounds of evaluation, getting escaped each time. This is what worked for us:

    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128\\\\/128'

  • #52591
    Luis Lugo
    Participant

    This is fixed in the latest xRegistry resource in the xPSDesiredStateConfiguration module. Just install this module and import the resources into your script. Below is an example that works without further scripting or escaping:

    configuration SecureSSLConfiguration
    {
    
        Import-DscResource -ModuleName xPSDesiredStateConfiguration
    
        node "localhost"
        {
    
            # TLS/SSL settings
            # https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx
    
            xRegistry DisableSSLv3Server
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
            xRegistry DisableSSLv3Client
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
            xRegistry DisableTLSv1Server
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
            xRegistry DisableTLSv1Client
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
    
            # Microsoft security advisory: Update for disabling RC4
            # https://support.microsoft.com/en-us/kb/2868725
    
            xRegistry DisableRC4128
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
            xRegistry DisableRC456
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
            xRegistry DisableRC440
            {
                Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128"
                ValueName = "Enabled"
                Ensure = "Present"
                ValueData = "0"
                ValueType = "Dword"
            }
    
    
        }
    }
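
An added example, not code from any poster in this thread: a read-only audit that uses the .NET registry API (as in the OpenSubKey/CreateSubKey reply) to confirm each RC4 key named in the thread exists under its literal name with `Enabled` set to 0, and to flag the split form (`RC4 128` with a child key `128`) that the backslash substitution would create. The function name `Test-SchannelCipherDisabled` and the state labels are assumptions made for this example.

```powershell
# Added example: audit the SCHANNEL RC4 cipher keys without going through the
# PowerShell registry provider, so '/' is read as part of the key name.
$ciphers  = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'   # names from this thread
$basePath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Test-SchannelCipherDisabled {
    param([string[]]$Name, [string]$Path)

    # Opened read-only; $null if the Ciphers key does not exist
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path)
    try {
        foreach ($cipher in $Name) {
            $state = 'KeyMissing'
            $key = if ($root) { $root.OpenSubKey($cipher) }
            if ($key) {
                $enabled = $key.GetValue('Enabled', $null)
                $state = if ($null -eq $enabled) { 'ValueMissing' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
                $key.Close()
            }

            # Split form: '\' is a separator here, so this looks for 'RC4 128' -> '128'
            $parent, $child = $cipher -split '/', 2
            $split = if ($root) { $root.OpenSubKey("$parent\$child") }
            $splitPresent = [bool]$split
            if ($split) { $split.Close() }

            [pscustomobject]@{
                Cipher          = $cipher
                State           = $state
                SplitKeyPresent = $splitPresent
            }
        }
    }
    finally {
        if ($root) { $root.Close() }
    }
}

Test-SchannelCipherDisabled -Name $ciphers -Path $basePath | Format-Table -AutoSize
```

A row with `State` other than `Disabled`, or with `SplitKeyPresent` true, means the setting did not land on the key SCHANNEL actually reads.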
    
