
June 19, 2015 at 5:51 am

Hi Team,

I want to suppress the weak ciphers on my server using the Registry resource in DSC, but it is unable to create the key with a forward slash in the directory name.

Key : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128

Any idea how to resolve this issue?

Thanks,
Aravinda

June 19, 2015 at 10:56 am

I know it is not intuitive. Change the forward slash to a backslash and it should work:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64\128

October 22, 2015 at 4:09 am

This needs explaining, as simply using a backslash instead of a forward slash wouldn't give the same result. It would split the last key name into two and try to treat it as an additional level in the hierarchy.

January 25, 2016 at 4:20 pm

Yes, please explain, I need help with this one too.

January 25, 2016 at 6:35 pm

I think this can be solved with OpenSubKey and CreateSubKey.

(I used the w32time service because ... I dunno ... I trust myself in there)

$writable = $true
# Get-Item on a registry path returns a Microsoft.Win32.RegistryKey. The .NET
# registry API only treats '\' as a separator, so the '/' stays in the subkey name.
$key = (Get-Item HKLM:\System\CurrentControlSet\Services\W32Time).OpenSubKey("Parameters", $writable).CreateSubKey("C:/test")
$key.SetValue("Item 1", "Value 1")
$key.Close()

That should build a subkey with a forward slash just fine.
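As an added example (my code, not code from the thread), here is the same .NET registry approach applied to the SCHANNEL cipher keys the original question is about. The function names Disable-SchannelCipher and Test-SchannelCipherDisabled are my own. It assumes an elevated 64-bit PowerShell session on a host where HKLM\...\SCHANNEL\Ciphers already exists, and it only writes the registry; SCHANNEL reads these keys at startup, so a reboot is still needed before the ciphers are actually disabled.

```powershell
# Added example: create SCHANNEL cipher keys whose names contain a literal '/'
# through the .NET registry API (which treats only '\' as a separator), then
# read the key list back to confirm no split into 'RC4 64' + '128' happened.
# Requires elevation. Assumption: the Ciphers key exists (it does by default).

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Disable-SchannelCipher {
    param(
        [Parameter(Mandatory)][string]$CipherName   # e.g. 'RC4 64/128'
    )
    # OpenSubKey($name, $writable) returns a writable handle to the Ciphers key.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if (-not $ciphers) { throw "Key not found: HKLM\$ciphersPath" }
    try {
        # CreateSubKey opens the key if it exists and creates it otherwise.
        # The '/' is part of the name here, not a path separator.
        $key = $ciphers.CreateSubKey($CipherName)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Dispose() }
    } finally { $ciphers.Dispose() }
}

function Test-SchannelCipherDisabled {
    param([Parameter(Mandatory)][string]$CipherName)
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    if (-not $ciphers) { return $false }
    try {
        # The subkey list must contain the slash form literally. If a stray key
        # named like the part before the '/' exists, some tool split the path.
        $names  = $ciphers.GetSubKeyNames()
        $parent = $CipherName.Split('/')[0]
        if ($names -notcontains $CipherName) { return $false }
        if ($parent -ne $CipherName -and $names -contains $parent) {
            Write-Warning "Stray key '$parent' exists; a path split probably occurred"
        }
        $key = $ciphers.OpenSubKey($CipherName)
        try { return ($key.GetValue('Enabled') -eq 0) } finally { $key.Dispose() }
    } finally { $ciphers.Dispose() }
}

# Usage: disable the RC4 cipher suites listed in the thread and verify each one.
foreach ($c in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    Disable-SchannelCipher -CipherName $c
    '{0,-12} disabled: {1}' -f $c, (Test-SchannelCipherDisabled -CipherName $c)
}
```

The check deliberately avoids Get-Item and Test-Path with a slash-containing path, since the PowerShell registry provider is the component that mis-parses the '/' in the first place; enumerating GetSubKeyNames() through the .NET API shows the exact names that ended up on disk.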

February 23, 2016 at 12:11 pm

You can escape the forward slash. For some reason, you need to use 4 backslashes. My guess is that the string goes through a couple of rounds of evaluation, getting escaped each time. This is what worked for us:

Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128\\\\/128'

August 30, 2016 at 7:00 pm

This is fixed in the latest xRegistry resource in the xPSDesiredStateConfiguration module. Just install this module and import the resources into your script. Below is an example that works without further scripting or escaping:

configuration SecureSSLConfiguration
{

    Import-DscResource -ModuleName xPSDesiredStateConfiguration

    node "localhost"
    {

        # TLS/SSL settings
        # https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

        xRegistry DisableSSLv3Server
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }

        xRegistry DisableSSLv3Client
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }

        xRegistry DisableTLSv1Server
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }

        xRegistry DisableTLSv1Client
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }
        # Microsoft security advisory: Update for disabling RC4
        # https://support.microsoft.com/en-us/kb/2868725

        xRegistry DisableRC4128
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }

        xRegistry DisableRC456
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }

        xRegistry DisableRC440
        {
            Key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128"
            ValueName = "Enabled"
            Ensure = "Present"
            ValueData = "0"
            ValueType = "Dword"
        }
    }
}
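As an added example (my code, not part of the thread or of the xPSDesiredStateConfiguration module), the script below reads back the SCHANNEL settings the configuration above is meant to enforce, so the result of Start-DscConfiguration can be audited independently of DSC's own Test-DscConfiguration. It uses the .NET API so that the cipher key names containing '/' are opened literally. The function name Get-SchannelAudit and the $expected table are my own, built from the key paths and values in the configuration above.

```powershell
# Added example: audit the SCHANNEL protocol and cipher keys set by the
# SecureSSLConfiguration above. Reads through the .NET registry API because
# the PowerShell registry provider treats '/' in 'RC4 128/128' as a separator.
# Runs read-only; no elevation needed. A missing key reports Actual = $null.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state: subkey relative to SCHANNEL -> expected 'Enabled' DWORD.
# Constructed from the xRegistry blocks in the configuration above.
$expected = [ordered]@{
    'Protocols\SSL 3.0\Server' = 0
    'Protocols\SSL 3.0\Client' = 0
    'Protocols\TLS 1.0\Server' = 0
    'Protocols\TLS 1.0\Client' = 0
    'Ciphers\RC4 128/128'      = 0
    'Ciphers\RC4 56/128'       = 0
    'Ciphers\RC4 40/128'       = 0
}

function Get-SchannelAudit {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannel)
    if (-not $root) { throw "Key not found: HKLM\$schannel" }
    try {
        foreach ($entry in $expected.GetEnumerator()) {
            # OpenSubKey takes a backslash-delimited relative path; the '/'
            # inside the cipher name is just a character in the key name.
            $key    = $root.OpenSubKey($entry.Key)
            $actual = if ($key) { $key.GetValue('Enabled') } else { $null }
            if ($key) { $key.Dispose() }
            [pscustomobject]@{
                Setting   = $entry.Key
                Expected  = $entry.Value
                Actual    = $actual
                Compliant = ($null -ne $actual -and $actual -eq $entry.Value)
            }
        }
    } finally { $root.Dispose() }
}

# Usage: print the table and flag anything that is missing or still enabled.
$audit = Get-SchannelAudit
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Compliant }) {
    Write-Warning 'SCHANNEL settings missing or not disabled; apply the configuration and reboot.'
}
```

Note that an absent key is not the same as a disabled one: with no 'Enabled' value present, SCHANNEL falls back to the OS default for that protocol or cipher, which is why the audit treats $null as non-compliant rather than as "disabled".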