# Unsichere Protokolle deaktivieren; Sichere aktivieren
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 3.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("SSL 2.0\Client")
$key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.0\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.1\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("TLS 1.2\Server")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2", $true).CreateSubKey("Client")
$key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key.SetValue("DisabledByDefault", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("Multi-Protocol Unified Hello\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true).CreateSubKey("PCT 1.0\Server")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("AllowInsecureRenegoClients", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols", $true)
$key.SetValue("DisableRenegoOnServer", 1, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Unsichere Cipher deaktivieren (Win XP / >IE8); Sichere aktivieren
# Unsicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Ciphers\NULL")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("DES 56\56")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 40\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 56\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC2 128\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 40\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 56\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 64\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("RC4 128\128")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 128\128")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("AES 256\256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", $true).CreateSubKey("Triple DES 168\168")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Unsichere Hashes deaktivieren; Sichere aktivieren
# Unsicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("Hashes\MD5")
$key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicher
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA256")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA384")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes", $true).CreateSubKey("SHA512")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# Sicheren Schlüsselaustausch aktivieren
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true).CreateSubKey("KeyExchangeAlgorithms\Diffie-Hellman")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("PKCS")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)
$key = (get-item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms", $true).CreateSubKey("ECDH")
$key.SetValue("Enabled", 0xffffffff, [Microsoft.Win32.RegistryValueKind]::DWORD)

# PFS Aktivieren
$key = (get-item HKLM:\).OpenSubKey("SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL", $true).CreateSubKey("00010002")
$key.SetValue("Functions", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA")