cookbook 'windows_schannel', '~> 1.0.0'
windows_schannel (3) Versions 1.0.0 Follow3
Configures windows schannel security support provider (SSP). Use it to disable support for the protocols like SSL and the RC4 Cipher. One step towards meeting CIS PCI FIPS compliance.
cookbook 'windows_schannel', '~> 1.0.0', :supermarket
knife supermarket install windows_schannel
knife supermarket download windows_schannel
Windows Schannel Cookbook
Description
A cookbook to configure the windows Secure Channel (Schannel) security support provider (SSP).
This SSP contains a set of security protocols and ciphers suites commonly used for HTTPS communications. Many of the microsoft provided services and 3rd party software make use of Schannel for their communication so by removing support for a given protocol, removes it for all components.
This can be a double-edge sword, restricting a protocol might be fine for one service and end up breaking another.
Always make sure you test these settings before deploying into production as you could end up shooting yourself in the foot
Using this cookbook should help improve your security posture for the following microsoft services and help towards meeting regulatory compliance (PCI CIS FIPS)
- Internet Information Services (IIS)
- Microsoft Remote Desktop (RDP) when configured to use TLS
- LDAPS (Active Directory)
- Global Catalog SSL (Active Directory)
- WinRM/HTTPS (Windows Remote Management)
TODO : Insert image of external scan before and after.
Support for managing the following
Protocols
- Transport Layer Security (TLS) - v1.0, v1.1, v1.2
- Secure Socket Layer (SSL) - v2.0, v3.0
- Private Communications Technology (PCT) - v1.0
Cipher Suites
- NULL, DES, RC2, RC4, 3DES, AES
Hashes
- MD5, SHA
Key Exchanges
- Diffie-Hellman (DH)
Requirements
Platforms
- Windows Server 2008 (R1, R2)
- Windows Server 2012 (R1, R2)
Attributes
-
node['windows_schannel']['allow_reboot']
=false
changes made to protocols won't take affect until after a restart, this doesn't apply to ciphers and hashes. The default is false change this to true to initiate a reboot after the run.
Other than the allow_reboot
attribute all the others are controlled by either setting it to either enable
or disable
this is CaSe Sensitive
Protocols
-
node['windows_schannel']['pct_v1.0']
=disable
-
node['windows_schannel']['ssl_v2.0']
=disable
-
node['windows_schannel']['ssl_v3.0']
=disable
-
node['windows_schannel']['tls_v1.0']
=enable
-
node['windows_schannel']['tls_v1.1']
=enable
-
node['windows_schannel']['tls_v1.2']
=enable
Ciphers
-
node['windows_schannel']['cipher_null']
=disable
-
node['windows_schannel']['cipher_des']
=disable
-
node['windows_schannel']['cipher_rc2']
=disable
-
node['windows_schannel']['cipher_rc4']
=disable
-
node['windows_schannel']['cipher_3des']
=enable
-
node['windows_schannel']['cipher_aes']
=enable
Hashes
-
node['windows_schannel']['hash_md5']
=enable
-
node['windows_schannel']['hash_sha']
=enable
Key Exchanges
-
node['windows_schannel']['keyEx_dh']
=enable
License & Authors
- Author:: Gary Bright (digitalgaz@hotmail.com)
Copyright 2017, Gary Bright Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
windows_schannel Cookbook CHANGELOG
This file is used to list changes made in each version of the windows_schannel cookbook.
1.0.0 - (06-10-2017)
- Bumping Cookbook to a big 1.0.0. It's been used in production for over a year and I think it's in a strong shape, all functionatly tested.
0.4.1 - (06-10-2017)
- The registry key for the 3DES Cipher was incorrect and as a result wasn't managing it correctly
0.4.0 - (06-10-2017)
- Migrated the integration tests to inspec.
- Changed some of the wording of the ChefSpec Tests
0.3.0 - (06-10-2017)
- Corrected ChefSpec errors, warnings and now has 100% coverage
0.2.0 - (06-10-2017)
- Refreshed cookbook metadata, corrected unit & chef style linting errors
0.1.4 - (19-09-2016)
- Added RC4 128/128 to the RC4 cipher suite with RC4 128/128 unit test (Thank You @brianbohanon)
0.1.3 - (20-06-2016)
- Changed the description to make it easyer to understand what it does in the supermarket
0.1.2 - (17-06-2016)
- Fixed some typo's in the README ready for relase to the supermarket.
v0.1.1 (16-06-2016)
- Changed the attribute values to make it easier to read rather than 1 or 0, means it is now caSe sensitive but I think its worth the trade off as its easier to interpret
- Added support for Hashes (MD5 and SHA) and Keyexchanges (DH)
- Refactored the ciphers to loop based on foodcritic
- Added reboot notifier for protocol changes.
v0.1.0 (20-04-2016)
- Building the framework of the cookbook.
Collaborator Number Metric
1.0.0 passed this metric
Contributing File Metric
1.0.0 passed this metric
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 passed this metric
1.0.0 passed this metric
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 passed this metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 passed this metric
1.0.0 passed this metric