I found a script online. I have included the script below. It works when I run it manually. However, I am wanting to create a GP that runs it at startup. So I will need to configure the script to elevate itself.
```powershell
<#
.Synopsis
    Solve Sweet32 Short description
.DESCRIPTION
    Long description
.EXAMPLE
    Example of how to use this cmdlet
.EXAMPLE
    Another example of how to use this cmdlet
.INPUTS
    Inputs to this cmdlet (if any)
.OUTPUTS
    Output from this cmdlet (if any)
.NOTES
    General notes
.COMPONENT
    The component this cmdlet belongs to
.ROLE
    The role this cmdlet belongs to
.FUNCTIONALITY
    The functionality that best describes this cmdlet

#>

[CmdletBinding()]
param(
    [Parameter(position=0,Mandatory=$false)][ValidateSet("SWEET32","TLS1.0","Both")]$Solve="Both"
)

function Write-Log{
    [CmdletBinding()]
    #[Alias('wl')]
    [OutputType([int])]
    Param(
        # The string to be written to the log.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [Alias("LogContent")]
        [string]$Message,

        # The path to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [Alias('LogPath')]
        [string]$Path=$DefaultLog,

        # Severity; selects the console colour and the tag written to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet("Error","Warn","Info","Load","Execute")]
        [string]$Level="Info",

        [Parameter(Mandatory=$false)]
        [switch]$NoClobber
    )

    Process{
        if ((Test-Path $Path) -AND $NoClobber) {
            Write-Warning "Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name."
            Return
        }

        # If attempting to write to a log file in a folder/path that doesn't exist
        # to create the file include path.
        elseif (!(Test-Path $Path)) {
            Write-Verbose "Creating $Path."
            $NewLogFile = New-Item $Path -Force -ItemType File
        }

        else {
            # Nothing to see here yet.
        }

        # Now do the logging and additional output based on $Level
        switch ($Level) {
            'Error' {
                Write-Host $Message -ForegroundColor Red
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") ERROR: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Warn' {
                Write-Warning $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") WARNING: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Info' {
                Write-Host $Message -ForegroundColor Green
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") INFO: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Load' {
                Write-Host $Message -ForegroundColor Magenta
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") LOAD: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Execute' {
                Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") EXEC: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
        }
    }
}

# Returns $true when the named value exists and is 0 (cipher already disabled),
# $false when it is missing or set to anything else.
function Test-RegistryValue {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # The value does not exist yet, so the caller still has to create it.
        return $false
    }
}
function Test-RegistryProperty {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # Missing value: report "not yet set to 0".
        return $false
    }
}

$Global:CleanUpGlobal=@()
$Global:CleanUpVar=@()

$global:ScriptLocation = $(get-location).Path
$global:DefaultLog = "$global:ScriptLocation\Sweet32.log"

$Global:CleanUpGlobal+="ScriptLocation"
$Global:CleanUpGlobal+="DefaultLog"
################################################################################SWEET32######################################################################
### Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ###
################################################################################SWEET32######################################################################

if( ($Solve -eq "Both") -or ($Solve -eq "SWEET32") ){
    Write-Log -Level Load -Message "Solving vulnerability --> SWEET32"

    $TripleDES168="HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168"
    $testkey = Test-path $TripleDES168

    #Create Key Triple DES 168 (A key is a folder in the registry)
    if(!$testkey){
        Write-Log -Level info -Message "Creating Key $TripleDES168"
        New-Item -Path $TripleDES168 -Force | Out-Null
    }
    else{
        Write-Log -Level Warn -Message "The key already exists ($TripleDES168)"
    }

    #Create The property "Enabled" with value 0
    $testentry= Test-RegistryValue -Path $TripleDES168 -Value "Enabled"
    if(!$testentry){
        Write-Log -Level Info -Message "Creating new Enabled Property with value 0"
        New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name "Enabled" -Value 0 -Force | Out-Null
    }
    else{
        Write-Log -Level Info -Message "The registry entry with property enabled = 0, already exists"
    }
}

#############################################################################################################################################################
# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128',
    'Triple DES 168'
)
Foreach ($insecureCipher in $insecureCiphers) {
    # The .NET registry API is used here because the cipher names contain '/'.
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    $key.SetValue('Enabled', 0, 'DWord')
    $key.close()
    Write-Host "Weak cipher $insecureCipher has been disabled."
}
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
    'AES 128/128',
    'AES 256/256'
)
Foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Strong cipher $secureCipher has been enabled."
}

# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)
Foreach ($secureHash in $secureHashes) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Hash $secureHash has been enabled."
}

# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
    'Diffie-Hellman',
    'ECDH',
    'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}

# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
Write-Host 'Configure longer DHE key shares for TLS servers.'
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null

# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
```
I have read online about using the following

```powershell
Start-Process powershell -Verb runAs
```
or

```powershell
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}
```

I am just not sure where they need to be added to the script.
I have tried both
```powershell
<#
.Synopsis
    Solve Sweet32 Short description
.DESCRIPTION
    Long description
.EXAMPLE
    Example of how to use this cmdlet
.EXAMPLE
    Another example of how to use this cmdlet
.INPUTS
    Inputs to this cmdlet (if any)
.OUTPUTS
    Output from this cmdlet (if any)
.NOTES
    General notes
.COMPONENT
    The component this cmdlet belongs to
.ROLE
    The role this cmdlet belongs to
.FUNCTIONALITY
    The functionality that best describes this cmdlet

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

{
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}

#>

[CmdletBinding()]
param(
    [Parameter(position=0,Mandatory=$false)][ValidateSet("SWEET32","TLS1.0","Both")]$Solve="Both"
)

function Write-Log{
    [CmdletBinding()]
    #[Alias('wl')]
    [OutputType([int])]
    Param(
        # The string to be written to the log.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [Alias("LogContent")]
        [string]$Message,

        # The path to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [Alias('LogPath')]
        [string]$Path=$DefaultLog,

        # Severity; selects the console colour and the tag written to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet("Error","Warn","Info","Load","Execute")]
        [string]$Level="Info",

        [Parameter(Mandatory=$false)]
        [switch]$NoClobber
    )

    Process{
        if ((Test-Path $Path) -AND $NoClobber) {
            Write-Warning "Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name."
            Return
        }

        # If attempting to write to a log file in a folder/path that doesn't exist
        # to create the file include path.
        elseif (!(Test-Path $Path)) {
            Write-Verbose "Creating $Path."
            $NewLogFile = New-Item $Path -Force -ItemType File
        }

        else {
            # Nothing to see here yet.
        }

        # Now do the logging and additional output based on $Level
        switch ($Level) {
            'Error' {
                Write-Host $Message -ForegroundColor Red
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") ERROR: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Warn' {
                Write-Warning $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") WARNING: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Info' {
                Write-Host $Message -ForegroundColor Green
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") INFO: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Load' {
                Write-Host $Message -ForegroundColor Magenta
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") LOAD: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Execute' {
                Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") EXEC: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
        }
    }
}

# Returns $true when the named value exists and is 0 (cipher already disabled),
# $false when it is missing or set to anything else.
function Test-RegistryValue {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # The value does not exist yet, so the caller still has to create it.
        return $false
    }
}
function Test-RegistryProperty {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # Missing value: report "not yet set to 0".
        return $false
    }
}

$Global:CleanUpGlobal=@()
$Global:CleanUpVar=@()

$global:ScriptLocation = $(get-location).Path
$global:DefaultLog = "$global:ScriptLocation\Sweet32.log"

$Global:CleanUpGlobal+="ScriptLocation"
$Global:CleanUpGlobal+="DefaultLog"
################################################################################SWEET32######################################################################
### Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ###
################################################################################SWEET32######################################################################

if( ($Solve -eq "Both") -or ($Solve -eq "SWEET32") ){
    Write-Log -Level Load -Message "Solving vulnerability --> SWEET32"

    $TripleDES168="HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168"
    $testkey = Test-path $TripleDES168

    #Create Key Triple DES 168 (A key is a folder in the registry)
    if(!$testkey){
        Write-Log -Level info -Message "Creating Key $TripleDES168"
        New-Item -Path $TripleDES168 -Force | Out-Null
    }
    else{
        Write-Log -Level Warn -Message "The key already exists ($TripleDES168)"
    }

    #Create The property "Enabled" with value 0
    $testentry= Test-RegistryValue -Path $TripleDES168 -Value "Enabled"
    if(!$testentry){
        Write-Log -Level Info -Message "Creating new Enabled Property with value 0"
        New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name "Enabled" -Value 0 -Force | Out-Null
    }
    else{
        Write-Log -Level Info -Message "The registry entry with property enabled = 0, already exists"
    }
}

#############################################################################################################################################################
# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128',
    'Triple DES 168'
)
Foreach ($insecureCipher in $insecureCiphers) {
    # The .NET registry API is used here because the cipher names contain '/'.
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    $key.SetValue('Enabled', 0, 'DWord')
    $key.close()
    Write-Host "Weak cipher $insecureCipher has been disabled."
}
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
    'AES 128/128',
    'AES 256/256'
)
Foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Strong cipher $secureCipher has been enabled."
}

# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)
Foreach ($secureHash in $secureHashes) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Hash $secureHash has been enabled."
}

# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
    'Diffie-Hellman',
    'ECDH',
    'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}

# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
Write-Host 'Configure longer DHE key shares for TLS servers.'
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null

# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
```

and
```powershell
<#
.Synopsis
    Solve Sweet32 Short description
.DESCRIPTION
    Long description
.EXAMPLE
    Example of how to use this cmdlet
.EXAMPLE
    Another example of how to use this cmdlet
.INPUTS
    Inputs to this cmdlet (if any)
.OUTPUTS
    Output from this cmdlet (if any)
.NOTES
    General notes
.COMPONENT
    The component this cmdlet belongs to
.ROLE
    The role this cmdlet belongs to
.FUNCTIONALITY
    The functionality that best describes this cmdlet

Start-Process powershell -Verb runAs

#>

[CmdletBinding()]
param(
    [Parameter(position=0,Mandatory=$false)][ValidateSet("SWEET32","TLS1.0","Both")]$Solve="Both"
)

function Write-Log{
    [CmdletBinding()]
    #[Alias('wl')]
    [OutputType([int])]
    Param(
        # The string to be written to the log.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [Alias("LogContent")]
        [string]$Message,

        # The path to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        [Alias('LogPath')]
        [string]$Path=$DefaultLog,

        # Severity; selects the console colour and the tag written to the log file.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        [ValidateSet("Error","Warn","Info","Load","Execute")]
        [string]$Level="Info",

        [Parameter(Mandatory=$false)]
        [switch]$NoClobber
    )

    Process{
        if ((Test-Path $Path) -AND $NoClobber) {
            Write-Warning "Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name."
            Return
        }

        # If attempting to write to a log file in a folder/path that doesn't exist
        # to create the file include path.
        elseif (!(Test-Path $Path)) {
            Write-Verbose "Creating $Path."
            $NewLogFile = New-Item $Path -Force -ItemType File
        }

        else {
            # Nothing to see here yet.
        }

        # Now do the logging and additional output based on $Level
        switch ($Level) {
            'Error' {
                Write-Host $Message -ForegroundColor Red
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") ERROR: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Warn' {
                Write-Warning $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") WARNING: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Info' {
                Write-Host $Message -ForegroundColor Green
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") INFO: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Load' {
                Write-Host $Message -ForegroundColor Magenta
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") LOAD: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
            'Execute' {
                Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue
                Write-Verbose $Message
                Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") EXEC: `t $Message" | Out-File -FilePath $Path -Append
                break;
            }
        }
    }
}

# Returns $true when the named value exists and is 0 (cipher already disabled),
# $false when it is missing or set to anything else.
function Test-RegistryValue {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # The value does not exist yet, so the caller still has to create it.
        return $false
    }
}
function Test-RegistryProperty {
    param (
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value
    )
    try{
        if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){
            return $true
        }
        return $false
    }
    catch{
        # Missing value: report "not yet set to 0".
        return $false
    }
}

$Global:CleanUpGlobal=@()
$Global:CleanUpVar=@()

$global:ScriptLocation = $(get-location).Path
$global:DefaultLog = "$global:ScriptLocation\Sweet32.log"

$Global:CleanUpGlobal+="ScriptLocation"
$Global:CleanUpGlobal+="DefaultLog"
################################################################################SWEET32######################################################################
### Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ###
################################################################################SWEET32######################################################################

if( ($Solve -eq "Both") -or ($Solve -eq "SWEET32") ){
    Write-Log -Level Load -Message "Solving vulnerability --> SWEET32"

    $TripleDES168="HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168"
    $testkey = Test-path $TripleDES168

    #Create Key Triple DES 168 (A key is a folder in the registry)
    if(!$testkey){
        Write-Log -Level info -Message "Creating Key $TripleDES168"
        New-Item -Path $TripleDES168 -Force | Out-Null
    }
    else{
        Write-Log -Level Warn -Message "The key already exists ($TripleDES168)"
    }

    #Create The property "Enabled" with value 0
    $testentry= Test-RegistryValue -Path $TripleDES168 -Value "Enabled"
    if(!$testentry){
        Write-Log -Level Info -Message "Creating new Enabled Property with value 0"
        New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name "Enabled" -Value 0 -Force | Out-Null
    }
    else{
        Write-Log -Level Info -Message "The registry entry with property enabled = 0, already exists"
    }
}

#############################################################################################################################################################
# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128',
    'Triple DES 168'
)
Foreach ($insecureCipher in $insecureCiphers) {
    # The .NET registry API is used here because the cipher names contain '/'.
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    $key.SetValue('Enabled', 0, 'DWord')
    $key.close()
    Write-Host "Weak cipher $insecureCipher has been disabled."
}
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
    'AES 128/128',
    'AES 256/256'
)
Foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Strong cipher $secureCipher has been enabled."
}

# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)
Foreach ($secureHash in $secureHashes) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Hash $secureHash has been enabled."
}

# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
    'Diffie-Hellman',
    'ECDH',
    'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}

# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
Write-Host 'Configure longer DHE key shares for TLS servers.'
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null

# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-dif...
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null
```

Both don't seem to work.

Posted by jeffbearden2425 on 2020-02-28.
I found a script online. I have included the script below. It works when i run it manually. However, I am wanting to create a GP that runs it at startup. So i will need to configure the script to elevate itself.<\/p>\n
<#\n.Synopsis\n Solve Sweet32 Short description\n.DESCRIPTION\n Long description\n.EXAMPLE\n Example of how to use this cmdlet\n.EXAMPLE\n Another example of how to use this cmdlet\n.INPUTS\n Inputs to this cmdlet (if any)\n.OUTPUTS\n Output from this cmdlet (if any)\n.NOTES\n General notes\n.COMPONENT\n The component this cmdlet belongs to\n.ROLE\n The role this cmdlet belongs to\n.FUNCTIONALITY\n The functionality that best describes this cmdlet\n\n#>\n\n[CmdletBinding()]\nparam(\n [Parameter(position=0,Mandatory=$false)][ValidateSet(\"SWEET32\",\"TLS1.0\",\"Both\")]$Solve=\"Both\"\n)\n\nfunction Write-Log{\n [CmdletBinding()]\n #[Alias('wl')]\n [OutputType([int])]\n Param(\n # The string to be written to the log.\n [Parameter(Mandatory=$true,\n ValueFromPipelineByPropertyName=$true,\n Position=0)]\n [ValidateNotNullOrEmpty()]\n [Alias(\"LogContent\")]\n [string]$Message,\n\n # The path to the log file.\n [Parameter(Mandatory=$false,\n ValueFromPipelineByPropertyName=$true,\n Position=1)]\n [Alias('LogPath')]\n [string]$Path=$DefaultLog,\n\n [Parameter(Mandatory=$false,\n ValueFromPipelineByPropertyName=$true,\n Position=2)]\n [ValidateSet(\"Error\",\"Warn\",\"Info\",\"Load\",\"Execute\")]\n [string]$Level=\"Info\",\n\n [Parameter(Mandatory=$false)]\n [switch]$NoClobber\n )\n\n \n Process{\n \n if ((Test-Path $Path) -AND $NoClobber) {\n Write-Warning \"Log file $Path already exists, and you specified NoClobber. 
Either delete the file or specify a different name.\"\n Return\n }\n\n # If attempting to write to a log file in a folder/path that doesn't exist\n # to create the file include path.\n elseif (!(Test-Path $Path)) {\n Write-Verbose \"Creating $Path.\"\n $NewLogFile = New-Item $Path -Force -ItemType File\n }\n\n else {\n # Nothing to see here yet.\n }\n\n # Now do the logging and additional output based on $Level\n switch ($Level) {\n 'Error' {\n Write-Host $Message -ForegroundColor Red\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") ERROR: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Warn' {\n Write-Warning $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") WARNING: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Info' {\n Write-Host $Message -ForegroundColor Green\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") INFO: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Load' {\n Write-Host $Message -ForegroundColor Magenta\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") LOAD: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Execute' {\n Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") EXEC: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n }\n }\n}\nfunction Test-RegistryValue {\n param (\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value\n )\n try{\n if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){\n return $true\n }\n return $false\n }\n catch{\n return $true\n }\n}\nfunction Test-RegistryProperty {\n param (\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value\n )\n try{\n 
if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){\n return $true\n }\n return $false\n }\n catch{\n return $true\n }\n}\n\n$Global:CleanUpGlobal=@()\n$Global:CleanUpVar=@()\n\n$global:ScriptLocation = $(get-location).Path\n$global:DefaultLog = \"$global:ScriptLocation\\Sweet32.log\"\n\n$Global:CleanUpGlobal+=\"ScriptLocation\"\n$Global:CleanUpGlobal+=\"DefaultLog\"\n################################################################################SWEET32######################################################################\n### Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ### \n################################################################################SWEET32######################################################################\n\nif( ($Solve -eq \"Both\") -or ($Solve -eq \"SWEET32\") ){\n Write-Log -Level Load -Message \"Solving vulnerability --> SWEET32\"\n\n $TripleDES168=\"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\Triple DES 168/168\"\n $testkey = Test-path $TripleDES168\n\n #Create Key Triple DES 168 (A key is a folder in the registry)\n if(!$testkey){\n Write-Log -Level info -Message \"Creating Key $TripleDES168\"\n New-Item -Path $TripleDES168 -Force | Out-Null\n }\n else{\n Write-Log -Level Warn -Message \"They key already exits ($TripleDES168)\"\n }\n \n #Create The property \"Enabled\" with value 0\n $testentry= Test-RegistryValue -Path $TripleDES168 -Value \"Enabled\"\n if(!$testentry){\n Write-Log -Level Info -Message \"Creating new Enabled Property with value 0\"\n New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name \"Enabled\" -Value 0 -Force | Out-Null\n }\n else{\n Write-Log -Level Info -Message \"The registry entry with property enabled = 0, already exists\"\n 
}\n}\n\n#############################################################################################################################################################\n# Add and Disable TLS 1.1 for client and server SCHANNEL communications\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null\nWrite-Host 'TLS 1.1 has been disabled.'\n\n# Re-create the ciphers key.\nNew-Item 'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers' -Force | Out-Null\n \n# Disable insecure/weak ciphers.\n$insecureCiphers = @(\n 'DES 56/56',\n 'NULL',\n 'RC2 128/128',\n 'RC2 40/128',\n 'RC2 56/128',\n 'RC4 40/128',\n 'RC4 56/128',\n 'RC4 64/128',\n 'RC4 128/128',\n 'Triple DES 168'\n )\nForeach ($insecureCipher in $insecureCiphers) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers', $true).CreateSubKey($insecureCipher)\n $key.SetValue('Enabled', 0, 'DWord')\n $key.close()\n Write-Host \"Weak cipher $insecureCipher has been 
disabled.\"\n}\n# Enable new secure ciphers.\n# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.\n# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.\n# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030\n$secureCiphers = @(\n 'AES 128/128',\n 'AES 256/256'\n)\nForeach ($secureCipher in $secureCiphers) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers', $true).CreateSubKey($secureCipher)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\$secureCipher\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"Strong cipher $secureCipher has been enabled.\"\n}\n \n# Set hashes configuration.\nNew-Item 'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes' -Force | Out-Null\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\MD5' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null\n \n$secureHashes = @(\n 'SHA',\n 'SHA256',\n 'SHA384',\n 'SHA512'\n)\nForeach ($secureHash in $secureHashes) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes', $true).CreateSubKey($secureHash)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\$secureHash\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"Hash $secureHash has been enabled.\"\n}\n \n# Set KeyExchangeAlgorithms configuration.\nNew-Item 
'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms' -Force | Out-Null\n$secureKeyExchangeAlgorithms = @(\n 'Diffie-Hellman',\n 'ECDH',\n 'PKCS'\n)\nForeach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\$secureKeyExchangeAlgorithm\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled.\"\n}\n \n# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange\n# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644\nWrite-Host 'Configure longer DHE key shares for TLS servers.'\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\n \n# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\PKCS\" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\n \n\n<\/code><\/pre>\nI have read online about using the following<\/p>\n
Start-Process powershell -Verb runAs\n<\/code><\/pre>\nor<\/p>\n
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\"))\n\n{ \n$arguments = \"& '\" + $myinvocation.mycommand.definition + \"'\"\nStart-Process powershell -Verb runAs -ArgumentList $arguments\nBreak\n}\n<\/code><\/pre>\nI am just not sure where they need to added to the script.<\/p>\n
I have tried both<\/p>\n
<#\n.Synopsis\n Solve Sweet32 Short description\n.DESCRIPTION\n Long description\n.EXAMPLE\n Example of how to use this cmdlet\n.EXAMPLE\n Another example of how to use this cmdlet\n.INPUTS\n Inputs to this cmdlet (if any)\n.OUTPUTS\n Output from this cmdlet (if any)\n.NOTES\n General notes\n.COMPONENT\n The component this cmdlet belongs to\n.ROLE\n The role this cmdlet belongs to\n.FUNCTIONALITY\n The functionality that best describes this cmdlet\n\nIf (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] \"Administrator\"))\n\n{ \n$arguments = \"& '\" + $myinvocation.mycommand.definition + \"'\"\nStart-Process powershell -Verb runAs -ArgumentList $arguments\nBreak\n}\n\n#>\n\n[CmdletBinding()]\nparam(\n [Parameter(position=0,Mandatory=$false)][ValidateSet(\"SWEET32\",\"TLS1.0\",\"Both\")]$Solve=\"Both\"\n)\n\nfunction Write-Log{\n [CmdletBinding()]\n #[Alias('wl')]\n [OutputType([int])]\n Param(\n # The string to be written to the log.\n [Parameter(Mandatory=$true,\n ValueFromPipelineByPropertyName=$true,\n Position=0)]\n [ValidateNotNullOrEmpty()]\n [Alias(\"LogContent\")]\n [string]$Message,\n\n # The path to the log file.\n [Parameter(Mandatory=$false,\n ValueFromPipelineByPropertyName=$true,\n Position=1)]\n [Alias('LogPath')]\n [string]$Path=$DefaultLog,\n\n [Parameter(Mandatory=$false,\n ValueFromPipelineByPropertyName=$true,\n Position=2)]\n [ValidateSet(\"Error\",\"Warn\",\"Info\",\"Load\",\"Execute\")]\n [string]$Level=\"Info\",\n\n [Parameter(Mandatory=$false)]\n [switch]$NoClobber\n )\n\n \n Process{\n \n if ((Test-Path $Path) -AND $NoClobber) {\n Write-Warning \"Log file $Path already exists, and you specified NoClobber. 
Either delete the file or specify a different name.\"\n Return\n }\n\n # If attempting to write to a log file in a folder/path that doesn't exist\n # to create the file include path.\n elseif (!(Test-Path $Path)) {\n Write-Verbose \"Creating $Path.\"\n $NewLogFile = New-Item $Path -Force -ItemType File\n }\n\n else {\n # Nothing to see here yet.\n }\n\n # Now do the logging and additional output based on $Level\n switch ($Level) {\n 'Error' {\n Write-Host $Message -ForegroundColor Red\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") ERROR: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Warn' {\n Write-Warning $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") WARNING: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Info' {\n Write-Host $Message -ForegroundColor Green\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") INFO: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Load' {\n Write-Host $Message -ForegroundColor Magenta\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") LOAD: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n 'Execute' {\n Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue\n Write-Verbose $Message\n Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") EXEC: `t $Message\" | Out-File -FilePath $Path -Append\n break;\n }\n }\n }\n}\nfunction Test-RegistryValue {\n param (\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value\n )\n try{\n if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){\n return $true\n }\n return $false\n }\n catch{\n return $true\n }\n}\nfunction Test-RegistryProperty {\n param (\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path,\n [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value\n )\n try{\n 
if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){\n return $true\n }\n return $false\n }\n catch{\n return $true\n }\n}\n\n$Global:CleanUpGlobal=@()\n$Global:CleanUpVar=@()\n\n$global:ScriptLocation = $(get-location).Path\n$global:DefaultLog = \"$global:ScriptLocation\\Sweet32.log\"\n\n$Global:CleanUpGlobal+=\"ScriptLocation\"\n$Global:CleanUpGlobal+=\"DefaultLog\"\n################################################################################SWEET32######################################################################\n### Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ### \n################################################################################SWEET32######################################################################\n\nif( ($Solve -eq \"Both\") -or ($Solve -eq \"SWEET32\") ){\n Write-Log -Level Load -Message \"Solving vulnerability --> SWEET32\"\n\n $TripleDES168=\"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\Triple DES 168/168\"\n $testkey = Test-path $TripleDES168\n\n #Create Key Triple DES 168 (A key is a folder in the registry)\n if(!$testkey){\n Write-Log -Level info -Message \"Creating Key $TripleDES168\"\n New-Item -Path $TripleDES168 -Force | Out-Null\n }\n else{\n Write-Log -Level Warn -Message \"They key already exits ($TripleDES168)\"\n }\n \n #Create The property \"Enabled\" with value 0\n $testentry= Test-RegistryValue -Path $TripleDES168 -Value \"Enabled\"\n if(!$testentry){\n Write-Log -Level Info -Message \"Creating new Enabled Property with value 0\"\n New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name \"Enabled\" -Value 0 -Force | Out-Null\n }\n else{\n Write-Log -Level Info -Message \"The registry entry with property enabled = 0, already exists\"\n 
}\n}\n\n#############################################################################################################################################################\n# Add and Disable TLS 1.1 for client and server SCHANNEL communications\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null\nWrite-Host 'TLS 1.1 has been disabled.'\n\n# Re-create the ciphers key.\nNew-Item 'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers' -Force | Out-Null\n \n# Disable insecure/weak ciphers.\n$insecureCiphers = @(\n 'DES 56/56',\n 'NULL',\n 'RC2 128/128',\n 'RC2 40/128',\n 'RC2 56/128',\n 'RC4 40/128',\n 'RC4 56/128',\n 'RC4 64/128',\n 'RC4 128/128',\n 'Triple DES 168'\n )\nForeach ($insecureCipher in $insecureCiphers) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers', $true).CreateSubKey($insecureCipher)\n $key.SetValue('Enabled', 0, 'DWord')\n $key.close()\n Write-Host \"Weak cipher $insecureCipher has been 
disabled.\"\n}\n# Enable new secure ciphers.\n# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.\n# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.\n# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030\n$secureCiphers = @(\n 'AES 128/128',\n 'AES 256/256'\n)\nForeach ($secureCipher in $secureCiphers) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers', $true).CreateSubKey($secureCipher)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\$secureCipher\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"Strong cipher $secureCipher has been enabled.\"\n}\n \n# Set hashes configuration.\nNew-Item 'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes' -Force | Out-Null\nNew-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\MD5' -Force | Out-Null\nNew-ItemProperty -path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null\n \n$secureHashes = @(\n 'SHA',\n 'SHA256',\n 'SHA384',\n 'SHA512'\n)\nForeach ($secureHash in $secureHashes) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes', $true).CreateSubKey($secureHash)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\$secureHash\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"Hash $secureHash has been enabled.\"\n}\n \n# Set KeyExchangeAlgorithms configuration.\nNew-Item 
'HKLM:SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms' -Force | Out-Null\n$secureKeyExchangeAlgorithms = @(\n 'Diffie-Hellman',\n 'ECDH',\n 'PKCS'\n)\nForeach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {\n $key = (Get-Item HKLM:\\).OpenSubKey('SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)\n New-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\$secureKeyExchangeAlgorithm\" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null\n $key.close()\n Write-Host \"KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled.\"\n}\n \n# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange\n# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644\nWrite-Host 'Configure longer DHE key shares for TLS servers.'\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\" -name 'ServerMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\n \n# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc\nNew-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\PKCS\" -name 'ClientMinKeyBitLength' -value '2048' -PropertyType 'DWord' -Force | Out-Null\n \n\n<\/code><\/pre>\nand<\/p>\n
<#.Synopsis Solve Sweet32 Short description.DESCRIPTION Long description.EXAMPLE Example of how to use this cmdlet.EXAMPLE Another example of how to use this cmdlet.INPUTS Inputs to this cmdlet (if any).OUTPUTS Output from this cmdlet (if any).NOTES General notes.COMPONENT The component this cmdlet belongs to.ROLE The role this cmdlet belongs to.FUNCTIONALITY The functionality that best describes this cmdlet\n\nStart-Process powershell -Verb runAs\n\n#>[CmdletBinding()]param( [Parameter(position=0,Mandatory=$false)][ValidateSet(\"SWEET32\",\"TLS1.0\",\"Both\")]$Solve=\"Both\")function Write-Log{ [CmdletBinding()] #[Alias('wl')] [OutputType([int])] Param( # The string to be written to the log. [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)] [ValidateNotNullOrEmpty()] [Alias(\"LogContent\")] [string]$Message, # The path to the log file. [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName=$true, Position=1)] [Alias('LogPath')] [string]$Path=$DefaultLog, [Parameter(Mandatory=$false, ValueFromPipelineByPropertyName=$true, Position=2)] [ValidateSet(\"Error\",\"Warn\",\"Info\",\"Load\",\"Execute\")] [string]$Level=\"Info\", [Parameter(Mandatory=$false)] [switch]$NoClobber ) Process{ if ((Test-Path $Path) -AND $NoClobber) { Write-Warning \"Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name.\" Return } # If attempting to write to a log file in a folder/path that doesn't exist # to create the file include path. elseif (!(Test-Path $Path)) { Write-Verbose \"Creating $Path.\" $NewLogFile = New-Item $Path -Force -ItemType File } else { # Nothing to see here yet. 
} # Now do the logging and additional output based on $Level switch ($Level) { 'Error' { Write-Host $Message -ForegroundColor Red Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") ERROR: `t $Message\" | Out-File -FilePath $Path -Append break; } 'Warn' { Write-Warning $Message Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") WARNING: `t $Message\" | Out-File -FilePath $Path -Append break; } 'Info' { Write-Host $Message -ForegroundColor Green Write-Verbose $Message Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") INFO: `t $Message\" | Out-File -FilePath $Path -Append break; } 'Load' { Write-Host $Message -ForegroundColor Magenta Write-Verbose $Message Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") LOAD: `t $Message\" | Out-File -FilePath $Path -Append break; } 'Execute' { Write-Host $Message -ForegroundColor Cyan -BackgroundColor DarkBlue Write-Verbose $Message Write-Output \"$(Get-Date -Format \"yyyy-MM-dd HH:mm:ss\") EXEC: `t $Message\" | Out-File -FilePath $Path -Append break; } } }}function Test-RegistryValue { param ( [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path, [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value ) try{ if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop) -eq 0 ){ return $true } return $false } catch{ return $true }}function Test-RegistryProperty { param ( [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Path, [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$Value ) try{ if( (Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value) -eq 0 ){ return $true } return $false } catch{ return $true }}$Global:CleanUpGlobal=@()$Global:CleanUpVar=@()$global:ScriptLocation = $(get-location).Path$global:DefaultLog = 
```powershell
"$global:ScriptLocation\Sweet32.log"
$Global:CleanUpGlobal += "ScriptLocation"
$Global:CleanUpGlobal += "DefaultLog"

################################################################################SWEET32#########################################################################
# Source : https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/ ###
################################################################################SWEET32######################################################################
if ( ($Solve -eq "Both") -or ($Solve -eq "SWEET32") ) {
    Write-Log -Level Load -Message "Solving vulnerability --> SWEET32"
    $TripleDES168 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168"
    $testkey = Test-Path $TripleDES168
    # Create Key Triple DES 168 (A key is a folder in the registry)
    if (!$testkey) {
        Write-Log -Level Info -Message "Creating Key $TripleDES168"
        New-Item -Path $TripleDES168 -Force | Out-Null
    }
    else {
        Write-Log -Level Warn -Message "The key already exists ($TripleDES168)"
    }
    # Create the property "Enabled" with value 0
    $testentry = Test-RegistryValue -Path $TripleDES168 -Value "Enabled"
    if (!$testentry) {
        Write-Log -Level Info -Message "Creating new Enabled Property with value 0"
        New-ItemProperty -PropertyType DWORD -Path $TripleDES168 -Name "Enabled" -Value 0 -Force | Out-Null
    }
    else {
        Write-Log -Level Info -Message "The registry entry with property enabled = 0, already exists"
    }
}

##############################################################################################################################################################
# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

# Re-create the ciphers key.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.
$insecureCiphers = @( 'DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168' )
foreach ($insecureCipher in $insecureCiphers) {
    # The .NET API is used here because the HKLM: provider treats '/' as a path separator.
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    $key.SetValue('Enabled', 0, 'DWord')
    $key.Close()
    Write-Host "Weak cipher $insecureCipher has been disabled."
}

# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @( 'AES 128/128', 'AES 256/256' )
foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.Close()
    Write-Host "Strong cipher $secureCipher has been enabled."
}

# Set hashes configuration.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @( 'SHA', 'SHA256', 'SHA384', 'SHA512' )
foreach ($secureHash in $secureHashes) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.Close()
    Write-Host "Hash $secureHash has been enabled."
}

# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @( 'Diffie-Hellman', 'ECDH', 'PKCS' )
foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.Close()
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}

# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
Write-Host 'Configure longer DHE key shares for TLS servers.'
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -Name 'ServerMinKeyBitLength' -Value '2048' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" -Name 'ClientMinKeyBitLength' -Value '2048' -PropertyType 'DWord' -Force | Out-Null
# https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-dif...
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" -Name 'ClientMinKeyBitLength' -Value '2048' -PropertyType 'DWord' -Force | Out-Null
```

Both don't seem to work.

Original post by jeffbearden2425 (https://community.spiceworks.com/u/jeffbearden2425), 2020-02-28, 6 upvotes: https://community.spiceworks.com/t/run-as-administrator/753358/1
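A read-back check for the SCHANNEL state the script above writes, added here as an example; it is not part of the original post or of the script's source. Two caveats drive its design. First, the HKLM: provider treats a forward slash as a path separator, so `New-Item -Path '...\Ciphers\Triple DES 168/168'` in the SWEET32 section creates a nested `Triple DES 168\168` pair rather than the key it names; only the .NET registry API (which the second half of the posted script already uses for `CreateSubKey`) can address keys such as `RC4 128/128`, so the checker uses that API too. Second, `0xffffffff` is handed back as the Int32 `-1`, so "enabled" is tested as non-zero rather than as equality with 4294967295. The expected-state table is constructed from the values the posted script sets; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post): verify the SCHANNEL registry
# state written by the hardening script and report what is missing or wrong.
#Requires -Version 3.0

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state, constructed from what the posted script writes.
# 'NonZero' stands for "enabled": Windows stores 0xffffffff, which the .NET
# API returns as the Int32 -1, so an equality test against 4294967295 fails.
$ExpectedState = @(
    @{ Key = 'Protocols\TLS 1.1\Server'; Name = 'Enabled';           Want = 0 }
    @{ Key = 'Protocols\TLS 1.1\Server'; Name = 'DisabledByDefault'; Want = 1 }
    @{ Key = 'Protocols\TLS 1.1\Client'; Name = 'Enabled';           Want = 0 }
    @{ Key = 'Protocols\TLS 1.1\Client'; Name = 'DisabledByDefault'; Want = 1 }
    @{ Key = 'Ciphers\Triple DES 168';   Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\RC4 128/128';      Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\NULL';             Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\AES 256/256';      Name = 'Enabled';           Want = 'NonZero' }
    @{ Key = 'Hashes\MD5';               Name = 'Enabled';           Want = 0 }
    @{ Key = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ServerMinKeyBitLength'; Want = 2048 }
)

function Test-SchannelHardening {
    [CmdletBinding()]
    param(
        [string]$Root = $SchannelRoot,
        [hashtable[]]$Checks = $ExpectedState
    )
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($c in $Checks) {
        $status = 'OK'
        $actual = $null
        # OpenSubKey splits only on '\', so a name like 'RC4 128/128' resolves
        # to the real key instead of a nested 'RC4 128' -> '128' pair.
        $key = $hklm.OpenSubKey("$Root\$($c.Key)")
        if ($null -eq $key) {
            $status = 'MissingKey'
        }
        else {
            $actual = $key.GetValue($c.Name)
            $key.Close()
            if ($null -eq $actual) {
                $status = 'MissingValue'
            }
            elseif ("$($c.Want)" -eq 'NonZero') {
                if ($actual -eq 0) { $status = 'Mismatch' }
            }
            elseif ($actual -ne $c.Want) {
                $status = 'Mismatch'
            }
        }
        [pscustomobject]@{
            Key      = $c.Key
            Name     = $c.Name
            Expected = $c.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

# Usage: reading HKLM needs no elevation, so this can run from any session.
# SCHANNEL picks the keys up at boot, so check after the reboot that follows
# the hardening run, not immediately after it.
$results = Test-SchannelHardening
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) SCHANNEL setting(s) are not in the expected state."
}
```

Any row reported as `MissingKey` for `Ciphers\Triple DES 168` while a `Triple DES 168\168` key exists is the provider-path problem described above, not a failed write.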
Startup scripts that run in GPO should run as the SYSTEM account and would not require additional steps for elevation.

Answer by Evan7191 (https://community.spiceworks.com/u/Evan7191), 2020-02-28, 1 upvote: https://community.spiceworks.com/t/run-as-administrator/753358/2
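A guard for the top of the hardening script that follows from this answer, added here as an example; it is not code from the original thread. It records which identity the script runs as, does nothing extra when the token is already elevated (the case for a GPO startup script, which runs as SYSTEM, SID S-1-5-18), and asks UAC for elevation only during an interactive manual run. At startup there is no desktop to show a UAC prompt on, so a bare `Start-Process -Verb RunAs` would hang or fail there; the guard refuses instead. The function names are this example's own, and it assumes the script is saved to disk and takes the same `-Solve` parameter as the posted script.

```powershell
# Added example (not from the original thread): elevation guard that is safe
# both for a GPO startup script (already SYSTEM) and for a manual run.
#Requires -Version 3.0
[CmdletBinding()]
param(
    [ValidateSet('SWEET32', 'TLS1.0', 'Both')]
    [string]$Solve = 'Both'
)

function Get-RunContext {
    # Who we are, and whether the current token already carries the Administrators group as enabled.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        User        = $identity.Name
        IsSystem    = ($identity.User.Value -eq 'S-1-5-18')   # well-known SID of LocalSystem
        IsElevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Interactive = [Environment]::UserInteractive
    }
}

function Invoke-SelfElevation {
    # Relaunch this script through UAC and return the child's exit code.
    # Valid only for an interactive session; there is no prompt to show at startup.
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [Parameter(Mandatory = $true)][string]$SolveArg
    )
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$ScriptPath`"", '-Solve', $SolveArg)
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait -PassThru
    return $proc.ExitCode
}

$ctx = Get-RunContext
Write-Host ('Running as {0} (SYSTEM={1}, elevated={2}, interactive={3})' -f `
    $ctx.User, $ctx.IsSystem, $ctx.IsElevated, $ctx.Interactive)

if (-not $ctx.IsElevated) {
    if (-not $ctx.Interactive) {
        # Not elevated and nothing can prompt: fail loudly rather than hang at startup.
        Write-Error 'Not elevated and no interactive desktop; run from an elevated session or as a GPO startup script.'
        exit 1
    }
    exit (Invoke-SelfElevation -ScriptPath $PSCommandPath -SolveArg $Solve)
}

# From here the script holds an admin token: SYSTEM at startup, or the
# relaunched elevated instance on a manual run. The HKLM SCHANNEL writes from
# the posted script belong below this line.
Write-Host "Elevated; proceeding with -Solve $Solve"
```

Because SYSTEM is a member of Administrators and runs with a full token, `IsElevated` is true in the GPO startup path and the relaunch branch is never reached; it only matters for the manual run the original poster describes.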
Can you remove the VERY long scripts that you posted? The issue is not really about the content of the scripts themselves, so they are not adding to the post. Instead, we have to scroll all the way to the bottom of the page to respond.

Don't post massive scripts. We're all volunteers and we don't have time to read all that, nor will we copy, paste, and run it. Post an excerpt, and clearly state what you're having problems with.