[ansible-project] Re: Using win_regedit to harden Windows server ciphers
+1 to this - IISCrypto is a great tool to make this easier, and bonus: it's available from Chocolatey, thus easy to deal with from Ansible...

On Monday, July 18, 2016 at 1:07:18 AM UTC-7, Mike Fennemore wrote:
> I'm assuming for the security hardening you would be disabling multiple
> ciphers and protocols etc. A suggestion would be to use IISCrypto to
> configure the ciphers as required. Then export the relevant keys and use
> the win_regedit to import the exported reg.
>
> On Monday, July 11, 2016 at 10:11:59 PM UTC+2, Matt Betts wrote:
>> Hi, I'm trying to create a playbook that I can use to bring a Windows
>> server up to the latest secure hardening standards and I'm stuck with
>> configuring Ciphers. An example is as follows:
>>
>> ansible {HOST} -m win_regedit -a "key='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128' value=Enabled data= datatype=dword state=present" -vvv
>>
>> As you can see the Key name is "RC2 128/128" and the issue I'm
>> encountering is PowerShell interprets the / as a new key, irrespective of
>> the direction.
>>
>> Has anyone managed to create a playbook to do this? I've got some
>> alternatives (merging a registry file etc) but they aren't as clean. From
>> the research I've done it looks like I'm going to need to use the
>> PowerShell CreateSubKey function.
>>
>> Thanks,

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/98dc2c03-f6cd-41b5-a34f-9435c7ecbf6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Re: Using win_regedit to harden Windows server ciphers
I'm assuming for the security hardening you would be disabling multiple ciphers and protocols etc. A suggestion would be to use IISCrypto to configure the ciphers as required. Then export the relevant keys and use the win_regedit to import the exported reg.

On Monday, July 11, 2016 at 10:11:59 PM UTC+2, Matt Betts wrote:
> Hi, I'm trying to create a playbook that I can use to bring a Windows
> server up to the latest secure hardening standards and I'm stuck with
> configuring Ciphers. An example is as follows:
>
> ansible {HOST} -m win_regedit -a "key='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128' value=Enabled data= datatype=dword state=present" -vvv
>
> As you can see the Key name is "RC2 128/128" and the issue I'm
> encountering is PowerShell interprets the / as a new key, irrespective of
> the direction.
>
> Has anyone managed to create a playbook to do this? I've got some
> alternatives (merging a registry file etc) but they aren't as clean. From
> the research I've done it looks like I'm going to need to use the
> PowerShell CreateSubKey function.
>
> Thanks,

[ansible-project] Re: Using win_regedit to harden Windows server ciphers
Yep, doesn't look like there's any documented way to get the PowerShell registry provider to work right with this. Even if we could get it to work right with the creation, it'd still break on all the Test-Path and other calls. Only way to handle this "right" would be a complete rewrite of win_regedit to directly use the .NET Registry classes instead (probably not happening anytime soon).

On Monday, July 11, 2016 at 1:11:59 PM UTC-7, Matt Betts wrote:
> Hi, I'm trying to create a playbook that I can use to bring a Windows
> server up to the latest secure hardening standards and I'm stuck with
> configuring Ciphers. An example is as follows:
>
> ansible {HOST} -m win_regedit -a "key='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128' value=Enabled data= datatype=dword state=present" -vvv
>
> As you can see the Key name is "RC2 128/128" and the issue I'm
> encountering is PowerShell interprets the / as a new key, irrespective of
> the direction.
>
> Has anyone managed to create a playbook to do this? I've got some
> alternatives (merging a registry file etc) but they aren't as clean. From
> the research I've done it looks like I'm going to need to use the
> PowerShell CreateSubKey function.
>
> Thanks,
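
The approach named in the last message (going through the .NET Registry classes, so the "/" in "RC2 128/128" is never parsed as a path separator) can be sketched as follows. This is an added example, not code from the thread or from win_regedit. The function name Set-SchannelCipher and the list of ciphers to disable are assumptions chosen for illustration; only "RC2 128/128" comes from the thread.

```powershell
# Added example (not from the thread). Writes the SCHANNEL "Enabled" DWORD
# through Microsoft.Win32.Registry, so a key name such as "RC2 128/128"
# is passed as one literal subkey name instead of a provider path.
function Set-SchannelCipher {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    # 0 disables the cipher; -1 is stored as DWORD 0xffffffff (enabled).
    $wanted = if ($Enabled) { -1 } else { 0 }

    # CreateSubKey opens the key writable if it exists, creates it otherwise.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    try {
        $key = $ciphers.CreateSubKey($Name)
        try {
            # Only write when the stored value differs, so repeated runs
            # report Changed = $false (useful for idempotent automation).
            $current = $key.GetValue('Enabled', $null)
            $changed = ($current -ne $wanted)
            if ($changed) {
                $key.SetValue('Enabled', $wanted,
                    [Microsoft.Win32.RegistryValueKind]::DWord)
            }
            [pscustomobject]@{ Cipher = $Name; Enabled = $Enabled; Changed = $changed }
        }
        finally { $key.Close() }
    }
    finally { $ciphers.Close() }
}

# Assumed hardening list for illustration; adjust to the standard being applied.
$weakCiphers = 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
               'DES 56/56', 'NULL'

$weakCiphers | ForEach-Object { Set-SchannelCipher -Name $_ -Enabled $false }
```

The script needs an elevated session on the target host, since it writes under HKLM.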