noid-privacy/Modules/AdvancedSecurity/Private/Test-LegacyTLS.ps1


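function Test-LegacyTLS {
    <#
    .SYNOPSIS
    Test Legacy TLS configuration compliance
    .DESCRIPTION
    Verifies that TLS 1.0 and TLS 1.1 are disabled for both Client and Server by
    inspecting the SCHANNEL protocol keys under HKLM. A protocol/component pair
    counts as disabled when Enabled is 0, or when Enabled is absent and
    DisabledByDefault is 1. A missing key is reported as non-compliant because the
    OS default then decides the behaviour and this check expects an explicit
    hardening setting.
    .OUTPUTS
    PSCustomObject with Feature (string), Status (string), Details (string[])
    and Compliant (bool). Any unexpected error is reported in the object itself
    (Status "Error", Compliant $false) rather than thrown.
    #>
    [CmdletBinding()]
    param()

    # Evaluates one protocol/component registry key. Returns $null when the pair is
    # disabled, otherwise a single-line finding describing why it is not.
    function Get-LegacyTlsFinding {
        param(
            [string]$Version,
            [string]$Component
        )
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Version\$Component"

        # -LiteralPath: the path is data, not a wildcard pattern.
        if (-not (Test-Path -LiteralPath $regPath)) {
            # Key missing usually means default (Enabled on old OS, Disabled on very new OS)
            # For hardening, we expect explicit disable keys
            return "$Version $Component registry keys missing"
        }

        # SilentlyContinue: a missing value yields $null instead of a terminating error.
        $enabled = (Get-ItemProperty -LiteralPath $regPath -Name "Enabled" -ErrorAction SilentlyContinue).Enabled
        $disabledByDefault = (Get-ItemProperty -LiteralPath $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue).DisabledByDefault

        # Enabled=0 disables outright; with Enabled absent, DisabledByDefault=1 disables implicitly.
        # ($null -eq 0) is $false in PowerShell, so an absent Enabled never matches the first clause.
        $isDisabled = ($enabled -eq 0) -or (($null -eq $enabled) -and ($disabledByDefault -eq 1))
        if ($isDisabled) {
            return $null
        }

        # Report both values so an operator can see which one left the protocol on.
        $enabledText = if ($null -eq $enabled) { "<not set>" } else { "$enabled" }
        $disabledByDefaultText = if ($null -eq $disabledByDefault) { "<not set>" } else { "$disabledByDefault" }
        return "$Version $Component is NOT disabled (Enabled=$enabledText, DisabledByDefault=$disabledByDefaultText)"
    }

    try {
        $result = [PSCustomObject]@{
            Feature   = "Legacy TLS (1.0/1.1)"
            Status    = "Unknown"
            Details   = @()
            Compliant = $true
        }
        $tlsVersions = @("TLS 1.0", "TLS 1.1")
        $components = @("Server", "Client")

        foreach ($version in $tlsVersions) {
            foreach ($component in $components) {
                $finding = Get-LegacyTlsFinding -Version $version -Component $component
                if ($null -ne $finding) {
                    $result.Details += $finding
                }
            }
        }

        # Every finding is one non-compliant protocol/component pair.
        $nonCompliantCount = $result.Details.Count
        if ($nonCompliantCount -eq 0) {
            $result.Status = "Secure (Disabled)"
            $result.Compliant = $true
        }
        else {
            $result.Status = "Insecure ($nonCompliantCount issues)"
            $result.Compliant = $false
        }
        return $result
    }
    catch {
        # Write-Log is provided by the module; the failure is also surfaced in the result
        # so callers that only inspect the object still see it.
        Write-Log -Level ERROR -Message "Failed to test Legacy TLS: $_" -Module "AdvancedSecurity"
        return [PSCustomObject]@{
            Feature   = "Legacy TLS (1.0/1.1)"
            Status    = "Error"
            Details   = @("Failed to test: $_")
            Compliant = $false
        }
    }
}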