noid-privacy/Modules/AdvancedSecurity/Private/Disable-LegacyTLS.ps1

function Disable-LegacyTLS {
    <#
    .SYNOPSIS
        Disable legacy TLS 1.0 and TLS 1.1
    
    .DESCRIPTION
        Disables TLS 1.0 and TLS 1.1 for both Client and Server to prevent
        BEAST, CRIME, and other attacks.
        
        Attack Prevention: BEAST, CRIME, weak cipher suites
        
        Impact: May break old internal web applications that haven't been updated
    
    .EXAMPLE
        Disable-LegacyTLS
    #>
    [CmdletBinding()]
    param()
    
    try {
        Write-Log -Level INFO -Message "Disabling legacy TLS 1.0 and TLS 1.1..." -Module "AdvancedSecurity"
        
        $tlsVersions = @("TLS 1.0", "TLS 1.1")
        $components = @("Server", "Client")
        
        $setCount = 0
        
        foreach ($version in $tlsVersions) {
            foreach ($component in $components) {
                $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\$component"
                
                # Create path if needed
                if (-not (Test-Path $regPath)) {
                    New-Item -Path $regPath -Force | Out-Null
                }
                
                # Disable TLS version
                $existing = Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue
                if ($null -ne $existing) {
                    Set-ItemProperty -Path $regPath -Name "Enabled" -Value 0 -Force | Out-Null
                } else {
                    New-ItemProperty -Path $regPath -Name "Enabled" -Value 0 -PropertyType DWord -Force | Out-Null
                }
                
                $existing = Get-ItemProperty -Path $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue
                if ($null -ne $existing) {
                    Set-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value 1 -Force | Out-Null
                } else {
                    New-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value 1 -PropertyType DWord -Force | Out-Null
                }
                
                Write-Log -Level SUCCESS -Message "Disabled $version $component" -Module "AdvancedSecurity"
                $setCount += 2
            }
        }
        
        Write-Log -Level SUCCESS -Message "Legacy TLS disabled ($setCount registry keys set)" -Module "AdvancedSecurity"
        Write-Host ""
        Write-Host "Legacy TLS Disabled:" -ForegroundColor Green
        Write-Host "  TLS 1.0: Client + Server" -ForegroundColor Gray
        Write-Host "  TLS 1.1: Client + Server" -ForegroundColor Gray
        Write-Host ""
        Write-Host "WARNING: Old web applications may not work!" -ForegroundColor Yellow
        Write-Host "Only TLS 1.2 and TLS 1.3 are now allowed." -ForegroundColor Gray
        Write-Host ""
        
        return $true
    }
    catch {
        Write-Log -Level ERROR -Message "Failed to disable legacy TLS: $_" -Module "AdvancedSecurity" -Exception $_.Exception
        return $false
    }
}
v2.2.0 - Complete Security Hardening Framework (632 Settings) 2025-12-08 10:32:49 +01:00			`function Disable-LegacyTLS {`
			`<#`
			`.SYNOPSIS`
			`Disable legacy TLS 1.0 and TLS 1.1`

			`.DESCRIPTION`
			`Disables TLS 1.0 and TLS 1.1 for both Client and Server to prevent`
			`BEAST, CRIME, and other attacks.`

			`Attack Prevention: BEAST, CRIME, weak cipher suites`

			`Impact: May break old internal web applications that haven't been updated`

			`.EXAMPLE`
			`Disable-LegacyTLS`
			`#>`
			`[CmdletBinding()]`
			`param()`

			`try {`
			`Write-Log -Level INFO -Message "Disabling legacy TLS 1.0 and TLS 1.1..." -Module "AdvancedSecurity"`

			`$tlsVersions = @("TLS 1.0", "TLS 1.1")`
			`$components = @("Server", "Client")`

			`$setCount = 0`

			`foreach ($version in $tlsVersions) {`
			`foreach ($component in $components) {`
			`$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\$component"`

			`# Create path if needed`
			`if (-not (Test-Path $regPath)) {`
			`New-Item -Path $regPath -Force \| Out-Null`
			`}`

			`# Disable TLS version`
			`$existing = Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue`
			`if ($null -ne $existing) {`
			`Set-ItemProperty -Path $regPath -Name "Enabled" -Value 0 -Force \| Out-Null`
			`} else {`
			`New-ItemProperty -Path $regPath -Name "Enabled" -Value 0 -PropertyType DWord -Force \| Out-Null`
			`}`

			`$existing = Get-ItemProperty -Path $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue`
			`if ($null -ne $existing) {`
			`Set-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value 1 -Force \| Out-Null`
			`} else {`
			`New-ItemProperty -Path $regPath -Name "DisabledByDefault" -Value 1 -PropertyType DWord -Force \| Out-Null`
			`}`

			`Write-Log -Level SUCCESS -Message "Disabled $version $component" -Module "AdvancedSecurity"`
			`$setCount += 2`
			`}`
			`}`

			`Write-Log -Level SUCCESS -Message "Legacy TLS disabled ($setCount registry keys set)" -Module "AdvancedSecurity"`
			`Write-Host ""`
			`Write-Host "Legacy TLS Disabled:" -ForegroundColor Green`
			`Write-Host " TLS 1.0: Client + Server" -ForegroundColor Gray`
			`Write-Host " TLS 1.1: Client + Server" -ForegroundColor Gray`
			`Write-Host ""`
			`Write-Host "WARNING: Old web applications may not work!" -ForegroundColor Yellow`
			`Write-Host "Only TLS 1.2 and TLS 1.3 are now allowed." -ForegroundColor Gray`
			`Write-Host ""`

			`return $true`
			`}`
			`catch {`
			`Write-Log -Level ERROR -Message "Failed to disable legacy TLS: $_" -Module "AdvancedSecurity" -Exception $_.Exception`
			`return $false`
			`}`
			`}`