Wednesday, July 26, 2017

Remotely Disable a Windows Firewall (command line)


On a computer in the domain, click Start, Run, and type:

runas /user:an-administrator@YourDomain cmd
(CMD will start with domain admin privileges.)

In the CMD window, run:
psexec \\yourremotecomputername cmd

Now run:
netsh firewall set opmode disable
(This disables the firewall.)

Or, if you have access to Group Policy, you can do this in a GPO with a Group Policy Preference (GPP).

Download PsExec here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Tuesday, July 04, 2017

2012 R2 supports TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.



TL;DR: TLS 1.1 and TLS 1.2 are supported, but disabled by default for most “WinHTTP” client applications, including .NET and hence PowerShell. 

Update your Server 2012 R2 to change the defaults, or this issue will recur often.

Background information:
Microsoft .NET supports TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.

Technical Recommendations:
Add the following registry keys to your Windows Server instances. Either save this as a “.reg” file, or alternatively deploy the 4 values using Group Policy Preferences.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80

For servers where PowerShell has TLS 1.2 issues, but enabling it at the registry level causes incompatibility issues, the following snippet can be used:

# EITHER: Enable all current TLS variants:
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls,Tls11,Tls12'

# OR: Enforce TLS 1.2 only and also check Certificate Revocation Lists (CRLs):
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls12'
[System.Net.ServicePointManager]::CheckCertificateRevocationList  = $true  
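
To confirm the registry change took effect on a given server, the following PowerShell check (an added example, not part of the original post) reads the four values listed above and decodes the DefaultSecureProtocols bitmask into protocol names. The function names are hypothetical; the bit values are the documented WinHTTP flags, where 0x80 (TLS 1.0) + 0x200 (TLS 1.1) + 0x800 (TLS 1.2) gives the 0xa80 used above.

```powershell
# Added example: audit the four registry values from this post on the local server.
# Bit flags used by the WinHTTP DefaultSecureProtocols value.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

function ConvertFrom-SecureProtocolMask {
    param([Parameter(Mandatory = $true)][int]$Mask)
    # Emit the name of every protocol whose bit is set in the mask.
    foreach ($name in $ProtocolBits.Keys) {
        if ($Mask -band $ProtocolBits[$name]) { $name }
    }
}

function Test-TlsRegistryDefaults {
    # Paths, names and expected values are exactly those in the .reg file above.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 0x1 }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 0x1 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Expected = 0xa80 }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Expected = 0xa80 }
    )
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        $status = if ($null -eq $value) { 'MISSING' } elseif ($value -eq $c.Expected) { 'OK' } else { 'DIFFERS' }
        $hex    = if ($null -ne $value) { '0x{0:x8}' -f $value } else { '' }

        # Only the WinHttp value is a protocol bitmask; SchUseStrongCrypto is a 0/1 switch.
        $protocols = ''
        if ($c.Name -eq 'DefaultSecureProtocols' -and $null -ne $value) {
            $protocols = (ConvertFrom-SecureProtocolMask -Mask $value) -join ', '
        }

        [pscustomobject]@{
            Status = $status; Name = $c.Name; Value = $hex; Protocols = $protocols; Path = $c.Path
        }
    }
}

Test-TlsRegistryDefaults | Format-Table -AutoSize -Wrap
```

A MISSING row means that value has not been set on that server; a DIFFERS row on DefaultSecureProtocols shows which protocols the current mask actually enables.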




