Using win_regedit to harden Windows server ciphers

[Matt Betts]

Hi, I'm trying to create a playbook that I can use to bring a windows server up to the latest secure hardening standards and I'm stuck with configuring Ciphers. An example is as follows:

 ansible {HOST} -m win_regedit -a "key='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128' value=Enabled data=00000000 datatype=dword state=present" -vvv

As you can see the Key name is "RC2 128/128" and the issue I'm encountering is Powershell interprets the / as a new key, irrespective of the direction. 

Has anyone managed to create a playbook to do this? I've got some alternatives (merging a registry file etc) but they aren't as clean. From the research I've done it looks like i'm going to need to user the powershell CreateSubKey function.

Thanks,

[Matt Davis]

Yep, doesn't look like there's any documented way to get the Powershell registry provider to work right with this. Even if we could get it to work right with the creation, it'd still break on all the Test-Path and other calls. Only way to handle this "right" would be a complete rewrite of win_regedit to directly use the .NET Registry classes instead (probably not happening anytime soon).

[Mike Fennemore]

I'm assuming for the security hardening you would be disabling multiple ciphers and protocols etc. A suggestion would be to use IISCrypto to configure the ciphers as required. Then export the relevant keys and use the win_regedit to import the exported reg.  

[Matt Davis]

+1 to this- IISCrypto is a great tool to make this easier, and bonus: it's available from chocolatey, thus easy to deal with from Ansible...