This repository has been archived by the owner on May 28, 2020. It is now read-only.
forked from richardhicks/aovpn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSet-IKEv2VpnSecurityBaseline.ps1
214 lines (166 loc) · 9.02 KB
/
Set-IKEv2VpnSecurityBaseline.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
<#
.SYNOPSIS
Configure baseline security settings for IPsec on Windows Server Routing and Remote Access Service (RRAS) servers.
.PARAMETER Reset
Resets the VPN server's IKEv2 security parameters to their default settings.
.PARAMETER Restart
Restarts the RemoteAccess service after implementing IPsec policy changes.
.PARAMETER EnforceIKEv2CrlCheck
Enables CRL checking for IKEv2 VPN connections.
.EXAMPLE
.\Set-IKEv2VpnSecurityBaseline.ps1
Running this command will configure minimum recommended security settings for IKEv2 VPN connections.
.EXAMPLE
.\Set-IKEv2VpnSecurityBaseline.ps1 -EnforceIKEv2CrlCheck
Running this command will configure minimum recommended security settings for IKEv2 VPN connections. It will also enforce CRL checks for IKEv2 VPN connections.
.EXAMPLE
.\Set-IKEv2VpnSecurityBaseline.ps1 -Restart
Running this command will configure minimum recommended security settings for IKEv2 VPN connections and restart the RemoteAccess service.
.EXAMPLE
.\Set-IKEv2VpnSecurityBaseline.ps1 -Reset
Running this command will restore the default IKEv2 security settings.
.DESCRIPTION
The default IPsec policy settings for Windows Server RRAS IKEv2 VPN connections are considered weak and should be updated. This script implements current minimum security best practices for IPsec.
.LINK
https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/
.NOTES
Version: 1.2
Creation Date: July 26, 2019
Last Updated: April 30, 2020
Author: Richard Hicks
Organization: Richard M. Hicks Consulting, Inc.
Contact: [email protected]
Web Site: https://directaccess.richardhicks.com/
#>
[CmdletBinding()]
Param(
[switch]$EnforceIKEv2CrlCheck,
[switch]$Reset,
[switch]$Restart
)
# // Minimum recommended security settings for IPsec VPN
# // Settings documented here: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
# // Restore default settings
If ($Reset) {
Write-Verbose 'Resetting VPN server IKEv2 security parameters to their defaults...'
Set-VpnServerConfiguration -RevertToDefault | Out-Null
If ($Restart) {
Write-Verbose 'Restarting the ResmoteAccess service...'
Restart-Service RemoteAccess -PassThru
}
Else {
Write-Warning 'The RemoteAccess service must be restarted for changes to take effect.'
}
Exit
}
# // Define new IPsec policy
$Parameters = @{
AuthenticationTransformConstants = 'SHA256128'
CipherTransformConstants = 'AES128'
DHGroup = 'Group14'
EncryptionMethod = 'AES128'
IntegrityCheckMethod = 'SHA256'
PFSgroup = 'PFS2048'
SALifeTimeSeconds = '28800'
SADataSizeForRenegotiationKilobytes = '102400'
}
# // Implement new IPsec policy
Write-Verbose 'Configuring VPN server IPsec policy...'
[PSCustomObject]$Parameters | Set-VpnServerConfiguration -CustomPolicy
If ($EnforceIKEv2CrlCheck) {
# // Enable CRL check for IKEv2 connections
# // Requries update KB4505658 for Windows Server 2019 and KB4503294 for Windows Server 2016
# // Reference: https://support.microsoft.com/en-us/help/4505658/windows-10-update-kb4505658
# // Reference: https://support.microsoft.com/en-us/help/4503294/windows-10-update-kb4503294
$Parameters = @{
Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\'
Name = 'CertAuthFlags'
PropertyType = 'DWORD'
Value = '4'
}
# // Update registry settings
Write-Verbose 'Enforce CRL check for IKEv2 connections...'
New-ItemProperty @Parameters -Force
}
# // Restart the RemoteAccess service or warn administrator that it must be restarted.
If ($Restart) {
Write-Verbose 'Restarting the RemoteAccess service...'
Restart-Service RemoteAccess -PassThru
}
Else {
Write-Warning 'The RemoteAccess service must be restarted for changes to take effect.'
}
# SIG # Begin signature block
# MIINbAYJKoZIhvcNAQcCoIINXTCCDVkCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUOQVwBBugtaYMRACeQKFYwE3B
# 01WgggquMIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0B
# AQsFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD
# VQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVk
# IElEIFJvb3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQsw
# CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
# ZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQg
# Q29kZSBTaWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
# +NOzHH8OEa9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ
# 1DcZ17aq8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0
# sSgmuyRpwsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6s
# cKKrzn/pfMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4Tz
# rGdOtcT3jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg
# 0A9kczyen6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIB
# ADAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUH
# AQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYI
# KwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFz
# c3VyZWRJRFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0
# LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaG
# NGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RD
# QS5jcmwwTwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0
# dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYE
# FFrEuXsqCqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6en
# IZ3zbcgPMA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06
# GsTvMGHXfgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5j
# DhNLrddfRHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgC
# PC6Ro8AlEeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIy
# sjaKJAL+L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4Gb
# T8aTEAb8B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHvMIIFdjCC
# BF6gAwIBAgIQDOTKENcaCUe5Ct81Y25diDANBgkqhkiG9w0BAQsFADByMQswCQYD
# VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln
# aWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29k
# ZSBTaWduaW5nIENBMB4XDTE5MTIxNjAwMDAwMFoXDTIxMTIyMDEyMDAwMFowgbIx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1NaXNz
# aW9uIFZpZWpvMSowKAYDVQQKEyFSaWNoYXJkIE0uIEhpY2tzIENvbnN1bHRpbmcs
# IEluYy4xHjAcBgNVBAsTFVByb2Zlc3Npb25hbCBTZXJ2aWNlczEqMCgGA1UEAxMh
# UmljaGFyZCBNLiBIaWNrcyBDb25zdWx0aW5nLCBJbmMuMIIBIjANBgkqhkiG9w0B
# AQEFAAOCAQ8AMIIBCgKCAQEAr+wmqY7Bpvs6EmNV227JD5tee0m+ltuYmleTJ1TG
# TCfibcWU+2HOHICHoUdSF4M8L0LoonkIWKoMCUaGFzrvMFjlt/J8juH7kazf3mEd
# Z9lzxOt6GLn5ILpq+8i2xb4cGqLd1k8FEJaFcq66Xvi2xknQ3r8cDJWBXi4+CoLY
# 0/VPNNPho2RTlpN8QL/Xz//hE+KB7YzaF+7wYCVCkR/Qn4D8AfiUBCAw8fNbjNGo
# Q/v7xh+f6TidtC7Y5B8D8AR4IJSok8Zbivz+HJj5wZNWsS70D8HnWQ7hM/7nAwQh
# teh0/kj0m6TMVtsv4b9KCDEyPT71cp5g4JxMO+x3UZh0CQIDAQABo4IBxTCCAcEw
# HwYDVR0jBBgwFoAUWsS5eyoKo6XqcQPAYPkt9mV1DlgwHQYDVR0OBBYEFB6Bcy+o
# ShXw68ntqleXMwE4Lj1jMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
# BQcDAzB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
# c2hhMi1hc3N1cmVkLWNzLWcxLmNybDA1oDOgMYYvaHR0cDovL2NybDQuZGlnaWNl
# cnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwTAYDVR0gBEUwQzA3BglghkgB
# hv1sAwEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
# UzAIBgZngQwBBAEwgYQGCCsGAQUFBwEBBHgwdjAkBggrBgEFBQcwAYYYaHR0cDov
# L29jc3AuZGlnaWNlcnQuY29tME4GCCsGAQUFBzAChkJodHRwOi8vY2FjZXJ0cy5k
# aWdpY2VydC5jb20vRGlnaUNlcnRTSEEyQXNzdXJlZElEQ29kZVNpZ25pbmdDQS5j
# cnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAcJWSNtlE7Ml9VLf/
# 96z8tVbF05wZ/EkC4O9ouEdg5AmMx/5LdW2Tz4OrwAUCrRWgIRsC2ea4ZzsZli1i
# 7TdwaYmb2LGKMpq0z1g88iyjIdX6jCoUqMQq1jZAFaJ9iMk7Gn2kHrlcHvVjxwYE
# nf3XxMeGkvvBl8CBkV/fPQ2rrSyKeGSdumWdGGx6Dv/OH5log+x6Qdr6tkFC7byK
# oCBsiETUHs63z53QeVjVxH0zXGa9/G57XphUx18UTYkgIobMN4+dRizxA5sU1WCB
# pstchAVbAsM8OhGoxCJlQGjaXxSk6uis2XretUDhNzCodqdz9ul8CVKem9uJTYjo
# V6CBYjGCAigwggIkAgEBMIGGMHIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdp
# Q2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMTAvBgNVBAMTKERp
# Z2lDZXJ0IFNIQTIgQXNzdXJlZCBJRCBDb2RlIFNpZ25pbmcgQ0ECEAzkyhDXGglH
# uQrfNWNuXYgwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKAAKECgAAw
# GQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisG
# AQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFOf4Dv4/YBr6jvq6IKNLfMGcwPrEMA0G
# CSqGSIb3DQEBAQUABIIBAFCOP+z9HfVxpWRAHR8ECLS+/IGFWk4QLyETtLX/Vucs
# t4Ri5jTosfpFuaODGrXrIjl5RJw729ihEGETBvNtA/8N4n7K2T2a/DHfwOSLH1HE
# c7juD8y7qkHir/mfOs+5j8BA3AQKqggmbeeRmjtC/qD5wSwwfCujSgeawO5d/Q4p
# OA7aaZ8a3+ofD1X+8WmKPuQoOMuuea+j3zRyxeH3/R31noVCkeOaJgEdg9wShX2/
# 65TtsF/aoosnwpg9q/zev2yrIS8zCSY1xwsnXIRZ5qNfcVRnWc9ric8ORaz+ASpH
# 9nr1sauL0pmC45iwvMLjdsnGBB5vy76W5U+uonLhqu4=
# SIG # End signature block