DSCResources/MSFT_SChannelSettings/en-US/about_SChannelSettings.help.txt

.NAME
    SChannelSettings
 
.DESCRIPTION
    This resource is responsible for configuring various Secure Channel settings.
 
    TLS 1.2 and the .NET Framework:
    https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
 
    Kerberos Supported Encryption Types:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
 
    WinHTTP Default Secure Protocols:
    https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
 
    FIPS Compliance:
    https://docs.microsoft.com/en-us/dotnet/standard/security/fips-compliance
    https://support.microsoft.com/en-us/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi
 
.PARAMETER IsSingleInstance
    Key - String
    Allowed values: Yes
    Specifies that the resource is a single instance; the value must be 'Yes'
 
.PARAMETER TLS12State
    Write - String
    Allowed values: Enabled, Disabled, Default
    Specifies the state of TLS 1.2 for the .NET Framework 3.5 and 4.*
 
.PARAMETER DiffieHellmanMinClientKeySize
    Write - UInt32
    Allowed values: 1024, 2048, 3072, 4096
    Minimum client key size for the Diffie-Hellman key exchange algorithm
 
.PARAMETER DiffieHellmanMinServerKeySize
    Write - UInt32
    Allowed values: 1024, 2048, 3072, 4096
    Minimum server key size for the Diffie-Hellman key exchange algorithm
 
.PARAMETER KerberosSupportedEncryptionType
    Write - StringArray
    Allowed values: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-MD5, AES128-HMAC-SHA1, AES256-HMAC-SHA1
    Specifies the supported Kerberos Encryption Types
 
.PARAMETER WinHttpDefaultSecureProtocols
    Write - StringArray
    Allowed values: SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2
    Specifies the WinHTTP Default Secure Protocols
 
.PARAMETER EnableFIPSAlgorithmPolicy
    Write - Boolean
    Specifies if the FIPS Algorithm Policy is enabled
 
.PARAMETER RebootWhenRequired
    Write - Boolean
    Specifies if a reboot will be performed when required (Default: False)
 
.EXAMPLE 1
 
 
This example shows how to configure SChannel.
 
 
    Configuration Example
    {
        param ()
 
        Import-DscResource -ModuleName SChannelDsc
 
        node localhost
        {
            SChannelSettings 'ConfigureSChannel'
            {
                IsSingleInstance = 'Yes'
                TLS12State = 'Enabled'
                DiffieHellmanMinClientKeySize = 4096
                DiffieHellmanMinServerKeySize = 4096
                EnableFIPSAlgorithmPolicy = $false
            }
        }
    }
 
.EXAMPLE 2
 
 
This example shows how to configure the Kerberos Supported
Encryption Types.
 
 
    Configuration Example
    {
        param ()
 
        Import-DscResource -ModuleName SChannelDsc
 
        node localhost
        {
            SChannelSettings 'ConfigureKerberosEncrTypes'
            {
                IsSingleInstance = 'Yes'
                KerberosSupportedEncryptionType = @("RC4-HMAC-MD5","AES128-HMAC-SHA1","AES256-HMAC-SHA1")
            }
        }
    }
 
.EXAMPLE 3
 
 
This example shows how to configure the WinHTTP Default
Secure Protocols.
 
 
    Configuration Example
    {
        param ()
 
        Import-DscResource -ModuleName SChannelDsc
 
        node localhost
        {
            SChannelSettings 'ConfigureWinHTTPProtocols'
            {
                IsSingleInstance = 'Yes'
                WinHttpDefaultSecureProtocols = @("TLS1.1","TLS1.2")
            }
        }
    }
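 
A pre-deployment review of the property values used in the examples above, added here as an illustration and not part of SChannelDsc. The function name Test-SChannelSettingsPolicy, the weak-value lists and the 2048-bit Diffie-Hellman floor are assumptions of this example, not rules the resource enforces.

```powershell
# Added example: flag SChannelSettings property values that select deprecated
# algorithms or protocols. Policy (an assumption of this example) follows
# RFC 6649/8429 (DES, RC4 in Kerberos) and RFC 6176/7568/8996 (SSL, TLS 1.0/1.1).
function Test-SChannelSettingsPolicy
{
    param (
        [Parameter(Mandatory = $true)]
        [hashtable] $Settings
    )

    $weakKerberos = @('DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC-MD5')
    $weakWinHttp  = @('SSL2.0', 'SSL3.0', 'TLS1.0', 'TLS1.1')
    $minDhBits    = 2048
    $findings     = @()

    foreach ($type in @($Settings['KerberosSupportedEncryptionType']))
    {
        if ($type -in $weakKerberos) { $findings += "KerberosSupportedEncryptionType: $type is deprecated" }
    }

    if ($Settings.ContainsKey('WinHttpDefaultSecureProtocols'))
    {
        $protocols = @($Settings['WinHttpDefaultSecureProtocols'])
        foreach ($protocol in $protocols)
        {
            if ($protocol -in $weakWinHttp) { $findings += "WinHttpDefaultSecureProtocols: $protocol is deprecated" }
        }
        if ('TLS1.2' -notin $protocols) { $findings += 'WinHttpDefaultSecureProtocols: TLS1.2 is not in the list' }
    }

    foreach ($name in 'DiffieHellmanMinClientKeySize', 'DiffieHellmanMinServerKeySize')
    {
        if ($Settings.ContainsKey($name) -and $Settings[$name] -lt $minDhBits)
        {
            $findings += "${name}: $($Settings[$name]) bits is below the ${minDhBits}-bit floor"
        }
    }

    if ($Settings['TLS12State'] -eq 'Disabled') { $findings += 'TLS12State: TLS 1.2 is disabled for the .NET Framework' }
    return $findings
}

# Constructed input: the property values from Examples 2 and 3, combined.
$sample = @{
    IsSingleInstance                = 'Yes'
    KerberosSupportedEncryptionType = @('RC4-HMAC-MD5', 'AES128-HMAC-SHA1', 'AES256-HMAC-SHA1')
    WinHttpDefaultSecureProtocols   = @('TLS1.1', 'TLS1.2')
}
Test-SChannelSettingsPolicy -Settings $sample
```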