September 02, 2022

Microsoft's PowerTrip. Oops, sorry: PowerShell

Why do we disable weak TLS cyphers? We are told that they pose a risk of intrusion/eavesdropping. A-ha! They pose a risk.

But here comes a genius degenerate from Microsoft and... Guess what they do? They write the code behind PowerShell commands. One such command is Get-TlsCipherSuite. It was devised to display information about the existing cypher suites. When you run it, it spits out a bunch of information. So, what is the problem?

The problem is that the genius degenerates at Microsoft did not bother to include an Enabled/Disabled flag! What is the implication of this? The implication is that there are only 2 ways to find out whether a particular cypher suite is enabled or disabled. One is to try to disable it, and to get an error if it is already disabled. The other is to try to enable and re-disable it.

Let us pause to think, for a second. So, if a cypher suite is disabled, and we want to find out its status, then we can only enable it temporarily. Does this not create a vulnerability, which could be exploited?

And if we try to disable an already disabled cypher suite and receive an error, do we know what causes the error? Is it the fact that it is disabled, or is it some other reason? Here is the error, for you to judge:

Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
At line:1 char:1
+ Disable-TlsCipherSuite -Name "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (: ) [Disable-TlsCipherSuite], COMException
    + FullyQualifiedErrorId : Exception from HRESULT: 0xD0000225,Microsoft.WindowsAuthenticationProtocols.Commands.RemoveTlsCipherSuiteCommand

The same error is thrown if PowerTrip, oops, sorry, PowerShell is not run as Administrator. There may be other cases of which I am not aware. How do you tell one reason from another?
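
A read-only way to separate the cases asked about above, as an added example that is not part of the original post. It assumes, as Microsoft's documentation for the cmdlet describes, that Get-TlsCipherSuite returns only the suites currently in the enabled list, so a suite missing from its output is treated as disabled; the two function names are hypothetical.

```powershell
# Added example; Test-TlsCipherSuiteState and Disable-TlsCipherSuiteChecked
# are hypothetical helper names, not cmdlets shipped with Windows.
function Test-TlsCipherSuiteState {
    param([Parameter(Mandatory)][string]$Name)

    # Is this session elevated? Checked up front so that a later failure
    # of Disable-TlsCipherSuite is not confused with "already disabled".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Read-only lookup. The -Name parameter matches partial names, so list
    # everything and compare the full name exactly instead.
    # Assumption: a suite absent from this list is disabled.
    $match = Get-TlsCipherSuite | Where-Object { $_.Name -eq $Name }

    [pscustomobject]@{
        Name     = $Name
        Enabled  = [bool]$match
        Elevated = $elevated
    }
}

function Disable-TlsCipherSuiteChecked {
    param([Parameter(Mandatory)][string]$Name)

    $state = Test-TlsCipherSuiteState -Name $Name

    if (-not $state.Enabled) {
        # Nothing is changed, so the suite is never switched on to probe it.
        Write-Output "$Name is not in the enabled list; nothing to do."
        return
    }
    if (-not $state.Elevated) {
        throw "$Name is enabled, but this session is not elevated."
    }

    # Both known causes are ruled out; any error here is something else.
    Disable-TlsCipherSuite -Name $Name -ErrorAction Stop

    # Confirm the change by reading the list again.
    if ((Test-TlsCipherSuiteState -Name $Name).Enabled) {
        throw "$Name is still listed after Disable-TlsCipherSuite."
    }
    Write-Output "$Name disabled."
}
```

Run Test-TlsCipherSuiteState on its own to audit a host without changing its configuration.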

Posted by: LinuxLies at 09:08 AM