Problem description
The current implementation declares TLS 1.1 as a secure protocol, which isn't true anymore (see here) and also violates PCI DSS standards (the regulatory standard for the Payment Card Industry) introduced in 2018 (declaring TLS 1.2 as the minimum acceptable version).
MS also shares that view, as they officially deprecated TLS 1.1, explicitly discouraging reactivation and hinting at complete removal of TLS 1.1 support.
I would consider not only moving TLS1.1 to insecure protocols, but to also add a few other optimizations.
This is my list of possible optimizations (open for discussion):
- Move TLS 1.1 to insecure protocols
- Configure both Client and Server component (now we only configure server)
- Activate TLS1.3 (based on underlying OS; Server 2022 and newer)
- Add DisabledByDefault = 1 (in addition to Enabled = 0) for insecure protocols
- Add DisabledByDefault = 0 (in addition to Enabled = 1) for secure protocols
- Remove unsupported protocols (PCT1.0 and SSL2.0 are not supported with Server 2016 and above)
- Configure .NET for secure protocol usage (SystemDefaultTlsVersions, SchUseStrongCrypto)
I thought about also going for ciphers, but, based on my experience, this is still a pretty sensitive topic and ultimately decided not to propose cipher configuration. But I am open to discuss this topic.
I am willing to do all the work and test this on my local PULL environment, once the decision has been made what to implement.
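As an added example (not code from this issue or from the xPSDesiredStateConfiguration module), the following PowerShell script applies the list above through the Schannel and .NET Framework registry keys and then audits the result. It assumes an elevated session and that the node is rebooted afterwards, since Schannel reads these keys at start-up.

```powershell
# Added example: apply the proposed Schannel/.NET hardening via the registry.
# Assumes an elevated session; a reboot is required before Schannel picks up the changes.
$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol -> secure? TLS 1.1 moves to the insecure list; TLS 1.3 is only honoured
# by Server 2022 and newer (the key is harmless on older builds).
$desired = @{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
    'TLS 1.3' = $true
}
# Unsupported since Server 2016: remove the keys instead of configuring them.
$remove = @('PCT 1.0', 'SSL 2.0')

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Secure)
    # Configure both Client and Server sides (today only Server is configured).
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $protocolRoot "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Secure:   Enabled=1, DisabledByDefault=0   Insecure: Enabled=0, DisabledByDefault=1
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Secure) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Secure)) -Force | Out-Null
    }
}

foreach ($name in $desired.Keys) { Set-SchannelProtocol -Name $name -Secure $desired[$name] }
foreach ($name in $remove) {
    $key = Join-Path $protocolRoot $name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

# .NET Framework: follow the OS Schannel defaults and use strong crypto,
# for both 64-bit and 32-bit (Wow6432Node) hives and both runtime generations.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
foreach ($key in $netKeys) {
    New-Item -Path $key -Force | Out-Null
    foreach ($value in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        New-ItemProperty -Path $key -Name $value -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit: show the effective Enabled/DisabledByDefault per protocol and side to check for drift.
Get-ChildItem $protocolRoot -Recurse | Get-ItemProperty | Select-Object PSPath, Enabled, DisabledByDefault
```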
Verbose logs
Irrelevant for this issue
DSC configuration
Irrelevant for this issue
Suggested solution
Update outdated best practice to a more modern approach
Operating system the target node is running
Irrelevant for this issue
PowerShell version and build the target node is running
Irrelevant for this issue
xPSDesiredStateConfiguration version
any version. Double-checked with 9.2.1