Outdated security best practices within xPSDesiredStateConfiguration.Security.psm1 #789

Description

@TuemmlerKelch

Problem description

The current implementation declares TLS 1.1 as a secure protocol, which isn't true anymore (see here) and also violates the PCI DSS standards (regulatory standard for the Payment Card Industry) introduced in 2018 (declaring TLS 1.2 as the minimum acceptable version).
MS also shares that view, as they officially deprecated TLS 1.1, explicitly discouraging reactivation and hinting at complete removal of TLS 1.1 support.

I would consider not only moving TLS 1.1 to the insecure protocols, but also adding a few other optimizations.
This is my list of possible optimizations (open for discussion):

  • Move TLS 1.1 to insecure protocols
  • Configure both Client and Server component (now we only configure server)
  • Activate TLS1.3 (based on underlying OS; Server 2022 and newer)
  • Add DisabledByDefault = 1 (in addition to Enabled = 0) for insecure protocols
  • Add DisabledByDefault = 0 (in addition to Enabled = 1) for secure protocols
  • Remove unsupported protocols (PCT1.0 and SSL2.0 are not supported with Server 2016 and above)
  • Configure .NET for secure protocol usage (SystemDefaultTlsVersions, SchUseStrongCrypto)

I thought about also going for ciphers, but, based on my experience, this is still a pretty sensitive topic, and I ultimately decided not to propose cipher configuration. But I am open to discussing this topic.
I am willing to do all the work and test this in my local pull environment, once the decision has been made on what to implement.

Verbose logs

Irrelevant for this issue

DSC configuration

Irrelevant for this issue

Suggested solution

Update outdated best practice to a more modern approach

Operating system the target node is running

Irrelevant for this issue

PowerShell version and build the target node is running

Irrelevant for this issue

xPSDesiredStateConfiguration version

Any version. Double-checked with 9.2.1.
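The settings proposed in the issue (TLS 1.1 moved to the insecure list, Client and Server keys both configured, Enabled paired with DisabledByDefault, PCT 1.0 and SSL 2.0 dropped, TLS 1.3 only where the OS supports it, and the .NET SystemDefaultTlsVersions / SchUseStrongCrypto values) expressed as a DSC configuration. This is an added example written with the built-in Registry resource from PSDesiredStateConfiguration; it is neither the issue author's code nor the module's own implementation. It assumes a Windows Server 2016 or newer target, and leaves the decision to enable TLS 1.3 (Server 2022 and newer) to the caller through the hypothetical $EnableTls13 parameter.

```powershell
# Added example: not part of xPSDesiredStateConfiguration and not the issue author's code.
# Applies the SCHANNEL protocol and .NET Framework registry settings proposed in the issue.
Configuration SchannelHardening
{
    param (
        [Parameter()]
        [System.String[]]
        $NodeName = 'localhost',

        # Assumption: TLS 1.3 is only offered by Server 2022 and newer, so the
        # caller opts in explicitly instead of the configuration guessing the OS.
        [Parameter()]
        [System.Boolean]
        $EnableTls13 = $false
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $protocolRoot = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Protocol -> desired DWORD values. PCT 1.0 and SSL 2.0 are deliberately absent:
    # Server 2016 and newer do not support them, so there is nothing to configure.
    $protocols = [ordered]@{
        'SSL 3.0' = @{ Enabled = '0'; DisabledByDefault = '1' }   # insecure
        'TLS 1.0' = @{ Enabled = '0'; DisabledByDefault = '1' }   # insecure
        'TLS 1.1' = @{ Enabled = '0'; DisabledByDefault = '1' }   # insecure (moved here per the issue)
        'TLS 1.2' = @{ Enabled = '1'; DisabledByDefault = '0' }   # secure, minimum for PCI DSS
    }
    if ($EnableTls13) {
        $protocols['TLS 1.3'] = @{ Enabled = '1'; DisabledByDefault = '0' }
    }

    # .NET Framework 4.x: follow the OS protocol defaults and use strong crypto.
    # Both the 64-bit and the 32-bit (Wow6432Node) hives are needed on x64 systems.
    $netKeys = @{
        Net64 = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        Net32 = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    }

    Node $NodeName
    {
        foreach ($protocol in $protocols.Keys) {
            # Configure Client and Server separately; the issue notes only Server was handled before.
            foreach ($component in @('Client', 'Server')) {
                foreach ($valueName in @('Enabled', 'DisabledByDefault')) {
                    # Resource IDs must be unique and are easiest to read without spaces or dots.
                    $id = (($protocol + $component + $valueName) -replace '[^A-Za-z0-9]', '')
                    Registry $id {
                        Key       = "$protocolRoot\$protocol\$component"
                        ValueName = $valueName
                        ValueType = 'DWord'
                        ValueData = $protocols[$protocol][$valueName]
                        Ensure    = 'Present'
                        Force     = $true
                    }
                }
            }
        }

        foreach ($hive in $netKeys.Keys) {
            foreach ($valueName in @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')) {
                Registry "$hive$valueName" {
                    Key       = $netKeys[$hive]
                    ValueName = $valueName
                    ValueType = 'DWord'
                    ValueData = '1'
                    Ensure    = 'Present'
                    Force     = $true
                }
            }
        }
    }
}

# Compile a MOF for the local node (TLS 1.3 left off for a Server 2016/2019 target),
# then apply it. Test-DscConfiguration afterwards reports drift from these values.
SchannelHardening -NodeName 'localhost' -EnableTls13:$false -OutputPath '.\SchannelHardening'
Start-DscConfiguration -Path '.\SchannelHardening' -Wait -Verbose
```

Two things worth checking before rolling this out: the DWORD values are written as decimal strings (Hex defaults to $false on the Registry resource), and SCHANNEL reads these keys at boot, so a reboot is required before Test-DscConfiguration reflecting "in desired state" also means the protocol list in use has actually changed.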
