Disabling obsolete encryption protocols with DSC and Azure PowerShell

In this article we explain how to implement an effective solution, based on the DSC (Desired State Configuration) feature and Azure PowerShell, that disables obsolete encryption protocols and forces the use of TLS 1.2 in .NET applications, so that the various servers and/or workstations are configured as well as possible.

In previous posts we already discussed how DSC, the system administration technique driven from Azure PowerShell, works and how it lets you manage IT and development infrastructure. In this case we will disable the use of obsolete encryption protocols (from SSL 1.0 to TLS 1.1), because their use is currently discouraged as they present security flaws. At the same time, the use of the latest encryption protocol, TLS 1.2, will be forced in .NET applications.

*Note: in subsequent DSC-related articles, additional code dealing with other configurations will be added to progressively provide a standard desirable security configuration template for use in production environments.

Creation of the DSC configuration template:

Building on what was covered in the first article on DSC, we now write a configuration file. The configuration must have the following structure in order to carry out what was described at the beginning of this article:

Configuration DSC-GENERAL-CONFIGURATION
{
    ######### BASELINES FOR SECURITY ON SERVERS AND WORKSTATIONS #########

    ### 1 - DISABLE INSECURE AND OBSOLETE PROTOCOLS ###

    # Protocol SSL1 on client side
    Registry DisableDeprecatedProtocolSSL1Client
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 1.0\Client"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol SSL1 on server side
    Registry DisableDeprecatedProtocolSSL1Server
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 1.0\Server"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol SSL2 on client side
    Registry DisableDeprecatedProtocolSSL2Client
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol SSL2 on server side
    Registry DisableDeprecatedProtocolSSL2Server
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol SSL3 on client side
    Registry DisableDeprecatedProtocolSSL3Client
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol SSL3 on server side
    Registry DisableDeprecatedProtocolSSL3Server
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol TLS1.0 on client side
    Registry DisableDeprecatedProtocolTLS1Client
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol TLS1.0 on server side
    Registry DisableDeprecatedProtocolTLS1Server
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol TLS1.1 on client side
    Registry DisableDeprecatedProtocolTLS1.1Client
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    # Protocol TLS1.1 on server side
    Registry DisableDeprecatedProtocolTLS1.1Server
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server"
        ValueName = "DisabledByDefault"
        ValueType = "DWORD"
        ValueData = "1"
    }

    ### 2 - FORCE USE OF TLS 1.2 IN .NET APPLICATIONS ###

    # Force the use of TLS 1.2
    Registry ForceUseOfTLS1.2Protocol
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
        ValueName = "SchUseStrongCrypto"
        ValueType = "DWORD"
        ValueData = "1"
    }
}


As you can see, the configuration consists of a set of Windows registry entries that DSC will make sure are always present. The SSL 1.0 to 3.0 and TLS 1.0 to TLS 1.1 protocols are disabled both in client mode (i.e. when the server/workstation connects to a service that offers only one of these protocols, the connection is closed immediately) and in server mode (preventing the use of these protocols by any service hosted on the machine).
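To read back the values the configuration above manages and see at a glance which protocols are actually disabled, here is an added audit script (not part of the original article). It goes slightly beyond the page: it also reports the Schannel `Enabled` value, which hard-disables a protocol when set to 0 (the DSC configuration only sets `DisabledByDefault`), and checks the WOW6432Node copy of the .NET key used by 32-bit processes; function names and the TLS 1.2 row are our own.

```powershell
# Added example: audit the Schannel and .NET registry values managed by the DSC
# configuration above. Missing keys/values are reported as $null (OS default applies).
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Get-SchannelProtocolState {
    param(
        # Protocols from the article plus TLS 1.2, which we expect to remain enabled
        [string[]]$Protocol = @('SSL 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    foreach ($p in $Protocol) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelBase "$p\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $disabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { $null }
            $enabled           = if ($null -ne $props) { $props.Enabled } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                DisabledByDefault = $disabledByDefault   # 1 = not offered unless an app asks for it
                Enabled           = $enabled             # 0 = protocol cannot be used at all
                HardDisabled      = ($enabled -eq 0)
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # The DSC entry sets SchUseStrongCrypto under the native .NET 4 key; the WOW6432Node
    # key (our addition, not on the page) is the one 32-bit processes read on a 64-bit OS.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $v }
    }
}

# Print both reports as tables
Get-SchannelProtocolState    | Format-Table -AutoSize
Get-DotNetStrongCryptoState  | Format-Table -AutoSize
```

Run it before and after Start-DscConfiguration to confirm the rows for SSL 1.0 through TLS 1.1 show DisabledByDefault = 1 on both sides while TLS 1.2 stays untouched.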

Running the DSC

Having saved the above configuration in a file (e.g. named DSC-GENERAL-CONFIG.ps1), open a PowerShell console and dot-source the file:

PS> . .\DSC-GENERAL-CONFIG.ps1

This loads the configuration into memory as if it were a function, which is then executed as follows:

PS> DSC-GENERAL-CONFIGURATION

If everything went well, a folder named "DSC-GENERAL-CONFIGURATION" will have been generated containing a file with a .MOF extension.

You can check whether the machine settings comply with what you have configured by running the "Test-DscConfiguration" cmdlet.

As the result is not yet the desired one (InDesiredState is False), we start the DSC jobs by running the "Start-DscConfiguration" cmdlet.

The result of the check indicates that the work has been done and that the configuration status is as desired, which can be verified by opening the registry and looking at the relevant entries.

Likewise, it can be seen that the additional entry for .NET applications was also included.

Scheduled task for PowerShell

Finally, once it has been verified that the configuration status is as desired, a scheduled task can be created that runs the following PowerShell code. It periodically checks that the configuration is met and, if not, re-creates the corresponding entries in the Windows registry:

# Some useful variables
$WORKING_DIRECTORY      = '/'   # root of the current drive; adjust to wherever the MOF folder was generated
$DSC_CONFIG_FOLDER_NAME = 'DSC-GENERAL-CONFIGURATION'

# Change to our working directory
Set-Location $WORKING_DIRECTORY

# Check the DSC configuration status against the MOF in the configuration folder.
# With -Path, Test-DscConfiguration returns an object whose InDesiredState property
# is $true only when every resource matches the MOF.
$STATUS = Test-DscConfiguration -Path ('.\' + $DSC_CONFIG_FOLDER_NAME + '\') |
    Select-Object -ExpandProperty InDesiredState

# If the status is not True, reapply the configuration; otherwise do nothing.
# -Wait keeps the scheduled task running until the job finishes.
if ($STATUS -ne $true)
{
    Start-DscConfiguration -Path ('.\' + $DSC_CONFIG_FOLDER_NAME + '\') -Wait -Verbose
}


Given that this is simply a check (and that the registry will rarely be modified), the task can be scheduled at longer or shorter intervals, for example anywhere from 24 hours to 1 week.
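As an added example (not from the original article), this is how the check script above can be registered as a scheduled task that runs daily as SYSTEM; the script path, task name and run time are assumptions.

```powershell
# Added example: register the DSC check script as a daily scheduled task.
$ScriptPath = 'C:\DSC\Check-DscGeneralConfig.ps1'   # assumed: where the check script above was saved
$TaskName   = 'DSC-GENERAL-CONFIGURATION-Check'     # assumed task name

# Run the script non-interactively so it never blocks on a prompt
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Daily at 03:00. For the weekly cadence mentioned in the article use instead:
#   New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Start-DscConfiguration writes HKLM, so the task needs local administrator rights;
# SYSTEM with the highest run level avoids storing a user password in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Catch up if the machine was off at the scheduled time, and cap the run time
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Show the registered task and its next run time
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo
```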
