Azure SQLVM: Windows web servers should be configured to use secure communication protocols

Rahul 296 Reputation points
2023-01-20T13:00:27.5033333+00:00

Hello Team,
I'm trying to make the green below Regulatory Compliance recommendation for my Azure SQL VM.
Windows web servers should be configured to use secure communication protocols
I added the registry keys as per [https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls?WT.mc_id=Portal-Microsoft_Azure_Security#configuring-schannel-protocols-in-the-windows-registry
Picture2.png
But still, it won't be green. Can someone enlighten me on this?
Thanks in advance.
Regards,
Rahul

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,967 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,848 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,401 questions
{count} votes

Accepted answer
  1. deherman-MSFT 37,411 Reputation points Microsoft Employee
    2023-01-20T19:55:19.0866667+00:00

    @Rahul
    Please try these steps and see if they resolve your issue:

    In order for the guest configuration to work properly you need to have the Guest Configuration Extension enabled on the machine

    · https://learn.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration#deploy-requirements-for-azure-virtual-machines

    Below is the name of the definition which is pushing the extension

    · Deploy prerequisites to enable Guest Configuration policies on virtual machines

    Afterwards you need to have a managed identity which is going to authenticate the machine as it reads and writes to the Guest Configuration service.

    · Add system-assigned managed identity to enable Guest Configuration assignments

    · AND

    · Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
    After you have these in place, run the remediation tasks for the non compliant resource.

    · Remediate non-compliant resources - Azure Policy | Microsoft Learn

    If you have everything ok till this point, run a policy scan on that resource as in the below docs (note that the Policy blade take 24 h to refresh, while forcing the scan you should see it in less than 20 minutes)

    · https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan---azure-cli

    Hope this helps! Let us know if you are still facing issues with this and we can work with you directly to resolve it.


    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


5 additional answers

Sort by: Most helpful
  1. Limitless Technology 44,376 Reputation points
    2023-01-23T17:02:43.9366667+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    I highly suggest to you to check this forum https://learn.microsoft.com/en-us/answers/questions/318654/windows-web-servers-should-be-configured-to-use-se on how to resolve this issue since you both have the exact same issue.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    0 comments No comments

  2. Rahul 296 Reputation points
    2023-01-24T09:10:10.3366667+00:00

    @deherman-MSFT
    I followed the above steps and waited 24 hours as well. I am attaching snaps for the same.1.JPG 2.JPG 3.JPG

    The PS Command "Start-AzPolicyComplianceScan -ResourceGroupName 'MyRG'" did not return any results. 4.JPG

    The Recommendation is still Red 5.JPG

    Thanks

    Rahul

    0 comments No comments

  3. deherman-MSFT 37,411 Reputation points Microsoft Employee
    2023-01-24T22:13:27.2633333+00:00

    Rahul
    Sorry to hear that this alert has not gone away for you. To further troubleshoot this, we're going to enable a free, one time technical support ticket. Please email the following to AzCommunity@microsoft.com and we'll get back to you promptly:

    • Subject: "Attn: deherman - "

    • Email body: Your Subscription ID

    • Email body: A link to this thread so we can validate and expedite the request

    If you don't receive a response within 24 hours, please reply to the thread so we can investigate.

    0 comments No comments

  4. Rahul Dhande 20 Reputation points
    2023-02-16T14:16:35.2066667+00:00

    @deherman-MSFT

    I'm trying to compliant the above under my other Subscription.  The TLS Registry Keys are correct. Only TLS 1.2 is enabled under"azure VM" and Internet Options.  I did remove and reassigned the policy and ran the command " Start-AzPolicyComplianceScan" under the Subscription. The Compliant status is showing Non-Compliant with the below reason

    Could not find any secure TLS protocol version enabled on this web server.

    Displaying the current status of protocols:

    SSL 2.0 - Absent

    SSL 3.0 - Absent

    TLS 1.0 - Absent

    PCT 1.0 - Absent

    Multi-Protocol Unified Hello - Absent

    TLS 1.1 - Absent

    TLS 1.2 - Absent

    Do you aware anything needs to make changed?  Why the Policy won't detect TLS keys in the Registry

    The above policy is compliant with my other resource which has the same configuration. 

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.