Windows web servers should be configured to use secure communication protocols

Bipin P 56

I have 1 Azure VM named rabbitMQ-rm-1. This machine has Windows (Windows Server 2012 R2 Datacenter). I have installed only RabbitMQ 3.8.11 and the latest Erlang OTP 23 installers. Basically, this machine provides a scalable platform for sending and receiving messages with the help of the RabbitMQ message broker.

In the Azure Portal, I have allowed only inbound port rule 5672 port in the Network security group. I have gone through the given articles but Windows web servers should be configured to use secure communication protocols is not getting resolved.

In Advisor recommendations facing following issues

All network ports should be restricted on network security groups associated with your virtual machine
Windows web servers should be configured to use secure communication protocols

Can you please help me to resolve these issues?

7 answers

SaiKishor-MSFT 17,211 Reputation points

2021-04-07T19:00:39.213+00:00

I see our internal team has mentioned the below steps as a probable solution to this issue:

In order for the quest configuration to work properly you need to have the Guest Configuration Extension enabled on the machine

· https://learn.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration#deploy-requirements-for-azure-virtual-machines

Below is the name of the definition which is pushing the extension

· Deploy prerequisites to enable Guest Configuration policies on virtual machines

Afterwards you need to have a managed identity which is going to authenticate the machine as it reads and writes to the Guest Configuration service.

· Add system-assigned managed identity to enable Guest Configuration assignments

· AND

· Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
After you have these in place, run the remediation tasks for the non compliant resource.

· Remediate non-compliant resources - Azure Policy | Microsoft Learn

If you have everything ok till this point, run a policy scan on that resource as in the below docs (note that the Policy blade take 24 h to refresh, while forcing the scan you should see it in less than 20 minutes)

· https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan---azure-cli

Please let us know if following these steps help you resolve your issue. Thank you!
Please sign in to rate this answer.

1 person found this answer helpful.
Joerg 1 Reputation point

2021-04-08T05:32:32.777+00:00

I can confirm that this is the solution (combined with setting the TLS version on the VM to the minimal TLS version in the policy at least) to remediate the recommendation.

SaiKishor-MSFT 17,211 Reputation points

2021-04-08T16:19:14.837+00:00

Thanks Joerg!

Joerg 1 Reputation point

2021-04-09T07:05:14.74+00:00

Quick correction: If the VM doesn't have the web server role, TLS settings are irrelevant because the recommendation relates only to web servers.

Stephen P 41 Reputation points

2021-04-09T08:34:52.677+00:00

I think I have tried the remedies above, but still no joy. The recommendation also claims a freshness interval of 30 minutes, but despite it being 9:32 BST on 9 April, the last entry is 8 April at 15:44! I ran the script that is supposed to update the recommendations after making the latest change.

Why, oh why, isn't there a script to run to correct this? It takes a few minutes to create a VM, and then days to implement all the security recommendations.

Joerg 1 Reputation point

2021-04-09T08:40:22.303+00:00

You're not the only one... typically we wait 24 hours... https://feedback.azure.com/forums/919474-azure-advisor/suggestions/36968887-allow-the-ability-to-refresh-advisor-recommendatio

SaiKishor-MSFT 17,211 Reputation points

2021-04-12T17:22:22.817+00:00

@Joerg @Stephen P

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Stephen P 41 Reputation points

2021-04-12T19:27:34.077+00:00

I have basically given up attempting to resolve the issue; I assume that IIS under Windows Server 2019 Datacenter cannot be remedied as it doesn't have the option to prevent insecure communications protocols, unlike Windows 10. As Windows Server 2019 seems to be the most advanced Windows Server supported under Azure, the issue does not seem resolvable. Security Center is ahead of what seems possible. I have tried the Registry settings (but may have got them wrong, of course). As I suggest before, why isn't there a script, or perhaps even better, why doesn't IIS install with insecure protocols disabled?

SaiKishor-MSFT 17,211 Reputation points

2021-04-12T20:34:03.577+00:00

@Stephen P I apologize that this solution did not work for you. I would suggest reaching out to Azure Support so they can look into the issue in detail. Please send mail to AzCommunity [at] microsoft dot com with subject: "ATTN: Sai Kishor" include your Azure subscription ID and a link to this forum thread (for context). We can then put you through Azure backup technical support team to get quick resolution to your issue. Thank you!

Speedy 1 Reputation point

2021-05-14T11:44:46.447+00:00

I have to agree, I'm in the same situation. Vulnerability showing on Azure VM's that aren't even WEB servers, yet applied the recommended registry settings for both the Windows OS TLS, and IE TLS settings, and still no joy. Have open case now with Microsoft Azure Support. If I get a resolution I will add it here to share.

Rob David 6 Reputation points

2021-05-21T19:54:18.677+00:00

I think the idea here is that without the guest configuration extension everything is coming back non-compliant as the control can not "see" inside the OS. Install the guest config extension via policy initiative "Deploy prerequisites to enable Guest Configuration policies on virtual machines" and most should come back compliant unless you have vulnerable TLS protocols/cipher suites.

Stephen P 41 Reputation points

2021-05-22T12:10:22.053+00:00

I have the Guest Configuration Extension on the 'offending' machine, but still no joy. Unfortunately, the report doesn't say what it has found that makes the vulnerability.

The Security Center is great at discovering vulnerabilities, but the remediation instructions are somewhat lacking. Also, I suspect that Windows Server 2019 is now 'long in the tooth', and it lacks the tools to correct the vulnerabilities, for example IIS does not let you disable legacy protocols, unlike Windows 10.
Sign in to comment
Michael Greene 21 Reputation points Microsoft Employee

2021-08-04T23:11:22.327+00:00

The following doc page was published as a result of this discussion, to help make it easier to find the actual scripts used to audit/apply built-in content packages.

https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-packages
Please sign in to rate this answer.

1 person found this answer helpful.
Leandro Rampanelli 1 Reputation point

2021-08-06T10:46:41.797+00:00

@Anonymous Why do we get a error if everything is configured correctly?

Michael Greene 21 Reputation points Microsoft Employee

2021-08-06T13:50:04.467+00:00

Can you confirm:
The machine has the GC extension
The machine has a MI
The reg key inside the machine is set to use a secure protocol for Server

In most cases, the issue has been #1 or #2. The error messages for missing dependencies will be more clear very soon. We also are working with the security center team on making provisioning of the extension easier.

Keep feedback coming. It is appreciated.

Leandro Rampanelli 1 Reputation point

2021-08-06T14:49:08.903+00:00

The machine don't have 1 and 2 but everything regarding security is configured.

Maybe the message is not that clear as you mention.

Also, doc you provided is quite hard to understand, that is to stop the message? to solve the issue? How can I start?

Thank you for your help

Michael Greene 21 Reputation points Microsoft Employee

2021-08-06T15:10:21.947+00:00

Got it. The machine is not compliant because it is missing required dependencies. This is documented here, but we are working on making it more clear in the Policy portal.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration#deploy-requirements-for-azure-virtual-machines

The article helps find the specific PowerShell code that is used for the security check. In this case:

Definition name is "Windows web servers should be configured to use secure communication protocols"

Which means the configuration is using the DSC module "SecureProtocolWebServer".

Clicking that link takes you to the GitHub page to review the code

We could also list the reg key in the definition description, but I'm not certain whether people go to the description field for detailed information?

In all cases, if the extension and identity are not enabled, dependencies are missing so the machine will report "Not Compliant".

Leandro Rampanelli 1 Reputation point

2021-08-09T17:51:27.93+00:00

Hey @Anonymous , I followed your instructions and worked fine, here is my feedback:

All documentation provided was difficult to follow up.

Following your comment I made my own research e ended with the following links:

1º"The machine has the GC extension"
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/guest-configuration#azure-cli

2º"The machine has a MI"
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm

3º "The reg key inside the machine is set to use a secure protocol for Server"
The .reg file from @KoenTee .
121688-hklm-all-tls-settings.txt

What I believe could be better:

t1º the error message:
GCExtensionInstalled=False;MSIEnabled=False;UserIdentityEnabled=False
It's really difficult to discover what is this.

2º many different prerequisites in many different links.

But I also want to thank you for your assistance in this issue. Without you I couldn't solve the issue. Thank you very much!

Michael Greene 21 Reputation points Microsoft Employee

2021-08-09T19:49:02.783+00:00

I think I understand. For your environment, it made more sense to deploy the extension and MI directly instead of using Policy. I will update the documentation for this scenario.
Sign in to comment
Dean Johnson 6 Reputation points

2022-05-01T10:02:41.96+00:00

To get to the screen that people couldn't find, you go the VM -> Policies -> "Azure Security Benchmark" -> "Policies" -> "Windows web servers should be configured to use secure communication protocols" -> "Details".

I hope this helps someone.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
SaiKishor-MSFT 17,211 Reputation points

2021-03-17T21:29:02.61+00:00

@Bipin P This seems to be happening when Azure detects that the server is a web server (it is likely installed as part of your application) and it checks that TLS 1.3 is being used. Your application might not be using TLS 1.3, or even be able to use 1.3. If this is the case, you can ignore this advisory. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.
Joerg 1 Reputation point

2021-03-22T10:15:46.963+00:00

@SaiKishor-MSFT I have nearly the same issue (and ignoring the recommendation isn't an option for me). How does Azure detect if a server is a web server? I thought it maybe detects it via an installed IIS but removing it from the server didn't make the warning go away. Unfortunately TLS 1.3 isn't available for our version of Windows Server, so we can't follow this recommendation.

Rob David 6 Reputation points

2021-03-22T19:24:40.83+00:00

I am seeing the same behavior on servers that are not even web servers. Do you know how this is being detected? Is it simply looking for the presence of certain registry keys?
Sign in to comment
Morsi MASMOUDI 46 Reputation points

2021-03-23T10:41:11.837+00:00

I have the same issue with my windows server 2019 vm. The security center advise me to "Windows web servers should be configured to use secure communication protocols" so as i think we can not ignore the recommendation. i use the vm with a desktop software.
The Remediation steps in Azure portal is not very clear, and i can't find the key for Winhttp for exemple.

So please, how can we resolve the issue ?

Thanks.
Please sign in to rate this answer.
SaiKishor-MSFT 17,211 Reputation points

2021-03-23T14:30:18.627+00:00

@Morsi MASMOUDI Could you confirm if you have the guest configuration extension installed on the VM?

Stephen P 41 Reputation points

2021-03-23T17:17:18.777+00:00

I have exactly the same issue on two VMs, both Windows Server 2019 Datacenter. I had, I thought, tweaked the Registry as per the remediation instructions, but you cannot tell IIS to deny legacy protocols in Windows Server 2019 Datacenter (build 1809) it seems. The Security Center shouldn't be flagging up deficiencies that cannot be remediated, as that obscures the ones that can. It is my major disappointment with Azure.

@SaiKishor-MSFT What does the Guest Configuration Extension look like? It isn't on my main machine, and I couldn't find it in the list of extension when I asked to add it.

A general observation is that the Security Center is great at pointing out deficiencies, but not so good at remediation instructions, not does it seem possible to run a quick interrogation to check if one has remediated the deficiency correctly.

Morsi MASMOUDI 46 Reputation points

2021-03-24T14:53:56.92+00:00

Are you talking about the "Guest + Host update" menu of the Azure portal? I just enabled the "update management"

SaiKishor-MSFT 17,211 Reputation points

2021-03-29T21:03:13.503+00:00

@Morsi MASMOUDI

Here are more details regarding Guest Extension- https://learn.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create.

At the moment we are investigating internally regarding this and will update this thread soon with any further updates from our internal team. We appreciate your patience in the meanwhile. Thank you!

Morsi MASMOUDI 46 Reputation points

2021-03-30T08:07:15.437+00:00

Thank you for your time on the problem

SaiKishor-MSFT 17,211 Reputation points

2021-03-30T14:40:08.807+00:00

@Morsi MASMOUDI Do you have the Guest configuration agent installed on the VMs?

Stephen P 41 Reputation points

2021-03-31T09:37:29.723+00:00

Thanks, I installed the Guest Configuration module, but should there not be a policy script? guest-configuration-create talks about how to install the module and how to create bits of policy. I am looking for a script that would, at a stroke, update a server to be compliant.
Sign in to comment

Share via

Windows web servers should be configured to use secure communication protocols

7 answers