Windows web servers should be configured to use secure communication protocols

Bipin P 56

I have 1 Azure VM named rabbitMQ-rm-1. This machine has Windows (Windows Server 2012 R2 Datacenter). I have installed only RabbitMQ 3.8.11 and the latest Erlang OTP 23 installers. Basically, this machine provides a scalable platform for sending and receiving messages with the help of the RabbitMQ message broker.

In the Azure Portal, I have allowed only inbound port rule 5672 port in the Network security group. I have gone through the given articles but Windows web servers should be configured to use secure communication protocols is not getting resolved.

In Advisor recommendations facing following issues

All network ports should be restricted on network security groups associated with your virtual machine
Windows web servers should be configured to use secure communication protocols

Can you please help me to resolve these issues?

7 answers

KoenTee 6 Reputation points

2021-06-09T11:32:58.81+00:00
@Stephen P

Have a look at the exact compliance reason in the recommendation.

In my case, on my end it said GCExtensionInstalled=False;MSIEnabled=False;UserIdentityEnabled=False

This is what I did to fix it:

A. GCextensionInstalled:

Install the Guest Configuration extension on your VM - I did this via Azure CLI:

az account set --subscription "MY SUBSCRIPTION NAME"
select-azsubscription - subscriptionname "MY SUBSCRIPTION NAME"
az vm extension set --publisher Microsoft.GuestConfiguration --name ConfigurationforWindows --extension-instance-name AzurePolicyforWindows --resource-group MYRESOURCEGROUP --vm-name MYVM

B. MSIEnabled:

Don't go looking for installation (msi) options. This means your VM doesn't have a Managed System Identity

To fix this, follow this article: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

Or in short, open the Azure PORTAL, go to your VM - Settings - Identity and enable the System Assigned Identity.

C. UserIdentityEnabled:

First, Go to "Managed Identities" in the portal

Create a new Managed Identity (select subscription, resource group), put it in the right region and give it a RECOGNIZABLE name (eg MY-USER-IDENTITY-VM)

Next, go to your VM again

Next, go to Settings - Identity

Now, select User Assigned Identities

Click Add

Select the User Assigned Identity that you just created (eg MY-USER-IDENTITY-VM)

D. Now, rerun the compliancescan

In my case, my test case VM was in an isolated resource group, so I ran this command:

start-azpolicycompliancescan -resourcegroupname 'my-isolated-resource-group'

An hour later, my VM was marked compliant.
Please sign in to rate this answer.
Stephen P 41 Reputation points

2021-06-11T10:01:19.547+00:00

I'm not sure what has happened, but the issue has disappeared!

KoenTee 6 Reputation points

2021-06-11T10:19:29.767+00:00

you might want to double check that.

For me, it was suddenly no longer listed in the Advisor Recommendations but it was still there, you can find it through "POLICY", it's still listed there, I'm clueless at this point as to why it's no longer appearing in the Advisor Recommendations.

Rob David 6 Reputation points

2021-06-11T13:45:16.407+00:00

Previously it seemed to flag it for all machines that did not have the guest extension. Now those machines will be classified as Not Applicable resources for reason that the guest extension is not installed. The issue I am having is that with the guest extension installed on a machine that runs IIS I am unable to remediate it. Have tried locking down TLS and ciphers for schannel, winhttp, and .NET with no luck. Have a MSFT case open but its not promising yet.

KoenTee 6 Reputation points

2021-06-11T14:28:37.833+00:00

Do your machines have the system identity on? and a user identity assigned?

These are the reg changes I did on my iis machines.

104834-hklm-all-tls-settings.txt

Rob David 6 Reputation points

2021-06-11T15:29:30.95+00:00

System Identity. I didnt have reg settings for .net that was not installed on the machine but everything else was set. I assume you have IIS installed on these servers that are showing up compliant?

I ran the compliance scan after mimicking your reg settings and still non compliant. I have min TLS set to 1.1 in the policy.

Reason for non-compliance
No related resources match the effect details in the policy definition.

KoenTee 6 Reputation points

2021-06-14T11:21:33.897+00:00

I did indeed have IIS installed.

This morning I still had one server that was not compliant. After also disabling SSL 2.0, the machine was marked as compliant.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Rob David 6 Reputation points

2021-06-14T17:00:09.397+00:00

Where did that screengrab come from showing the detailed reason for being non-compliant? I already have SSL 2.0 reg keys in place to disable. I am working with a test server for this control and didnt actually have HTTPS enabled on the default web site so I just did that to see if that makes any difference.

KoenTee 6 Reputation points

2021-06-14T17:34:05.3+00:00

I drilled down the "compliance reason" but for the life of me (now that they all are compliant I can't reproduce it either) I can't remember how I got to that screen grab... It might have been via Policy - policies - windows web server - compliance reason...

What is the compliance reason your policy is giving you?

Rob David 6 Reputation points

2021-06-14T18:37:34.737+00:00

This is what i see in that section. Really wish I knew where you got that one from ha!

KoenTee 6 Reputation points

2021-06-15T06:39:47.743+00:00

What do you get when you click the hyperlink under "last evaluated resource"?

Rob David 6 Reputation points

2021-06-15T14:08:34.153+00:00

Well we are certainly moving the dial in the right direction now! Still not sure why its reporting this but to be honest I just installed IIS on this server and nothing else. Maybe it requires an actual cert installed and applied to a site?

KoenTee 6 Reputation points

2021-06-15T16:28:20.41+00:00

You're getting closer at least! To be sure, can you export "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]" please? All sub-entries (all but TLS 1.2) should have two keys (Client & Server) with these two (dword) values

DisabledByDefault (value 1)
Enabled (value 0)

Also please check these:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v3.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v2.0.50727]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v3.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319]

I think these last ones (if present) should have these two values:
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Rob David 6 Reputation points

2021-06-16T16:11:12.23+00:00

Progress! On my 2012R2 server i noticed that IISCrypto sets the enabled string to hex 0xffffffff instead of decimal 1 for TLS 1.2 reg keys. i changed that and 2012r2 box is compliant now. I am still fighting a 2019 box thats showing as non-compliant but it doesnt even have any web server components installed or listening on any web ports. Its a test box so I may just trash it and try a fresh 2019 to see. Thanks for the help here i will post some updates as I run some more tests.

KoenTee 6 Reputation points

2021-06-16T16:12:34.367+00:00

Aha! That's indeed what one would call progress!! Well done!

Matej Tomšić 1 Reputation point

2021-07-28T09:50:21.317+00:00

Have you managed to remediate this issue on your WS2019 ?

Im struggling with it for weeks now, both with MS support, and they cannot tell the exact .reg keys needed...

Is there a way to create remediation task ? I've deployed the policy and all it does it shows - NOT Compliant with reason:

Could not find any secure TLS protocol version enabled on this web server.

No related resources match the effect details in the policy definition.

Create remediation task is greyed out..

I've followed the instructions to Grant defined roles through portal, for the Policy Assignment ID, I gave Contributor rights on the relevant RG.

Still not able to create remediation task :/

Michael Greene 21 Reputation points Microsoft Employee

2021-07-31T08:43:48.543+00:00

The actual code is here and includes the HKLM path.

https://github.com/Azure/azure-policy/blob/064b26cf692ec637c2851b0545b6d4c9a40b4a60/samples/GuestConfiguration/package-samples/resource-modules/SecureProtocolWebServer/DscResources/SecureWebServer/SecureWebServer.psm1#L78

More information about the key is documented here:

https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings

Stephen P 41 Reputation points

2022-06-06T08:42:25.22+00:00

Tired making the change. Over 48 hours later the Security Advisor still reports non-compliance, so no joy,
Sign in to comment

Janne Kujanpää 191

I think this detection is just broken:

Even https://github.com/Azure/azure-policy/blob/5ee685dc5b31e652576460d41c0dd338fc4c282d/samples/GuestConfiguration/package-samples/resource-modules/SecureProtocolWebServer/DSCResources/SecureWebServer/SecureWebServer.psm1#L351C10-L359 returns false on our machines the compliance state is

        "resources": [
            {
                "complianceStatus": "false",
                "resourceId": "[SecureWebServer]s1",
                "properties": null,
                "reasons": [
                    {
                        "phrase": "Could not find any secure TLS protocol version enabled on this server. \n",
                        "code": "SecureProtocolWebServer:SecureWebServer:SecureTLSProtocolNotEnabled"
                    },
                    {
                        "phrase": "Displaying current status of protocols: \nSSL 2.0 - Absent \nSSL 3.0 - Absent \nTLS 1.0 - Absent \nPCT 1.0 - Absent \nMulti-Protocol Unified Hello - Absent \nTLS 1.1 - Absent \nTLS 1.2 - Absent \n",
                        "code": "SecureProtocolWebServer:SecureWebServer:DisplayProtocolInfo"
                    }
                ]
            }
        ]

Why should we configure TLS 1.1 or TLS 1.2 if we are not running any server processes or IIS?

Share via

Windows web servers should be configured to use secure communication protocols

7 answers