So Piers came to the rescue with a Compliance Setting to manage this. Luckily TLS is set at the OS level via registry keys so it is not that difficult to manage. Piers enjoys using PowerShell so he went that route to mitigate.
Overview
Piers created a compliance baseline in ConfigMgr which reports on the following:
Windows 7 requirements for TLS 1.2
- KB3140245 must be installed
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  - "DisabledByDefault"=dword:00000000
(Note this is slightly different.)
- KB3140245 must be installed
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  - "DisabledByDefault"=dword:00000000
  - "Enabled"=dword:00000001
  - Or "Enabled"=dword:ffffffff (0xFFFFFFFF; it equates to decimal 1 – see info here)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  - "DisabledByDefault"=dword:00000000
  - "Enabled"=dword:00000001
  - Or "Enabled"=dword:ffffffff (0xFFFFFFFF)
- Firefox has had TLS 1.2 support enabled since version 27
- For Chrome, TLS 1.2 is automatically enabled from version 29
Configuration
We created several compliance items to detect TLS 1.2 and enable it if not. For servers, they were eventually split out for the Server and Client functions of TLS (for IIS, etc.) and to make use of nice features such as Supported Platforms, so we can target them specifically for advertisements.
We are using the following discovery script for the client keys:
# Discovery script for the TLS 1.2 Client key: reports 'Found' when
# DisabledByDefault is 0, 'Not Found' when the key or value is absent,
# and 'Value=<n>' when the value exists but is not 0.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$RegName = 'DisabledByDefault'
$RegData = '0'
$Return = 'Not Found'
$RegLookUp = Get-ItemProperty -Name $RegName -Path $RegPath -ErrorAction SilentlyContinue
if ($RegLookUp.$RegName -eq $RegData) {
    $Return = 'Found'
}
if ($RegLookUp -and ($RegLookUp.$RegName -ne $RegData)) {
    $Return = 'Value=' + $RegLookUp.$RegName
}
Write-Host $Return
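The script above checks one value under one key. As an added example (not Piers's script and not part of the original post), the discovery script below generalizes it to everything the requirements list calls for: the KB3140245 prerequisite, and both DisabledByDefault and Enabled under the Client and Server keys, accepting either 1 or 0xFFFFFFFF for Enabled. It emits the single string `Compliant` when every check passes, so the Compliance rule can still compare against one expected value; otherwise it emits a semicolon-separated list of what is wrong, which shows up in the compliance report. The key path is the one from the post; the output strings are my own choice.

```powershell
# Added example: combined TLS 1.2 discovery for ConfigMgr (Client + Server keys, KB check).
# Output 'Compliant' is the string the CI rule should look for.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Problems = New-Object System.Collections.Generic.List[string]

# KB3140245 is the Windows 7 / Server 2008 R2 prerequisite named in the requirements list.
if (-not (Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)) {
    $Problems.Add('KB3140245 missing')
}

foreach ($Side in 'Client', 'Server') {
    $Key = Join-Path $Base $Side
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) {
        # Key does not exist at all: SCHANNEL falls back to its built-in defaults.
        $Problems.Add("$Side key missing")
        continue
    }
    $Names = $Props.PSObject.Properties.Name

    # DisabledByDefault must be present and exactly 0.
    if (($Names -notcontains 'DisabledByDefault') -or ($Props.DisabledByDefault -ne 0)) {
        $Problems.Add("$Side DisabledByDefault=$($Props.DisabledByDefault)")
    }

    # Enabled must be present and non-zero. PowerShell reads a REG_DWORD as Int32,
    # so 0xFFFFFFFF comes back as -1; any non-zero value is treated as enabled.
    if (($Names -notcontains 'Enabled') -or ($Props.Enabled -eq 0)) {
        $Problems.Add("$Side Enabled=$($Props.Enabled)")
    }
}

if ($Problems.Count -eq 0) {
    Write-Output 'Compliant'
} else {
    Write-Output ($Problems -join '; ')
}
```

Write-Output is used rather than Write-Host so the result is on the script's standard output regardless of PowerShell version; the Compliance rule then checks that the returned string equals `Compliant`.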
He is using a remediation script adapted from Roger Zander:
# Reg2CI (c) 2019 by Roger Zander
if ((Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client") -ne $true) {
    New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force -ErrorAction SilentlyContinue
}
New-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force -ErrorAction SilentlyContinue
The Compliance rule is pretty straightforward. It looks for "Found" from the Discovery Script.
The configuration baselines are pretty straightforward as well.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
The Client baseline contains both workstation and Server OS versions.
We have two advertisements: one to monitor, and one to remediate. The monitor is run daily and remediate is run every couple hours.
The advertisement is going to a collection that calls out the affected Operating Systems only.
For the server settings, just change the relevant registry path, as the rest is the same.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
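The remediation script in the post creates the Client key and sets DisabledByDefault only. As an added example (not Piers's or Roger Zander's code), the script below does the same for both the Client and Server keys in one pass and also sets Enabled, so a single remediation covers the full requirements list instead of needing one compliance item per path. The paths and values are those from the post; running it under the ConfigMgr client (SYSTEM) is assumed, since HKLM writes need that.

```powershell
# Added example: remediation that enables TLS 1.2 for both SCHANNEL sides.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($Side in 'Client', 'Server') {
    $Key = Join-Path $Base $Side

    if (-not (Test-Path -LiteralPath $Key)) {
        # -Force also creates the intermediate 'TLS 1.2' key when it is absent.
        New-Item -Path $Key -Force | Out-Null
    }

    # DisabledByDefault=0: TLS 1.2 is offered even when the application does not
    # explicitly request it (the value the discovery script checks for).
    New-ItemProperty -LiteralPath $Key -Name 'DisabledByDefault' -Value 0 `
        -PropertyType DWord -Force | Out-Null

    # Enabled=1 turns the protocol on; 0xFFFFFFFF is the other value SCHANNEL accepts.
    New-ItemProperty -LiteralPath $Key -Name 'Enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# SCHANNEL reads these keys when a process initialises it, so services that
# are already running (IIS, for example) pick the change up after a restart.
```

Pairing this with the combined discovery approach means the "remediate" advertisement only fires on machines where at least one of the four values, or the KB, is actually missing.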
This is a good read on it from a Dev perspective via a Microsoft Security post.