BipinP-0506 asked StephenP-4813 commented

Windows web servers should be configured to use secure communication protocols

I have 1 Azure VM named rabbitMQ-rm-1. This machine has Windows (Windows Server 2012 R2 Datacenter). I have installed only RabbitMQ 3.8.11 and the latest Erlang OTP 23 installers. Basically, this machine provides a scalable platform for sending and receiving messages with the help of the RabbitMQ message broker.

In the Azure portal, I have allowed only one inbound port rule, for port 5672, in the network security group. I have gone through the given articles, but "Windows web servers should be configured to use secure communication protocols" is not getting resolved.

In Advisor recommendations I am facing the following issues:
1) All network ports should be restricted on network security groups associated with your virtual machine
2) Windows web servers should be configured to use secure communication protocols

Can you please help me to resolve these issues?



deanjohnson-3248 answered deanjohnson-3248 edited



To get to the screen that people couldn't find, you go to the VM -> Policies -> "Azure Security Benchmark" -> "Policies" -> "Windows web servers should be configured to use secure communication protocols" -> "Details".

I hope this helps someone.

migreene answered migreene commented

The following doc page was published as a result of this discussion, to help make it easier to find the actual scripts used to audit/apply built-in content packages.

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-packages


@migreene Why do we get an error if everything is configured correctly?

migreene, replying to LeandroRampanelli-3284:

Can you confirm:
1. The machine has the GC extension
2. The machine has a MI
3. The reg key inside the machine is set to use a secure protocol for Server

In most cases, the issue has been #1 or #2. The error messages for missing dependencies will be more clear very soon. We also are working with the security center team on making provisioning of the extension easier.

Keep feedback coming. It is appreciated.

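For migreene's third check (the server-side protocol registry keys inside the machine), the following is an added example and not code from this thread or from Microsoft: a read-only audit, run in an elevated PowerShell session on the Windows VM itself, of the SChannel "Server" keys for each protocol, whether the IIS role is present (the recommendation is scoped to web servers), and the WinHTTP and .NET Framework keys that later comments in this thread mention. It changes nothing. The registry paths are the standard ones; the helper name Get-SchannelServerState and the verdict at the end (legacy protocols explicitly disabled, TLS 1.2 not disabled) are assumptions, since this thread does not settle which protocol set the policy actually demands.

```powershell
# Added example, not code from this thread or from Microsoft. Read-only audit of the
# on-VM TLS settings; run as administrator on the Windows Server VM. The pass/fail
# verdict at the end is an assumption (legacy off, TLS 1.2 not off), used only to show
# what is still open, not the policy's exact rule.

$SchannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$ModernProtocols = @('TLS 1.2')

# Hypothetical helper: reads <Protocol>\Server and reports Enabled / DisabledByDefault.
function Get-SchannelServerState {
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    if (-not (Test-Path $key)) {
        # No key at all: the operating system default for this protocol applies.
        return [pscustomobject]@{ Protocol = $Protocol; Enabled = $null; DisabledByDefault = $null; Note = 'key absent (OS default)' }
    }
    $p = Get-ItemProperty -Path $key
    $enabled  = $null
    $disabled = $null
    if ($null -ne $p.Enabled)           { $enabled  = ([int]$p.Enabled -ne 0) }
    if ($null -ne $p.DisabledByDefault) { $disabled = ([int]$p.DisabledByDefault -ne 0) }
    [pscustomobject]@{ Protocol = $Protocol; Enabled = $enabled; DisabledByDefault = $disabled; Note = $key }
}

$states = foreach ($proto in ($LegacyProtocols + $ModernProtocols)) { Get-SchannelServerState -Protocol $proto }
$states | Format-Table -AutoSize

# A legacy protocol counts as "explicitly off" only when Enabled=0 or DisabledByDefault=1 is present.
$stillAllowed = $states | Where-Object {
    $_.Protocol -in $LegacyProtocols -and -not ($_.Enabled -eq $false -or $_.DisabledByDefault -eq $true)
}
$tls12Off = $states | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Enabled -eq $false }

# The recommendation targets web servers, so record whether the IIS role is installed.
$web = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
"Web-Server (IIS) role installed: $([bool]($web -and $web.Installed))"

# WinHTTP default secure protocols (DWORD bitmask; absent means the OS default applies).
$winhttp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -ErrorAction SilentlyContinue
if ($null -ne $winhttp.DefaultSecureProtocols) {
    'WinHTTP DefaultSecureProtocols: 0x{0:X8}' -f $winhttp.DefaultSecureProtocols
} else {
    'WinHTTP DefaultSecureProtocols: not set'
}

# .NET Framework 4.x: strong crypto and "use the OS default TLS versions" switches.
$net = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
".NET SchUseStrongCrypto: $($net.SchUseStrongCrypto)  SystemDefaultTlsVersions: $($net.SystemDefaultTlsVersions)"

if ($stillAllowed) {
    Write-Warning ('Server-side legacy protocols not explicitly disabled: ' + ($stillAllowed.Protocol -join ', '))
} elseif ($tls12Off) {
    Write-Warning 'TLS 1.2 is explicitly disabled server side; a web server would be left without a modern protocol.'
} else {
    'SChannel server-side protocol keys look hardened (legacy off, TLS 1.2 not disabled).'
}
```

Run it before and after touching the registry to see what the machine itself reports; it does not tell you what the Guest Configuration agent will report, which also depends on the extension and identity checks above, but it removes the guesswork about which keys are actually set.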

The machine doesn't have 1 and 2, but everything regarding security is configured.

Maybe the message is not as clear as you mention.

Also, the doc you provided is quite hard to understand: is that to stop the message, or to solve the issue? How can I start?

Thank you for your help

TheyssensKoen-8228 answered StephenP-4813 commented

@StephenP-4813

Have a look at the exact compliance reason in the recommendation.

In my case, on my end it said GCExtensionInstalled=False;MSIEnabled=False;UserIdentityEnabled=False

This is what I did to fix it:

A. GCExtensionInstalled:

Install the Guest Configuration extension on your VM - I did this via Azure CLI:

# Azure CLI: select the subscription
az account set --subscription "MY SUBSCRIPTION NAME"
# Az PowerShell equivalent of the same step
Select-AzSubscription -SubscriptionName "MY SUBSCRIPTION NAME"
# Azure CLI: install the Guest Configuration extension on the VM
az vm extension set --publisher Microsoft.GuestConfiguration --name ConfigurationforWindows --extension-instance-name AzurePolicyforWindows --resource-group MYRESOURCEGROUP --vm-name MYVM

B. MSIEnabled:

Don't go looking for installation (msi) options. This means your VM doesn't have a Managed System Identity.

To fix this, follow this article: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

Or in short, open the Azure PORTAL, go to your VM - Settings - Identity and enable the System Assigned Identity.

C. UserIdentityEnabled:

  • First, Go to "Managed Identities" in the portal

  • Create a new Managed Identity (select subscription, resource group), put it in the right region and give it a RECOGNIZABLE name (e.g. MY-USER-IDENTITY-VM)

  • Next, go to your VM again

  • Next, go to Settings - Identity

  • Now, select User Assigned Identities

  • Click Add

  • Select the User Assigned Identity that you just created (e.g. MY-USER-IDENTITY-VM)

D. Now, rerun the compliance scan

In my case, my test case VM was in an isolated resource group, so I ran this command:

Start-AzPolicyComplianceScan -ResourceGroupName 'my-isolated-resource-group'


An hour later, my VM was marked compliant.




I'm not sure what has happened, but the issue has disappeared!

You might want to double-check that.

For me, it was suddenly no longer listed in the Advisor recommendations, but it was still there: you can find it through "Policy", where it's still listed. I'm clueless at this point as to why it's no longer appearing in the Advisor recommendations.

Previously it seemed to flag it for all machines that did not have the guest extension. Now those machines will be classified as Not Applicable resources for the reason that the guest extension is not installed. The issue I am having is that with the guest extension installed on a machine that runs IIS, I am unable to remediate it. I have tried locking down TLS and ciphers for SChannel, WinHTTP, and .NET with no luck. I have an MSFT case open, but it's not promising yet.

Tried making the change. Over 48 hours later the Security Advisor still reports non-compliance, so no joy.

SaiKishor-MSFT answered StephenP-4813 commented

I see our internal team has mentioned the below steps as a probable solution to this issue:


In order for the guest configuration to work properly you need to have the Guest Configuration Extension enabled on the machine

· https://docs.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration#deploy-requirements-for-azure-virtual-machines

Below is the name of the definition which is pushing the extension

· Deploy prerequisites to enable Guest Configuration policies on virtual machines

Afterwards you need to have a managed identity which is going to authenticate the machine as it reads and writes to the Guest Configuration service.

· Add system-assigned managed identity to enable Guest Configuration assignments

· AND

· Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
After you have these in place, run the remediation tasks for the non-compliant resource.

· Remediate non-compliant resources - Azure Policy | Microsoft Docs

If everything is OK up to this point, run a policy scan on that resource as in the docs below (note that the Policy blade takes 24 h to refresh, while by forcing the scan you should see the result in less than 20 minutes)

· https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#on-demand-evaluation-scan---azure-cli

Please let us know if following these steps helps you resolve your issue. Thank you!
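As an added example, not code from either answer and not Microsoft's own deployment policies, here are steps A to D from TheyssensKoen-8228's answer and the extension / managed identity / scan sequence from this answer done end to end with Az PowerShell (Az.Compute, Az.ManagedServiceIdentity, Az.PolicyInsights), instead of the mix of Azure CLI and Az PowerShell above. It assumes you have already run Connect-AzAccount and selected the subscription. The resource group, VM and identity names are placeholders, the reason string is a constructed sample in the format the recommendation shows, and ConvertFrom-ComplianceReason is a hypothetical helper written for this example.

```powershell
# Added example, not code from this thread or from Microsoft's built-in policies.
# Reproduces the manual steps (extension, system-assigned identity, user-assigned
# identity, on-demand scan) with Az PowerShell, skipping each step whose flag in the
# compliance reason is already True.

$ResourceGroup = 'MYRESOURCEGROUP'       # placeholder
$VmName        = 'MYVM'                  # placeholder
$IdentityName  = 'MY-USER-IDENTITY-VM'   # placeholder, as in step C of the earlier answer
# Constructed sample in the format shown in the recommendation's compliance reason.
$Reason        = 'GCExtensionInstalled=False;MSIEnabled=False;UserIdentityEnabled=False'

# Hypothetical helper: "Name=Bool;Name=Bool" -> hashtable of booleans.
function ConvertFrom-ComplianceReason {
    param([Parameter(Mandatory)][string]$Reason)
    $flags = @{}
    foreach ($pair in ($Reason -split ';')) {
        if ($pair -notmatch '=') { continue }
        $name, $value = $pair -split '=', 2
        $flags[$name.Trim()] = ($value.Trim() -eq 'True')
    }
    return $flags
}
$flags = ConvertFrom-ComplianceReason -Reason $Reason

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Step A: Guest Configuration extension (same publisher, type and instance name as the
# "az vm extension set" line in the earlier answer).
if (-not $flags['GCExtensionInstalled']) {
    Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
        -Name 'AzurePolicyforWindows' -Publisher 'Microsoft.GuestConfiguration' `
        -ExtensionType 'ConfigurationforWindows' -TypeHandlerVersion '1.0'
}

# Steps B and C: system-assigned identity plus a user-assigned identity, applied in one
# update so neither overwrites the other.
if (-not $flags['MSIEnabled'] -or -not $flags['UserIdentityEnabled']) {
    $uai = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName -ErrorAction SilentlyContinue
    if (-not $uai) {
        $uai = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName -Location $vm.Location
    }
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssignedUserAssigned -IdentityId $uai.Id
}

# Step D: force an evaluation instead of waiting for the periodic one, then read the
# policy states recorded for this VM.
Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroup

Get-AzPolicyState -ResourceGroupName $ResourceGroup |
    Where-Object { $_.ResourceId -eq $vm.Id } |
    Select-Object PolicyDefinitionName, ComplianceState, Timestamp |
    Format-Table -AutoSize
```

The flag-driven structure is the useful part: the compliance reason names exactly which of the three prerequisites is missing, so the script only touches what the recommendation says is wrong, and the final query shows whether the state the portal will display has actually changed rather than relying on the Advisor view, which several commenters above found lagging behind.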


I can confirm that this is the solution (combined with setting the TLS version on the VM to the minimal TLS version in the policy at least) to remediate the recommendation.


Thanks Joerg!


Quick correction: If the VM doesn't have the web server role, TLS settings are irrelevant because the recommendation relates only to web servers.


I think I have tried the remedies above, but still no joy. The recommendation also claims a freshness interval of 30 minutes, but despite it being 9:32 BST on 9 April, the last entry is 8 April at 15:44! I ran the script that is supposed to update the recommendations after making the latest change.

Why, oh why, isn't there a script to run to correct this? It takes a few minutes to create a VM, and then days to implement all the security recommendations.

MorsiMASMOUDI-7440 answered StephenP-4813 commented

I have the same issue with my Windows Server 2019 VM. Security Center advises me that "Windows web servers should be configured to use secure communication protocols", so I think we cannot ignore the recommendation. I use the VM with desktop software.
The remediation steps in the Azure portal are not very clear, and I can't find the key for WinHTTP, for example.

So please, how can we resolve the issue?

Thanks.


@MorsiMASMOUDI-7440 Could you confirm if you have the guest configuration extension installed on the VM?


I have exactly the same issue on two VMs, both Windows Server 2019 Datacenter. I had, I thought, tweaked the Registry as per the remediation instructions, but you cannot tell IIS to deny legacy protocols in Windows Server 2019 Datacenter (build 1809) it seems. The Security Center shouldn't be flagging up deficiencies that cannot be remediated, as that obscures the ones that can. It is my major disappointment with Azure.

@SaiKishor-MSFT What does the Guest Configuration Extension look like? It isn't on my main machine, and I couldn't find it in the list of extensions when I asked to add it.

A general observation is that the Security Center is great at pointing out deficiencies, but not so good at remediation instructions, nor does it seem possible to run a quick interrogation to check if one has remediated the deficiency correctly.

Are you talking about the "Guest + Host update" menu of the Azure portal? I just enabled the "update management"


@MorsiMASMOUDI-7440

Here are more details regarding the Guest Extension: https://docs.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create.

At the moment we are investigating internally regarding this and will update this thread soon with any further updates from our internal team. We appreciate your patience in the meanwhile. Thank you!

SaiKishor-MSFT answered Joerg-9481 commented

@BipinP-0506 This seems to be happening when Azure detects that the server is a web server (it is likely installed as part of your application) and it checks that TLS 1.3 is being used. Your application might not be using TLS 1.3, or even be able to use 1.3. If this is the case, you can ignore this advisory. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


@SaiKishor-MSFT I have nearly the same issue (and ignoring the recommendation isn't an option for me). How does Azure detect if a server is a web server? I thought it maybe detects it via an installed IIS but removing it from the server didn't make the warning go away. Unfortunately TLS 1.3 isn't available for our version of Windows Server, so we can't follow this recommendation.


I am seeing the same behavior on servers that are not even web servers. Do you know how this is being detected? Is it simply looking for the presence of certain registry keys?
