This module has been moved to the DSC Community area with all other DSC modules and is using the DSC Community CD/CI system.
microsoft / SChannelDsc
SChannel DSC module
License: MIT License
I am attempting to configure every protocol except TLS 1.2 to be disabled.
In MSFT_Protocol.psm1, Test-TargetResource calls Get-TargetResource to get the current values of the SChannel Protocol registry values. On my machine, the DisabledByDefault flag is set to 1 for every server protocol except TLS 1.2. However, the following lines seem to cause an issue where $serverResult is always $null (and similarly for $clientResult):
    $serverItemKey = $itemKey + '\Server'
    $serverEnabledResult = Get-SChannelItem -ItemKey $serverItemKey
    $serverDisabledByDefaultResult = Get-SChannelItem -ItemKey $serverItemKey `
                                                      -ItemValue 'DisabledByDefault'

    $serverResult = $null
    if ($serverEnabledResult -eq $serverDisabledByDefaultResult)
    {
        $serverResult = $serverEnabledResult
    }
It seems to me as if you try to set 'Enabled' = 0 on a protocol where 'DisabledByDefault' = 1, and conversely if you try to set 'Enabled' = 1 on a protocol where 'DisabledByDefault' = 0, $serverResult will always equal $null, which causes the compliance check in Test-TargetResource to always return $false.
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Testing configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Getting configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Current Values: IncludeClientSide=True; Protocol=TLS 1.2; State=
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Target Values: IncludeClientSide=True; Protocol=TLS 1.2; State=Enabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Protocol TLS 1.2 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]EnableTLS12] in 0.1410 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Setting configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Enabling Protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Enabling Protocol TLS 1.2
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]EnableTLS12] in 0.0620 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Testing configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Getting configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Current Values: IncludeClientSide=True; Protocol=TLS 1.1; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Target Values: IncludeClientSide=True; Protocol=TLS 1.1; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Protocol TLS 1.1 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableTLS11] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Setting configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Disabling Protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Disabling Protocol TLS 1.1
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableTLS11] in 0.0320 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Testing configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Getting configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Current Values: IncludeClientSide=True; Protocol=TLS 1.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Target Values: IncludeClientSide=True; Protocol=TLS 1.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Protocol TLS 1.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableTLS10] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Setting configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Disabling Protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Disabling Protocol TLS 1.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableTLS10] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Testing configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Getting configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Current Values: IncludeClientSide=True; Protocol=SSL 3.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Target Values: IncludeClientSide=True; Protocol=SSL 3.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Protocol SSL 3.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableSSL3] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Setting configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Disabling Protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Disabling Protocol SSL 3.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableSSL3] in 0.0150 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Testing configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Getting configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Current Values: IncludeClientSide=True; Protocol=SSL 2.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Target Values: IncludeClientSide=True; Protocol=SSL 2.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Protocol SSL 2.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableSSL2] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Setting configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Disabling Protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Disabling Protocol SSL 2.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableSSL2] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Testing configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Getting configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Current Values: IncludeClientSide=True; Protocol=PCT 1.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Target Values: IncludeClientSide=True; Protocol=PCT 1.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Protocol PCT 1.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisablePCT1] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Setting configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Disabling Protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Disabling Protocol PCT 1.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisablePCT1] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Testing configuration for protocol Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Getting configuration for protocol Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Current Values: IncludeClientSide=True; Protocol=Multi-Protocol Unified Hello; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Target Values: IncludeClientSide=True; Protocol=Multi-Protocol Unified Hello; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Protocol Multi-Protocol Unified Hello not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableMPUH] in 0.0930 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Setting configuration for protocol Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Disabling Protocol Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Disabling Protocol Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableMPUH] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableMPUH]
Change to:

    $serverResult = $null
    if ($serverEnabledResult -eq 'Enabled' -or $serverEnabledResult -eq 'Disabled' -or $serverEnabledResult -eq $serverDisabledByDefaultResult)
    {
        $serverResult = $serverEnabledResult
    }

    ....

    $clientResult = $null
    if ($clientEnabledResult -eq 'Enabled' -or $clientEnabledResult -eq 'Disabled' -or $clientEnabledResult -eq $clientDisabledByDefaultResult)
    {
        $clientResult = $clientEnabledResult
    }
configuration BaueBeConfig
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName SChannelDsc

    Node localhost
    {
        # Configure TLS to only support TLS 1.2
        $protocols = @(
            @{ResourceName = "EnableTLS12"; Protocol = "TLS 1.2"; State = "Enabled"},
            @{ResourceName = "DisableTLS11"; Protocol = "TLS 1.1"; State = "Disabled"},
            @{ResourceName = "DisableTLS10"; Protocol = "TLS 1.0"; State = "Disabled"},
            @{ResourceName = "DisableSSL3"; Protocol = "SSL 3.0"; State = "Disabled"},
            @{ResourceName = "DisableSSL2"; Protocol = "SSL 2.0"; State = "Disabled"},
            @{ResourceName = "DisablePCT1"; Protocol = "PCT 1.0"; State = "Disabled"},
            @{ResourceName = "DisableMPUH"; Protocol = "Multi-Protocol Unified Hello"; State = "Disabled"}
        )

        $ciphers = @(
            @{ResourceName = "EnableAES128"; Cipher = "AES 128/128"; State = "Enabled"},
            @{ResourceName = "EnableAES256"; Cipher = "AES 256/256"; State = "Enabled"},
            @{ResourceName = "DisableDES56"; Cipher = "DES 56/56"; State = "Disabled"},
            @{ResourceName = "DisableNULL"; Cipher = "NULL"; State = "Disabled"},
            @{ResourceName = "DisableRC2128128"; Cipher = "RC2 128/128"; State = "Disabled"},
            @{ResourceName = "DisableRC240128"; Cipher = "RC2 40/128"; State = "Disabled"},
            @{ResourceName = "DisableRC256128"; Cipher = "RC2 56/128"; State = "Disabled"},
            @{ResourceName = "DisableRC4128128"; Cipher = "RC4 128/128"; State = "Disabled"},
            @{ResourceName = "DisableRC440128"; Cipher = "RC4 40/128"; State = "Disabled"},
            @{ResourceName = "DisableRC456128"; Cipher = "RC4 56/128"; State = "Disabled"},
            @{ResourceName = "DisableRC464128"; Cipher = "RC4 64/128"; State = "Disabled"},
            @{ResourceName = "DisableTripleDES168"; Cipher = "Triple DES 168"; State = "Disabled"}
        )

        $hashes = @(
            @{ResourceName = "EnableSHA256"; Hash = "SHA256"; State = "Enabled"},
            @{ResourceName = "EnableSHA384"; Hash = "SHA384"; State = "Enabled"},
            @{ResourceName = "EnableSHA512"; Hash = "SHA512"; State = "Enabled"},
            @{ResourceName = "DisableMD5"; Hash = "MD5"; State = "Disabled"},
            @{ResourceName = "DisableSHA"; Hash = "SHA"; State = "Disabled"}
        )

        $keyExchangeAlgorithms = @(
            @{ResourceName = "EnableDiffieHellman"; KeyExchangeAlgorithm = "Diffie-Hellman"; State = "Enabled"},
            @{ResourceName = "EnablePKCS"; KeyExchangeAlgorithm = "PKCS"; State = "Enabled"},
            @{ResourceName = "EnableECDH"; KeyExchangeAlgorithm = "ECDH"; State = "Enabled"}
        )

        foreach ($protocol in $protocols)
        {
            Protocol $protocol.ResourceName
            {
                Protocol          = $protocol.Protocol
                State             = $protocol.State
                IncludeClientSide = $true
            }
        }

        foreach ($cipher in $ciphers)
        {
            Cipher $cipher.ResourceName
            {
                Cipher = $cipher.Cipher
                State  = $cipher.State
            }
        }

        foreach ($hash in $hashes)
        {
            Hash $hash.ResourceName
            {
                Hash  = $hash.Hash
                State = $hash.State
            }
        }

        foreach ($kea in $keyExchangeAlgorithms)
        {
            KeyExchangeAlgorithm $kea.ResourceName
            {
                KeyExchangeAlgorithm = $kea.KeyExchangeAlgorithm
                State                = $kea.State
            }
        }

        CipherSuites ConfigureCipherSuites
        {
            IsSingleInstance  = "Yes"
            CipherSuitesOrder = @(
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
            )
            Ensure = "Present"
        }

        SChannelSettings ConfigureSChannel
        {
            IsSingleInstance              = "Yes"
            TLS12State                    = "Enabled"
            DiffieHellmanMinClientKeySize = 2048
            DiffieHellmanMinServerKeySize = 2048
            EnableFIPSAlgorithmPolicy     = $false
        }
    }
}
OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Windows Server 2019
PSVersion: 5.1.17763.771
BuildVersion: 10.0.17763.771
1.0.0.0
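Editor's note with an added example: the script below is not code from the SChannelDsc module and not part of the issue above. It audits the same two registry values per protocol and side that the quoted Get-TargetResource code reads (the documented SChannel settings under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\Server and \Client, DWORDs Enabled and DisabledByDefault), works out what SChannel will actually do with each pair, and models the equality check that the issue reports as always returning $null. The mapping it assumes for Get-SChannelItem (absent value: 'Default', 0: 'Disabled', anything else: 'Enabled', applied identically to both values) is an assumption, chosen because it reproduces what the issue observes: Enabled=0 beside DisabledByDefault=1 compares as 'Disabled' against 'Enabled' and yields $null. The function names Resolve-SChannelState, Get-SChannelProtocolState and Show-StateTable are invented for this example, and the value table in Show-StateTable is constructed, not read from any machine.

```powershell
# Added example: editor's code, not from the SChannelDsc module or the issue author.
# ASSUMPTION: the module maps both registry values the same way (absent -> 'Default',
# 0 -> 'Disabled', anything else -> 'Enabled'); this is what the issue's observation
# (Enabled=0 next to DisabledByDefault=1 giving $null) is consistent with.
Set-StrictMode -Version Latest

$script:ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Resolve-SChannelState
{
    # Raw DWORD values for one protocol/side; $null means the value is absent.
    param ($Enabled, $DisabledByDefault)

    # What SChannel does with the pair: Enabled=0 switches the protocol off outright.
    # With Enabled set to anything else (some tools write 0xFFFFFFFF, which reads back
    # as -1), DisabledByDefault=1 keeps it out of the default protocol set but still
    # lets a caller that requests it explicitly use it. An absent Enabled leaves the
    # OS default for that protocol in force, so it is reported rather than guessed.
    if ($Enabled -eq 0)                   { $effective = 'Disabled' }
    elseif ($null -eq $Enabled)           { $effective = 'OsDefault' }
    elseif ($DisabledByDefault -eq 1)     { $effective = 'EnabledOnRequestOnly' }
    elseif ($null -eq $DisabledByDefault) { $effective = 'EnabledOsDefaultOffer' }
    else                                  { $effective = 'Enabled' }

    # Model of the equality check quoted from MSFT_Protocol.psm1 (assumed mapping above).
    $fromEnabled = if ($null -eq $Enabled) { 'Default' } elseif ($Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
    $fromDbd     = if ($null -eq $DisabledByDefault) { 'Default' } elseif ($DisabledByDefault -eq 0) { 'Disabled' } else { 'Enabled' }
    $moduleState = if ($fromEnabled -eq $fromDbd) { $fromEnabled } else { $null }

    [pscustomobject]@{
        Enabled           = $Enabled
        DisabledByDefault = $DisabledByDefault
        EffectiveState    = $effective
        ModuleState       = $moduleState   # $null is the empty 'State=' in the verbose log
    }
}

function Get-SChannelProtocolState
{
    # Live read of this node's registry, one object per protocol and side.
    param (
        [string[]] $Protocol = @('Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0',
                                 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )

    foreach ($name in $Protocol)
    {
        foreach ($side in 'Server', 'Client')
        {
            $key   = Join-Path -Path $script:ProtocolsKey -ChildPath "$name\$side"
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

            # A missing key or value is kept as $null, not turned into 0: SChannel
            # treats "absent" and "0" differently, so the audit must too.
            $enabled = $null
            $dbd     = $null
            if ($null -ne $props)
            {
                if ($props.PSObject.Properties['Enabled'])           { $enabled = [int]$props.Enabled }
                if ($props.PSObject.Properties['DisabledByDefault']) { $dbd     = [int]$props.DisabledByDefault }
            }

            $state = Resolve-SChannelState -Enabled $enabled -DisabledByDefault $dbd
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                EffectiveState    = $state.EffectiveState
                ModuleState       = $state.ModuleState
            }
        }
    }
}

function Show-StateTable
{
    # Constructed value pairs (not read from any machine) covering the cases in the issue.
    $cases = @(
        @{ Enabled = 1;     DisabledByDefault = 0 }   # textbook "enabled", e.g. TLS 1.2 after Set
        @{ Enabled = 0;     DisabledByDefault = 1 }   # textbook "disabled", e.g. TLS 1.0 after Set
        @{ Enabled = $null; DisabledByDefault = 1 }   # the issue's machine before Set ran
        @{ Enabled = 1;     DisabledByDefault = 1 }   # usable only by callers that ask for it
        @{ Enabled = 0;     DisabledByDefault = 0 }   # off, whatever DisabledByDefault says
    )
    foreach ($c in $cases) { Resolve-SChannelState @c }
}

Show-StateTable | Format-Table -AutoSize

# Live audit of this node after the configuration has been applied and the node
# restarted (SChannel reads these values at startup). Anything listed is a protocol
# other than TLS 1.2 that SChannel can still use on at least one side:
# Get-SChannelProtocolState | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.EffectiveState -ne 'Disabled' }
```

Under the assumed mapping, the two registry states a hardening actually wants (Enabled=1 with DisabledByDefault=0, and Enabled=0 with DisabledByDefault=1) are exactly the pairs the equality check turns into $null, so Test-TargetResource can never report them as compliant no matter how often Set runs; the only pairs that compare equal are the ones where the two values contradict each other. The fourth row is the caveat on trusting the Enabled value alone, as the change proposed above does: Enabled=1 with DisabledByDefault=1 would be reported as 'Enabled' although SChannel offers that protocol only to callers that request it explicitly. The live audit is the check to run on a node regardless of what the resource reports, because it asks the registry the question that matters for the goal stated at the top of the issue: is anything other than TLS 1.2 still usable.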