SChannelDsc

This module has been moved to the DSC Community area together with all other DSC modules and now uses the DSC Community CI/CD system.

schanneldsc's Issues

MSFT_Protocol: Test-TargetResource erroneously returns false

Details of the scenario you tried and the problem that is occurring

I am attempting to configure every protocol except TLS 1.2 to be disabled.

In MSFT_Protocol.psm1, Test-TargetResource calls Get-TargetResource to get the current values of the SChannel Protocol registry values. On my machine, the DisabledByDefault flag is set to 1 for every server protocol except TLS 1.2. However, the following lines seem to cause an issue that causes $serverResult to always be $null (and similarly for $clientResult):

$serverItemKey = $itemKey + '\Server'
$serverEnabledResult = Get-SChannelItem -ItemKey $serverItemKey
$serverDisabledByDefaultResult = Get-SChannelItem -ItemKey $serverItemKey `
                                                      -ItemValue 'DisabledByDefault'

$serverResult = $null
if ($serverEnabledResult -eq $serverDisabledByDefaultResult)
{
    $serverResult = $serverEnabledResult
}

It seems to me as if you try to set 'Enabled' = 0 on a protocol where 'DisabledByDefault' = 1, and conversely if you try to set 'Enabled' = 1 on a protocol where 'DisabledByDefault' = 0, $serverResult will always equal $null, which causes the compliance check in Test-TargetResource to always return $false.

Verbose logs showing the problem

VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Testing configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Getting configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Current Values: IncludeClientSide=True;
Protocol=TLS 1.2; State=
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Target Values: IncludeClientSide=True;
Protocol=TLS 1.2; State=Enabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Protocol TLS 1.2 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]EnableTLS12] in 0.1410 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Setting configuration for protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Enabling Protocol TLS 1.2
VERBOSE: [BAUE-BE001]: [[Protocol]EnableTLS12] Enabling Protocol TLS 1.2
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]EnableTLS12] in 0.0620 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]EnableTLS12]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Testing configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Getting configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Current Values: IncludeClientSide=True;
Protocol=TLS 1.1; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Target Values: IncludeClientSide=True;
Protocol=TLS 1.1; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Protocol TLS 1.1 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableTLS11] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Setting configuration for protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Disabling Protocol TLS 1.1
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS11] Disabling Protocol TLS 1.1
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableTLS11] in 0.0320 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableTLS11]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Testing configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Getting configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Current Values: IncludeClientSide=True;
Protocol=TLS 1.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Target Values: IncludeClientSide=True;
Protocol=TLS 1.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Protocol TLS 1.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableTLS10] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Setting configuration for protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Disabling Protocol TLS 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableTLS10] Disabling Protocol TLS 1.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableTLS10] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableTLS10]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Testing configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Getting configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Current Values: IncludeClientSide=True;
Protocol=SSL 3.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Target Values: IncludeClientSide=True;
Protocol=SSL 3.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Protocol SSL 3.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableSSL3] in 0.0310 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Setting configuration for protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Disabling Protocol SSL 3.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL3] Disabling Protocol SSL 3.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableSSL3] in 0.0150 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableSSL3]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Testing configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Getting configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Current Values: IncludeClientSide=True;
Protocol=SSL 2.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Target Values: IncludeClientSide=True;
Protocol=SSL 2.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Protocol SSL 2.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableSSL2] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Setting configuration for protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Disabling Protocol SSL 2.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisableSSL2] Disabling Protocol SSL 2.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableSSL2] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableSSL2]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Testing configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Getting configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Current Values: IncludeClientSide=True;
Protocol=PCT 1.0; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Target Values: IncludeClientSide=True;
Protocol=PCT 1.0; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Protocol PCT 1.0 not compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisablePCT1] in 0.0470 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Setting configuration for protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Disabling Protocol PCT 1.0
VERBOSE: [BAUE-BE001]: [[Protocol]DisablePCT1] Disabling Protocol PCT 1.0
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisablePCT1] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisablePCT1]
VERBOSE: [BAUE-BE001]: LCM: [ Start Resource ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: LCM: [ Start Test ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Testing configuration for protocol
Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Getting configuration for protocol
Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Current Values: IncludeClientSide=True;
Protocol=Multi-Protocol Unified Hello; State=
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Target Values: IncludeClientSide=True;
Protocol=Multi-Protocol Unified Hello; State=Disabled; Verbose=True
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Protocol Multi-Protocol Unified Hello not
compliant.
VERBOSE: [BAUE-BE001]: LCM: [ End Test ] [[Protocol]DisableMPUH] in 0.0930 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ Start Set ] [[Protocol]DisableMPUH]
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Setting configuration for protocol
Multi-Protocol Unified Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Disabling Protocol Multi-Protocol Unified
Hello
VERBOSE: [BAUE-BE001]: [[Protocol]DisableMPUH] Disabling Protocol Multi-Protocol Unified
Hello
VERBOSE: [BAUE-BE001]: LCM: [ End Set ] [[Protocol]DisableMPUH] in 0.0160 seconds.
VERBOSE: [BAUE-BE001]: LCM: [ End Resource ] [[Protocol]DisableMPUH]

Suggested solution to the issue

Change to

$serverResult = $null
if ($serverEnabledResult -eq 'Enabled' -or $serverEnabledResult -eq 'Disabled' -or $serverEnabledResult -eq $serverDisabledByDefaultResult)
{
    $serverResult = $serverEnabledResult
}

....

$clientResult = $null
if ($clientEnabledResult -eq 'Enabled' -or $clientEnabledResult -eq 'Disabled' -or $clientEnabledResult -eq $clientDisabledByDefaultResult)
{
    $clientResult = $clientEnabledResult
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

configuration BaueBeConfig
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName SChannelDsc

    Node localhost
    {
        # Configure TLS to only support TLS 1.2
        $protocols = @(
            @{ResourceName = "EnableTLS12"; Protocol = "TLS 1.2"; State = "Enabled"},
            @{ResourceName = "DisableTLS11"; Protocol = "TLS 1.1"; State = "Disabled"},
            @{ResourceName = "DisableTLS10"; Protocol = "TLS 1.0"; State = "Disabled"},
            @{ResourceName = "DisableSSL3"; Protocol = "SSL 3.0"; State = "Disabled"},
            @{ResourceName = "DisableSSL2"; Protocol = "SSL 2.0"; State = "Disabled"},
            @{ResourceName = "DisablePCT1"; Protocol = "PCT 1.0"; State = "Disabled"},
            @{ResourceName = "DisableMPUH"; Protocol = "Multi-Protocol Unified Hello"; State = "Disabled"}
        )

        $ciphers = @(
            @{ResourceName = "EnableAES128"; Cipher = "AES 128/128"; State = "Enabled"},
            @{ResourceName = "EnableAES256"; Cipher = "AES 256/256"; State = "Enabled"},
            @{ResourceName = "DisableDES56"; Cipher = "DES 56/56"; State = "Disabled"},
            @{ResourceName = "DisableNULL"; Cipher = "NULL"; State = "Disabled"},
            @{ResourceName = "DisableRC2128128"; Cipher = "RC2 128/128"; State = "Disabled"},
            @{ResourceName = "DisableRC240128"; Cipher = "RC2 40/128"; State = "Disabled"},
            @{ResourceName = "DisableRC256128"; Cipher = "RC2 56/128"; State = "Disabled"},
            @{ResourceName = "DisableRC4128128"; Cipher = "RC4 128/128"; State = "Disabled"},
            @{ResourceName = "DisableRC440128"; Cipher = "RC4 40/128"; State = "Disabled"},
            @{ResourceName = "DisableRC456128"; Cipher = "RC4 56/128"; State = "Disabled"},
            @{ResourceName = "DisableRC464128"; Cipher = "RC4 64/128"; State = "Disabled"},
            @{ResourceName = "DisableTripleDES168"; Cipher = "Triple DES 168"; State = "Disabled"}
        )

        $hashes = @(
            @{ResourceName = "EnableSHA256"; Hash = "SHA256"; State = "Enabled"},
            @{ResourceName = "EnableSHA384"; Hash = "SHA384"; State = "Enabled"},
            @{ResourceName = "EnableSHA512"; Hash = "SHA512"; State = "Enabled"},
            @{ResourceName = "DisableMD5"; Hash = "MD5"; State = "Disabled"},
            @{ResourceName = "DisableSHA"; Hash = "SHA"; State = "Disabled"}
        )

        $keyExchangeAlgorithms = @(
            @{ResourceName = "EnableDiffieHellman"; KeyExchangeAlgorithm = "Diffie-Hellman"; State = "Enabled"},
            @{ResourceName = "EnablePKCS"; KeyExchangeAlgorithm = "PKCS"; State = "Enabled"},
            @{ResourceName = "EnableECDH"; KeyExchangeAlgorithm = "ECDH"; State = "Enabled"}
        )

        foreach ($protocol in $protocols)
        {
            Protocol $protocol.ResourceName
            {
                Protocol    = $protocol.Protocol
                State       = $protocol.State
                IncludeClientSide = $true
            }
        }

        foreach ($cipher in $ciphers)
        {
            Cipher $cipher.ResourceName
            {
                Cipher  = $cipher.Cipher
                State   = $cipher.State
            }
        }

        foreach ($hash in $hashes)
        {
            Hash $hash.ResourceName
            {
                Hash    = $hash.Hash
                State   = $hash.State
            }
        }

        foreach ($kea in $keyExchangeAlgorithms)
        {
            KeyExchangeAlgorithm $kea.ResourceName
            {
                KeyExchangeAlgorithm = $kea.KeyExchangeAlgorithm
                State                = $kea.State
            }
        }

        CipherSuites ConfigureCipherSuites
        {
            IsSingleInstance    = "Yes"
            CipherSuitesOrder   = @(
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
            )
            Ensure = "Present"
        }

        SChannelSettings ConfigureSChannel
        {
            IsSingleInstance = "Yes"
            TLS12State = "Enabled"
            DiffieHellmanMinClientKeySize = 2048
            DiffieHellmanMinServerKeySize = 2048
            EnableFIPSAlgorithmPolicy = $false
        }
    }
}

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version of Windows that is used (e.g. Windows Server 2016)

Windows Server 2019

Version and build of PowerShell the target node is running

PSVersion: 5.1.17763.771
BuildVersion: 10.0.17763.771

Version of the DSC module that was used ('dev' if using current dev branch)

1.0.0.0
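The issue above turns on how the two registry values the Protocol resource manages, Enabled and DisabledByDefault, are folded into a single state. The following script is an added example written for this page; it is not part of the issue and not SChannelDsc code, and it does not call Get-SChannelItem or any other module function. It reads the documented SCHANNEL protocol location directly and classifies each side (Server/Client) with an explicit rule, so that the common "Enabled=0, DisabledByDefault=1" combination yields a definite 'Disabled' rather than an indeterminate result. The function names, the state labels ('OSDefault', 'DisabledByDefault') and the classification rule are this example's own simplification, not the module's.

```powershell
# Added example, not SChannelDsc code. Reads the per-protocol Server/Client values under
# the documented SCHANNEL registry location and reports an effective state per side, so a
# drift check has a deterministic answer for every combination of the two DWORDs.

$script:SChannelProtocolRoot =
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function ConvertTo-SChannelProtocolState
{
    # Classification used by this example (a simplification, not the module's rule):
    #   Enabled = 0                          -> 'Disabled'          (Enabled=0 wins regardless of DisabledByDefault)
    #   Enabled <> 0, DisabledByDefault <> 0 -> 'DisabledByDefault' (not offered unless an application asks for it)
    #   Enabled <> 0, DisabledByDefault = 0  -> 'Enabled'
    #   neither value present                -> 'OSDefault'         (the OS default for that protocol applies)
    param
    (
        [AllowNull()] $Enabled,           # DWORD; Get-ItemProperty returns 0xFFFFFFFF as -1, which is still "non-zero"
        [AllowNull()] $DisabledByDefault  # DWORD 0/1
    )

    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OSDefault' }
    if ($null -ne $Enabled -and $Enabled -eq 0)               { return 'Disabled' }
    if ($null -ne $DisabledByDefault -and $DisabledByDefault -ne 0) { return 'DisabledByDefault' }
    return 'Enabled'
}

function Get-SChannelProtocolState
{
    param
    (
        [Parameter(Mandatory = $true)] [string] $Protocol,
        [Parameter(Mandatory = $true)] [ValidateSet('Server', 'Client')] [string] $Side
    )

    $path = Join-Path -Path $script:SChannelProtocolRoot -ChildPath "$Protocol\$Side"
    $enabled = $null
    $disabledByDefault = $null

    if (Test-Path -Path $path)
    {
        $item = Get-ItemProperty -Path $path
        # Read each value only if it exists; an absent value stays $null so the
        # classification can tell "not configured" apart from "set to 0".
        if ($item.PSObject.Properties.Name -contains 'Enabled')           { $enabled = $item.Enabled }
        if ($item.PSObject.Properties.Name -contains 'DisabledByDefault') { $disabledByDefault = $item.DisabledByDefault }
    }

    [PSCustomObject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = ConvertTo-SChannelProtocolState -Enabled $enabled -DisabledByDefault $disabledByDefault
    }
}

function Test-SChannelProtocolCompliance
{
    # Compares a desired 'Enabled'/'Disabled' with the observed state of each side.
    # 'OSDefault' and 'DisabledByDefault' never match a desired 'Disabled': in both cases
    # the protocol can still be negotiated, so they are reported as drift, not as a match.
    param
    (
        [Parameter(Mandatory = $true)] [string] $Protocol,
        [Parameter(Mandatory = $true)] [ValidateSet('Enabled', 'Disabled')] [string] $State,
        [bool] $IncludeClientSide = $true
    )

    $sides = @('Server')
    if ($IncludeClientSide) { $sides += 'Client' }

    foreach ($side in $sides)
    {
        $observed = Get-SChannelProtocolState -Protocol $Protocol -Side $side
        [PSCustomObject]@{
            Protocol  = $Protocol
            Side      = $side
            Desired   = $State
            Observed  = $observed.State
            Compliant = ($observed.State -eq $State)
        }
    }
}

# Same protocol list as the configuration in the issue (constructed here for the example).
$desired = @(
    @{ Protocol = 'TLS 1.2'; State = 'Enabled' },
    @{ Protocol = 'TLS 1.1'; State = 'Disabled' },
    @{ Protocol = 'TLS 1.0'; State = 'Disabled' },
    @{ Protocol = 'SSL 3.0'; State = 'Disabled' },
    @{ Protocol = 'SSL 2.0'; State = 'Disabled' },
    @{ Protocol = 'PCT 1.0'; State = 'Disabled' },
    @{ Protocol = 'Multi-Protocol Unified Hello'; State = 'Disabled' }
)

foreach ($d in $desired)
{
    Test-SChannelProtocolCompliance -Protocol $d.Protocol -State $d.State
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the node before and after applying the configuration: a protocol whose key is missing shows up as 'OSDefault' and is reported as non-compliant, which is the same outcome the verbose log above shows for an empty "State=". The difference is that the classification stays deterministic once values are written, so a second run of the check reports compliance instead of re-running Set on every consistency pass.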
