Azure Introduction
Azure Pricing
Azure Threats
Unsafe TLS Version Supported
More Info:
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCIDSS.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, CISAZURE, CBP, ISO27001
Triage and Remediation
Remediation
To remediate the unsafe TLS version supported misconfiguration in Azure using the Azure console, follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Navigate to the resource group that contains the affected resource.
- Select the affected resource.
- Click on the “Networking” tab.
- Under the “Settings” section, click on “SSL/TLS settings”.
- In the “Minimum TLS version” dropdown, select the recommended version (TLS 1.2 or higher).
- Save the changes by clicking on the “Save” button.
Once the changes are saved, the affected resource will only allow connections using the recommended TLS version (TLS 1.2 or higher), which will ensure that the communication is secure and encrypted.
To remediate the “Unsafe TLS Version Supported” misconfiguration for AZURE using AZURE CLI, follow these steps:
-
Open the AZURE CLI and login to your AZURE account using the command
az login. -
Once you are logged in, run the following command to list all the available App Services in your AZURE account:
az webapp list --query "[].{name:name, resourceGroup:resourceGroup}"This command will list all the available App Services in your AZURE account along with their resource group.
-
Choose the App Service for which you want to remediate the “Unsafe TLS Version Supported” misconfiguration and note down its name and resource group.
-
Run the following command to update the TLS version for the chosen App Service:
az webapp config set --name <app-name> --resource-group <resource-group> --min-tls-version 1.2Replace
<app-name>with the name of your chosen App Service and<resource-group>with its resource group.This command will set the minimum TLS version to 1.2 for the chosen App Service, which is the recommended version for secure communication.
-
Verify that the TLS version has been updated successfully by running the following command:
az webapp config show --name <app-name> --resource-group <resource-group> --query "minTlsVersion"This command will return the minimum TLS version set for the chosen App Service. If it returns “1.2”, then the remediation is successful.
By following these steps, you can remediate the “Unsafe TLS Version Supported” misconfiguration for an App Service in AZURE using AZURE CLI.
To remediate the “Unsafe TLS Version Supported” misconfiguration in AZURE using Python, you can follow the below steps:
Step 1: Identify the affected resources
- Use the Azure Security Center to identify the affected resources that have unsafe TLS versions enabled.
Step 2: Update the TLS Version
- Use the Azure Python SDK to update the TLS version for the affected resources.
- Install the Azure Python SDK using the following command:
pip install azure - Use the following code to update the TLS version for an App Service:
from azure.mgmt.web import WebSiteManagementClient
from azure.common.credentials import ServicePrincipalCredentials
# Set up Azure credentials
subscription_id = 'your-subscription-id'
client_id = 'your-client-id'
secret = 'your-client-secret'
tenant = 'your-tenant-id'
credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant)
# Set up the WebSiteManagementClient
web_client = WebSiteManagementClient(credentials, subscription_id)
# Update TLS version for the App Service
app_service_name = 'your-app-service-name'
resource_group_name = 'your-resource-group-name'
site_config = web_client.web_apps.get_configuration(resource_group_name, app_service_name)
site_config.min_tls_version = '1.2'
web_client.web_apps.update_configuration(resource_group_name, app_service_name, site_config)
Step 3: Verify the remediation
- Use the Azure Security Center to verify that the unsafe TLS versions have been disabled for the affected resources.
- You can also use the Azure Python SDK to verify the TLS version for an App Service:
# Verify TLS version for the App Service
site_config = web_client.web_apps.get_configuration(resource_group_name, app_service_name)
print(site_config.min_tls_version)
This should remediate the “Unsafe TLS Version Supported” misconfiguration for Azure using Python.