More Info:

Ensure that the tls_version parameter is set to TLSV1.2

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the TLS Protocol Latest Version misconfiguration in Azure using the Azure console, follow the steps below:Step 1: Log in to the Azure portal and navigate to the virtual machine that needs to be remediated.Step 2: Open the virtual machine and click on the “Networking” tab.Step 3: Under “Settings”, click on “Network Security Group”.Step 4: Click on the Network Security Group that is associated with the virtual machine.Step 5: Click on “Inbound security rules” and then click on “Add”.Step 6: In the “Add inbound security rule” page, enter the following details:
  • Name: A name for the rule (e.g. “TLS Latest Version”)
  • Priority: A priority number for the rule (e.g. 100)
  • Source: Any
  • Source port ranges: *
  • Destination: Any
  • Destination port ranges: 443
  • Protocol: TCP
  • Action: Allow
  • Priority: 100
Step 7: Click on “Review + create” and then click on “Create” to create the new inbound security rule.Step 8: Once the rule is created, it will be automatically applied to the virtual machine.By following these steps, you have successfully remediated the TLS Protocol Latest Version misconfiguration in Azure using the Azure console.

To remediate the TLS protocol version misconfiguration in Azure using Azure CLI, you can follow the below steps:
  1. Open the Azure CLI on your local machine or Azure Cloud Shell.
  2. Run the following command to check the TLS protocol version: 
    az webapp config ssl list --resource-group <resource_group_name> --name <app_name> --query "[].{protocolVersion:protocols[0].protocol}" --output table
    This command will list the TLS protocol version of the specified App Service.
  3. If the TLS protocol version is not the latest version, you can update it by running the following command: 
    az webapp config ssl update --resource-group <resource_group_name> --name <app_name> --protocols 'TLSv1.2'
    This command will update the TLS protocol version to the latest version (TLSv1.2).
  4. After running the above command, you can verify the TLS protocol version again by running the first command mentioned above. 
    az webapp config ssl list --resource-group <resource_group_name> --name <app_name> --query "[].{protocolVersion:protocols[0].protocol}" --output table
    This command should now display the updated TLS protocol version.
By following these steps, you can remediate the TLS protocol version misconfiguration in Azure using Azure CLI.
To remediate the TLS Protocol Latest Version misconfiguration in AZURE using Python, follow these steps:
  1. Identify the resources that are affected by the misconfiguration. This can be done by using the Azure CLI command az resource list.
  2. For each affected resource, check if the TLS protocol version is up to date. This can be done by using the requests library in Python to make a test request to the resource using the TLSv1_2 protocol. If the request succeeds, then the TLS protocol version is up to date. If the request fails, then the TLS protocol version is not up to date.
  3. If the TLS protocol version is not up to date, update the resource to use the latest TLS protocol version. This can be done by using the Azure Python SDK to update the resource’s configuration. The specific steps will depend on the type of resource that is affected.
  4. After updating the resource, verify that the TLS protocol version is up to date by repeating step 2.
Here is a sample Python code that can be used to check and remediate the TLS Protocol Latest Version misconfiguration for Azure Web Apps:
import requests
from azure.identity import DefaultAzureCredential
from azure.mgmt.web import WebSiteManagementClient

# Set the Azure subscription ID, resource group name, and web app name
subscription_id = 'your-subscription-id'
resource_group_name = 'your-resource-group-name'
web_app_name = 'your-web-app-name'

# Authenticate using the default Azure credentials
credential = DefaultAzureCredential()

# Create the Azure Web Apps management client
web_client = WebSiteManagementClient(credential, subscription_id)

# Get the web app resource ID
web_app = web_client.web_apps.get(resource_group_name, web_app_name)
web_app_id = web_app.id

# Check if the TLS protocol version is up to date
test_url = f'https://{web_app_name}.azurewebsites.net'
response = requests.get(test_url, verify=False)
if response.status_code == 200:
    print('TLS protocol version is up to date')
else:
    print('TLS protocol version is not up to date')

    # Update the web app to use the latest TLS protocol version
    web_app_config = web_client.web_apps.get_configuration(resource_group_name, web_app_name)
    web_app_config.min_tls_version = '1.2'
    web_client.web_apps.update_configuration(resource_group_name, web_app_name, web_app_config)

    # Verify that the TLS protocol version is up to date
    response = requests.get(test_url, verify=False)
    if response.status_code == 200:
        print('TLS protocol version has been updated')
    else:
        print('Failed to update TLS protocol version')