xDscWebService: UseSecurityBestPractices sets wrong Enabled Value
Problem description
When using the UseSecurityBestPractices parameter with $true, the underlying function Set-SChannelProtocol sets a wrong value for the Enabled DWord property.
Currently the function sets the value to 0xffffffff, but based on the documentation it should be 1.
Quote from TLS 1.1
To disable the TLS 1.1 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.
We had an issue where a Netscaler client was not able to create a secure connection while the Enabled value was set to 0xffffffff, but could connect when it had been set to 1.
Verbose logs
n/a
DSC configuration
n/a
Suggested solution
Change the line
$null = New-ItemProperty -Path $registryPath -Name Enabled -Value '0xffffffff' -PropertyType 'DWord' -Force
to
$null = New-ItemProperty -Path $registryPath -Name Enabled -Value '1' -PropertyType 'DWord' -Force
Operating system the target node is running
OsName : Microsoft Windows Server 2012 R2 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 9600.20173.amd64fre.winblue_ltsb_escrow.211029-1700
OsLanguage : en-US
OsMuiLanguages : {en-US}
PowerShell version and build the target node is running
Name Value
---- -----
PSVersion 5.1.14409.1018
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14409.1018
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
xPSDesiredStateConfiguration version
Name Version Path
---- ------- ----
xPSDesiredStateConfiguration 9.1.0 C:\Program Files\WindowsPowerShell\Modules\xPSDesiredStateConfiguration\9.1.0\xPSDesiredStateConfiguration.psd1
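
A read-only check for the condition this issue describes, as an added example that is not part of the original report or of the xPSDesiredStateConfiguration module: it lists every SCHANNEL protocol subkey and flags Enabled values other than the documented 0 and 1. The function name Get-SChannelEnabledAudit and the output property names are assumptions; the base path is the standard SCHANNEL Protocols registry location.

```powershell
# Added example (hypothetical helper, not module code): audit SCHANNEL 'Enabled' values.
function Get-SChannelEnabledAudit
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [System.String]
        $BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )

    if (-not (Test-Path -Path $BasePath))
    {
        Write-Warning -Message "Path not found: $BasePath"
        return
    }

    # Each protocol key (for example 'TLS 1.1') can hold a 'Server' and a 'Client' subkey.
    foreach ($protocolKey in Get-ChildItem -Path $BasePath)
    {
        foreach ($roleKey in Get-ChildItem -Path $protocolKey.PSPath)
        {
            # RegistryKey.GetValue returns $null when the entry does not exist.
            $raw = $roleKey.GetValue('Enabled', $null)
            $hex = $null

            if ($null -eq $raw)
            {
                $state = 'NotSet'
            }
            elseif ($roleKey.GetValueKind('Enabled') -ne [Microsoft.Win32.RegistryValueKind]::DWord)
            {
                $state = 'WrongType'
            }
            else
            {
                # Compare as hex text so a signed (-1) or unsigned read of 0xffffffff looks the same.
                $hex = '0x{0:x8}' -f $raw
                $state = switch ($hex)
                {
                    '0x00000000' { 'Disabled' }
                    '0x00000001' { 'Enabled' }
                    default      { 'Undocumented' }   # e.g. 0xffffffff as reported in this issue
                }
            }

            [PSCustomObject]@{ Protocol = $protocolKey.PSChildName; Role = $roleKey.PSChildName; Enabled = $hex; State = $state }
        }
    }
}
```

Running `Get-SChannelEnabledAudit | Where-Object State -eq 'Undocumented'` on a node configured with UseSecurityBestPractices lists the subkeys that still carry a value such as 0xffffffff.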