Minimum TLS Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure Front Door custom domains are using the latest supported version of the TLS protocol (i.e. TLS 1.2) in order to enhance security by providing stronger encryption, protecting data integrity, reducing vulnerabilities to cyber attacks, and maintaining compatibility with modern browsers.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using weak and deprecated TLS protocols can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM), and downgrade attacks. Therefore, it is strongly recommended to use the latest TLS version supported by Azure Front Door (TLS 1.2).


Audit

To determine the TLS version configured for your Azure Front Door custom domains, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.

05 Click on the name (link) of the Front Door and CDN profile that you want to examine.

06 In the resource navigation panel, under Settings, select Domains to view the custom domains managed by the selected profile.

07 Choose the domain that you want to examine and click on the status (link) of the associated SSL/TLS certificate, listed in the Certificate state.

08 On the Certificate details configuration panel, check the Minimum TLS version setting to determine the TLS version configured for the selected resource. If the Minimum TLS version is not set to TLS 1.2, the selected Azure Front Door custom domain does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

09 Repeat steps no. 7 and 8 for each custom domain managed by the selected Front Door and CDN profile.

10 Repeat steps no. 5 – 9 for each Azure Front Door and CDN profile available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the afd profile list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Front Door and CDN profile available in the current subscription:

az afd profile list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested profile identifiers:

Name                      ResourceGroup
-----------------         ------------------------------
tm-project5-cdn           cloud-shell-storage-westeurope
tm-web-portal-cdn         cloud-shell-storage-westeurope

03 Run the afd custom-domain list command (Windows/macOS/Linux) with the name of the Azure Front Door and CDN profile that you want to examine and its associated resource group as the identifier parameters, to list the name of each custom domain managed by the selected profile:

az afd custom-domain list \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

04 The command output should return the requested domain name(s):

[
	"trendmicro-com-abcd"
]

05 Run the afd custom-domain show command (Windows/macOS/Linux) with the name of the Azure Front Door custom domain that you want to examine as the identifier parameter and custom output filters to describe the Transport Layer Security (TLS) protocol version configured for the selected custom domain:

az afd custom-domain show \
  --custom-domain-name "trendmicro-com-abcd" \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --query 'tlsSettings.minimumTlsVersion'

06 The command output should return the TLS protocol version configured for the custom domain:

"TLS10"

If the TLS version returned by the afd custom-domain show command is different from "TLS12", as in the output example above, the selected Azure Front Door custom domain does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

07 Repeat steps no. 5 and 6 for each custom domain managed by the selected Front Door and CDN profile.

08 Repeat steps no. 3 – 7 for each Azure Front Door and CDN profile available in the selected Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure Front Door custom domains are using the latest supported version of the TLS protocol, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.

05 Click on the name (link) of the Front Door and CDN profile that you want to configure.

06 In the resource navigation panel, under Settings, select Domains to view the custom domains managed by the selected profile.

07 Choose the domain that you want to configure and click on the status (link) of the associated SSL/TLS certificate, listed in the Certificate state.

08 On the Certificate details configuration panel, set the Minimum TLS version setting to TLS 1.2 and choose Update to update the TLS protocol version for the selected domain to TLS 1.2.

09 Repeat steps no. 7 and 8 for each custom domain that you want to configure, managed by the selected Front Door and CDN profile.

10 Repeat steps no. 5 – 9 for each Azure Front Door and CDN profile that you want to configure, available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the afd custom-domain update command (Windows/macOS/Linux) with the name of the Azure Front Door custom domain that you want to configure as the identifier parameter, to update the TLS protocol version for the selected domain to TLS 1.2:

az afd custom-domain update \
  --custom-domain-name "trendmicro-com-abcd" \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --minimum-tls-version TLS12

02 The command output should return the configuration information available for the updated domain:

{
	"deploymentStatus": "Deployed",
	"domainValidationState": "Approved",
	"hostName": "trendmicro.com",
	"id": "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/customdomains/trendmicro-com-abcd",
	"name": "trendmicro-com-abcd",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"tlsSettings": {
		"certificateType": "ManagedCertificate",
		"minimumTlsVersion": "TLS12"
	},
	"type": "Microsoft.Cdn/profiles/customdomains",
	"validationProperties": {
		"expirationDate": "2024-08-08T10:42:59.9295318+00:00",
		"validationToken": "1234abcd-abcd-1234-abcd-abcd1234"
	}
}

03 Repeat steps no. 1 and 2 for each custom domain that you want to configure, managed by the selected Front Door and CDN profile.

04 Repeat steps no. 1 – 3 for each Azure Front Door and CDN profile that you want to configure, available in the selected Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
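The CLI audit loop (list profiles, list their custom domains, show each domain's minimum TLS version) and the remediation command above, automated as one script. This is an added example, not the Conformity page's or Azure's own tooling; it assumes an authenticated Azure CLI session with the target subscription already selected via az account set, and the RUN_AUDIT and FIX variable names are chosen here.

```shell
#!/bin/sh
# Added helper script (not from the Conformity page or the Azure CLI):
# automates the audit (az afd profile list -> custom-domain list -> show
# tlsSettings.minimumTlsVersion) and, with FIX=1, the remediation
# (az afd custom-domain update --minimum-tls-version TLS12).
# Assumes an authenticated 'az' session; nothing is called unless RUN_AUDIT=1.
set -eu
# Pure compliance check shared by the report and the tests: the value that
# '--query tlsSettings.minimumTlsVersion -o tsv' prints must be TLS12.
tls_is_compliant() {
  [ "${1:-}" = "TLS12" ]
}
# Prints one report line for profile/rg/domain/version; 0 = compliant.
report_domain() {
  if tls_is_compliant "$4"; then
    printf 'OK    %s/%s minimumTlsVersion=%s\n' "$1" "$3" "$4"
  else
    printf 'FAIL  %s/%s (rg=%s) minimumTlsVersion=%s\n' "$1" "$3" "$2" "${4:-unset}"
    return 1
  fi
}
# The manual "repeat for each domain / profile" steps as nested loops.
audit_subscription() {
  failures=0; tab=$(printf '\t')
  while IFS="$tab" read -r profile rg; do
    [ -n "$profile" ] || continue
    for domain in $(az afd custom-domain list --profile-name "$profile" \
                      --resource-group "$rg" --query '[].name' -o tsv); do
      version=$(az afd custom-domain show --custom-domain-name "$domain" \
                  --profile-name "$profile" --resource-group "$rg" \
                  --query 'tlsSettings.minimumTlsVersion' -o tsv)
      if ! report_domain "$profile" "$rg" "$domain" "$version"; then
        failures=$((failures + 1))
        if [ "${FIX:-0}" = "1" ]; then   # remediation: raise the floor to TLS 1.2
          az afd custom-domain update --custom-domain-name "$domain" \
            --profile-name "$profile" --resource-group "$rg" \
            --minimum-tls-version TLS12 --output none
        fi
      fi
    done
  done <<EOF
$(az afd profile list --query '[].[name,resourceGroup]' -o tsv)
EOF
  echo "non-compliant domains found: $failures"
  [ "$failures" -eq 0 ]
}
# Live run only on request, so the functions can be sourced and tested offline.
if [ "${RUN_AUDIT:-0}" = "1" ]; then audit_subscription; fi
```

Run it as RUN_AUDIT=1 sh audit-afd-tls.sh to report, or RUN_AUDIT=1 FIX=1 sh audit-afd-tls.sh to also update every non-compliant domain; the script exits non-zero when any domain is below TLS 1.2.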

Publication date Aug 26, 2024