Incorrect Detection of TLS Settings via Registry #365

Closed · anotherbridge opened this issue Sep 13, 2023 · 2 comments
Labels: wontdo (This will not be worked on)
anotherbridge commented Sep 13, 2023

Description

When running the audit test automation tool on a hardened machine, the report indicates that we have not enabled TLS v1.2, i.e. the check 1.5.1 → Enable TLS1.2 Protocol (Server) fails.

It displays the following reason:

Registry value is '4294967295'. Expected: 1

The message is totally correct, since we set the registry value to 0xffffffff which converted to decimal is exactly the number shown.

Yet, since this DWORD is a boolean value, all values other than 0 count as true.

Expectation

The test should pass.

Suggestion

From the above description I would suggest taking any value from the set $\{x \mid x \in \mathbb{N}_0,\ 0 < x \leq 4294967295\}$ as a valid setting. This would of course also hold for other boolean values set as a DWORD.

Please let me know your thoughts about this.
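The following PowerShell is an added example to make the disagreement above concrete; it is not code from the issue, from Microsoft, or from the audit tool under discussion, and the function and parameter names are my own. It reads the `Enabled` DWORD under the SCHANNEL key named in the thread and reports both readings side by side: "any non-zero value is enabled" (the issue's proposal) and "the value must be exactly 1" (the strict check the tool applies). It also shows why a report prints `4294967295` for a value written as `0xffffffff`: PowerShell hands a REG_DWORD back as a signed Int32 (`-1`), and the same 32 bits reinterpreted as UInt32 give the decimal number from the report.

```powershell
# Added example (not the issue's, Microsoft's or the audit tool's code).
# Reads the SCHANNEL "Enabled" DWORD named in the issue and reports both
# readings discussed there: "any non-zero is enabled" and "must be exactly 1".
# Function and parameter names are assumptions made for this example.

function Get-SchannelEnabledState {
    [CmdletBinding()]
    param(
        [string]$Protocol = 'TLS 1.2',
        [ValidateSet('Server', 'Client')]
        [string]$Side = 'Server'
    )

    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    $item = Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        return [pscustomobject]@{
            Protocol       = $Protocol
            Side           = $Side
            Path           = $path
            Raw            = $null
            Unsigned       = $null
            EnabledNonZero = $null
            EnabledStrict  = $null
            Note           = "'Enabled' is not set; the OS default for $Protocol applies"
        }
    }

    # PowerShell surfaces a REG_DWORD as a signed Int32, so 0xFFFFFFFF comes back as -1.
    # Reinterpreting the same 32 bits as UInt32 yields 4294967295, the number the
    # audit report quoted in the issue prints.
    $raw      = [int32]$item.Enabled
    $unsigned = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)

    [pscustomobject]@{
        Protocol       = $Protocol
        Side           = $Side
        Path           = $path
        Raw            = $raw
        Unsigned       = $unsigned
        EnabledNonZero = ($unsigned -ne 0)   # reading proposed in the issue
        EnabledStrict  = ($unsigned -eq 1)   # reading the audit tool applies (the value the MS docs show)
        Note           = $(if ($unsigned -ne 0 -and $unsigned -ne 1) {
                              "non-zero but not 1: enabled under the boolean reading, yet a strict check for 1 fails"
                          } else { '' })
    }
}

# Rewrites a non-zero, non-1 'Enabled' value to exactly 1 so both readings agree.
# Needs an elevated session; supports -WhatIf so the change can be previewed.
function Repair-SchannelEnabledValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Protocol = 'TLS 1.2',
        [ValidateSet('Server', 'Client')]
        [string]$Side = 'Server'
    )

    $state = Get-SchannelEnabledState -Protocol $Protocol -Side $Side
    if ($null -eq $state.Unsigned) {
        Write-Verbose "Nothing to repair: 'Enabled' is not set under $($state.Path)"
        return $state
    }
    if ($state.EnabledNonZero -and -not $state.EnabledStrict) {
        if ($PSCmdlet.ShouldProcess($state.Path, "Set 'Enabled' from $($state.Unsigned) to 1 (DWORD)")) {
            Set-ItemProperty -Path $state.Path -Name 'Enabled' -Value 1 -Type DWord
        }
    }
    Get-SchannelEnabledState -Protocol $Protocol -Side $Side
}

# Usage:
#   Get-SchannelEnabledState                       # TLS 1.2, Server (the check from the issue)
#   Get-SchannelEnabledState -Protocol 'TLS 1.0'   # same read for an older protocol
#   Repair-SchannelEnabledValue -WhatIf            # preview rewriting 0xffffffff to 1
```

On the hardened machine from the issue, `Get-SchannelEnabledState` returns `Raw = -1`, `Unsigned = 4294967295`, `EnabledNonZero = $true` and `EnabledStrict = $false`, which is exactly the mismatch the report surfaces. Writing the value as `1` with `Repair-SchannelEnabledValue` keeps the protocol enabled while also satisfying a checker that compares against the literal value in the Microsoft documentation.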

@SteffenWinternheimer SteffenWinternheimer added this to the 5.6.3 milestone Oct 23, 2023
@SteffenWinternheimer SteffenWinternheimer self-assigned this Oct 23, 2023
@SteffenWinternheimer SteffenWinternheimer modified the milestones: 5.6.3, 5.7 Oct 23, 2023
SteffenWinternheimer (Collaborator) commented:

Hello there!
Thank you for reaching out with this. After checking the documentation of Microsoft, it looks like they aren't covering any kind of range for setting the value "Enabled" either to "True" or "False". The documentation also points out that the entry has to be a DWORD.
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman

(two screenshots of the Microsoft documentation page)

Based on your example, this is the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled

If there is any information which I am not aware of that shows that a range is accepted for this registry key, please feel free to share it here.

TuemmlerKelch (Collaborator) commented:

@anotherbridge Thanks for opening this issue. After going through the issues opened at MicrosoftDocs, we decided to leave everything as it is, as MS decided to change their documentation rather than acknowledging that any "non-zero" value is fine.
We understand that technically your reasoning is correct, but as MS might change this to actually only work with "1", we will discard this issue.
