When running the audit test automation tool on a hardened machine, the report indicates that we have not enabled TLS v1.2, i.e. the check 1.5.1 → Enable TLS1.2 Protocol (Server) fails.
It displays the following reason:
Registry value is '4294967295'. Expected: 1
The message is totally correct, since we set the registry value to 0xffffffff, which converted to decimal is exactly the number shown.
Yet, since this DWORD is a boolean value, all values not being 0 are counted as true.
Expectation
The test should pass.
Suggestion
From the above description I would suggest to take any value from the set $\{x \vert\ x \in \mathbb{N}_0,\ 0 < x \leq 4294967295\}$ to count as a valid setting. This would of course also hold for other boolean values set as a DWORD.
Please let me know your thoughts about this.
Based on your example, this is the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled
If there is any information I am not aware of which shows that a range is accepted for this registry key, please feel free to share it here.
@anotherbridge Thanks for opening this issue. After going through the issues opened at MicrosoftDocs, we decided to leave everything as it is, as MS decided to change their documentation rather than acknowledging that any "non zero"-value is fine.
We understand that technically your reasoning is correct, but as MS might change this to actually only work with "1", we will discard this issue.
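
The two readings discussed in this thread, side by side, as an added example that is not part of the original issue and not the audit tool's own code. `Test-DwordFlag`, its `-Policy` values and its status labels are hypothetical names; the sample values are constructed.

```powershell
# Added example: evaluate a DWORD "boolean" under the strict reading (only 1 passes)
# and under the non-zero reading suggested in the issue (any value 1..4294967295 passes).
function Test-DwordFlag {
    param(
        [AllowNull()] $Value,   # raw value as read from the registry, $null if the value is absent
        [ValidateSet('Strict', 'NonZero')] [string] $Policy = 'Strict'
    )

    if ($null -eq $Value) {
        return [pscustomobject]@{ Raw = $null; Passed = $false; Status = 'Missing' }
    }

    # Normalise to unsigned 32 bit: a caller that read the DWORD as a signed Int32
    # hands 0xffffffff over as -1, while the audit report shows 4294967295.
    $u = [uint32]([int64]$Value -band 4294967295)

    if ($u -eq 0) { $status = 'Disabled';    $passed = $false }
    elseif ($u -eq 1) { $status = 'Enabled'; $passed = $true }
    else {
        # Non-zero but not the value the check expects: the case this issue is about.
        $status = 'NonStandard'
        $passed = ($Policy -eq 'NonZero')
    }

    [pscustomobject]@{ Raw = $u; Passed = $passed; Status = $status }
}

# Live read on a Windows host (key path taken from this issue):
# $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
# $raw = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

# Constructed samples: expected value, disabled, the 0xffffffff from the report
# (unsigned and signed form), and an absent value.
$samples = 1, 0, 4294967295, -1, $null
foreach ($v in $samples) {
    $label = if ($null -eq $v) { '<absent>' } else { "$v" }
    foreach ($p in 'Strict', 'NonZero') {
        $r = Test-DwordFlag -Value $v -Policy $p
        '{0,-12} {1,-8} passed={2,-6} status={3}' -f $label, $p, $r.Passed, $r.Status
    }
}
```

The `NonStandard` status separates "explicitly disabled" from "set, but not to the value the check expects", so a hardening script can rewrite such values to 1 instead of relaxing the audit.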