# Entra Domain Services allows insecure version of TLS
Security · Entra Domain Services · Rule · 2024_06 · Critical
Disable TLS v1 for Microsoft Entra Domain Services.
## Description
By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
Older TLS versions such as 1.0 and 1.1 are no longer considered secure by industry standards, such as PCI DSS.
## Recommendation
Consider disabling TLS v1, which is considered weak and can be disabled if not required.
## Examples
### Configure with Bicep
To deploy domains that pass this rule:
- Set the `properties.domainSecuritySettings.tlsV1` property to `Disabled`.
For example:
```bicep
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}
```
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
### Configure with Azure template
To deploy domains that pass this rule:
- Set the `properties.domainSecuritySettings.tlsV1` property to `Disabled`.
For example:
```json
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('seco
ndaryLocation')]"
      }
    ]
  }
}
```
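To audit resources that already exist, the same condition can be applied to exported `Microsoft.AAD/domainServices` resource JSON. The following is an added example, not PSRule's own rule implementation; the resource list is constructed inline, and a missing `domainSecuritySettings` block or `tlsV1` key is treated as a failure because the service default described above leaves TLS v1 enabled.

```python
import json

# Constructed sample of exported resources (not real tenant data).
# ds-hardened sets tlsV1 explicitly; ds-default omits the setting and so
# keeps the service default (TLS v1 enabled); ds-legacy enables it outright.
SAMPLE_RESOURCES = json.loads("""
[
  {"type": "Microsoft.AAD/domainServices", "name": "ds-hardened",
   "properties": {"domainSecuritySettings": {
     "ntlmV1": "Disabled", "tlsV1": "Disabled",
     "kerberosRc4Encryption": "Disabled"}}},
  {"type": "Microsoft.AAD/domainServices", "name": "ds-default",
   "properties": {}},
  {"type": "Microsoft.AAD/domainServices", "name": "ds-legacy",
   "properties": {"domainSecuritySettings": {"tlsV1": "Enabled"}}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet"}
]
""")


def tls_v1_disabled(resource: dict) -> bool:
    """Return True only when properties.domainSecuritySettings.tlsV1 is 'Disabled'.

    A missing block or key means the service default applies, and the rule
    text states that default enables TLS v1, so it is reported as a failure.
    The comparison is case-insensitive to tolerate exported casing.
    """
    props = resource.get("properties") or {}
    settings = props.get("domainSecuritySettings") or {}
    return str(settings.get("tlsV1", "Enabled")).lower() == "disabled"


def audit(resources: list) -> dict:
    """Map each domainServices resource name to 'Pass' or 'Fail'.

    Resources of other types are outside the rule's scope and are skipped.
    """
    results = {}
    for res in resources:
        if str(res.get("type", "")).lower() != "microsoft.aad/domainservices":
            continue
        results[res["name"]] = "Pass" if tls_v1_disabled(res) else "Fail"
    return results


if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_RESOURCES).items():
        print(f"{outcome}: {name}")
```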
## Links
- SE:07 Encryption
- Harden a Microsoft Entra Domain Services managed domain
- DP-3: Encrypt sensitive data in transit
- Azure deployment reference