
Disable TLS v1#

Security · Entra Domain Services · Rule · 2024_06 · Critical

Disable TLS v1 for Microsoft Entra Domain Services.

Description#

By default, Microsoft Entra Domain Services enables legacy protocols and ciphers, including TLS v1. Some legacy applications may still require them, but they are considered weak and can be disabled when no client depends on them. Clients that connect to the managed domain over secure LDAP (LDAPS) are the most common consumers of TLS, so they are the ones to check before changing this setting.

Older TLS versions such as 1.0 and 1.1 are no longer considered secure by industry standards: PCI DSS has required migration away from SSL and early TLS since June 2018, and RFC 8996 formally deprecated TLS 1.0 and TLS 1.1 in 2021.

Recommendation#

Consider disabling TLS v1 on the managed domain unless a legacy application that cannot negotiate TLS 1.2 still depends on it. Before changing the setting, confirm that clients connecting over secure LDAP (LDAPS) negotiate TLS 1.2, and review NTLM v1 and Kerberos RC4 encryption at the same time, since the same domainSecuritySettings block controls all three.

Examples#

Configure with Azure template#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.tlsV1 property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    }
  }
}

Configure with Bicep#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.tlsV1 property to Disabled.

For example:

Azure Bicep snippet
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
  }
}
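The following added example is not part of the original page or the PSRule for Azure code base. It is an offline pre-deployment check that evaluates the same condition as this rule over an ARM template: it finds every Microsoft.AAD/domainServices resource and fails it unless properties.domainSecuritySettings.tlsV1 is Disabled. A missing property counts as a failure, because the service enables TLS v1 by default. The three resources in SAMPLE_TEMPLATE and their names are constructed for this example, and the function names are the example's own.

```python
from __future__ import annotations

import json

RESOURCE_TYPE = "Microsoft.AAD/domainServices"

# Constructed sample template (not from the page): one compliant resource,
# one that explicitly enables TLS v1, and one that omits the setting entirely.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.AAD/domainServices",
      "apiVersion": "2022-12-01",
      "name": "ds-compliant",
      "properties": {
        "domainSecuritySettings": { "ntlmV1": "Disabled", "tlsV1": "Disabled" }
      }
    },
    {
      "type": "microsoft.aad/domainservices",
      "apiVersion": "2022-12-01",
      "name": "ds-tlsv1-enabled",
      "properties": {
        "domainSecuritySettings": { "tlsV1": "Enabled" }
      }
    },
    {
      "type": "Microsoft.AAD/domainServices",
      "apiVersion": "2022-12-01",
      "name": "ds-default",
      "properties": { "ldapsSettings": { "ldaps": "Enabled" } }
    }
  ]
}
""")


def tls_v1_setting(resource: dict) -> str | None:
    """Return the raw tlsV1 value of a resource, or None when it is not set."""
    props = resource.get("properties") or {}
    settings = props.get("domainSecuritySettings") or {}
    value = settings.get("tlsV1")
    return value if isinstance(value, str) else None


def tls_v1_disabled(resource: dict) -> bool:
    """True only when tlsV1 is explicitly 'Disabled' (case-insensitive).
    An absent value fails, since Entra Domain Services enables TLS v1 by default."""
    value = tls_v1_setting(resource)
    return value is not None and value.lower() == "disabled"


def check_template(template: dict) -> list[dict]:
    """Evaluate every domain services resource in an ARM template.
    Resource types are compared case-insensitively, as ARM itself does."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != RESOURCE_TYPE.lower():
            continue
        findings.append({
            "name": res.get("name", "<unnamed>"),
            "tlsV1": tls_v1_setting(res) or "<not set>",
            "pass": tls_v1_disabled(res),
        })
    return findings


if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE):
        status = "PASS" if f["pass"] else "FAIL"
        print(f"{status}  {f['name']}  tlsV1={f['tlsV1']}")
```

Run it against a compiled Bicep template (`az bicep build` output) or the ARM template you intend to deploy; the absent-property case is the one that is easiest to miss in review, because the template looks harmless while the managed domain is deployed with TLS v1 enabled.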
