Security

There are a lot of security concerns with DSC. Perhaps the first that jumps to mind is, “our configurations contain a lot of important and proprietary information!” True. Also true is, “if someone can modify our configurations, then they can control our environment.” So we’ll try and address both of these concerns.

Securing Configurations

All uploaded configurations are automatically signed with our Code Signing Certificate. So you don´t have to take care of securing your configurations.

During client registration an additional Certificate is installed on the client to identify requests from trusted nodes.

Securing the Pull Server

Our DSC implementation doen´t run at all on a web server. We are running .NET Core serverless functions behind an API gateway with user authentication.

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This value disables the RC4 stream cipher and requires a restart. For more information about this setting, see Microsoft Security Advisory 296038.

Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself.

For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727] “SystemDefaultTlsVersions” = dword:00000001 “SchUseStrongCrypto” = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319] “SystemDefaultTlsVersions” = dword:00000001 “SchUseStrongCrypto” = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727] “SystemDefaultTlsVersions” = dword:00000001 “SchUseStrongCrypto” = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319] “SystemDefaultTlsVersions” = dword:00000001 “SchUseStrongCrypto” = dword:00000001

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For more information, see TLS bes