
Minimum TLS Version


Risk Level: Medium (should be achieved)

Ensure that your Azure Service Bus namespaces are using the latest supported version of the TLS protocol (i.e. TLS 1.2) in order to enhance security by providing stronger encryption, protecting data integrity, and reducing vulnerabilities to cyber attacks.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using weak and deprecated TLS protocols can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM), and downgrade attacks. Therefore, it is strongly recommended to use the latest TLS version supported by Azure Service Bus (TLS 1.2).


Audit

To determine the TLS version configured for your Azure Service Bus namespaces, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Service Bus Namespace, and choose Apply to list only the Azure Service Bus namespaces available in the selected subscription.

05 Click on the name (link) of the Service Bus namespace that you want to examine.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected namespace.

07 In the Security section, check the Minimum TLS version setting to determine the TLS version configured for the selected resource. If the Minimum TLS version is not set to Version 1.2, the selected Azure Service Bus namespace does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

08 Repeat steps no. 5 – 7 for each Azure Service Bus namespace available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az servicebus namespace list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Service Bus namespace available in the current subscription:

az servicebus namespace list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested namespace identifiers:

Name                       ResourceGroup
------------------------   ------------------------------
tm-project5-namespace      cloud-shell-storage-westeurope
tm-dev-service-namespace   cloud-shell-storage-westeurope

03 Run the az servicebus namespace show command (Windows/macOS/Linux) with the name of the Azure Service Bus namespace that you want to examine as the identifier parameter and custom output filters to describe the Transport Layer Security (TLS) protocol version configured for the selected namespace:

az servicebus namespace show \
  --name tm-project5-namespace \
  --resource-group cloud-shell-storage-westeurope \
  --query 'minimumTlsVersion'

04 The command output should return the TLS protocol version configured for the selected namespace:

"1.0"

If the TLS version returned by the az servicebus namespace show command output is different than "1.2", as shown in the output example above, the selected Azure Service Bus namespace does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

05 Repeat steps no. 3 and 4 for each Azure Service Bus namespace available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
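The per-namespace and per-subscription repetition in steps 01 to 06 can be done in one sweep. The script below is an added example, not part of the original page or of Conformity: the function names and the third sample row are constructed for illustration, and the live sweep assumes a logged-in Azure CLI.

```shell
#!/usr/bin/env bash
# Added example: flag Service Bus namespaces whose minimumTlsVersion is not 1.2.
# Function names are illustrative and not taken from the page.

REQUIRED_TLS="1.2"

# Reads tab-separated "name<TAB>resourceGroup<TAB>minimumTlsVersion" rows on
# stdin and prints only the rows whose version differs from REQUIRED_TLS.
# The comparison is forced to string mode; an empty version is reported as
# "unset" and treated as non-compliant.
flag_weak_tls() {
  awk -F '\t' -v want="$REQUIRED_TLS" '
    NF == 0 { next }
    ($3 "") != (want "") {
      printf "%s\t%s\t%s\n", $1, $2, ($3 == "" ? "unset" : $3)
    }'
}

# Number of non-compliant rows on stdin.
count_weak_tls() {
  flag_weak_tls | wc -l | tr -d ' '
}

# Live sweep over every subscription visible to the logged-in account.
# Defined only; call it yourself once "az login" has been done.
audit_all_subscriptions() {
  local sub
  for sub in $(az account list --query '[].id' --output tsv); do
    az servicebus namespace list --subscription "$sub" \
        --query '[].[name, resourceGroup, minimumTlsVersion]' --output tsv |
      flag_weak_tls |
      awk -v s="$sub" '{ print s "\t" $0 }'   # prefix the subscription ID
  done
}

# Constructed sample rows in the same TSV shape the list query returns.
# The first two names come from the page's example output; the third row
# is made up for this example.
SAMPLE_ROWS=$(printf '%s\t%s\t%s\n' \
  tm-project5-namespace cloud-shell-storage-westeurope 1.0 \
  tm-dev-service-namespace cloud-shell-storage-westeurope 1.2 \
  example-legacy-namespace example-rg 1.1)

# Offline demonstration: prints the two non-compliant sample namespaces.
printf '%s\n' "$SAMPLE_ROWS" | flag_weak_tls
```

Each line printed by audit_all_subscriptions identifies a namespace that needs the remediation steps in the next section.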

Remediation / Resolution

To ensure that your Azure Service Bus namespaces are using the latest supported version of the TLS protocol, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Service Bus Namespace, and choose Apply to list only the Azure Service Bus namespaces available in the selected subscription.

05 Click on the name (link) of the Service Bus namespace that you want to configure.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected namespace.

07 In the Security section, set the Minimum TLS version to Version 1.2 to update the TLS protocol version for the selected namespace to TLS 1.2. This will prevent connections using a lower TLS version from connecting to your namespace. Choose Apply to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Service Bus namespace that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az servicebus namespace update command (Windows/macOS/Linux) with the name of the Azure Service Bus namespace that you want to configure as the identifier parameter, to update the TLS protocol version for the selected namespace to TLS 1.2:

az servicebus namespace update \
  --name tm-project5-namespace \
  --resource-group cloud-shell-storage-westeurope \
  --minimum-tls-version 1.2

02 The command output should return the configuration information available for the updated namespace:

{
	"createdAt": "2024-08-06T10:35:17.5143854Z",
	"disableLocalAuth": false,
	"id": "/subscriptions/1234abcd-abcd-1234-abcd-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ServiceBus/namespaces/tm-project5-namespace",
	"location": "westeurope",
	"metricId": "1234abcd-abcd-1234-abcd-abcd1234abcd:tm-project5-namespace",
	"minimumTlsVersion": "1.2",
	"name": "tm-project5-namespace",
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Enabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Basic",
		"tier": "Basic"
	},
	"status": "Active",
	"tags": {},
	"type": "Microsoft.ServiceBus/Namespaces",
	"updatedAt": "2024-08-06T11:23:34.5237706Z",
	"zoneRedundant": false
}

03 Repeat steps no. 1 and 2 for each Azure Service Bus namespace that you want to configure, available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 26, 2024