Microsoft IIS10.ps1 - Ensure AES 256/256 Cipher Suite is enabled - Line 2487 #549

Open
CanMonster opened this issue Apr 11, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

CanMonster commented Apr 11, 2024

The Microsoft IIS 10.0 test '"AES 256/256 Cipher is disabled"' always fails even though the registry value is correct ...

Line 2487 of the 'Microsoft IIS10.ps1' report file needs to be updated from:

if ($value -eq 0xffffffff) {

to:

if ($value -eq 4294967295) {

The Get-ItemProperty cmdlet will always read in the decimal value, so updating the condition to evaluate the decimal value is easier than converting it to hexadecimal.

@TuemmlerKelch
Collaborator

Hi @CanMonster,

thanks for the issue.

I suppose you were using ATAP 5.8.0. With 5.9.0 we actually updated the check to look for '1'.
This is because MS have updated all their documentation to not use 0xffffffff / 4294967295 anymore.

So if you configured 4294967295, the check will still fail and link you to the corresponding learn page:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings

I will discuss whether we change this from False to Warn with our next iteration.
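
Added example (not part of the thread, and not ATAP's code): PowerShell parses the literal 0xffffffff as the Int32 value -1, so a check written against that literal depends on the type of the value it is handed. The sketch below normalizes the value to an unsigned DWORD before comparing and reports the legacy 0xffffffff separately from 1. The function names, status strings and sample values are assumptions made for illustration.

```powershell
# Added example: hypothetical helpers, not code from 'Microsoft IIS10.ps1'.

function ConvertTo-DwordUInt32 {
    # Reinterpret a 32-bit integer (signed or unsigned) as the unsigned DWORD it encodes.
    param([Parameter(Mandatory)] $Value)
    $mask = [int64][uint32]::MaxValue            # 4294967295 held as Int64
    return [uint32](([int64]$Value) -band $mask)
}

function Get-SchannelEnabledStatus {
    # Classify an 'Enabled' value: 1 is the value the thread says the check now
    # expects, 0xffffffff is the older value, 0 is disabled.
    param($Value)
    if ($null -eq $Value) { return 'NotConfigured' }
    $dword = ConvertTo-DwordUInt32 $Value
    if ($dword -eq 1)                  { return 'Enabled' }
    if ($dword -eq [uint32]::MaxValue) { return 'EnabledLegacyValue' }
    if ($dword -eq 0)                  { return 'Disabled' }
    return 'Unexpected'
}

# Constructed sample values: the same stored DWORD (ffffffff) shown as both
# an unsigned and a signed 32-bit integer, plus 1 and 0.
$samples = [ordered]@{
    'UInt32 4294967295' = [uint32]4294967295
    'Int32 -1'          = [int32]-1
    'Int32 1'           = [int32]1
    'Int32 0'           = [int32]0
}

foreach ($name in $samples.Keys) {
    $v = $samples[$name]
    [pscustomobject]@{
        Sample          = $name
        # Comparison against the bare hex literal, which is Int32 -1
        MatchesHexLiteral = ($v -eq 0xffffffff)
        # Comparison against the decimal literal, which is Int64 4294967295
        MatchesDecimal    = ($v -eq 4294967295)
        Status            = Get-SchannelEnabledStatus $v
    }
}
```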

@TuemmlerKelch TuemmlerKelch added the enhancement New feature or request label Apr 15, 2024
@CanMonster
Author

Hi @TuemmlerKelch,

Thanks for the update and I agree with the value being 1. I have just downloaded 5.9.0 and can confirm that the value '0xffffffff' is still present in the 'Microsoft IIS10.ps1' report file. Not sure if this is supposed to be the case ATM or if the change is slated for a future update.

@TuemmlerKelch
Collaborator

@CanMonster Hey Nathan,
Hang on. We will update the IIS report to CIS 1.2.1 [#558] and solve this.
I will update this post as soon as we have a working branch, so you can test this before our next release, if you wish.
