Configure Azure Stack Hub security controls

This article explains the security controls that can be changed in Azure Stack Hub and highlights the tradeoffs where applicable.

Azure Stack Hub architecture is built on two security principle pillars: assume breach and hardened by default. For more information on Azure Stack Hub security, see Azure Stack Hub infrastructure security posture. While the default security posture of Azure Stack Hub is production-ready, there are some deployment scenarios that require additional hardening.

TLS version policy

The Transport Layer Security (TLS) protocol is a widely adopted cryptographic protocol to establish encrypted communication over the network. TLS has evolved over time and multiple versions have been released. Azure Stack Hub infrastructure exclusively uses TLS 1.2 for all its communications. For external interfaces, Azure Stack Hub currently defaults to use TLS 1.2. However, for backwards compatibility, it also supports negotiating down to TLS 1.1. and 1.0. When a TLS client requests to communicate over TLS 1.1 or TLS 1.0, Azure Stack Hub honors the request by negotiating to a lower TLS version. If the client requests TLS 1.2, Azure Stack Hub will establish a TLS connection using TLS 1.2.

Since TLS 1.0 and 1.1 are incrementally being deprecated or banned by organizations and compliance standards you can now configure the TLS policy in Azure Stack Hub. You can enforce a TLS 1.2 only policy where any attempt of establishing a TLS session with a version lower than 1.2 isn't permitted and is rejected.

Important

Azure recommends using TLS 1.2 only policy for Azure Stack Hub production environments.

Get TLS policy

Use the privileged endpoint (PEP) to view the TLS policy for all Azure Stack Hub endpoints:

Get-TLSPolicy

Example output:

TLS_1.2

Set TLS policy

Use the privileged endpoint (PEP) to set the TLS policy for all Azure Stack Hub endpoints:

Set-TLSPolicy -Version <String>

Parameters for Set-TLSPolicy cmdlet:

Parameter Description Type Required
Version Allowed version(s) of TLS in Azure Stack Hub String yes

Use one of the following values to configure the permitted TLS versions for all Azure Stack Hub endpoints:

Version value Description
TLS_All Azure Stack Hub TLS endpoints support TLS 1.2, but down negotiation to TLS 1.1 and TLS 1.0 is allowed.
TLS_1.2 Azure Stack Hub TLS endpoints support TLS 1.2 only.

Updating the TLS policy takes a few minutes to complete.

Enforce TLS 1.2 configuration example

This example sets your TLS policy to enforce TLS 1.2 only.

Set-TLSPolicy -Version TLS_1.2

Example output:

VERBOSE: Successfully setting enforce TLS 1.2 to True
VERBOSE: Invoking action plan to update GPOs
VERBOSE: Create Client for execution of action plan
VERBOSE: Start action plan
<...>
VERBOSE: Verifying TLS policy
VERBOSE: Get GPO TLS protocols registry 'enabled' values
VERBOSE: GPO TLS applied with the following preferences:
VERBOSE:     TLS protocol SSL 2.0 enabled value: 0
VERBOSE:     TLS protocol SSL 3.0 enabled value: 0
VERBOSE:     TLS protocol TLS 1.0 enabled value: 0
VERBOSE:     TLS protocol TLS 1.1 enabled value: 0
VERBOSE:     TLS protocol TLS 1.2 enabled value: 1
VERBOSE: TLS 1.2 is enforced

Allow all versions of TLS (1.2, 1.1, and 1.0) configuration example

This example sets your TLS policy to allow all versions of TLS (1.2, 1.1, and 1.0).

Set-TLSPolicy -Version TLS_All

Example output:

VERBOSE: Successfully setting enforce TLS 1.2 to False
VERBOSE: Invoking action plan to update GPOs
VERBOSE: Create Client for execution of action plan
VERBOSE: Start action plan
<...>
VERBOSE: Verifying TLS policy
VERBOSE: Get GPO TLS protocols registry 'enabled' values
VERBOSE: GPO TLS applied with the following preferences:
VERBOSE:     TLS protocol SSL 2.0 enabled value: 0
VERBOSE:     TLS protocol SSL 3.0 enabled value: 0
VERBOSE:     TLS protocol TLS 1.0 enabled value: 1
VERBOSE:     TLS protocol TLS 1.1 enabled value: 1
VERBOSE:     TLS protocol TLS 1.2 enabled value: 1
VERBOSE: TLS 1.2 is not enforced

There are scenarios where it's useful to display a legal notice, upon login to a privileged endpoint (PEP) session. The Set-AzSLegalNotice and Get-AzSLegalNotice cmdlets are used to manage the caption and body of such legal notice text.

To set the legal notice caption and text, see the Set-AzSLegalNotice cmdlet. If the legal notice caption and text have previously been set, you can review them by using the Get-AzSLegalNotice cmdlet.

Next steps