KB0062 - TLS Cipher Suites
Problem
Your organization has security concerns about the TLS cipher suites that are utilized by PowerShell Universal. You may have been informed by your security team (pen testers) that your instance of PowerShell Universal is vulnerable due to the TLS cipher suites that it supports.
Scope
This topic applies to all installation types of PowerShell Universal as all versions support using the HTTPS protocol[1].
Conclusion
PowerShell Universal uses and supports the TLS cipher suites that the operating system instructs it to. The configuration and availability of the TLS cipher suites that PowerShell Universal is the responsibility of the server owner. The server owner must consult with the security officers of the organization to determine which TLS cipher suites are considered acceptable for client connections.
Recommended Remediations
Below are two recommended apps that admins can use to assess the situation. Assess with the security officers of your organization. Plan any needed changes with your organization. Always test the changes in your test environment first.
Option 1
For Windows servers, the recommended option is to use the free lightweight app
IIS Crypto by
Nartac Software. It provides a UI to easily change the preference and availability of the TLS cipher suites.
(figure shows the UI version of IIS Crypto running on a Windows Server 2016 server with default settings)
Option 2
sslscan can provide a useful assessment report. Consult with your administrators to make the needed changes.
(figure shows running sslscan from Kali Linux against an instance of PowerShell Universal running on Windows Server 2016 with default TLS settings in a test lab)
Related Articles
KB0003 - Slow Endpoints and TLS Settings
Be advised that if the TLS settings on a Windows Server are modified, this can result in a severe performance degradation Symptom #1 In the Event Viewer (System Log) there are errors with source Schannel indicating that a "fatal error that occurred ...
KB - 1008 Tax/VAT Exempt at checkout
Scope In this article you will learn how to make a tax-free purchase at checkout. Problem How do you remove the Tax/VAT on an order? Impact Orders will then need to be refunded for tax if processed without the tax deducted. Resolution Follow the ...
PowerShell Universal cmdlets return a 404 over HTTPS
Version: 1.4 PowerShell Version: Windows PowerShell 5.1 Problem When issue commands against the PowerShell Universal Management API (such as Get-UAJob, Get-UAScript, etc), the cmdlet will return a 404 error. This can happen when running scripts ...
KB0074 - Connecting to PSU API w/Windows Auth
Scope This article applies only to PSU environments where Windows Authentication[1] is enabled and known to be working[2]. Problem You are not able to interact with the PSU instance using the Invoke-WebRequest PowerShell cmdlet even though logging in ...
KB0011 - Are licenses different between Production, QA and Test/Development servers?
Update January 24th, 2023 Adam recently summarized the Developer's license per below: The only real limitation on the developer license is that it cannot be accessed remotely. The server is only available on loopback when using the dev license. If ...