Has anyone used a fixlet to check all computers for tls 1.2? I am new to bigfix.
Thanks
This is going to be very specific to OS and the “server” side of the equation so it depends what you are asking. You need to narrow down the question significantly.
Hello, I’m looking for windows 7 & 10 OS to see if we have tls 1.2 enabled across our organization. We have it enforced via GPO but its not across the board but I know some browsers have it on by default, I would like to confirm this.
Your question appears to be pretty large in nature. If you want to get into each app, you’ll need to craft something together or use a port scanner security tool I am afraid.
Example: In our case, we opted to disable old protocols at the OS level but frequently get hits on TLS still such as BigFix, BigFix WebReports, and BigFix Server Notification service. By default, each is/was not using TLS 1.2 and the port scanner found these. We fixed each with their respective properties/fixlets/app.
How is it large? I want to scan my computers and see if its using tls 1.2, its an internet option within all browsers.
@esardinha
TLS is used outside of just browser and OS settings, so your question needs to have it’s requirements refined.
Example, Here is an article on checking IIS for TLS settings:
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
Here is an article that talks about the TLS settings in 3 major browsers:
https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
TLS settings are all over the place.
Can you supply a list of everywhere TLS settings might exist in all applications on your Windows 7 and Windows 10 endpoints?
Well i guess my question would be if we’re trying to use a website where they use tls 1.2 but I don’t have tls 1.2 selected in my browser settings that website would most likely not load, correct? I want to ensure that all my laptops and desktops have that turned on across 2 thousand computers.
@esardinha Thank you. That was the clarification we needed to start answering the query.
There is a Fixlet out on BigFix.me for IE that you might try testing to see if it meets your need for that browser.
https://bigfix.me/fixlet/details/652
What other browsers does your organization allow on their desktops/laptops? Chrome, Firefox, Safari, others?
Thanks! Mostly Chrome and internet explorer or “Edge”
For Chrome, it looks like you might be able to key off of Registry key:
[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
“SSLVersionMin”=“tls1.2”