diff --git a/docs/ninjaone/automations/enforce-tls-ssl-hardnening.md b/docs/ninjaone/automations/enforce-tls-ssl-hardnening.md index 4709e36ba..50261a20a 100644 --- a/docs/ninjaone/automations/enforce-tls-ssl-hardnening.md +++ b/docs/ninjaone/automations/enforce-tls-ssl-hardnening.md @@ -9,12 +9,12 @@ tags: ['tls','windows'] draft: false unlisted: false last_update: - date: 2026-04-10 + date: 2026-06-10 --- ## Overview -This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server and client levels. Additionally, it disables below Cipher Suites: +Enforces Windows TLS/SSL security hardening by disabling legacy protocols (SSL 3.0, TLS 1.0, and TLS 1.1), enabling supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility when legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the `Reboot Pending Prompt` solution to notify users that a restart is required for the changes to take effect. It disables below Cipher Suites: - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - TLS_RSA_WITH_AES_256_CBC_SHA256 @@ -23,7 +23,7 @@ This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server - TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -**NOTE:** `A system reboot is required for all changes to take full effect.` +**NOTE:** `A system reboot is required for all changes to take full effect. Either use 'Force Reboot' paramter to immediately restart the machine after hardening so the TLS/SSL changes are fully applied. Or enable 'cPVAL Enable Reboot Prompts' custom field to send user prompts for Reboot. 'Reboot Pending Prompt' solution must be enabled in the environment to use this feature.` ## Sample Run 
@@ -31,6 +31,17 @@ This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server ![SampleRun1](../../../static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp) +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) +- [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) + +## Parameters + +| Name | Example | Accepted Values | Required | Default | Type | Description | +| ---- | ------- | --------------- | -------- | ------- | ---- | ----------- | +|Force Reboot| - | - | False | Not selected | Check-box |Select it to immediately reboot the machine after applying the TLS Hardening.| + ## Automation Setup/Import [Automation Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/scripts/enforce-tls-ssl-hardening.ps1) @@ -41,6 +52,13 @@ This script is designed to disable SSL 3.0, TLS 1.0, and TLS 1.1 at both server ## Changelog +### 2026-06-10 + +- Updated the script to configure .NET Framework strong cryptography settings, helping maintain application compatibility when legacy protocols are disabled and modern TLS versions are enforced. +- Added a Force Reboot parameter that can immediately restart the machine after hardening so the TLS/SSL changes are fully applied. +- Added an option for reboot prompts through the `cPVAL Enable Reboot Prompts` custom field. When enabled, the script sets `cPVAL Pending Reboot` to trigger user notifications. This feature requires the `Reboot Pending Prompt` solution to be enabled in the environment. + + ### 2026-04-10 - Initial version of the document. \ No newline at end of file diff --git a/docs/ninjaone/automations/tls-enabled-list-audit.md b/docs/ninjaone/automations/tls-enabled-list-audit.md index 55dd43f26..b83ae47f7 100644 --- a/docs/ninjaone/automations/tls-enabled-list-audit.md +++ b/docs/ninjaone/automations/tls-enabled-list-audit.md 
@@ -9,7 +9,7 @@ tags: ['tls', 'audit'] draft: false unlisted: false last_update: - date: 2026-04-15 + date: 2026-06-10 --- ## Overview @@ -42,6 +42,10 @@ Click `Run` ## Changelog +### 2026-06-10 + +- Updated script to include SSL 3.0 as well. + ### 2026-04-15 - Initial version of the document \ No newline at end of file diff --git a/docs/ninjaone/automations/validate-tls-ssl-hardnening.md b/docs/ninjaone/automations/validate-tls-ssl-hardnening.md index e52063e1d..614728a79 100644 --- a/docs/ninjaone/automations/validate-tls-ssl-hardnening.md +++ b/docs/ninjaone/automations/validate-tls-ssl-hardnening.md @@ -4,17 +4,17 @@ slug: /f4505cf9-915f-464f-ab45-95f9eaea7a8d title: 'Validate TLS SSL Hardening' title_meta: 'Validate TLS SSL Hardening' keywords: ['tls','ssl','validate','disable'] -description: 'This script validates whether insecure SSL/TLS protocols and specified weak TLS 1.2 cipher suites have been successfully disabled on the target system.' +description: 'This script validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes.' tags: ['tls','windows'] draft: false unlisted: false last_update: - date: 2026-04-10 + date: 2026-06-10 --- ## Overview -This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disabled at both the server and client levels. Additionally, it checks if below cipher suites are disabled: +This script validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes. - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - TLS_RSA_WITH_AES_256_CBC_SHA256 
@@ -29,6 +29,10 @@ This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disable ![SampleRun1](../../../static/img/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d/validate.webp) +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + ## Automation Setup/Import [Automation Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/scripts/validate-tls-ssl-hardening.ps1) @@ -39,6 +43,10 @@ This script is designed to validate if SSL 3.0, TLS 1.0, and TLS 1.1 are disable ## Changelog +### 2026-06-10 + +- Updated the script to validate that TLS 1.2 and TLS 1.3 are enabled when supported by the operating system. The script now updates the `cpvalTlsSslHardeningRequired` custom field if any insecure protocol is enabled, any weak cipher suite is present, or if TLS 1.2 and/or TLS 1.3 are not enabled when supported. + ### 2026-04-10 - Initial version of the document. \ No newline at end of file diff --git a/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-servers.md b/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-servers.md new file mode 100644 index 000000000..fb40d2380 --- /dev/null +++ b/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-servers.md 
@@ -0,0 +1,37 @@ +--- +id: '93609405-1ef4-4aaa-b421-4f86a7e51145' +slug: /93609405-1ef4-4aaa-b421-4f86a7e51145 +title: 'Execute - Enforce TLS SSL Hardening - Servers' +title_meta: 'Execute - Enforce TLS SSL Hardening - Servers' +keywords: ['tls','ssl','disable'] +description: 'Triggers `Enforce TLS SSL Hardening` script on opted windows servers.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary + +Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Enforce and Validation (servers)`,`Enforce and Validation (Both)`. + +## Details + +- **Name:** `Execute - Enforce TLS SSL Hardening` +- **Description:** `Triggers 'Enforce TLS SSL Hardening' script on opted windows servers.` +- **Recommended Agent Policies:** `Windows servers` + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Compound Condition Creation + +- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-enforce-tls-ssl-hardening-servers.toml) + +## Changelog + +### 2026-06-10 + +- Initial version of the document \ No newline at end of file diff --git a/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.md b/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.md new file mode 100644 index 000000000..84a9d95ab --- /dev/null +++ b/docs/ninjaone/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.md 
@@ -0,0 +1,37 @@ +--- +id: '52a43eef-d4d7-4f91-b8c1-cb6e786ddcce' +slug: /52a43eef-d4d7-4f91-b8c1-cb6e786ddcce +title: 'Execute - Enforce TLS SSL Hardening - Workstations' +title_meta: 'Execute - Enforce TLS SSL Hardening - Workstations' +keywords: ['tls','ssl','disable'] +description: 'Triggers `Enforce TLS SSL Hardening`script on opted windows workstations.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary + +Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`. + +## Details + +- **Name:** `Execute - Enforce TLS SSL Hardening` +- **Description:** `Triggers 'Enforce TLS SSL Hardening' script on opted windows workstations.` +- **Recommended Agent Policies:** `Windows Workstations` + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Compound Condition Creation + +- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-enforce-tls-ssl-hardening-workstations.toml) + +## Changelog + +### 2026-06-10 + +- Initial version of the document \ No newline at end of file diff --git a/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-servers.md b/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-servers.md new file mode 100644 index 000000000..05df72078 --- /dev/null +++ b/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-servers.md 
@@ -0,0 +1,37 @@ +--- +id: '79c1901b-3e55-42e3-8152-360605a4dbce' +slug: /79c1901b-3e55-42e3-8152-360605a4dbce +title: 'Execute - Validate TLS SSL Hardening - Servers' +title_meta: 'Execute - Validate TLS SSL Hardening - Servers' +keywords: ['tls','ssl','disable'] +description: 'Triggers `Validate TLS SSL Hardening`script on opted windows Servers.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary + +Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) on windows Servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Validation (Both)`, `Validation (Servers)`, `Enforce and Validation (Servers)`,`Enforce and Validation (Both)`. + +## Details + +- **Name:** `Execute - Validate TLS SSL Hardening` +- **Description:** `Triggers 'Validate TLS SSL Hardening' script on opted windows Servers.` +- **Recommended Agent Policies:** `Windows Servers` + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Compound Condition Creation + +- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-validate-tls-ssl-hardening-servers.toml) + +## Changelog + +### 2026-06-10 + +- Initial version of the document \ No newline at end of file diff --git a/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-workstations.md b/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-workstations.md new file mode 100644 index 000000000..6430f6bb3 --- /dev/null +++ b/docs/ninjaone/compound-conditions/execute-validate-tls-ssl-hardening-workstations.md 
@@ -0,0 +1,37 @@ +--- +id: '28f17281-2502-43a0-8d4d-5da2b06580f8' +slug: /28f17281-2502-43a0-8d4d-5da2b06580f8 +title: 'Execute - Validate TLS SSL Hardening - Workstations' +title_meta: 'Execute - Validate TLS SSL Hardening - Workstations' +keywords: ['tls','ssl','disable'] +description: 'Triggers `Validate TLS SSL Hardening`script on opted windows workstations.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary + +Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Validation (Both)`, `Validation (Workstations)`, `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`. + +## Details + +- **Name:** `Execute - Validate TLS SSL Hardening` +- **Description:** `Triggers 'Validate TLS SSL Hardening' script on opted windows workstations.` +- **Recommended Agent Policies:** `Windows Workstations` + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Compound Condition Creation + +- [Compound Condition Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/compound-conditions/execute-validate-tls-ssl-hardening-workstations.toml) + +## Changelog + +### 2026-06-10 + +- Initial version of the document \ No newline at end of file diff --git a/docs/ninjaone/custom-fields/cpval-enable-reboot-prompts.md b/docs/ninjaone/custom-fields/cpval-enable-reboot-prompts.md new file mode 100644 index 000000000..182f338fc --- /dev/null +++ b/docs/ninjaone/custom-fields/cpval-enable-reboot-prompts.md 
@@ -0,0 +1,40 @@ +--- +id: '6f8d4110-f4ee-4965-8853-8b4a7b03bda5' +slug: /6f8d4110-f4ee-4965-8853-8b4a7b03bda5 +title: 'cPVAL Enable Reboot Prompts' +title_meta: 'cPVAL Enable Reboot Prompts' +keywords: ['tls','ssl','disable'] +description: 'Enables reboot prompts following TLS Hardening. Requires the Reboot Pending Prompt solution to be enabled in the environment.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary +Enables reboot prompts following TLS Hardening. Requires the [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) to be enabled in the environment. + +## Details + +| Label | Field Name | Definition Scope | Type | Required | Default Value | Options | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name | +| ----- | ---- | ---------------- | ---- | -------- | ------------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- | +| cPVAL Enable Reboot Prompts | cpvalEnableRebootPrompts | `Organization`,`Location`,`Device` | CheckBox | False | - | - | Editable | Read_Write | Read_Write | Enables reboot prompts following TLS Hardening. Requires the Reboot Pending Prompt solution to be enabled in the environment. | Select it to display reboot prompts on the machine after TLS Hardening has been applied. Requires the 'Reboot Pending Prompt solution' to be enabled in the environment. 
| Select it to display reboot prompts on the machine after TLS Hardening has been applied.| TLS/SSL | + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Custom Field Creation + +[Custom Field Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/custom-fields/cpval-tls-ssl-hardening-required.toml) + +## Sample Screenshot + +![Image1](../../../static/img/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5/image1.webp) + +## Changelog + +### 2026-06-10 + +- Initial version of the document diff --git a/docs/ninjaone/custom-fields/cpval-tls-client-enabled.md b/docs/ninjaone/custom-fields/cpval-tls-client-enabled.md index 287fd4325..53cd57b30 100644 --- a/docs/ninjaone/custom-fields/cpval-tls-client-enabled.md +++ b/docs/ninjaone/custom-fields/cpval-tls-client-enabled.md @@ -9,7 +9,7 @@ tags: ['tls', 'audit'] draft: false unlisted: false last_update: - date: 2026-04-15 + date: 2026-06-10 --- ## Summary 
@@ -20,7 +20,7 @@ This stores the enabled TLS Client versions on an endpoint. | Label | Field Name | Definition Scope | Type | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name | | ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- | -| cPVAL TLS Client Enabled | cpvalTlsClientEnabled | Device | Text | False | | Read Only | Read/Write | Read/Write | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | TLS Audit | +| cPVAL TLS Client Enabled | cpvalTlsClientEnabled | Device | Text | False | | Read Only | Read/Write | Read/Write | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | This stores the enabled TLS Client versions on an endpoint. | TLS/SSL | ## Dependencies diff --git a/docs/ninjaone/custom-fields/cpval-tls-hardening.md b/docs/ninjaone/custom-fields/cpval-tls-hardening.md new file mode 100644 index 000000000..140656b0b --- /dev/null +++ b/docs/ninjaone/custom-fields/cpval-tls-hardening.md 
@@ -0,0 +1,42 @@ +--- +id: '6959568a-a814-4c96-8b5a-d83e315c637d' +slug: /6959568a-a814-4c96-8b5a-d83e315c637d +title: 'cPVAL TLS Hardening' +title_meta: 'cPVAL TLS Hardening' +keywords: ['tls','ssl','disable'] +description: 'Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary + +Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly. + +## Details + +| Label | Field Name | Definition Scope | Type | Option Value | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name | +| ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- |----------- | ---- | +| cPVAL TLS Hardening | cpvalTlsHardening | `Organization`, `Location`, `Device` | DropDown | `Validation (Both)`, `Validation (Servers)`, `Validation (Workstations)`,`Disabled`,`Enforce and Validation (Servers)`,`Enforce and Validation (Workstations)`,`Enforce and Validation (Both)` | True | - | Editable | Read/Write | Read/Write | Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.| Enables TLS hardening for workstations and servers. `Validate` identifies devices that require TLS hardening without making changes. 
`Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly. | Enables TLS hardening for workstations and servers. | TLS/SSL | + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Custom Field Creation + +- [Custom Field Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/custom-fields/cpval-tls-hardening.toml) + +## Sample Screenshot + +![Image1](../../../static/img/docs/6959568a-a814-4c96-8b5a-d83e315c637d/image1.webp) + +## Changelog + +### 2026-06-10 + +- Initial version of the document + diff --git a/docs/ninjaone/custom-fields/cpval-tls-server-enabled.md b/docs/ninjaone/custom-fields/cpval-tls-server-enabled.md index 4b417a5bd..9682b8dd0 100644 --- a/docs/ninjaone/custom-fields/cpval-tls-server-enabled.md +++ b/docs/ninjaone/custom-fields/cpval-tls-server-enabled.md @@ -9,7 +9,7 @@ tags: ['tls', 'audit'] draft: false unlisted: false last_update: - date: 2026-04-15 + date: 2026-06-10 --- ## Summary 
@@ -20,7 +20,7 @@ This stores the enabled TLS Server versions on an endpoint. | Label | Field Name | Definition Scope | Type | Required | Default Value | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name | | ----- | ---- | ---------------- | ---- | -------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- | -| cPVAL TLS Server Enabled | cpvalTlsServerEnabled | Device | Text | False | | Read Only | Read/Write | Read/Write | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | TLS Audit | +| cPVAL TLS Server Enabled | cpvalTlsServerEnabled | Device | Text | False | | Read Only | Read/Write | Read/Write | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | This stores the enabled TLS Server versions on an endpoint. | TLS/SSL | ## Dependencies diff --git a/docs/ninjaone/custom-fields/cpval-tls-ssl-hardening-required.md b/docs/ninjaone/custom-fields/cpval-tls-ssl-hardening-required.md new file mode 100644 index 000000000..dad31005f --- /dev/null +++ b/docs/ninjaone/custom-fields/cpval-tls-ssl-hardening-required.md 
@@ -0,0 +1,40 @@ +--- +id: '89a6d344-ae79-42fb-ae76-b855a3081201' +slug: /89a6d344-ae79-42fb-ae76-b855a3081201 +title: 'cPVAL TLS SSL Hardening Required' +title_meta: 'cPVAL TLS SSL Hardening Required' +keywords: ['tls','ssl','disable'] +description: 'This custom field is populated by the "Validate TLS SSL Hardening" script and flags devices that require TLS/SSL hardening to meet security best practices.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Summary +This custom field is populated by the [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) and flags devices that require TLS/SSL hardening to meet security best practices. + +## Details + +| Label | Field Name | Definition Scope | Type | Required | Default Value | Options | Technician Permission | Automation Permission | API Permission | Description | Tool Tip | Footer Text | Custom Field Tab Name | +| ----- | ---- | ---------------- | ---- | -------- | ------------- | ------------- | --------------------- | --------------------- | -------------- | ----------- | -------- | ----------- | ----------- | +| cPVAL TLS SSL Hardening Required | cpvalTlsSslHardeningRequired | `Device` | Text | False | - | - | Editable | Read_Write | Read_Write | This custom field is populated by the "Validate TLS SSL Hardening" script and flags devices that require TLS/SSL hardening to meet security best practices. | This custom field is populated by the "Validate TLS SSL Hardening" script and flags devices that require TLS/SSL hardening to meet security best practices. | "This custom field is populated by the "Validate TLS SSL Hardening" script. 
| TLS/SSL | + +## Dependencies + +- [Solution - TLS/SSL Security Hardening](/docs/5e391e0f-088e-41be-8b6c-306e02a2cadb) + +## Custom Field Creation + +[Custom Field Configuration](https://github.com/ProVal-Tech/ninjarmm/blob/main/custom-fields/cpval-tls-ssl-hardening-required.toml) + +## Sample Screenshot + +![Image1](../../../static/img/docs/89a6d344-ae79-42fb-ae76-b855a3081201/image1.webp) + +## Changelog + +### 2026-06-10 + +- Initial version of the document diff --git a/docs/solutions/tls-ssl-hardening-ninja.md b/docs/solutions/tls-ssl-hardening-ninja.md new file mode 100644 index 000000000..1ef85d765 --- /dev/null +++ b/docs/solutions/tls-ssl-hardening-ninja.md 
@@ -0,0 +1,71 @@ +--- +id: '5e391e0f-088e-41be-8b6c-306e02a2cadb' +slug: /5e391e0f-088e-41be-8b6c-306e02a2cadb +title: 'TLS/SSL Security Hardening' +title_meta: 'TLS/SSL Security Hardening' +keywords: ['tls','ssl','disable'] +description: 'This solution validates and hardens the system`s SSL/TLS configuration by disabling insecure protocols and weak cipher suites while enabling secure protocols and supporting optional reboot management.' +tags: ['tls','windows'] +draft: false +unlisted: false +last_update: + date: 2026-06-10 +--- + +## Purpose + +This solution validates and hardens the system's SSL/TLS configuration by disabling insecure protocols (SSL 3.0, TLS 1.0, and TLS 1.1) and ensuring that specified weak cipher suites are disabled for both server and client communications. It also verifies that TLS 1.2 and TLS 1.3 are enabled where supported. Additionally, the solution configures .NET Framework strong cryptography settings to help maintain application compatibility after legacy protocols are disabled. With an Optional settings to either enforce an immediate reboot upon completion of the hardening process or present users with reboot prompts to complete the changes. Solution verifies below Cipher suites : + +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 +- TLS_RSA_WITH_AES_256_CBC_SHA256 +- TLS_RSA_WITH_AES_256_GCM_SHA384 +- TLS_RSA_WITH_AES_128_CBC_SHA256 +- TLS_RSA_WITH_AES_128_GCM_SHA256 +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + +**Note** : `[Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) should be imported to use prompt feature for reboot.` + +## Associated Content + +| Content | Type | Function | +|---------------------|--------------------------------|-------------------------------------| +| [Custom Field - cPVAL TLS Hardening](/docs/6959568a-a814-4c96-8b5a-d83e315c637d) | Custom Field | Custom Fields to enable TLS hardening for workstations and servers. 
`Validate` identifies devices that require TLS hardening without making changes. `Enforce` applies hardening to devices flagged by Validate. `Validate` must be enabled for Enforce to work properly.| +| [Custom Field - cPVAL TLS SSL Hardening Required](/docs/89a6d344-ae79-42fb-ae76-b855a3081201) | Custom Field | This custom field is populated by [Script - Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) and flags devices that require TLS/SSL hardening to meet security best practices. | +| [Custom Field - cPVAL Enable Reboot Prompts](/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5) | Custom Field | Enables reboot prompts following TLS Hardening. Requires the [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) to be enabled in the environment. | +| [Script - Validate TLS SSL Hardening](/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5) | Script | Validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes. | +| [Script - Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) | Script | Enforces Windows TLS/SSL security hardening by disabling legacy protocols (SSL 3.0, TLS 1.0, and TLS 1.1), enabling supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility when legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) to notify users that a restart is required for the changes to take effect. 
**Note** [Custom Field - cPVAL Enable Reboot Prompts](/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5) needs to be selected and [Solution - Reboot Pending Prompt](/docs/d7758fa4-9fcc-4259-a7a5-0ca65dda10eb) should be imported to use prompt feature for reboot. | +| [Compound Condition - Execute - Validate TLS SSL Hardening - Workstations](/docs/28f17281-2502-43a0-8d4d-5da2b06580f8) | Compound Condition | Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Validation (Both)`, `Validation (Workstations)`, `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`. | +| [Compound Condition - Execute - Validate TLS SSL Hardening - Servers](/docs/79c1901b-3e55-42e3-8152-360605a4dbce) | Compound Condition | Triggers [Validate TLS SSL Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) on windows Servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Validation (Both)`, `Validation (Servers)`, `Enforce and Validation (Servers)`,`Enforce and Validation (Both)`. | +| [Compound Condition - Execute - Enforce TLS SSL Hardening - Workstations](/docs/52a43eef-d4d7-4f91-b8c1-cb6e786ddcce) | Compound Condition | Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows workstations where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Enforce and Validation (Workstations)`,`Enforce and Validation (Both)`. | +| [Compound Condition - Execute - Enforce TLS SSL Hardening - Servers](/docs/93609405-1ef4-4aaa-b421-4f86a7e51145) | Compound Condition |Triggers [Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) script on windows servers where [cPVAL TLS Hardening](/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d) is either set to `Enforce and Validation (servers)`,`Enforce and Validation (Both)`. 
| + + +## Implementation + +- Create the following Custom Fields as per instructions provided in the documents + - [Custom Field - cPVAL TLS Hardening](/docs/6959568a-a814-4c96-8b5a-d83e315c637d) + - [Custom Field - cPVAL TLS SSL Hardening Required](/docs/89a6d344-ae79-42fb-ae76-b855a3081201) + - [Custom Field - cPVAL Enable Reboot Prompts](/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5) +- Create the following Scripts as per instructions provided in the documents + - [Script - Validate TLS SSL Hardening](/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5) + - [Script - Enforce TLS SSL Hardening](/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576) +- Create the following Compound Conditions as per instructions provided in the documents + - [Compound Condition - Execute - Validate TLS SSL Hardening - Workstations](/docs/28f17281-2502-43a0-8d4d-5da2b06580f8) + - [Compound Condition - Execute - Validate TLS SSL Hardening - Servers](/docs/79c1901b-3e55-42e3-8152-360605a4dbce) + - [Compound Condition - Execute - Enforce TLS SSL Hardening - Workstations](/docs/52a43eef-d4d7-4f91-b8c1-cb6e786ddcce) + - [Compound Condition - Execute - Enforce TLS SSL Hardening - Servers](/docs/93609405-1ef4-4aaa-b421-4f86a7e51145) + +## FAQ + +**Can the scripts be used independently?** +- Yes. Both scripts can be used independently, however, the associated custom fields must be imported into the environment for the scripts to function correctly. + +**Can `Enforce TLS SSL Hardening` works automatically to enforce Hardening** +- No, `Validate TLS SSL Hardening` scripts should be executed as `Validate TLS SSL Hardening` marks the machines that requires SSL Hardening. + + +## Changelog + +### 2026-06-10 + +- Initial version of the document \ No newline at end of file 
diff --git a/static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp b/static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp index 7f1b50085..c87562dc0 100644 Binary files a/static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp and b/static/img/docs/5a33db63-8a92-4ab3-9984-e0af4db8f576/enforce.webp differ diff --git a/static/img/docs/6959568a-a814-4c96-8b5a-d83e315c637d/image1.webp b/static/img/docs/6959568a-a814-4c96-8b5a-d83e315c637d/image1.webp new file mode 100644 index 000000000..5f57f8901 Binary files /dev/null and b/static/img/docs/6959568a-a814-4c96-8b5a-d83e315c637d/image1.webp differ diff --git a/static/img/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5/image1.webp b/static/img/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5/image1.webp new file mode 100644 index 000000000..c67192988 Binary files /dev/null and b/static/img/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5/image1.webp differ diff --git a/static/img/docs/89a6d344-ae79-42fb-ae76-b855a3081201/image1.webp b/static/img/docs/89a6d344-ae79-42fb-ae76-b855a3081201/image1.webp new file mode 100644 index 000000000..006e94eee Binary files /dev/null and b/static/img/docs/89a6d344-ae79-42fb-ae76-b855a3081201/image1.webp differ
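Review bot: In docs/ninjaone/automations/enforce-tls-ssl-hardnening.md (hunk at -23,7), the rewritten **NOTE:** line misspells "parameter" as `paramter`. The whole note also still sits inside a single pair of backticks, so the added names 'Force Reboot', 'cPVAL Enable Reboot Prompts' and 'Reboot Pending Prompt' render as one long code span. Suggest moving the sentence text out of the code span, fixing the spelling, and marking only the parameter, field and solution names as code. In the first hunk of the same file, the new Overview is a single sentence of roughly eighty words that ends with "It disables below Cipher Suites:". Splitting it and ending with "It disables the following cipher suites:" would read better.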
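Review bot: The new Parameters table in docs/ninjaone/automations/enforce-tls-ssl-hardnening.md (hunk at -31,6) does not say which behaviour wins when `Force Reboot` is selected and `cPVAL Enable Reboot Prompts` is also enabled. The NOTE above presents them as "Either ... Or", so the Description cell for `Force Reboot` should state the precedence, and say that the restart happens without a user prompt. The new Dependencies list also omits the `cPVAL Enable Reboot Prompts` custom field that the changelog entry in this file says the script reads.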
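Review bot: In docs/ninjaone/automations/validate-tls-ssl-hardnening.md (hunk at -4,17), the replacement Overview sentence drops the old lead-in "Additionally, it checks if below cipher suites are disabled:", so the unchanged bullet list that follows (`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` and the rest) is left with nothing introducing it. Suggest ending the new paragraph with a sentence such as "The following cipher suites are checked:". The Dependencies section added in the next hunk could also link the `cpvalTlsSslHardeningRequired` custom field, since the new changelog entry says the script now updates it.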
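Review bot: In all four new files under docs/ninjaone/compound-conditions/, the Summary links `[cPVAL TLS Hardening]` to `/docs/f4505cf9-915f-464f-ab45-95f9eaea7a8d`, which is the slug of the Validate TLS SSL Hardening script document; the custom field document added in this patch uses `/docs/6959568a-a814-4c96-8b5a-d83e315c637d`. The Details **Name:** values also omit the `- Servers` / `- Workstations` suffix carried by each title, so the two Enforce conditions share one name and the two Validate conditions share another. Smaller points in the same files: execute-enforce-tls-ssl-hardening-servers.md writes the option as `Enforce and Validation (servers)` while the field definition lists `Enforce and Validation (Servers)`, and three of the front-matter descriptions are missing a space in "Hardening`script".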
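Review bot: In docs/ninjaone/custom-fields/cpval-enable-reboot-prompts.md, the Custom Field Creation link points at `custom-fields/cpval-tls-ssl-hardening-required.toml`, which is the configuration for a different field (the same URL is used in cpval-tls-ssl-hardening-required.md). It should reference this field's own configuration file. The Dependencies section lists only the TLS/SSL Security Hardening solution although the Summary says the Reboot Pending Prompt solution is required, and the front-matter keywords `['tls','ssl','disable']` do not mention reboot.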
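Review bot: The hunks for docs/ninjaone/custom-fields/cpval-tls-client-enabled.md and cpval-tls-server-enabled.md change Custom Field Tab Name from `TLS Audit` to `TLS/SSL` and bump `last_update` to 2026-06-10, but neither file gets a Changelog entry in this patch, unlike the script documents touched alongside them. Suggest adding a 2026-06-10 entry that records the tab rename, since anyone who already created the fields under `TLS Audit` needs to know the expected tab changed.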
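Review bot: In docs/ninjaone/custom-fields/cpval-tls-hardening.md, the Description and Tool Tip refer to `Validate` and `Enforce` being "enabled", but the Option Value column offers only `Validation (...)`, `Enforce and Validation (...)` and `Disabled`, so a reader has to infer which dropdown choices count as Validate or Enforce. Suggest naming the options explicitly in the description. The permission columns here use `Read/Write` while the other two custom field documents added in this patch use `Read_Write`; pick one spelling for all three.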
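Review bot: In docs/ninjaone/custom-fields/cpval-tls-ssl-hardening-required.md, Technician Permission is `Editable` for a field that the Summary says is populated by the Validate script and that, per the cPVAL TLS Hardening description, decides which devices Enforce acts on. The existing script-populated fields in this patch (`cpvalTlsClientEnabled`, `cpvalTlsServerEnabled`) are `Read Only`; unless manual override is intended, this one should match so the flag cannot be set or cleared by hand. The Footer Text cell also opens with a stray double quote (`"This custom field is populated by the "Validate TLS SSL Hardening" script.`), and the Summary link text drops the word "script" that the front-matter description has.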
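Review bot: In docs/solutions/tls-ssl-hardening-ninja.md, `[Script - Validate TLS SSL Hardening]` is linked to `/docs/6f8d4110-f4ee-4965-8853-8b4a7b03bda5` in both the Associated Content table and the Implementation list; that id belongs to the cPVAL Enable Reboot Prompts custom field, and the script's own slug is `/f4505cf9-915f-464f-ab45-95f9eaea7a8d`. The four Compound Condition rows repeat the reverse mistake by linking `[cPVAL TLS Hardening]` to the script slug instead of `/docs/6959568a-a814-4c96-8b5a-d83e315c637d`. Further points in the same file: the **Note** under Purpose wraps a Markdown link in backticks, so it will render as literal text rather than a link; the front-matter description uses a backtick as an apostrophe in "system`s"; the Purpose paragraph contains the fragment "With an Optional settings to either enforce ..."; and the second FAQ question reads "Can `Enforce TLS SSL Hardening` works automatically" with no question mark.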