cyberark / CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
GNU General Public License v3.0

False positive in PVWA Cryptography #62

Closed matiya closed 2 years ago

matiya commented 2 years ago

With PAS 11.4 and the master branch of this repo I get in the report:

AdvancedFIPSCryptography is not set in PVWA Configuration

In C:\inetpub\wwwroot\PasswordVault\web.config I have added the line:

    <add key="AdvancedFIPSCryptography" value="yes" />

under the node appSettings.

I can even see the property in the config:

    PS >  Get-WebConfiguration -PSPath $iisPath -Filter $filter -Recurse
    key                   : AdvancedFIPSCryptography
    value                 : yes
    PSPath                : MACHINE/WEBROOT/APPHOST/Default Web Site/PasswordVault
    Location              :
    ConfigurationPathType : Application
    ItemXPath             : /appSettings/add[@key='AdvancedFIPSCryptography']
    Attributes            : {key, value}
    ChildElements         : {}
    ElementTagName        : add
    Methods               :
    Schema                : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    key                   : AdvancedFIPSCryptography
    value                 : yes
    PSPath                : MACHINE/WEBROOT/APPHOST/Default Web Site/PasswordVault/PasswordVault
    Location              :
    ConfigurationPathType : VirtualDirectory
    ItemXPath             : /appSettings/add[@key='AdvancedFIPSCryptography']
    Attributes            : {key, value}
    ChildElements         : {}
    ElementTagName        : add
    Methods               :
    Schema                : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

with the variables $iisPath and $filter as defined here: https://github.com/cyberark/CYBRHardeningCheck/blob/d6d7fe7e1974890f73d6a48d3810decbff235368/CYBRHardeningCheck/PVWA/PVWAHardeningSteps.psm1#L177

Unfortunately I don't know enough Windows or PowerShell to correct the issue.
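Added example (not part of the original thread and not CYBRHardeningCheck code): one way to cross-check the setting independently of the tool is to parse web.config as XML and read the `value` attribute of every matching `add` element. The function name `Test-AppSetting`, the status labels and the sample XML are constructed for illustration; the case-insensitive comparison is PowerShell's default for `-eq` and is an assumption about how the value should be matched.

```powershell
# Added example: verify an appSettings key by parsing web.config content directly.
# Test-AppSetting and the sample documents below are constructed for illustration.
function Test-AppSetting {
    param(
        [Parameter(Mandatory)][string]$ConfigXml,   # raw web.config content
        [Parameter(Mandatory)][string]$Key,         # appSettings key to look for
        [Parameter(Mandatory)][string]$Expected     # value the hardening guide requires
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)

    # Select every <add> under appSettings and match the key in PowerShell
    # (-eq on strings is case-insensitive; XPath attribute tests are not).
    $nodes = @($doc.SelectNodes('/configuration/appSettings/add') |
        Where-Object { $_.GetAttribute('key') -eq $Key })

    if ($nodes.Count -eq 0) {
        return [pscustomobject]@{ Key = $Key; Status = 'Missing'; Found = @() }
    }

    # Read the 'value' attribute of each match; a query can return more than
    # one element, so every one of them has to hold the expected value.
    $values = @($nodes | ForEach-Object { $_.GetAttribute('value').Trim() })
    $bad    = @($values | Where-Object { $_ -ne $Expected })
    $status = if ($bad.Count -eq 0) { 'Compliant' } else { 'Mismatch' }

    [pscustomobject]@{ Key = $Key; Status = $status; Found = $values }
}

# Constructed sample inputs covering the three outcomes.
$wrap = '<configuration><appSettings>{0}</appSettings></configuration>'
$samples = [ordered]@{
    'set to yes' = $wrap -f '<add key="AdvancedFIPSCryptography" value="yes" />'
    'set to no'  = $wrap -f '<add key="AdvancedFIPSCryptography" value="no" />'
    'key absent' = $wrap -f '<add key="OtherSetting" value="1" />'
    'duplicate'  = $wrap -f ('<add key="AdvancedFIPSCryptography" value="yes" />' +
                             '<add key="AdvancedFIPSCryptography" value="no" />')
}

foreach ($name in $samples.Keys) {
    $r = Test-AppSetting -ConfigXml $samples[$name] -Key 'AdvancedFIPSCryptography' -Expected 'yes'
    '{0,-11} -> {1} [{2}]' -f $name, $r.Status, ($r.Found -join ', ')
}
```

To run it against the file from the post, pass `(Get-Content -Raw 'C:\inetpub\wwwroot\PasswordVault\web.config')` as `-ConfigXml`.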

NathTheDude commented 2 years ago

@AssafMiron in the 'PVWA_Cryptography_Settings' function, this variable needs updating from:

    $value = "yes"

to

    $value = "value.value"

Using this will provide the value of 'AdvancedFIPSCryptography' in the $currentvalue variable.

@matiya are you able to update this line and confirm?

Cheers

Nathan

NathTheDude commented 2 years ago

I have created a pull request with updated code to fix this issue.

matiya commented 2 years ago

@NathTheDude Tested again with the changes in the pull request and now it works: [image]

Thank you!

NathTheDude-zz commented 2 years ago

That's good, however in my lab I did see something a bit weird.

In the end report, if that specific test passed, it will actually lower the overall total percentage of the hardening score.

Do you see the same?


matiya commented 2 years ago

Yes, that has been the case for me so far. The more errors I correct, the lower the Hardening Status:

[image] [image] [image]

AssafMiron commented 2 years ago

Hi @NathTheDude-zz and @matiya, I uploaded a new branch with a fix to these issues - see #66. Would you mind checking if it solves the issues like you saw them (both the hardening percentage and the fixes from @NathTheDude-zz on Cryptography settings)?

Thanks, Assaf