Data encryption between the Windows agent and Log analytics

Hello!

I am new to Azure Sentinel.

I am concerned about encryption between the MS monitoring agent and the Log Analytics workspace (data in transit, as they call it).

On this page:

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows#configure-agent-to-use-tls...

This page says that these keys must exist prior to installing the agent:


Create the following DWORD values under HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client:

Enabled [Value = 1]

DisabledByDefault [Value = 0]

And then configure .NET with these keys:


Configure .NET Framework 4.6 or later to support secure cryptography, as by default it is disabled. The strong cryptography uses more secure network protocols like TLS 1.2, and blocks protocols that are not secure.

  1. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
  2. Create the DWORD value SchUseStrongCrypto under this subkey with a value of 1.
  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
  4. Create the DWORD value SchUseStrongCrypto under this subkey with a value of 1.
  5. Restart the system for the settings to take effect.

<https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows#configure-agent-to-use-tls...>

We were in a rush to deploy back then and installed the agent from the Sentinel portal on our Win2012R2 and 2016 servers without checking for those keys first.

Today I went and checked on these servers, only to find out that neither the TLS 1.2 key nor the .NET key is present...


My questions are:

1) If the TLS 1.2 key is not present, does this mean that TLS is not used by the agent?

If I understand correctly, Windows 2012 and 2016 have TLS enabled by default and the key is not required?

2) Are the .NET keys absolutely required? What is the impact of adding these keys on a domain controller?

3) How can I confirm whether the agents are using TLS or not?

I already found out that:

MonitoringHost.exe is periodically communicating with 169.254.169.254 on port 80 = not encrypted

HealthService.exe is periodically communicating with 40.79.154.83 and 40.71.12.224 (Microsoft-owned IP addresses) on port 443 = encrypted

I don't know which one is uploading the data to the workspace or if there are other MS agent processes involved :(

Thanks!!

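The two checks the post is asking for (are the quoted SCHANNEL and .NET registry values present, and which remote ports are the agent processes actually talking on) can be scripted on the server itself. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation. It assumes only the registry paths, value names and process names quoted above; the function names are the editor's. It reads and reports, and changes nothing. Note that 169.254.169.254 is the link-local Azure Instance Metadata Service address, so that port-80 traffic never leaves the host; the workspace upload is the port-443 traffic, where TLS is expected.

```powershell
# Added example (not from the original post or from Microsoft's docs).
# Audits the registry values the post quotes and lists established TCP
# connections owned by the agent processes. Run in an elevated PowerShell.

$tls12ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$dotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Returns the DWORD at $Path\$Name, or $null when the key or the value is absent.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Question 1: are the TLS 1.2 client values explicitly set as the doc describes?
# Absent values mean the OS default for that protocol applies; the doc's
# explicit setting is Enabled=1 and DisabledByDefault=0.
function Test-Tls12ClientRegistry {
    $enabled           = Get-RegistryDword -Path $tls12ClientKey -Name 'Enabled'
    $disabledByDefault = Get-RegistryDword -Path $tls12ClientKey -Name 'DisabledByDefault'
    [pscustomobject]@{
        Key               = $tls12ClientKey
        KeyExists         = (Test-Path -LiteralPath $tls12ClientKey)
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        MatchesDocs       = ($enabled -eq 1 -and $disabledByDefault -eq 0)
    }
}

# Question 2: is SchUseStrongCrypto=1 present under both .NET Framework keys?
function Test-DotNetStrongCrypto {
    foreach ($key in $dotNetKeys) {
        $value = Get-RegistryDword -Path $key -Name 'SchUseStrongCrypto'
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            MatchesDocs        = ($value -eq 1)
        }
    }
}

# Question 3: which remote endpoints do HealthService / MonitoringHost hold
# connections to, and on which port? Port 443 is where TLS is expected;
# 169.254.169.254 is the link-local Azure IMDS endpoint (cleartext by design).
function Get-AgentConnections {
    $agentProcs = @(Get-Process -Name 'HealthService', 'MonitoringHost' -ErrorAction SilentlyContinue)
    if ($agentProcs.Count -eq 0) { return @() }

    $nameByPid = @{}
    foreach ($p in $agentProcs) { $nameByPid[$p.Id] = $p.Name }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $nameByPid.ContainsKey($_.OwningProcess) } |
        ForEach-Object {
            $conn = $_
            $note = 'review'
            if ($conn.RemotePort -eq 443) {
                $note = 'HTTPS (TLS expected)'
            } elseif ($conn.RemoteAddress -eq '169.254.169.254') {
                $note = 'Azure IMDS, link-local, cleartext by design'
            }
            [pscustomobject]@{
                Process       = $nameByPid[$conn.OwningProcess]
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                Note          = $note
            }
        }
}

Test-Tls12ClientRegistry | Format-List
Test-DotNetStrongCrypto  | Format-Table -AutoSize
Get-AgentConnections     | Format-Table -AutoSize
```

Run it on each server as an administrator. A remote port of 443 tells you where TLS is expected, not which TLS version was negotiated; confirming the version requires capturing the handshake (for example with a packet capture on the server) or relying on the SCHANNEL protocol settings the registry report shows. The SchUseStrongCrypto value is machine-wide and affects every .NET Framework application on that host, which is why the impact question for a domain controller is worth asking before the reboot the documentation requires.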