If I run the vulnerability scan on a SQL Server without a cert and force encryption set I get fails on
VA1220: Database communication using TDS should be protected through TLS
Microsoft SQL Server can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. This rule checks that connections to the SQL Server
Change the Force Encryption option in SQL Configuration Manager, or force the encryption on the client applications
and
VA1279: Force encryption should be enabled for TDS
When the Force Encryption option for the Database Engine is enabled, all communications between client and server is encrypted regardless of whether the 'Encrypt connection' option (such as from SSMS) is checked or not. This rule checks that Force Encrypt
Change the ForceEncryption setting on SQL Server Control Manager.
If I run the scan on a SQL Server with a valid cert and Force Encryption I still get VA1220. Can anyone tell me why please?