How do I identify if anyone is using 3DES cipher suites on my IIS server?

Here's a fun one.  Windows is turning off the 3DES schannel cipher suites by default in newer server OSs, and my customer wanted to know how to identify if this would be an impact for them.

I came up with two possible ways.

If I can take network captures, I can filter for these in Wireshark with...

((tls.handshake.ciphersuite == 0x000a) || (tls.handshake.ciphersuite == 0x0013)) && (tls.handshake.type == 2)

That's a TLS server hello message and the two ID numbers for the cipher suites.

A second option is to sweet talk Schannel into dropping this into the event log.  This takes a few steps.
First, turn on the (extremely chatty) schannel informational logs.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000007


Next, reboot so that takes effect.

Then you can filter your System event log for 36880 schannel server events for these cipher suites with this XPath filter in event viewer:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Schannel'] and (EventID=36880)]]
      and
      *[UserData[EventXML[Type="server"]]]
      and
      (*[UserData[EventXML[CipherSuite="0x13"]]]
      or
      *[UserData[EventXML[CipherSuite="0xa"]]]
      )
    </Select>
  </Query>
</QueryList>
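If you'd rather not click through Event Viewer, the same check can be scripted. This is an added example (not from the original post) that runs the provider/event ID/server-type part of the filter as XPath through Get-WinEvent and then compares the CipherSuite value numerically in PowerShell, so it matches whether the log writes "0xa" or "0x000A"; it assumes the 36880 UserData element names Type and CipherSuite used in the XPath above.

```powershell
# Added example, not part of the original post.
# Find Schannel 36880 server handshakes that negotiated a 3DES suite and
# tally them by suite, with first/last seen timestamps.

# The two 3DES suite IDs from the Wireshark filter, mapped to their IANA names.
$ThreeDesSuites = @{
    0x000A = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    0x0013 = 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
}

# Narrow the query in XPath first (provider, event ID, server-side handshakes);
# the cipher suite comparison is done numerically below rather than as an XPath
# string compare, which is sensitive to case and zero-padding.
$xpath = "*[System[Provider[@Name='Schannel'] and (EventID=36880)]] " +
         "and *[UserData[EventXML[Type='server']]]"

$events = Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No 36880 server events found. Is Schannel EventLogging set and the box rebooted?'
    return
}

$tally = @{}
foreach ($e in $events) {
    # ToXml() gives the full event; PowerShell's XML adapter ignores the namespace.
    $x = [xml]$e.ToXml()
    $suiteText = $x.Event.UserData.EventXML.CipherSuite   # e.g. "0xc030"
    if (-not $suiteText) { continue }

    # Convert.ToInt32 with base 16 accepts the "0x" prefix.
    $suite = [Convert]::ToInt32($suiteText, 16)
    if (-not $ThreeDesSuites.ContainsKey($suite)) { continue }

    $name = $ThreeDesSuites[$suite]
    if (-not $tally.ContainsKey($name)) {
        $tally[$name] = [pscustomobject]@{ Suite = $name; Count = 0; FirstSeen = $e.TimeCreated; LastSeen = $e.TimeCreated }
    }
    $tally[$name].Count++
    if ($e.TimeCreated -lt $tally[$name].FirstSeen) { $tally[$name].FirstSeen = $e.TimeCreated }
    if ($e.TimeCreated -gt $tally[$name].LastSeen)  { $tally[$name].LastSeen  = $e.TimeCreated }
}

if ($tally.Count -eq 0) {
    Write-Host "Checked $($events.Count) server handshakes; none used 3DES."
} else {
    $tally.Values | Sort-Object Count -Descending | Format-Table Suite, Count, FirstSeen, LastSeen -AutoSize
}
```

Run it in an elevated prompt on the IIS box; if the 3DES table comes back empty after the server has seen its normal traffic mix, the default change should be a non-event for you.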

HTH.

Edit 20240313: I found one more way that's IIS specific. Microsoft added the crypto protocol, cipher, and hash algorithm as available custom fields for IIS logging. More data here: New IIS functionality to help identify weak TLS usage | Microsoft Security Blog
