{"id":2655,"date":"2020-09-03T13:30:49","date_gmt":"2020-09-03T11:30:49","guid":{"rendered":"https:\/\/laurentvanacker.com\/?p=2655"},"modified":"2022-12-09T09:50:12","modified_gmt":"2022-12-09T08:50:12","slug":"nouvelle-fonctionnalite-iis-pour-aider-a-identifier-une-version-tls-obsolete-new-iis-functionality-to-help-identify-weak-tls-usage","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2020\/09\/03\/nouvelle-fonctionnalite-iis-pour-aider-a-identifier-une-version-tls-obsolete-new-iis-functionality-to-help-identify-weak-tls-usage\/","title":{"rendered":"Nouvelle fonctionnalit\u00e9 IIS pour aider \u00e0 identifier une version TLS obsol\u00e8te \/ New IIS functionality to help identify weak TLS usage"},"content":{"rendered":"<p><a href=\"#en-us\" name=\"fr-fr\">Go to English version<\/a><\/p>\n<p>[Update: 03\/09\/2020] Rewrite of the article and addition of <a href=\"https:\/\/laurentvanacker.com\/index.php\/2016\/03\/30\/logparser-your-best-friend\/\">LogParser<\/a> scripts to make better use of the data<\/p>\n<p>The article <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\">https:\/\/www.microsoft.com\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/<\/a> explains how to use custom log fields to retrieve information (from <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/web-dev-reference\/server-variables\">IIS server variables<\/a>) about encrypted requests. The information returned is very useful, but it cannot be used directly in its hexadecimal form. 
Here I will first give you the code to set up these 4 fields in your IIS logs (at the website defaults level, i.e. siteDefaults) and then a <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/Add-IISUserFriendlyTLSInfo.ps1\">PowerShell<\/a> script (prerequisite: this <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/IISTLSUsage.sql\">file<\/a> in the same directory) to make them easier to use.<\/p>\n<p>The PowerShell code that enables the 4 custom fields in the IIS logs is as follows:<\/p>\n<pre class=\"brush: powershell; collapse: false; title: ; notranslate\" title=\"\">\r\n# Register the 4 Schannel server variables as custom log fields in the site defaults (inherited by sites that do not override their logFile settings)\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-protocol';sourceName='CRYPT_PROTOCOL';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-cipher';sourceName='CRYPT_CIPHER_ALG_ID';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-hash';sourceName='CRYPT_HASH_ALG_ID';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-keyexchange';sourceName='CRYPT_KEYEXCHANGE_ALG_ID';sourceType='ServerVariable'}\r\n<\/pre>\n<p>This will have the effect 
of adding the following 4 new fields to your IIS logs.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2931\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher.jpg\" alt=\"\" width=\"382\" height=\"123\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher.jpg 382w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher-300x97.jpg 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Note:<\/strong><\/span> Your log files will have _x appended to their name (for example u_ex200903_x.log for September 23, 2020) to indicate that you are using the \u00ab\u00a0Custom Fields\u00a0\u00bb feature.<\/p>\n<p>As shown in the previous screenshot, the values recorded for these fields are not very self-explanatory. This is why I offer you the following PowerShell <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/Add-IISUserFriendlyTLSInfo.ps1\">script<\/a>, which will let you add 4 new, more explicit fields, as shown in the following screenshot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2932\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced.jpg\" alt=\"\" width=\"851\" height=\"122\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced.jpg 851w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced-300x43.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced-768x110.jpg 768w\" sizes=\"auto, (max-width: 851px) 100vw, 851px\" \/><\/p>\n<p>These 4 new fields (Protocol, Cipher, Hash, KeyExchange) are a more explicit interpretation 
of the 4 previous fields (crypt-protocol, crypt-cipher, crypt-hash and crypt-keyexchange), based on the links at the bottom of this article. For example, SP_PROT_TLS1_2_SERVER is the translation of 400 (actually 0x400, i.e. 1024 in decimal) for the crypt-protocol field.<br \/>\nThis <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/Add-IISUserFriendlyTLSInfo.ps1\">script<\/a> should be run once the (by default daily) IIS log file has finished being written (at midnight UTC by default &#8211; so not in real time). It actually creates a new log file with _TLS appended to the name, in the same directory. For example, the file u_ex200903_x.log becomes u_ex200903_x_TLS.log. Processing takes only a few seconds because <a href=\"https:\/\/laurentvanacker.com\/index.php\/2016\/03\/30\/logparser-your-best-friend\/\">LogParser<\/a> is used for the operation. 
It is therefore necessary to have it installed on the log processing machine.<\/p>\n<p>Besides adding the 4 new fields (Protocol, Cipher, Hash, KeyExchange), the file header will also be changed from \u00ab\u00a0#Software: Microsoft Internet Information Services 10.0\u00a0\u00bb to \u00ab\u00a0#Software: Microsoft Log Parser\u00a0\u00bb in the destination file (*_TLS.log).<\/p>\n<p>After that, you are free to use the following <a href=\"https:\/\/laurentvanacker.com\/index.php\/2016\/03\/30\/logparser-your-best-friend\/\">LogParser<\/a> <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/LogParserQueries.cmd\">query file<\/a> to get statistics on SSL\/TLS usage on your IIS servers.<\/p>\n<p>Some useful links:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/schannel\/ns-schannel-secpkgcontext_connectioninfo?redirectedfrom=MSDN\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/schannel\/ns-schannel-secpkgcontext_connectioninfo<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/seccrypto\/alg-id\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/seccrypto\/alg-id<\/a><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/01\/012717_1333_Fusionnerde1.png\" alt=\"\" \/><\/p>\n<p><a href=\"#fr-fr\" name=\"en-us\">Go to the French version<\/a><\/p>\n<p>[Update: 09\/03\/2020] Rewrite of the article and addition of LogParser scripts to make better use of the data<\/p>\n<p>The article <a 
href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\">https:\/\/www.microsoft.com\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/<\/a> explains how to use custom log fields to retrieve information (from <a href=\"https:\/\/docs.microsoft.com\/en-us\/iis\/web-dev-reference\/server-variables\">IIS server variables<\/a>) about encrypted requests. The information returned is very useful, but it cannot be used directly in its hexadecimal form. Here I will first give you the code to set up these 4 fields in your IIS logs (at the website defaults level, i.e. siteDefaults) and then a <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/Add-IISUserFriendlyTLSInfo.ps1\">PowerShell script<\/a> (prerequisite: this <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/IISTLSUsage.sql\">file<\/a> in the same directory) to make them easier to use.<\/p>\n<p>The PowerShell code that enables the 4 custom fields in the IIS logs is as follows:<\/p>\n<pre class=\"brush: powershell; collapse: false; title: ; notranslate\" title=\"\">\r\n# Register the 4 Schannel server variables as custom log fields in the site defaults (inherited by sites that do not override their logFile settings)\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-protocol';sourceName='CRYPT_PROTOCOL';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter 
&quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-cipher';sourceName='CRYPT_CIPHER_ALG_ID';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-hash';sourceName='CRYPT_HASH_ALG_ID';sourceType='ServerVariable'}\r\nAdd-WebConfigurationProperty -pspath 'MACHINE\/WEBROOT\/APPHOST' -filter &quot;system.applicationHost\/sites\/siteDefaults\/logFile\/customFields&quot; -name &quot;.&quot; -value @{logFieldName='crypt-keyexchange';sourceName='CRYPT_KEYEXCHANGE_ALG_ID';sourceType='ServerVariable'}\r\n<\/pre>\n<p>This will add the following 4 new fields to your IIS log.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2931\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher.jpg\" alt=\"\" width=\"382\" height=\"123\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher.jpg 382w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher-300x97.jpg 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Note:<\/strong><\/span> Your log files will have _x appended to their name (e.g. 
u_ex200903_x.log for September 23, 2020) to indicate that you are using the \u00ab\u00a0Custom Fields\u00a0\u00bb feature.<\/p>\n<p>As shown in the previous screenshot, the values recorded for these fields are not very self-explanatory. This is why I offer you the following PowerShell <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/Add-IISUserFriendlyTLSInfo.ps1\">script<\/a>, which will let you add 4 new, more explicit fields, as shown in the following screenshot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2932\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced.jpg\" alt=\"\" width=\"851\" height=\"122\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced.jpg 851w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced-300x43.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/cipher_avanced-768x110.jpg 768w\" sizes=\"auto, (max-width: 851px) 100vw, 851px\" \/><\/p>\n<p>These 4 new fields (Protocol, Cipher, Hash, KeyExchange) are a more explicit interpretation of the 4 previous fields (crypt-protocol, crypt-cipher, crypt-hash and crypt-keyexchange), based on the links at the bottom of this article. For example, SP_PROT_TLS1_2_SERVER is the translation of 400 (actually 0x400, i.e. 1024 in decimal) for the crypt-protocol field.<\/p>\n<p>This script should be run once the (by default daily) IIS log file has finished being written (at midnight UTC by default &#8211; so not in real time). It actually creates a new log file with _TLS appended to the name, in the same directory. For example, the file u_ex200903_x.log becomes u_ex200903_x_TLS.log. Processing takes only a few seconds because <a href=\"https:\/\/laurentvanacker.com\/index.php\/2016\/03\/30\/logparser-your-best-friend\/\">LogParser<\/a> is used for the operation. It is therefore necessary to have it installed on the log processing machine.<\/p>\n<p>Besides adding the 4 new fields (Protocol, Cipher, Hash, KeyExchange), the file header will also be changed from \u00ab\u00a0#Software: Microsoft Internet Information Services 10.0\u00a0\u00bb to \u00ab\u00a0#Software: Microsoft Log Parser\u00a0\u00bb in the destination file (*_TLS.log).<\/p>\n<p>After that, you are free to use the following <a href=\"https:\/\/laurentvanacker.com\/index.php\/2016\/03\/30\/logparser-your-best-friend\/\">LogParser<\/a> <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Command%20Prompt\/IIS\/Log\/LogParser\/TLS%20Usage\/LogParserQueries.cmd\">query file<\/a> to get statistics on SSL\/TLS usage on your IIS servers.<\/p>\n<p>Some useful links:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/schannel\/ns-schannel-secpkgcontext_connectioninfo?redirectedfrom=MSDN\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/schannel\/ns-schannel-secpkgcontext_connectioninfo<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/seccrypto\/alg-id\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/seccrypto\/alg-id<\/a><\/li>\n<\/ul>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to English version [Update: 03\/09\/2020] Rewrite of the article and addition of LogParser scripts to make better use of the data The article https:\/\/www.microsoft.com\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/ explains how 
[&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,7,19,12],"tags":[25,55,39,42],"class_list":["post-2655","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-divers-misc","category-iis","category-powershell","category-securite-security","tag-iis","tag-logparser","tag-powershell","tag-security"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2655"}],"version-history":[{"count":36,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2655\/revisions"}],"predecessor-version":[{"id":2966,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2655\/revisions\/2966"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=2655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}