Hello BrandonWilson (can't find the handle for @NathanPenn). I would really appreciate it if you would identify a tool or method -- officially provided or recommended by Microsoft -- that lists all Enabled (as opposed to Available) cipher suites on a device.
Microsoft lists 36 [1] cipher suites available to the TLS 1.2 protocol and enabled in a vanilla installation of Windows Server 2016, Build 1607:
- source: https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1607
- note [1]: excludes 2 cipher suites that are available only when an application explicitly requests them
Accounting for enabled=false Ciphers and KeyExchangeAlgorithms (registry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL), and verifying that Cipher Suite Order and Elliptic Curve Order are at their defaults (using the local Group Policy Editor and observing that both are "Not Configured"), the list of enabled cipher suites is reduced to 32.
Why does nmap 7.9.1 (nmap.org) return only 10 cipher suites (for the TLS 1.2 protocol)?
nmap --script ssl-enum-ciphers -p3389 TestServerName.domain.tld
Results:
4 x TLS_DHE_RSA_WITH_AES_*, and
6 x TLS_ECDHE_RSA_WITH_AES_*
I've tested with IIS Crypto (which is not officially recommended by Microsoft, based on a Microsoft case I participated in during December 2020). I cannot find where changes made using IIS Crypto are recorded/visible in the operating system registry. Changes include:
- disabling a Cipher Suite
- changing the position of a single Cipher Suite in the ordered list of Enabled Cipher Suites
I can perform a network trace and view the ClientHello data for the Cipher Suites offered to the destination server.
So, to reiterate: please identify a tool or method that lists all Enabled cipher suites on a device.
Thank you.
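Added example (not part of the original post or any reply): a PowerShell script that lists the TLS 1.2 suites Schannel reports as enabled through the built-in Get-TlsCipherSuite cmdlet, dumps the Enabled values under the SCHANNEL registry keys named above, and diffs the enabled list against a constructed list of suite names in the format nmap's ssl-enum-ciphers prints. It assumes Windows Server 2016 / Windows 10 1607 or later (where the TLS module ships) and an elevated session; the scanner list is a placeholder to be replaced with real output.

```powershell
# Added example, not from the post. Assumes Windows Server 2016+ with the built-in
# TLS module (Get-TlsCipherSuite) and the SCHANNEL registry layout named in the post.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Suites Schannel itself reports as enabled for TLS 1.2, i.e. after the
#    registry Ciphers/KeyExchangeAlgorithms keys and any cipher suite order
#    policy have been applied. 0x0303 (771) is the TLS 1.2 version code.
$enabled = Get-TlsCipherSuite |
    Where-Object { $_.Protocols -contains 0x0303 } |
    Select-Object Name, Cipher, Exchange, Certificate

"Enabled TLS 1.2 cipher suites: $($enabled.Count)"
$enabled | Format-Table -AutoSize

# 2. Registry state of the individual algorithms, to reconcile with step 1.
#    Enabled = 0 (DWORD) under one of these keys disables every suite using it.
foreach ($sub in 'Ciphers', 'KeyExchangeAlgorithms') {
    Get-ChildItem "$schannel\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath -Name Enabled -ErrorAction SilentlyContinue
        $state = if ($v) { $v.Enabled } else { '(default)' }
        [pscustomobject]@{ Key = "$sub\$($_.PSChildName)"; Enabled = $state }
    }
}

# 3. Compare against what a scanner negotiated. Replace this constructed sample
#    with the suite names from the nmap ssl-enum-ciphers output.
$scannerSaw = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)
$notOffered = $enabled.Name | Where-Object { $scannerSaw -notcontains $_ }
"Enabled locally but not reported by the scanner ($($notOffered.Count)):"
$notOffered
# Suites needing a certificate type the listener does not have (e.g. *_ECDSA_*
# on a server with an RSA-only certificate) are expected here: Schannel lists
# them as enabled but cannot negotiate them for that endpoint.
```

Step 1 is what the local machine considers enabled; steps 2 and 3 show why a remote scan of one port can report fewer suites than that list.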