{"id":69789,"date":"2017-09-07T10:00:17","date_gmt":"2017-09-07T17:00:17","guid":{"rendered":"http:\/\/blogs.microsoft.com\/microsoftsecure\/?p=69789"},"modified":"2023-05-15T23:07:03","modified_gmt":"2023-05-16T06:07:03","slug":"new-iis-functionality-to-help-identify-weak-tls-usage","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/","title":{"rendered":"New IIS functionality to help identify weak TLS usage"},"content":{"rendered":"

This post is authored by\u00a0Andrew Marshall, Principal Security Program Manager, TwC Security, Yanbing Shi, Software Engineer, Internet Information Services Team, and Sourabh Shirhatti, Program Manager, Internet Information Services Team.<\/em><\/p>\n

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft<\/a>, we are announcing new functionality in Windows Server 2012 R2<\/a> and Windows Server 2016<\/a> to increase your awareness of clients connecting to your services with weak security protocols or cipher suites.<\/p>\n

IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.<\/p>\n

To enable this new functionality, four server variables (CRYPT_PROTOCOL, CRYPT_CIPHER_ALG_ID, CRYPT_HASH_ALG_ID, and CRYPT_KEYEXCHANGE_ALG_ID) need to be configured as the sources of the custom fields in the IIS applicationHost.config file. The custom logging can be configured at either the server level or the site level. Here is a sample site-level configuration:<\/p>\n

 <site name=\"Default Web Site\" id=\"1\" serverAutoStart=\"true\">\r\n <application path=\"\/\">\r\n <virtualDirectory path=\"\/\" physicalPath=\"C:\\inetpub\\wwwroot\" \/>\r\n <\/application>\r\n <bindings>\r\n <binding protocol=\"https\" bindingInformation=\"*:443:\" \/>\r\n <\/bindings>\r\n <logFile>\r\n <customFields>\r\n <clear \/>\r\n<add logFieldName=\"crypt-protocol\" sourceName=\"CRYPT_PROTOCOL\" sourceType=\"ServerVariable\" \/>\r\n<add logFieldName=\"crypt-cipher\" sourceName=\"CRYPT_CIPHER_ALG_ID\" sourceType=\"ServerVariable\" \/>\r\n<add logFieldName=\"crypt-hash\" sourceName=\"CRYPT_HASH_ALG_ID\" sourceType=\"ServerVariable\" \/>\r\n<add logFieldName=\"crypt-keyexchange\" sourceName=\"CRYPT_KEYEXCHANGE_ALG_ID\" sourceType=\"ServerVariable\" \/>\r\n <\/customFields>\r\n <\/logFile>\r\n <\/site><\/pre>\n

Each SSL info field is a hexadecimal number that maps to either a secure protocol version<\/a> or cipher suite algorithm<\/a>.
\nFor an HTTP plain-text request, all four fields will be logged as \u2018-\u2019.<\/p>\n

A sample log and explanation of the new fields follows:<\/p>\n

[Image: a sample log and explanation of the new fields]<\/p>\n

For more information visit\u00a0Official Microsoft Documentation for Custom Logging Fields in IIS<\/a>.<\/h5>\n","protected":false},"excerpt":{"rendered":"

IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.<\/p>\n","protected":false},"author":49,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3662],"topic":[3684],"products":[],"threat-intelligence":[],"tags":[3822,3809,3819],"coauthors":[1957],"class_list":["post-69789","post","type-post","status-publish","format-standard","hentry","content-type-news","topic-security-operations","tag-microsoft-security-insights","tag-security-strategies","tag-windows"],"yoast_head":"\nNew IIS functionality to help identify weak TLS usage | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New IIS functionality to help identify weak TLS usage | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"IIS logs can already be used to correlate client IP address, user agent string, and service URI. 
With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-07T17:00:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:07:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2017\/09\/A-sample-log-and-explanation-of-the-new-fields-follows.png\" \/>\n<meta name=\"author\" content=\"Microsoft Secure Blog Staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Secure Blog Staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/trustedcloudteam\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Secure Blog Staff\"}],\"headline\":\"New IIS functionality to help identify weak TLS usage\",\"datePublished\":\"2017-09-07T17:00:17+00:00\",\"dateModified\":\"2023-05-16T06:07:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\"},\"wordCount\":226,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2017\/09\/A-sample-log-and-explanation-of-the-new-fields-follows.png\",\"keywords\":[\"Microsoft Security Insights\",\"Security strategies\",\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\",\"name\":\"New IIS functionality to help identify weak TLS usage | Microsoft Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2017\/09\/A-sample-log-and-explanation-of-the-new-fields-follows.png\",\"datePublished\":\"2017-09-07T17:00:17+00:00\",\"dateModified\":\"2023-05-16T06:07:03+00:00\",\"description\":\"IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis-functionality-to-help-identify-weak-tls-usage\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2017\/09\/A-sample-log-and-explanation-of-the-new-fields-follows.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2017\/09\/A-sample-log-and-explanation-of-the-new-fields-follows.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/09\/07\/new-iis
-functionality-to-help-identify-weak-tls-usage\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New IIS functionality to help identify weak TLS usage\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false}