6

You can configure Windows to use only certain cipher suites during things like Remote Desktop sessions. Cipher suites such as RC4 56 bit, RC4 128 bit, Triple DES 168 bit, etc.

SSL/TLS is not in play here so I'm talking about RDP encryption.

You can see what I'm talking about here.

I thought to run a packet capture using Wireshark or Network Monitor while I connected to a computer across the network, but I cannot see anywhere in the packet capture the bits I need to verify exactly which cipher suite it is using.

Ryan Ries
  • 949
  • 1
  • 10
  • 14

1 Answers1

5

Enable SCHANNEL logging;

http://support.microsoft.com/kb/260729

The following will log everything;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL] "EventLogging"=dword:00000007

You will then have events in the SYSTEM log for example;

An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol: TLS 1.0 CipherSuite: 0x2f Exchange strength: 1024

Google the resulting cipher suite.

FAWC

When using Elliptic Curve certificates you will also get something like the following as the certificates are exchanged;

An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol: TLS 1.0 CipherSuite: 0xc009 Exchange strength: 256

Steve_N
  • 66
  • 2
  • 1
    Default value for EventLogging is 1. Above setting is applied on target RDP machine. – Ivan Chau Jul 03 '16 at 16:20
  • This answer does not seem to work on Windows 7 (client) / Windows Server 2016 (server). The key was already set to 1 on both, and the mentioned logs are nowhere to be found. – Zero3 Jan 28 '20 at 15:41
  • 1
    @zero3 This does work on all Windows client/server version to date. The value 1 is the default, try setting it to 7. You may have skimmed over this post a little too quickly. :) – Steve_N Feb 15 '20 at 10:22
  • @Steve_N Ah, my bad. You are right. Thanks! It works for me with a value of 7. – Zero3 Mar 17 '20 at 14:21