Kofax

TLS Cipher Suite Configuration in Windows Server

Article # 3036220

Issue

How to determine which TLS Cipher Suites are enabled on a Windows Server and the order in which they are prioritized.

 

Solution

To determine the order of enabled TLS Cipher Suites on the server using PowerShell (Windows Server 2016 and higher):

  1. Run Windows PowerShell "as Administrator"
     
  2. Enter the following command:
    Get-TlsCipherSuite
     
  3. PowerShell returns the list of enabled TLS CipherSuites in the order of their priority. Select the entire list and copy it into a .txt file for analysis.
    Note:

    The Protocols field lists the SSL/TLS versions that can use the Cipher Suite.  The SSL/TLS versions are represented as decimal numbers:

    • 2 = SSL 2.0
    • 768 = SSL 3.0
    • 769 = TLS 1.0
    • 770 = TLS 1.1
    • 771 = TLS 1.2
    • 772 = TLS 1.3
    • 65279 = DTLS 1.0
    • 65277 = DTLS 1.1

 

To determine the order of enabled TLS Cipher Suites on the server using the Group Policy Editor:

  1. Run gpedit.msc to open the Local Group Policy Editor
     
  2. Navigate to Computer Configuration | Administrative Templates | Network | SSL Configuration Settings
     
  3. Double-click SSL Cipher Suite Order
     
  4. Select the Enabled radio button to see the list in the SSL Cipher Suites field
     
  5. Select all the contents of the SSL Cipher Suites field and copy/paste into a .txt file for analysis

 

To change the order of the TLS Cipher Suites on the server using PowerShell (Windows Server 2016 and higher):

  1. Run Windows PowerShell "as Administrator"
     
  2. Enter the following command to move a Cipher Suite to the highest priority position (where CipherSuiteName is the name of the Cipher Suite):
    Enable-TlsCipherSuite -Name "CipherSuiteName" -Position 0
     
  3. Enter the following command to move a Cipher Suite to the lowest priority position (where CipherSuiteName is the name of the Cipher Suite):
    Enable-TlsCipherSuite -Name "CipherSuiteName" -Position 4294967295
     
  4. Enter the following command to move a Cipher Suite to a specific position on the priority list (where CipherSuiteName is the name of the Cipher Suite and n is the intended position minus 1, since the list starts at Position 0):
    Enable-TlsCipherSuite -Name "CipherSuiteName" -Position n
     
  5. Enter the following command to view the new TLS Cipher Suite list to confirm that the suites are listed in the new order:
    Get-TlsCipherSuite
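
The following is an added example, not part of the original Kofax article: it wraps steps 2 through 5 in one function that converts a 1-based rank to the zero-based -Position value, refuses to act on a suite that is not already enabled (Enable-TlsCipherSuite would otherwise switch it on), and re-reads the list to confirm the result. The function name Set-TlsCipherSuiteRank and its parameters are hypothetical; an elevated session on Windows Server 2016 or higher is assumed.

```powershell
# Added example. Set-TlsCipherSuiteRank is a hypothetical helper, not a built-in cmdlet.
function Set-TlsCipherSuiteRank {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        # 1-based rank as a person reads the list; 1 = highest priority
        [Parameter(Mandatory)][int]$Rank
    )

    # Snapshot the current priority order (index 0 = highest priority).
    $before = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    # Enable-TlsCipherSuite also turns a suite on, so only accept names that
    # are already enabled: this helper reorders the list, it never widens it.
    $canonical = $before | Where-Object { $_ -eq $Name } | Select-Object -First 1
    if (-not $canonical) {
        throw "'$Name' is not currently enabled; the list was not changed."
    }
    if ($Rank -lt 1 -or $Rank -gt $before.Count) {
        throw "Rank must be between 1 and $($before.Count)."
    }

    $position = $Rank - 1   # the list starts at Position 0
    if ($PSCmdlet.ShouldProcess($canonical, "Move to position $position")) {
        Enable-TlsCipherSuite -Name $canonical -Position $position
    }

    # Re-read the list and report where the suite actually landed.
    $after = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    $newPosition = [array]::IndexOf($after, $canonical)
    [pscustomobject]@{
        Name              = $canonical
        OldPosition       = [array]::IndexOf($before, $canonical)
        NewPosition       = $newPosition
        RequestedPosition = $position
        MovedAsRequested  = ($newPosition -eq $position)
        # True when the set of enabled suites is unchanged (order aside).
        SameMembers       = -not (Compare-Object $before $after)
    }
}

# Preview first, then apply (replace CipherSuiteName with a name from Get-TlsCipherSuite):
#   Set-TlsCipherSuiteRank -Name "CipherSuiteName" -Rank 1 -WhatIf
#   Set-TlsCipherSuiteRank -Name "CipherSuiteName" -Rank 1
```

With -WhatIf the list is left untouched, so NewPosition equals OldPosition in the returned object.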

 

To change the order of the TLS Cipher Suites on the server using the Group Policy Editor:

  1. Run gpedit.msc to open the Local Group Policy Editor
     
  2. Navigate to Computer Configuration | Administrative Templates | Network | SSL Configuration Settings
     
  3. Double-click SSL Cipher Suite Order
     
  4. Select the Enabled radio button
     
  5. Select all the contents of the SSL Cipher Suites field and copy/paste into a .txt file
     
  6. Move the comma-separated Cipher Suite names into the intended order from left (highest priority) to right (lowest priority)
     
  7. Copy/Paste the edited list back into the SSL Cipher Suites field, overwriting the existing contents.
     
  8. Click Apply to apply the settings changes
     
  9. Click OK to close the SSL Cipher Suite Order window
     
  10. Reboot the server for the new Cipher Suite Order to take effect
     

Level of Complexity 

Moderate

 

Applies to  

Product                     Version                    Build  Environment     Hardware
Kofax Front Office Server   4.3, 4.1                   ALL    Windows Server  N/A
Kofax TotalAgility          7.9, 7.8, 7.7, 7.6, 7.5    ALL    Windows Server  N/A