Configuring SSL protocol handling in IIS

Once you have installed your SSL certificate you may wish to optimise the configuration of your server.

There are five protocols available:

Protocol   Enabled in IIS by default   Desirable
TLS 1.2    No                          Yes
TLS 1.1    No                          Yes
TLS 1.0    Yes                         Yes
SSL 3      Yes                         Yes*
SSL 2      Yes                         No

From the above table we can see that SSL 2 needs to be disabled (it is now considered insecure),
and TLS 1.2 and TLS 1.1 should be enabled. Finally, you should enable Perfect Forward Secrecy.

*SSL 3 is only useful if you need to support IE6 on XP. Otherwise it should be disabled.

If you are unsure of the current status of your server you can check it here:

https://www.ssllabs.com/ssltest/analyze.html

Step 1: Disable SSL 2

On your server open the Registry and go to:

HKEY_LOCAL_MACHINE
 SYSTEM
  CurrentControlSet
   Control
    SecurityProviders
     SCHANNEL
      Protocols
       SSL 2.0

Under this, add a key "Server".

Under "Server", add a REG_DWORD named "Enabled" with a value of 0.

Reboot the server to make the change active.

Step 2: Enable TLS 1.2 and TLS 1.1

(TLS 1.2 and TLS 1.1 may not be available for versions of Windows before Windows 7 / Windows Server 2008 R2.)

On your server open the Registry and go to:

HKEY_LOCAL_MACHINE
 SYSTEM
  CurrentControlSet
   Control
    SecurityProviders
     SCHANNEL
      Protocols

Under this, add a key "TLS 1.1" and a key "TLS 1.2".

Under each of these two, add two keys:

  • "Client"
  • "Server"

Under each of these four, add:

  • a REG_DWORD named "DisabledByDefault" with a value of 0
  • a REG_DWORD named "Enabled" with a value of 1

Reboot the server to make the change active.
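The registry edits from Step 1 and Step 2, scripted in PowerShell as an added example (not part of the original article). It assumes an elevated prompt; the function name Set-SchannelProtocol is my own, and it additionally writes DisabledByDefault=1 when disabling a protocol, which the article's Step 1 does not require. Each value is read back afterwards so the result can be checked before the reboot.

```powershell
# Added example: applies Step 1 and Step 2 with PowerShell instead of regedit.
# Run from an elevated prompt; a reboot is still required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][string[]]$Sides,    # 'Client', 'Server' or both
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in $Sides) {
        $path = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SCHANNEL
        # offer it without the application asking for it explicitly.
        # When disabling, DisabledByDefault=1 is written as well (an addition
        # to the article's Step 1, which only sets Enabled=0).
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Step 1: disable SSL 2 on the server side.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Sides 'Server' -Enable $false

# Step 2: enable TLS 1.1 and TLS 1.2 for both Client and Server.
foreach ($p in 'TLS 1.1', 'TLS 1.2') {
    Set-SchannelProtocol -Protocol $p -Sides 'Client', 'Server' -Enable $true
}

# Read back every protocol key so the change can be verified before rebooting.
Get-ChildItem $base -Recurse | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Key               = $_.PSPath -replace '^.*Protocols\\', ''
        Enabled           = $v.Enabled
        DisabledByDefault = $v.DisabledByDefault
    }
} | Format-Table -AutoSize
```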

Step 3: Enable Perfect Forward Secrecy

At the Command Line, run:

gpedit.msc

Open the tree:

Computer Configuration
   Administrative Templates
     Network

Click "SSL Configuration Settings"

In the right pane, double-click "SSL Cipher Suite Order"

Set the "SSL Cipher Suite Order" to Enabled

In the "SSL Cipher Suites" value, replace the existing value with the following (must be on one line):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA

Click OK

Reboot the server to make the change active.

© Enstar LLC 1999-2019. All Rights Reserved.