Configuring HTTPS on Windows is not a simple update to a configuration file. IIS has no per-site protocol setting: the protocols that IIS (and anything else served through HTTP.sys) will negotiate are controlled by Schannel's registry keys, and changes there only take effect after a reboot. Ciphers are easier: there are PowerShell cmdlets for cipher suites whose changes take effect immediately.
The following will provide some background and PowerShell snippets to help achieve an A+ on the Qualys SSL Server Test. It has been tested on an Azure VM running the following:
- Windows Server 2019
- Internet Information Service (IIS) 10
- PowerShell 5.1
Update: 2021–01–08
See the update at the end of this post for more information about securing Microsoft IIS protocols and ciphers.
SCHANNEL
Schannel (Secure Channel) is the Windows security package that implements the SSL/TLS protocols used by HTTPS and authenticates clients and servers to each other. Its configuration is split into two components: Client and Server. Client refers to outgoing connections while Server refers to services hosted on the local system. For example, browsers rely on the Client settings while IIS and other hosted services use the Server settings. These settings are system-wide, so they affect every service and process on the box: disabling a protocol to secure IIS also removes it for every other service or process on that system, and if the Client side is changed as well, for every outbound connection the system makes.
Schannel supports a number of protocols, from the lesser-known PCT and DTLS to the well-known SSL and TLS. Each has its own registry key beneath HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, with Client and/or Server subkeys that hold the Enabled and DisabledByDefault DWORD values; a key that is absent means the OS default applies. To see how these protocols are configured by default, review the table on Microsoft Docs: Protocols in TLS/SSL (Schannel SSP).
PowerShell Function
The following PowerShell function will disable a protocol for both Client and Server by default. Use the -EnableProtocol switch to enable the protocol for both Client and Server instead.
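The function body itself is not reproduced on the page, so the following is my reconstruction of a Set-SchannelProtocol that does what the description above says (an added example, not the post's original function). The -Side parameter and the companion Get-SchannelProtocol read-back function are my additions; the registry layout and value names are the documented Schannel ones.

```powershell
# Added example: reconstruction of a Set-SchannelProtocol function matching the
# description above. Not the post's original code; -Side and
# Get-SchannelProtocol are additions.
$SchannelProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,

        # Enable instead of disable (the default is to disable).
        [switch]$EnableProtocol,

        # Which side(s) to change; both by default, as in the post.
        [ValidateSet('Client', 'Server')]
        [string[]]$Side = @('Client', 'Server')
    )

    # Schannel reads two DWORDs per side: Enabled (0 = off, any nonzero = on;
    # Microsoft's docs use 1 or 0xffffffff) and DisabledByDefault (1 = not
    # offered unless an application asks for it explicitly). Setting both
    # makes the intent unambiguous.
    if ($EnableProtocol) { $enabled = 1; $disabledByDefault = 0 }
    else                 { $enabled = 0; $disabledByDefault = 1 }

    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocolsKey $Protocol) $s
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$enabled DisabledByDefault=$disabledByDefault")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $disabledByDefault -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocol {
    # Read back what is configured explicitly; 'default' means no key/value is set.
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $SchannelProtocolsKey $proto) $s
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $s
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

# Typical use (elevated prompt, reboot afterwards):
#   'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ }
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol
#   Get-SchannelProtocol | Format-Table -AutoSize
```

Because the function supports -WhatIf, run the disable loop with -WhatIf first to see exactly which keys it will touch. Get-SchannelProtocol is also the quickest way, after the reboot, to confirm that the values survived and that nothing (such as a Group Policy preference) rewrote them.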
Launching PowerShell
The following PowerShell commands are what I use to configure Schannel protocols. They must be run on the target system in an elevated (administrator) PowerShell prompt, and a reboot is required before the changes take effect.
$DisableProtos = 'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1'
$DisableProtos | %{ Set-SchannelProtocol -Protocol $_ }
Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol
Ciphers
Making changes to Schannel ciphers is discouraged by Microsoft since the configuration is global and can therefore affect other applications. By default, Schannel prefers the strongest suite both sides support, and disabling the insecure protocols removes the suites that only those protocols could negotiate. What remains can still include leftovers such as NULL-encryption suites (the example below removes one), so it is worth reviewing. The TLS cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite and Enable-TlsCipherSuite) make such changes easy.
Cipher suite order can also be set via Group Policy, under:
Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order
A cipher suite order pushed by Group Policy takes precedence over local changes, so check for one before concluding that the cmdlets had no effect.
Get Enabled Ciphers
To see an ordered list of enabled ciphers run the following command.
Get-TlsCipherSuite | Format-Table Name -AutoSize
Disable Cipher
Disable TLS_RSA_WITH_NULL_SHA by issuing the following. To confirm, run the above Get-TlsCipherSuite and verify the cipher is no longer listed. These changes do not require a reboot.
Disable-TlsCipherSuite -Name TLS_RSA_WITH_NULL_SHA
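Disabling one suite at a time does not scale, so here is an added example (not the post's code) that generalises the step above: it disables every enabled suite whose name matches a set of weak-suite patterns, previews the change with -WhatIf, and prints what remains. The patterns are my assumptions about what counts as weak for an IIS host aiming at an A+ with forward secrecy; in particular '^TLS_RSA_' removes all static-RSA key exchange suites, including the AES ones, which some legacy clients still need.

```powershell
# Added example (not the post's code): disable whole classes of weak cipher
# suites by name pattern instead of one suite at a time, then show what is left.
# Run in an elevated prompt; no reboot needed. Review with -WhatIf first.

# These patterns are assumptions about what "weak" means for this server;
# drop '^TLS_RSA_' if legacy clients must keep the non-PFS AES suites.
$WeakSuitePatterns = @(
    '_NULL_'      # no encryption at all (TLS_RSA_WITH_NULL_SHA and friends)
    '_RC4_'       # RC4 stream cipher
    '_3DES_'      # 64-bit block cipher (3DES)
    '_MD5$'       # MD5-based MAC
    '_EXPORT'     # export-grade suites, if any are still present
    '^TLS_RSA_'   # static RSA key exchange: no forward secrecy
)
$WeakSuiteRegex = $WeakSuitePatterns -join '|'

function Get-WeakTlsCipherSuite {
    # Currently enabled suites whose name matches any weak pattern.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $WeakSuiteRegex } |
        Select-Object -ExpandProperty Name
}

function Disable-WeakTlsCipherSuite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in Get-WeakTlsCipherSuite) {
        if ($PSCmdlet.ShouldProcess($name, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $name
        }
    }
}

# Preview, apply, verify. '^TLS_RSA_' does not match the TLS_ECDHE_RSA_* suites,
# which provide forward secrecy and stay enabled.
Disable-WeakTlsCipherSuite -WhatIf
Disable-WeakTlsCipherSuite
Get-TlsCipherSuite | Format-Table Name, Exchange, Cipher, Hash -AutoSize

# If you go too far, a suite can be re-added at a given priority position:
#   Enable-TlsCipherSuite -Name TLS_RSA_WITH_AES_256_GCM_SHA384 -Position 0
```

Keep a copy of the original Get-TlsCipherSuite output before running this; Enable-TlsCipherSuite with -Position is the way back if a client you did not anticipate stops connecting.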
Test
After making all of these changes, you must test the configuration. The best resource is the Qualys SSL Server Test, which runs an extensive list of checks and also offers a test for clients (e.g. browsers). See Qualys SSL Labs for more information.
If you’re on a private network, Nmap has an NSE script, ssl-enum-ciphers, which will perform similar tests against servers.
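For a server that neither Qualys nor Nmap can reach, here is an added example (not the post's code) that probes the server directly from PowerShell 5.1 using the .NET SslStream class: it offers one protocol version at a time and reports whether the server accepted it and what was negotiated. One caveat matters here: SslStream on Windows goes through Schannel, so run this from a machine whose own Client-side settings still allow the older protocols, otherwise a rejected TLS 1.0 handshake tells you about the client, not the server. The host name is a placeholder.

```powershell
# Added example (not the post's code): check which TLS versions a server will
# negotiate, using the .NET SslStream that ships with PowerShell 5.1.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        [int]$Port = 443,
        # Offer each of these on its own; TLS 1.3 is omitted because Server 2019
        # does not support it and the enum value needs .NET 4.8.
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = $null
        $ssl    = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
            # Accept any certificate: the question is protocol support, not chain validity.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            # Offer exactly one protocol version so the server must take it or refuse.
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{
                Offered    = $proto
                Accepted   = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = $ssl.CipherAlgorithm
                Exchange   = $ssl.KeyExchangeAlgorithm
                Error      = $null
            }
        }
        catch {
            [pscustomobject]@{
                Offered    = $proto
                Accepted   = $false
                Negotiated = $null
                Cipher     = $null
                Exchange   = $null
                Error      = $_.Exception.GetBaseException().Message
            }
        }
        finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
}

# After the reboot, a hardened server should accept only Tls12:
Test-TlsProtocol -ComputerName 'iis.example.internal' | Format-Table -AutoSize

# On a private network, Nmap gives a second opinion from outside the box:
#   nmap --script ssl-enum-ciphers -p 443 iis.example.internal
```

The Exchange column is the quick forward-secrecy check: after the cipher changes you want to see ECDHE (reported as an ECDH-family key exchange) rather than RSA.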
Update: 2021–01–08
I’ve since found a great post offering much more detail on this topic. It ends with a well-documented PowerShell script complete with a changelog (history).
Setup Microsoft Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2