Microsoft IIS — Configuring HTTPS Protocols and Ciphers

phbits
Apr 24, 2020



Configuring HTTPS is not a simple update to a configuration file. Making changes to HTTPS protocols in Microsoft Internet Information Services (IIS) requires modifying the registry which in turn requires a reboot for the changes to become active. For ciphers, thankfully there are PowerShell cmdlets to make changes immediately active.

The following will provide some background and PowerShell snippets to help achieve that A+ on Qualys SSL Server Test. It has been tested on an Azure VM running the following:

  • Windows Server 2019
  • Internet Information Services (IIS) 10
  • PowerShell 5.1

Update: 2021-01-08

See the update at the end of this post for more information about securing Microsoft IIS protocols and ciphers.

SCHANNEL

Schannel is a security package that provides authentication between clients and servers and implements the SSL/TLS protocols behind HTTPS. Its configuration is split into two components, Client and Server: Client governs outgoing connections, Server governs services hosted on the local system. For example, browsers rely on the Client settings while IIS and other hosted services use the Server settings. These settings are system-wide, so they affect every service and process: once a protocol is disabled to secure IIS, no other service or process on the system can use that protocol either.

Schannel supports a number of protocols, from the lesser known PCT and DTLS to the well known SSL and TLS. Each has its own registry settings beneath the Client and/or Server registry locations. To see how these protocols are configured by default, review the table on Microsoft Docs: Protocols in TLS/SSL (Schannel SSP)

PowerShell Function

The following PowerShell function will disable a protocol for both Client and Server by default. Use the -EnableProtocol switch to enable the protocol for both Client and Server.
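The function itself did not survive on this page, so the following is an added example written to match the usage lines in this post; it is not the author's original code. It writes the documented Schannel registry values (Enabled and DisabledByDefault under the Protocols key); the -Side parameter and the Get-SchannelProtocol read-back function are additions of this example.

```powershell
function Get-SchannelProtocolKey([string]$Protocol, [string]$Side) {
    # Documented Schannel location; each protocol has a Client and a Server subkey.
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')]
        [string]$Protocol,
        [switch]$EnableProtocol,                  # default action is to disable
        [ValidateSet('Client','Server')]
        [string[]]$Side = @('Client','Server')    # added here: restrict to one side
    )
    # Schannel reads two DWORDs per side. Enabled=0 blocks the protocol outright;
    # DisabledByDefault=1 keeps it out of the default list unless an app opts in.
    $enabled = if ($EnableProtocol) { 1 } else { 0 }
    $disabledByDefault = 1 - $enabled
    foreach ($s in $Side) {
        $key = Get-SchannelProtocolKey $Protocol $s
        if (-not $PSCmdlet.ShouldProcess($key, "Enabled=$enabled, DisabledByDefault=$disabledByDefault")) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }  # -Force also creates the parent key
        New-ItemProperty -Path $key -Name Enabled -Value $enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value $disabledByDefault -PropertyType DWord -Force | Out-Null
    }
    Write-Warning "Schannel reads these keys at boot; reboot $env:COMPUTERNAME to apply."
}

function Get-SchannelProtocol {
    # Read back the configured state so it can be checked before rebooting.
    # 'default' means no value is set and the OS default from the Microsoft Docs table applies.
    param([string[]]$Protocol = @('PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($s in 'Client','Server') {
            $key = Get-SchannelProtocolKey $p $s
            $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = if ($null -eq $v.Enabled) { 'default' } else { $v.Enabled }
                DisabledByDefault = if ($null -eq $v.DisabledByDefault) { 'default' } else { $v.DisabledByDefault }
            }
        }
    }
}
# Usage, as in the post (elevated prompt, then reboot):
#   'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ }
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol
#   Get-SchannelProtocol | Format-Table -AutoSize
```

Run with -WhatIf first to see which keys would be written without touching the registry.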

Launching PowerShell

The following PowerShell commands are what I use to configure Schannel protocols. The commands must be launched on the system in an elevated admin prompt and a reboot is required to make changes active.

$DisableProtos = 'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1'
$DisableProtos | %{ Set-SchannelProtocol -Protocol $_ }
Set-SchannelProtocol -Protocol 'TLS 1.2' -EnableProtocol

Ciphers

Making changes to Schannel ciphers is discouraged by Microsoft since the configuration is global and can therefore affect other applications. By default, Schannel uses the best cipher available, and disabling the insecure protocols above also disables a number of insecure ciphers. That said, the TLS PowerShell cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite) make the changes easy to apply.

Use the following to configure ciphers via Group Policy.

Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

Get Enabled Ciphers

To see an ordered list of enabled ciphers run the following command.

Get-TlsCipherSuite | Format-Table Name -AutoSize

Disable Cipher

Disable TLS_RSA_WITH_NULL_SHA by issuing the following. To confirm, run the above Get-TlsCipherSuite and verify the cipher is no longer listed. These changes do not require a reboot.

Disable-TlsCipherSuite -Name TLS_RSA_WITH_NULL_SHA

Test

After making all of these changes, you must test the configuration. The best resource is the Qualys SSL Server Test, which runs an extensive list of tests and also offers a test for clients (e.g. browsers). See Qualys SSL Labs for more information.

If you’re on a private network, Nmap has an NSE script ssl-enum-ciphers which will perform similar tests against servers.

Update: 2021-01-08

I’ve since found a great post offering much more detail on this topic. It ends with a well documented PowerShell script complete with a changelog (history).

Setup Microsoft Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2
