Require Strong Ciphers in Windows IIS 7.5 and 8

Windows Internet Information Service (or IIS) 7.5 and 8 can be configured to use only strong ciphers. This article will show you the steps required to do this.

NOTE: Cipher configuration will involve working with your system’s Local Group Policy Editor. Server configuration is outside of the scope of our support, and SSL.com cannot offer assistance with these steps.  We strongly recommend that you consult a professional Windows Administrator prior to making these changes. SSL.com offers this information as a service and reminds you that you use this information at your own risk.

View and Edit Enabled Ciphers

  1. From a command line, run gpedit.msc to start the Local Group Policy Editor,
  2. A window will pop up with the Local Group Policy Editor.  On the left pane, click Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings.
  3. On the right pane, double click SSL Cipher Suite Order to edit the accepted ciphers.  Note that the editor will only accept up to 1023 bytes of text in the cipher string – any additional text will be disregarded without warning.
  4. Save your changes when you are finished and then restart the server to have them take effect. Don’t forget that changing your cipher suite configuration may cause older browsers to fail on your website because if are not able to use the updated stronger protocols.
Go to top

Selecting Strong Cipher Suites

A list of all available cipher suites available can be found at this link in Microsoft’s support library.

SSL.com recommends the following cipher suite configuration. These have been selected for speed and security. You may use this list as a template for your configuration, but your own needs should always take precedence. Older, less secure cipher suites may be required for legacy software (such as older browsers). You may wish to add support for these legacy browsers if your clients are not updated.

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 *
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 *

*Windows 8.1 and Windows Server 2012 R2 only.

SSL.com reminds you that this is only a recommendation. We cannot offer support with this process and again suggest you consult a professional Windows Administrator prior to making any changes. Misconfiguration can cause broken or insecure connections.
Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

Chris Kemmerer

All Posts

Related How Tos

View All How Tos
Facebook Linkedin Twitter Youtube Github

Subscribe to SSL.com’s Newsletter

What is SSL/TLS?

Play Video

Subscribe To SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey