Windows Internet Information Service (or IIS) 7.5 and 8 can be configured to use only strong ciphers. This article will show you the steps required to do this.
View and Edit Enabled Ciphers
- From a command line, run gpedit.msc to start the Local Group Policy Editor.
- A window will pop up with the Local Group Policy Editor. On the left pane, click Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings.
- On the right pane, double click SSL Cipher Suite Order to edit the accepted ciphers. Note that the editor will only accept up to 1023 bytes of text in the cipher string – any additional text will be disregarded without warning.
- Save your changes when you are finished and then restart the server to have them take effect. Don’t forget that changing your cipher suite configuration may cause older browsers to fail on your website, because they are not able to negotiate the stronger cipher suites.
Selecting Strong Cipher Suites
A list of all cipher suites available in Windows can be found at this link in Microsoft’s support library.
SSL.com recommends the following cipher suite configuration. These have been selected for speed and security. You may use this list as a template for your configuration, but your own needs should always take precedence. Older, less secure cipher suites may be required for legacy software (such as older browsers). You may wish to add support for these legacy browsers if your clients are not updated.
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 *
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 *
*Windows 8.1 and Windows Server 2012 R2 only.
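The following PowerShell script is an added example, not part of the original SSL.com article. It applies the two cipher suites listed above through the registry value that the "SSL Cipher Suite Order" Group Policy setting writes (HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, value Functions), shows the order currently in effect before overwriting it, and refuses to write a string longer than the 1023-byte limit that the policy editor silently truncates at. The cipher suite list, the registry path and the reboot requirement are taken from the article and the documented behaviour of the policy; everything else (variable names, messages) is the example's own.

```powershell
# Added example (not from the original article): set the Schannel cipher suite
# order via the registry value backing the "SSL Cipher Suite Order" policy
# (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings).
# Run from an elevated PowerShell prompt; the server must be restarted afterwards.

# Cipher suites from the article; list order is the preference order.
$cipherSuites = @(
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',   # Windows 8.1 / Server 2012 R2 only
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'    # Windows 8.1 / Server 2012 R2 only
)

# The policy expects a single comma-separated string with no spaces.
$cipherString = $cipherSuites -join ','

# The policy editor discards anything past 1023 bytes without warning. Suite
# names are ASCII, so the character count equals the byte count; fail loudly
# instead of silently losing the suites at the end of the list.
$maxLength = 1023
if ($cipherString.Length -gt $maxLength) {
    throw "Cipher suite string is $($cipherString.Length) bytes; the policy limit is $maxLength."
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Show the currently configured order (if any) so the change can be reviewed.
$current = Get-ItemProperty -Path $policyKey -Name 'Functions' -ErrorAction SilentlyContinue
if ($current) {
    Write-Host 'Current cipher suite order:'
    $current.Functions -split ',' | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No cipher suite order policy is set; Schannel defaults apply.'
}

# Create the policy key if it does not exist, then write the new order.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'Functions' -Value $cipherString -Type String

Write-Host "Wrote $($cipherSuites.Count) cipher suites ($($cipherString.Length) bytes). Restart the server to apply the change."
```

The script only writes the policy value; as the article notes, the new order takes effect after a restart. If you extend the list with legacy suites for older browsers, keep the strongest suites first, since the order written here is the order Schannel offers them in. On Windows 10 and Windows Server 2016 or later, Get-TlsCipherSuite can be used to inspect the effective cipher suite order after the reboot.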