A Cipher Best Practice: Configure IIS for SSL/TLS Protocol

Microsoft released a patch on November 11 to address a vulnerability in SChannel that could allow remote code execution. This patch included four new cipher suites for Windows Server versions 2003 through 2012 R2. Previously only Windows Server 2012 R2 had these cipher suites. On November 16, Microsoft updated the advisory stating that they found an issue with the new cipher suites they introduced. On November 18, Microsoft updated MS14-066 to remove the cipher suites from the default cipher suite list for Windows 2008 R2 and Windows 2012. Windows 2012 R2 does not get the update. [Note: These changes do not apply to Windows Server 2016 and later, which include newer cipher suite support by default.]

Microsoft has explained how to do this manually. The full list of cipher suites that are supported  is also outlined by Microsoft. In addition, you can also follow these steps to manually enable these changes.
 
If you want to get the full list, read on. If not, skip to the next section.
The best practices cipher suite order:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

The default cipher suite order:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  • TLS_RSA_WITH_AES_256_GCM_SHA384*
  • TLS_RSA_WITH_AES_128_GCM_SHA256*
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA

Note: Windows Server 2003 doesn’t support the reordering of SSL cipher suites offered by IIS. However, you can still disable weak protocols and ciphers. Also, Windows Server 2003 does not come with the AES cipher suite. Microsoft has a hotfix for this.

[Note: Windows Server 2016, 2019, and 2022 support native AES cipher suites and allow cipher suite order configuration through Group Policy and registry.]

So how do you configure these protocol orders and ciphers without manually laboring each time?
Use IIS Crypto.
IIS Crypto was created to simplify enabling and disabling various protocols and cipher suites on servers running IIS, and it sets a few registry keys to enable/disable protocols, ciphers and hashes, as well as reorder cipher suites. All the changes are made following Microsoft’s best practices. [Note: IIS Crypto 3.3 and later support Windows Server 2016, 2019, 2022, and Windows 10/11.] One of the nice things about IIS Crypto, in my opinion, is that it also supports pre-defined templates that can be set with a single button click:

  • PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.
  • FIPS 140-2. – Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.
  • BEAST. The same as PCI, but also reorders the cipher suite.

Instead of making the changes manually or using some scripting to do this on multiple servers, you can simply use IIS Crypto to ease the task of properly configuring these web servers.  

[Note: Modern PowerShell-based tools and Group Policy Objects (GPOs) can also be used on Windows Server 2016+ to automate SSL/TLS hardening.]
 
After downloading and running IIS Crypto, you will be able to select the following settings:

Nartac Software's IIS Crypto was created to simplify enabling and disabling various protocols and cipher suites on servers running IIS. (Image Credit: Daniel Petri)
Nartac Software’s IIS Crypto was created to simplify enabling and disabling various protocols and cipher suites on servers running IIS. (Image Credit: Daniel Petri)


Once used, IIS Crypto modifies some registry key and child nodes. Each registry key has an “Enabled” value that is set, while protocols have an additional value named “DisabledByDefault” that is also set.

[Note: These registry paths are still used in Windows Server 2016 and later.]
To enable/disable protocols, ciphers and hashes:

HKLMSYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

To reorder the cipher suites:

HKLMSOFTWAREPoliciesMicrosoftCryptographyConfigurationSSL0010002

It was tested on Windows Server 2003, 2008, 2008 R2 and 2012 and 2012 R2.

Note for servers running Remote Desktop Services (RDS): The default security layer in RDP is set to “Negotiate”, which supports both SSL (TLS 1.0) and the RDP Security Layer. However, if you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 in IIS Crypto you will be unable to connect to RDP.

[Note: Modern Windows Server versions support RDP over TLS 1.2 or 1.3 (where available). Be sure the RDP configuration and IIS Crypto settings match.]

To check your settings, open Remote Desktop Session Host Configuration in Administrative Tools and double click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0), make sure that you do not disable TLS 1.0 in IIS Crypto.

FAQs

What are the main benefits of implementing modern Cipher Suites in enterprise environments?

Modern Cipher Suites provide enhanced security through advanced encryption algorithms, better performance through optimized cryptographic operations, and improved compatibility with contemporary security standards. Organizations implementing current Cipher Suites can achieve better security scores in compliance audits and protect against emerging threats.

How often should Cipher Suites configurations be reviewed and updated?

Security experts recommend reviewing Cipher Suites configurations quarterly, or whenever major security vulnerabilities are discovered. Regular audits of Cipher Suites ensure optimal security posture and compliance with evolving industry standards.

What impact do Cipher Suites have on website performance and user experience?

The selection of Cipher Suites can significantly affect website loading times and server resource usage. Modern Cipher Suites with efficient algorithms can improve SSL/TLS handshake speeds while maintaining strong security levels.

How do Cipher Suites affect mobile device compatibility?

Different mobile devices support various Cipher Suites configurations, affecting their ability to establish secure connections. Implementing a balanced selection of Cipher Suites ensures broader device compatibility while maintaining security standards.

What are the consequences of using deprecated Cipher Suites?

Running outdated Cipher Suites can expose systems to known vulnerabilities, fail security compliance requirements, and potentially lead to data breaches. Modern Cipher Suites implementation is crucial for maintaining robust security posture and protecting sensitive information.