neatComponents is the hybrid-cloud database engine that powers clearString.

Previous pageTechniques & KB Articles Next page
Configuring SSL protocol handling in IIS 

Configuring SSL protocol handling in IIS

Once you have installed your SSL certificate you may wish to optimise the configuration of your server.

There are five Protocols available:

ProtocolEnabled in IIS by DefaultDesirable
TLS 1.2NoYes
TLS 1.1NoYes
TLS 1.0YesYes
SSL 3YesYes*
SSL 2YesNo

From the above table we can see that SSL 2 needs to be disabled (it is now considered insecure),
and TLS 1.2 and 1.1 should be enabled. Finally you should enable Perfect Forward Secrets.

*SSL3 is only useful if you need to support IE6 on XP. Otherwise it should be disabled.

If you are unsure of the current status of your server you can check it here:

https://www.ssllabs.com/ssltest/analyze.html

Step 1: Disable SSL 2

On your server open the Registry and go to:

HKEY_LOCAL_MACHINE
 SYSTEM
  CurrentControlSet
   Control
    Security Providers
     SCHANNEL
      Protocols
       SSL 2.0

Under this, add a key "Server"

Under "Server", add a REG_DWORD named "Enabled" with a  value of 0

Reboot the server to make the change active.

Step 2: Enable TLS 1.2 and TLS 1.1

(TLS 1.2 and TLS 1.1 may not be available for versions of Windows before Windows 7 / Windows 2008 Server R2)

On your server open the Registry and go to:

HKEY_LOCAL_MACHINE
 SYSTEM
  CurrentControlSet
   Control
    Security Providers
     SCHANNEL
      Protocols

Under this, add a key "TLS 1.1", and a key "TLS 1.2"

Under each of these two, add two keys:

  • "Client"
  • "Server"

Under each of these four, add:

  • a REG_DWORD named "DisabledByDefault" with a value of 0
  • a REG_DWORD named "Enabled" with a value of 1

Reboot the server to make the change active.

Step 3: Enable Perfect Forward Secrets

At the Command Line, run:

gpedit.msc

Open the tree:

Computer Configuration
   Administrative Templates
     Network

Click  "SSL Configuration Settings"

In the right pane, double-click "SSL Cipher Suite Order"

Set the "SSL Cipher Suite Order" to Enabled

In the "SSL Cipher Suites" value, replace the existing value with the following (must be on one line):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA
  

Click OK

Reboot the server to make the change active.

Copyright © 2025 Enstar LLC    All rights reserved Print this pageTranslate: