IIS 7/7.5 Hardening SSL TLS – Windows Server 2008 R2

     One of the first steps you should do when deploying a new public facing web server is hardening your server’s SSL/TLS connections. Disabling vulnerable protocols, ciphers, hashes and key exchange algorithms can help mitigate the now more common exploits like the BEAST attack. By default many weaker technologies are enabled, leaving IIS traffic vulnerable and exposed.

     To mitigate this issue we simply have to disable the vulnerable technologies in the schannel.dll via registry keys, described in more detail in Microsoft KB 245030. My preferred method is to use the IISCrypto utility from Nartac Software, which has FIPS, PCI and BEAST templates built in to make hardening SSL/TLS as easy as a few clicks.

SChannel.dll Registry key –


Comments are closed.