IIS Crypto
Introduction
Windows TLS configuration is not automatically updated by Windows Update, partly because changes can break compatibility with older clients, so the settings are often outdated and insecure.
When you install a Windows server you get the default configuration from when the operating system was first launched.
We therefore recommend that the configuration is updated each time a certificate is installed on the server.
IIS Crypto is a program developed by Nartac Software to easily change the SSL/TLS configuration, which Windows stores in the registry.
The configuration is used by all Windows services, such as IIS, Exchange, Lync and RDP.
IIS Crypto has several built-in templates, among them PCI 3.1 and FIPS 140-2, which configure the server to meet the requirements of the respective standards.
We recommend using the Best Practices button to set Windows to a solid security level without ignoring backward compatibility.
There are services, such as SMTP, where Best Practices is not compatible with older email systems that are still used in production.
We recommend that you always make a backup of the active configuration before changing anything, then you can always revert to the setting that works.
See Backup of active settings for information on how to make a backup.
Nartac Software updates the settings regularly, so remember to keep the client updated to the newest version.
IIS Crypto can be downloaded for free from Nartac Software's website.
This guide was created with IIS Crypto 3.2.
Backup of active settings
A backup can be created in two ways: either back up the entries in the Windows registry that belong to the TLS configuration, or save a template without changing any setting when you open IIS Crypto.
To make a backup of the Windows Registry:
Open Advanced.
Click Backup Registry.
Give your backup a name and a location where you can find it, e.g. c:\CryptoTemplates\fairssl.dk-backup.reg
Note: You cannot import the registry backup into IIS Crypto. If you need to restore the configuration, you have to import the file directly into the Windows registry.
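As an added example (not part of the original guide and not code from IIS Crypto), the same registry backup done from an elevated PowerShell prompt with reg.exe, so it can be scripted before each change; the C:\CryptoTemplates folder and the file naming are assumptions based on the guide's example paths.

```powershell
# Added example: export the registry keys that hold the Windows TLS configuration
# to .reg files, the same data IIS Crypto's "Backup Registry" saves.
# Run in an elevated PowerShell session.
$BackupDir = 'C:\CryptoTemplates'            # assumed location, as in the guide
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# Schannel protocol/cipher switches, and the cipher suite order policy key.
$Keys = @{
    'schannel'     = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    'ciphersuites' = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($Name in $Keys.Keys) {
    $Path = $Keys[$Name]
    $File = Join-Path $BackupDir "$env:COMPUTERNAME-$Name-$Stamp.reg"
    # reg.exe export writes a .reg file that 'reg.exe import' can load again.
    # /y overwrites an existing file without prompting.
    reg.exe export $Path $File /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # The cipher suite policy key only exists once an order has been set.
        Write-Warning "Key $Path could not be exported (it may not exist yet)."
        continue
    }
    Write-Host "Exported $Path to $File"
}

# Restore: import the file directly into the registry (IIS Crypto cannot read it),
# then reboot so Schannel picks up the restored values:
#   reg.exe import "C:\CryptoTemplates\<server>-schannel-<stamp>.reg"
```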
To make a template:
If you have changed any setting, close down IIS Crypto and reopen it.
Open Templates.
Give your template a name, an author and a description.
Click the disk icon (Save the selected template).
Give your template file a name and a location where you can find it, e.g. c:\CryptoTemplates\fairssl.dk-backup.ictpl
Best Practices
By clicking Best Practices you get the configuration that is generally considered the best combination of high security and high compatibility.
Note: Any change to the configuration, including Best Practices, can potentially create compatibility issues, so we recommend that you create a backup of the active settings so you can easily go back if something doesn't work.
See Backup of active settings for information on how to make a backup.
In Schannel it will deselect the most insecure protocols and ciphers.
Server Protocols is for when the server acts as server.
Client Protocols is for when the server acts as client.
In Cipher Suites it will deselect the least secure suites and change the order to give a good combination of high security and high compatibility.
The order is important: the server works down the list from the top when negotiating with a client, so the first suite that both sides support is chosen. If an insecure cipher suite is at the top, it will be used most often.
It is possible to change all settings to cover special needs.
When you have the configuration you want, press Apply to save the changes on the server, and reboot Windows to activate the new configuration.
If you tick Reboot, IIS Crypto will initiate the reboot; otherwise you have to do it manually.
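Added example, not from the original guide and not IIS Crypto's own code: after Apply and a reboot, this PowerShell snippet reads the Schannel protocol switches and the cipher suite order from the registry, so the configuration that is actually active can be verified and recorded. The protocol key list is an assumption covering the protocols IIS Crypto 3.2 exposes; a missing key means the operating system default applies.

```powershell
# Added example: show the active Schannel protocol settings and cipher suite order.
$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Protocol key names as Schannel expects them (assumed list).
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

foreach ($Proto in $Protocols) {
    foreach ($Role in 'Server', 'Client') {
        $Key = Join-Path $ProtocolRoot "$Proto\$Role"
        if (-not (Test-Path $Key)) {
            # No key: the operating system default applies (greyed out in IIS Crypto).
            '{0,-8} {1,-6} OS default' -f $Proto, $Role
            continue
        }
        $V = Get-ItemProperty -Path $Key
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it available
        # but not offered unless an application requests it explicitly.
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $Proto, $Role, $V.Enabled, $V.DisabledByDefault
    }
}

# Cipher suite order: the server walks this list from the top during negotiation,
# so the first suite the client also supports is the one used.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $PolicyKey) {
    # Functions is a comma-separated REG_SZ under the policy key; joining first
    # also handles a REG_MULTI_SZ written by another tool.
    $Raw   = (Get-ItemProperty -Path $PolicyKey).Functions
    $Order = @(((@($Raw) -join ',') -split ',') | Where-Object { $_ })
    'Cipher suite order set by policy ({0} suites):' -f $Order.Count
    $Order | ForEach-Object { "  $_" }
} else {
    'No cipher suite order policy set; the OS default order is in effect.'
}
```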
Roll-out on multiple servers
If you have multiple servers that need the same security configuration, or if you just want a backup of the configuration, you can create your own template.
If a template is already selected in the list, e.g. because you pressed the Best Practices button, you cannot create an empty template.
Select one of the built-in templates, e.g. Best Practices, and click the disk icon (Save the selected template).
You will get a warning that you can't save on top of a built-in template, but that you can create a new one instead.
Click OK.
Give your template a name, and save it somewhere where you can find it, e.g. c:\CryptoTemplates\fairssl.dk.ictpl
You can now give your template a name, an author and a description.
Don't forget to click the disk icon again to save the description.
You can now use IIS Crypto to import the same configuration via the template file on other servers.
Go to Templates and press the folder icon (Open a template from file) to import the template.
Select the template file you copied from the other server.
Don't forget to press Apply to save the new settings, and restart the server to activate them.
Default settings
When a server is installed it has the default configuration for its operating system.
This configuration was created when the operating system was initially released, and will therefore often be outdated.
You can see that a setting is the server default by it being greyed out; these settings can all be changed.
Note: This is not the active server setting but the default for the operating system, so if you press Apply it will remove the active settings and replace them with the default.
The same applies under Cipher Suites.
You can always return to this point by selecting Server Defaults in Templates.
Site Scanner
You can use Site Scanner to scan your website.
Enter the DNS name you want to scan and click Scan; the program then opens a browser and starts a scan with SSL Labs.
This gives you an overview of which protocols, ciphers, etc. are active on your site, and whether there are any known security holes in your setup.
You should not look solely at the rating: you risk losing customers who cannot reach your website if you set the security so high that it is not compatible with their older browsers.