Securing IIS
First up I recommend you head over to SSL Labs server test and enter the URL of your site. Several tests will be run that check the certificate and cryptographic protocols of the site.
After a few minutes you'll be given a graded report.
Not bad, but we can do better. If you scroll down to the configuration section you'll find a colour-coded set of protocols and cipher suites. Any red entries have got to go.
Disabling protocols
The protocols we're going to disable are set by registry keys on the machine at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. The following PowerShell will disable the keys, and then after a machine restart the protocols will no longer be available.
# Creates a registry key if it does not exist yet; New-ItemProperty requires the key to be present.
function Ensure-Path {
    param ([string]$path)
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }
}
function Disable-InsecureProtocol {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )
    $protocolsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    $path = "$protocolsPath\$name"
    Ensure-Path "$path"
    # Client side: stops this host from using the protocol for outbound connections unless explicitly requested.
    Ensure-Path "$path\Client"
    New-ItemProperty -Path "$path\Client" -Name DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
    # Server side: Enabled=0 is what stops IIS from offering the protocol at all.
    Ensure-Path "$path\Server"
    New-ItemProperty -Path "$path\Server" -Name Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
    # Only shown when $InformationPreference is set to 'Continue'.
    Write-Information "Disabled $name protocol"
}
function Disable-InsecureProtocols {
    Disable-InsecureProtocol "SSL 3.0"
    Disable-InsecureProtocol "TLS 1.0"
    Disable-InsecureProtocol "TLS 1.1"
}
# Run from an elevated PowerShell session; the change takes effect after a restart.
Disable-InsecureProtocols
Disabling Cipher Suites
Cipher suites are also disabled through the registry, this time under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. For a complete list and more details see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
The following PowerShell will disable the suites that we found were giving us a poor score.
function Disable-InsecureCipher {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )
    # The .NET registry API is used instead of New-Item/New-ItemProperty on HKLM:\...\Ciphers
    # because the registry provider treats the "/" in names such as "RC4 128/128" as a path
    # separator and would create nested keys instead of the single key Schannel looks for.
    $Writable = $True
    $Key = (Get-Item HKLM:\).OpenSubKey("SYSTEM", $Writable).CreateSubKey("CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
    $Key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
    $Key.Close()
    # Only shown when $InformationPreference is set to 'Continue'.
    Write-Information "Disabled $name ciphers"
}
function Disable-InsecureCiphers {
    Disable-InsecureCipher "RC4 128/128"
    Disable-InsecureCipher "Triple DES 168"
}
# Run from an elevated PowerShell session; the change takes effect after a restart.
Disable-InsecureCiphers
After running both of these scripts (and restarting the machine) your grade should have improved greatly.
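Before waiting on another SSL Labs scan it is worth reading the registry back to confirm what the two scripts actually wrote. The following audit script is an added example, not code from the original post: it reports the Server/Client protocol values and the cipher Enabled values for exactly the names the post disables, and lists anything still enabled or never set. The function names are my own; like the cipher script above it goes through the .NET registry API because the HKLM: provider cannot address a key name containing "/". Note that the registry only shows intent: Schannel reads these keys at boot, so the SSL Labs rerun after the restart remains the real confirmation.

```powershell
# Added example (not code from the original post): read back the SCHANNEL
# registry state that the two scripts above change, so the result can be
# checked locally before rerunning the SSL Labs test. Function names here
# are my own; protocol and cipher names are the ones the post disables.

$schannelSubKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param ([string]$SubKey, [string]$Name)
    # The .NET registry API is used rather than the HKLM: provider because the
    # provider treats "/" as a path separator, so "Ciphers\RC4 128/128" cannot be
    # addressed through Get-ItemProperty.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelSubKey\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: Schannel falls back to the OS default
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-ProtocolState {
    param ([string]$Name)
    $serverEnabled           = Get-SchannelValue "Protocols\$Name\Server" 'Enabled'
    $clientDisabledByDefault = Get-SchannelValue "Protocols\$Name\Client" 'DisabledByDefault'
    [pscustomobject]@{
        Protocol                = $Name
        ServerEnabled           = $serverEnabled            # 0 = IIS will not offer it; blank = value not set
        ClientDisabledByDefault = $clientDisabledByDefault  # 1 = outbound connections from this host avoid it
        ServerDisabled          = ($serverEnabled -eq 0)
    }
}

function Get-CipherState {
    param ([string]$Name)
    $enabled = Get-SchannelValue "Ciphers\$Name" 'Enabled'
    [pscustomobject]@{
        Cipher   = $Name
        Enabled  = $enabled          # 0 = cipher removed from every suite that uses it
        Disabled = ($enabled -eq 0)
    }
}

function Test-SchannelHardening {
    $protocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Get-ProtocolState $_ })
    $ciphers   = @('RC4 128/128', 'Triple DES 168' | ForEach-Object { Get-CipherState $_ })

    $protocols | Format-Table -AutoSize | Out-Host
    $ciphers   | Format-Table -AutoSize | Out-Host

    # Anything still enabled (or never set) is reported by name so it can be fixed
    # before the restart that makes the registry changes take effect.
    $pending = @($protocols | Where-Object { -not $_.ServerDisabled } | ForEach-Object { $_.Protocol }) +
               @($ciphers   | Where-Object { -not $_.Disabled }       | ForEach-Object { $_.Cipher })
    if ($pending.Count -eq 0) {
        Write-Output 'All listed protocols and ciphers are disabled in the registry; restart and rerun the SSL Labs test.'
    } else {
        Write-Output ('Still enabled or not set: ' + ($pending -join ', '))
    }
}

Test-SchannelHardening
```

Reading HKLM does not need an elevated session, so this can be run as a normal user on the web server, or wrapped in Invoke-Command to check a set of servers from one place.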