How Do You Enforce 256-Bit Encryption in IIS 8

Posted on 2014-08-12
Last Modified: 2014-08-13
For Windows Server 2008 and IIS 7.5, there is a good article - - that describes how to turn on and enforce TLS 1.2 with 256-bit encryption.

How about IIS 8 running on Windows Server 2012?  Do I need to go through this same process?  Is there a better option?

Thank you for your help!
Question by:ktola
    LVL 25

    Expert Comment

    by:Dan McFadden
    The process appears to be the same.

    Here is MS's technet article about schannel options:

    The article references OS support up to Server 2012.  I'd venture a guess that Server 2012 R2 supports 256-bit as well.
    LVL 60

    Accepted Solution

    Yes, the setting is the same. Note that TLS 1.2 has only one mandatory cipher suite, as per RFC 5246, and that is TLS_RSA_WITH_AES_128_CBC_SHA. Thus, all other ciphers are recommended.

    You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy setting using the Group Policy Object snap-in in the Microsoft Management Console.

    Windows 2012 already supports TLS 1.2 by default, and IIS 8.0 introduced Centralized SSL Certificate Support. I suggest you check out SslSniBindingsInfo and SslCcsBindingsInfo for scaling SSL on top of having TLS 1.2.

    Author Closing Comment

    The second link you sent - - is all that was needed.  I simply changed the order of the available cipher suites (placing the 256-bit options at the top) and everything worked great!

    That said, do you know who controls what cipher suite is used?  While I understand that the server will attempt to use the top option, doesn't the device actually determine what it can handle?  Should I remove all of the cipher suites that are not secure, just in case somebody tries to use a less secure option?

    Thanks again!
    LVL 60

    Expert Comment

    Yes, we should disable the cipher, but I doubt we can remove it cleanly if it comes with the installation. As for the order, schannel and its underlying driver and crypto provider make the calls; nonetheless, you achieve the ordering of priority of choice and they will adhere to that.
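    An added example (PowerShell, not code from the thread or from Microsoft) covering both the cipher suite reordering in the accepted solution and the follow-up about leaving out insecure suites: it reads the order Schannel currently uses, drops suites matching a weak-pattern list, puts AES-256 suites first and shows what the SSL Cipher Suite Order policy value would become. The two registry paths, the weak-suite patterns and the 1023-character limit on the policy string are assumptions to check against your Windows version before applying.

```powershell
# Added example: build a cipher suite order with AES-256 suites first and
# known-weak suites left out. Paths are assumptions about where Schannel
# reads its default order and where the "SSL Cipher Suite Order" policy
# stores its value (verify on your OS version).
$DefaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Suites whose name matches any of these patterns are left out.
# 'DES' deliberately also catches 3DES suites.
$WeakPatterns = 'NULL', 'RC4', 'DES', 'EXPORT', 'MD5'

function Get-PreferredCipherSuiteOrder {
    param([Parameter(Mandatory)][string[]]$CurrentOrder)

    $kept = $CurrentOrder | Where-Object {
        $suite = $_
        -not ($WeakPatterns | Where-Object { $suite -match $_ })
    }
    # Stable partition: AES_256 suites first, then the rest, keeping the
    # original relative order. The RFC 5246 mandatory suite
    # TLS_RSA_WITH_AES_128_CBC_SHA survives because it matches no weak pattern.
    $aes256 = $kept | Where-Object { $_ -match 'AES_256' }
    $rest   = $kept | Where-Object { $_ -notmatch 'AES_256' }
    return @($aes256) + @($rest)
}

# Current order: REG_MULTI_SZ on recent Windows; a REG_SZ comma list is also handled.
$current = (Get-ItemProperty -Path $DefaultKey -Name Functions).Functions
if ($current -is [string]) { $current = $current -split ',' }

$newOrder = Get-PreferredCipherSuiteOrder -CurrentOrder $current
$value    = $newOrder -join ','

# The policy value is one REG_SZ string; assumed limit of 1023 characters.
if ($value.Length -gt 1023) {
    throw "Cipher suite list is $($value.Length) chars; trim it below 1023."
}

"Would apply the following order (top = most preferred):"
$newOrder | ForEach-Object { "  $_" }

# Uncomment to apply; Schannel only picks up the new order after a reboot.
# New-Item -Path $PolicyKey -Force | Out-Null
# Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
```

    As the last comment notes, ordering is a preference: the client still has to offer a suite the server will accept, so test the result against the clients you need to support before trimming the list further.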
