How Do You Enforce 256-Bit Encryption in IIS 8

ktola
For Windows Server 2008 and IIS 7.5, there is a good article - http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/ - that describes how to turn on and enforce TLS 1.2 with 256-bit encryption.

How about IIS 8 running on Windows Server 2012?  Do I need to go through this same process?  Is there a better option?

Thank you for your help!
Dan McFadden, Systems Engineer

Commented:
The process appears to be the same.

Here is MS's technet article about schannel options:  http://support.microsoft.com/kb/245030

The article references OS support up to Server 2012.  I'd venture a guess that Server 2012 R2 supports 256-bit as well.
Exec Consultant
Distinguished Expert 2018
Commented:
Yes, the setting is the same. Note that for TLS 1.2 there is only one mandatory cipher suite required, as per RFC 5246 http://tools.ietf.org/html/rfc5246#page-65, and that is TLS_RSA_WITH_AES_128_CBC_SHA. Thus, all other ciphers are recommended.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy setting using the Group Policy Object snap-in in Microsoft Management Console.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

Windows 2012 already supports TLS 1.2 by default, and IIS 8.0 introduced Centralized SSL Certificate Support. I suggest you check out SslSniBindingsInfo and SslCcsBindingsInfo for scaling SSL on top of having TLS 1.2.
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-centralized-ssl-certificate-support-ssl-scalability-and-manageability
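The SSL Cipher Suite Order policy and the KB245030 schannel settings referenced above both end up as registry values, so the same change can be scripted and audited. The following PowerShell is an added example, not code from the question, the answers, or Microsoft: it assumes the policy writes the comma-separated `Functions` string under `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, that protocol and cipher toggles live under the `SCHANNEL` key described in KB245030, and that the suite names used here are spelled the way the MSDN cipher-suite list for Server 2012 spells them (verify against that list before applying). It prints the planned change by default and only writes when `-Apply` is given; a reboot is needed for schannel to pick the change up.

```powershell
# Added example (not from the original post): order 256-bit suites first and
# disable legacy protocols/ciphers through the registry keys Group Policy and
# KB245030 use. Run elevated. Suite names are assumed from the MSDN list for
# Windows Server 2012; confirm them on your own OS build.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired server preference: AES-256 first, then AES-128; the RFC 5246
# mandatory suite TLS_RSA_WITH_AES_128_CBC_SHA stays in the list, at the end.
$DesiredOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

# Legacy protocols and ciphers to switch off (KB245030 layout:
# Protocols\<name>\Server with Enabled=0 and DisabledByDefault=1).
$DisableProtocols = @('SSL 2.0', 'SSL 3.0')
$DisableCiphers   = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL')

function Get-CurrentCipherOrder {
    # Returns the current policy order as an array, or an empty array if unset.
    $v = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ([string]::IsNullOrEmpty($v)) { return @() }
    return $v -split ','
}

function Set-SchannelHardening {
    param([switch]$Apply)

    $newValue = $DesiredOrder -join ','
    # The policy value is a single REG_SZ; the GPO editor caps it at 1023 characters,
    # so keep the list short rather than pasting every suite the OS knows.
    if ($newValue.Length -gt 1023) { throw "Cipher list too long ($($newValue.Length) chars)" }

    Write-Host "Current order : $((Get-CurrentCipherOrder) -join ', ')"
    Write-Host "Planned order : $newValue"

    foreach ($p in $DisableProtocols) {
        Write-Host "Planned: disable protocol '$p' (server side)"
    }
    foreach ($c in $DisableCiphers) {
        Write-Host "Planned: disable cipher '$c'"
    }

    if (-not $Apply) {
        Write-Host 'Dry run only; re-run with -Apply to write the registry.'
        return
    }

    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $newValue -Type String

    foreach ($p in $DisableProtocols) {
        $k = Join-Path $SchannelKey "Protocols\$p\Server"
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $k -Name DisabledByDefault -Value 1 -Type DWord
    }
    foreach ($c in $DisableCiphers) {
        $k = Join-Path $SchannelKey "Ciphers\$c"
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name Enabled -Value 0 -Type DWord
    }
    Write-Host 'Written. Reboot for schannel to load the new settings.'
}

# Usage: review first, then apply.
Set-SchannelHardening
# Set-SchannelHardening -Apply
```

After the reboot, confirm the result from outside the box with an independent TLS scanner rather than trusting the registry alone, since a typo in a suite name silently drops that suite from the list.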

Author

Commented:
The second link you sent - http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx - is all that was needed.  I simply changed the order of the available cipher suites (placing the 256 bit options at the top) and everything worked great!

That said, do you know who controls what cipher suite is used?  While I understand that the server will attempt to use the top option, doesn't the device actually determine what it can handle?  Should I remove all of the cipher suites that are not secure just in case somebody tries to use a less secure option?

Thanks again!
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Yes, we should disable the cipher, but I doubt we can remove it cleanly if it comes with the installation. As for the order, schannel and its underlying driver and crypto provider make the calls; nonetheless, you achieve the ordering of priority of choice and they will adhere to that.
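The exchange above comes down to how a TLS server picks a suite: the client offers a list, the server chooses from the intersection using its own configured order, and anything the server has removed can never be negotiated no matter what the client offers. The PowerShell below is an added illustration, not code from the thread or from Microsoft; it models that selection rule with constructed client offers and a constructed server list to show why ordering alone does not stop a client that lacks 256-bit support, while pruning the list does.

```powershell
# Added example (not from the original post): a small model of server-preference
# cipher suite selection. Inputs are constructed; suite names are illustrative.

function Select-CipherSuite {
    # Server-preference selection: walk the server's ordered list and return the
    # first suite the client also offered. $null means the handshake would fail.
    param(
        [string[]]$ServerOrder,
        [string[]]$ClientOffer
    )
    foreach ($suite in $ServerOrder) {
        if ($ClientOffer -contains $suite) { return $suite }
    }
    return $null
}

# Constructed server list: 256-bit first, but a weak suite still present at the end.
$serverWithWeak = @(
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA'
)
# Same server with the weak suite removed from the configured order.
$serverPruned = $serverWithWeak | Where-Object { $_ -notlike '*RC4*' }

# Constructed client offers.
$modernClient = @('TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA256')
$legacyClient = @('TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA')
$rc4OnlyClient = @('TLS_RSA_WITH_RC4_128_SHA')

$cases = @(
    @{ Server = 'with weak'; List = $serverWithWeak; Client = 'modern';   Offer = $modernClient },
    @{ Server = 'with weak'; List = $serverWithWeak; Client = 'legacy';   Offer = $legacyClient },
    @{ Server = 'with weak'; List = $serverWithWeak; Client = 'RC4-only'; Offer = $rc4OnlyClient },
    @{ Server = 'pruned';    List = $serverPruned;   Client = 'RC4-only'; Offer = $rc4OnlyClient }
)

foreach ($c in $cases) {
    $chosen = Select-CipherSuite -ServerOrder $c.List -ClientOffer $c.Offer
    $result = if ($chosen) { $chosen } else { 'handshake failure (no common suite)' }
    '{0,-10} server / {1,-9} client -> {2}' -f $c.Server, $c.Client, $result
}
```

The first case shows the server's order winning when the client supports the top suite: the client listed AES-128 first, yet AES-256 is chosen. The second shows that order does not help against a client without 256-bit support, and the third that a weak suite left anywhere in the server list remains reachable. Only the pruned server refuses the RC4-only client, which is the point of disabling rather than merely demoting suites.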
