How Do You Enforce 256-Bit Encryption in IIS 8

For Windows Server 2008 and IIS 7.5, there is a good article - http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/ - that describes how to turn on and enforce TLS 1.2 with 256-bit encryption.

How about IIS 8 running on Windows Server 2012?  Do I need to go through this same process?  Is there a better option?

Thank you for your help!
Asked by ktola

1 Solution

Dan McFadden, Systems Engineer, commented:
The process appears to be the same.

Here is MS's technet article about schannel options:  http://support.microsoft.com/kb/245030

The article references OS support up to Server 2012. I'd venture a guess that Server 2012 R2 supports 256-bit as well.
btan, Exec Consultant, commented:
Yes, the setting is the same. Note that for TLS 1.2 there is only one mandatory cipher required, as per RFC 5246 http://tools.ietf.org/html/rfc5246#page-65, and that is TLS_RSA_WITH_AES_128_CBC_SHA. Thus, all other ciphers are recommended.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy setting using the Group Policy Object snap-in in Microsoft Management Console:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

Windows 2012 already supports TLS 1.2 by default, and IIS 8.0 introduced Centralized SSL Certificate Support. I suggest you check out SslSniBindingsInfo and SslCcsBindingsInfo for scaling SSL on top of having TLS 1.2:
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-centralized-ssl-certificate-support-ssl-scalability-and-manageability
ktola (Author) commented:
The second link you sent - http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx - is all that was needed. I simply changed the order of the available cipher suites (placing the 256-bit options at the top) and everything worked great!

That said, do you know who controls what cipher suite is used? While I understand that the server will attempt to use the top option, doesn't the device actually determine what it can handle? Should I remove all of the cipher suites that are not secure, just in case somebody tries to use a less secure option?

Thanks again!
btan, Exec Consultant, commented:
Yes, we should disable the cipher, but I doubt we can remove it cleanly if it comes with the installation. As for the order, schannel and its underlying driver and crypto provider make the calls; nonetheless, you achieve the ordering of priority of choice and they will adhere to that.
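Putting the thread's advice into a script, as an added example that is not from the thread or from Microsoft: it reads the server's current cipher suite list, moves the 256-bit AES suites to the front, drops the suites the asker is worried about (NULL, RC4, DES/3DES, export, MD5), and writes the result to the registry value that the SSL Cipher Suite Order policy populates. The two registry paths, the 1023-character limit on the policy value and the weak-suite pattern are assumptions taken from the policy documentation, not facts stated in the thread; the sample list is constructed.

```powershell
param([switch]$Apply)   # without -Apply the script only shows the proposed order

# Registry locations schannel reads (the policy value is the one the
# "SSL Cipher Suite Order" GPO in the thread writes). Assumed, not from the thread.
$DefaultKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CurrentSuiteOrder {
    # Effective list: policy value (REG_SZ, comma-separated) if present,
    # otherwise the OS default (REG_MULTI_SZ).
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) { return $policy.Functions -split ',' }
    return (Get-ItemProperty -Path $DefaultKey -Name Functions).Functions
}

function Get-PreferredSuiteOrder {
    param([string[]]$Suites)
    # Drop suites with no or weak encryption (NULL, RC4, DES/3DES, export, MD5),
    # then put 256-bit AES first, 128-bit AES next, the rest in original order.
    $keep   = $Suites | Where-Object { $_ -notmatch 'NULL|RC4|DES|EXPORT|MD5' }
    $aes256 = $keep | Where-Object { $_ -match 'AES_256' }
    $aes128 = $keep | Where-Object { $_ -match 'AES_128' }
    $other  = $keep | Where-Object { $_ -notmatch 'AES_256|AES_128' }
    return @($aes256) + @($aes128) + @($other)
}

function Set-PolicySuiteOrder {
    param([string[]]$Suites)
    $value = $Suites -join ','
    # The policy value is a single string limited to 1023 characters (assumed
    # from the policy documentation); refuse to write a longer list.
    if ($value.Length -gt 1023) { throw "List is $($value.Length) chars, limit is 1023" }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
}

# Constructed sample list to show the reorder offline (not a real server's list).
$sample = 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA',
          'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
          'TLS_RSA_WITH_AES_256_CBC_SHA'
Write-Host "Sample reorder:"; Get-PreferredSuiteOrder -Suites $sample

# Live run: compute the new order from this machine's current list.
$ordered = Get-PreferredSuiteOrder -Suites (Get-CurrentSuiteOrder)
Write-Host "Proposed order for this server:"; $ordered
if ($Apply) { Set-PolicySuiteOrder -Suites $ordered; Write-Host "Written; reboot for schannel to apply." }
```

Run it elevated and reboot after -Apply, since schannel reads the value at startup. A suite removed from this list is never offered, so a client cannot negotiate it no matter what it supports.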