How Do You Enforce 256-Bit Encryption in IIS 8

For Windows Server 2008 and IIS 7.5, there is a good article that describes how to turn on and enforce TLS 1.2 with 256-bit encryption.

How about IIS 8 running on Windows Server 2012?  Do I need to go through this same process?  Is there a better option?

Thank you for your help!

Dan McFadden, Systems Engineer, Commented:
The process appears to be the same.

Here is MS's technet article about schannel options:

The article references OS support up to Server 2012.  I'd venture a guess that Server 2012R2 supports 256bit as well.

btan, Exec Consultant, Commented:
Yes, the setting is the same. Note that TLS 1.2 has only one mandatory cipher suite, as per RFC 5246, and that is TLS_RSA_WITH_AES_128_CBC_SHA. Thus, all other ciphers are recommended.

You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy settings using the Group Policy Object snap-in in Microsoft Management Console.

Windows 2012 already supported TLS 1.2 by default, and IIS 8.0 introduced Centralized SSL Certificate Support. Suggest you check out SslSniBindingsInfo and SslCcsBindingsInfo for scaling SSL on top of having TLS 1.2.

ktola, Author, Commented:
The second link you sent is all that was needed.  I simply changed the order of the available cipher suites (placing the 256-bit options at the top) and everything worked great!

That said, do you know who controls what cipher suite is used?  While I understand that the server will attempt to use the top option, doesn't the device actually determine what it can handle?  Should I remove all of the cipher suites that are not secure just in case somebody tries to use a less secure option?

Thanks again!

btan, Exec Consultant, Commented:
Yes, we should disable the cipher, but I doubt we can remove it cleanly if it comes with the installation. As for the order, Schannel and its underlying driver and crypto provider make the calls. Nonetheless, you achieve the ordering of priority of choice and they will adhere to that.
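
To illustrate the question above of who picks the cipher suite, here is an added example (not from the thread or from Microsoft) that models server-preference selection: the server takes the first entry in its ordered list that the client also offered, so reordering alone still lets a 128-bit-only client connect. The suite lists, client offers and function names are constructed for illustration; the comma-separated string mirrors the format of the SSL Cipher Suite Order policy value.

```python
import re

def parse_order(policy_value):
    """Split a comma-separated cipher suite order string into a list."""
    return [s.strip() for s in policy_value.split(",") if s.strip()]

def key_bits(suite):
    """Symmetric key size taken from the suite name; 0 if not recognised."""
    m = re.search(r"_(?:AES|RC4)_(\d+)_", suite)
    return int(m.group(1)) if m else 0

def below_minimum(server_order, min_bits=256):
    """Suites still enabled on the server that do not meet the minimum."""
    return [s for s in server_order if key_bits(s) < min_bits]

def negotiate(server_order, client_offer):
    """Server-preference selection: first server entry the client offered."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None  # no common suite, so the handshake fails

# Constructed sample: 256-bit suites moved to the top, weaker ones left enabled.
REORDERED = ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,"
             "TLS_RSA_WITH_AES_256_CBC_SHA256,"
             "TLS_RSA_WITH_AES_128_CBC_SHA,"
             "TLS_RSA_WITH_RC4_128_SHA")

# Constructed client offers (the client's own order is ignored by the server).
MODERN_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256"]
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    order = parse_order(REORDERED)
    strict = [s for s in order if key_bits(s) >= 256]  # weak suites removed
    for name, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, "reordered only ->", negotiate(order, offer))
        print(name, "256-bit only   ->", negotiate(strict, offer))
    print("still enabled below 256 bits:", below_minimum(order))
```

A `None` result corresponds to a failed handshake, which is the trade-off of removing the weaker suites: clients that cannot do 256-bit no longer connect at all.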