
Fixing SSL/TLS Config Issues Windows Server – IISCrypto

This post covers the IIS Crypto tool and how to use it to fix SSL/TLS configuration issues on Windows Server. A walkthrough video is also available here.

In the last two posts I covered how to fix certain SSL/TLS issues manually, using only native Windows functionality. Those posts are linked below:

https://www.phr33fall.co.uk/ciphers/

https://www.phr33fall.co.uk/ssl-tls-issues-server-2012/

Software is available which automates the whole process with a few mouse clicks, but I covered the manual method first for two reasons:

  1. You understand how the changes are made manually, and therefore exactly what the software is changing in the Registry Editor.
  2. If, like me, you prefer to keep the amount of 3rd-party software in your environment to a minimum, you can make the changes manually instead.

IISCrypto

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

https://www.nartac.com/Products/IISCrypto
Download IIS Crypto GUI

The Windows Server 2012 machine used in this demonstration is straight out of the box. Scanning it with sslscan shows the multitude of SSL/TLS issues highlighted below.

Issues highlighted

Rather than editing the registry by hand, IIS Crypto writes the same SCHANNEL registry keys for you. The GUI is easy to use and gives you plenty of options to choose from.

Selecting your options
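Because IIS Crypto only edits registry keys, you can see precisely what it changed by reading those keys before and after a run. The following PowerShell is an added example written for this post; it is not code from the original post or from the IIS Crypto project. It audits the SCHANNEL protocol, cipher and hash keys plus the cipher suite order policy, and shows the write IIS Crypto performs when you untick an item. The list of key names and the set of items flagged as weak are assumptions you may want to tune; a key that does not exist reports 'default', meaning the OS default for that build applies.

```powershell
# Added example (not from the original post or the IIS Crypto project).
# Audits the SCHANNEL registry keys that IIS Crypto edits and demonstrates the
# write it performs for one item. Reads work unprivileged; writes need an elevated shell.

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names as SCHANNEL uses them. Which ones exist on a given build is an assumption.
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Ciphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
             'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
             'Triple DES 168', 'AES 128/128', 'AES 256/256'
$Hashes    = 'MD5', 'SHA', 'SHA256', 'SHA384', 'SHA512'
# Items treated as weak (my choice, tune to taste). 'SHA' here is SHA-1; SHA256/384/512
# must stay enabled because TLS 1.2 cipher suites depend on them.
$Weak      = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'NULL', 'DES 56/56', 'RC2 40/128',
             'RC2 56/128', 'RC2 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128',
             'RC4 128/128', 'Triple DES 168', 'MD5', 'SHA'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # Use the .NET registry API rather than the HKLM: provider: the provider treats the
    # '/' in names such as 'RC4 128/128' as a path separator, even with -LiteralPath.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return $null }
    try { $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-SchannelAudit {
    # Enabled is a DWORD: 0 = disabled, any other value (1 or 0xFFFFFFFF) = enabled.
    # A missing key or value means the OS default applies; on a stock 2012 box that
    # leaves several weak items on, so 'default' counts as a finding for weak items.
    $sets = @(
        @{ Category = 'Protocol'; Names = $Protocols; Prefix = 'Protocols\'; Suffix = '\Server' },
        @{ Category = 'Cipher';   Names = $Ciphers;   Prefix = 'Ciphers\';   Suffix = '' },
        @{ Category = 'Hash';     Names = $Hashes;    Prefix = 'Hashes\';    Suffix = '' }
    )
    foreach ($s in $sets) {
        foreach ($n in $s.Names) {
            $enabled = Get-SchannelValue ($s.Prefix + $n + $s.Suffix) 'Enabled'
            $state = 'enabled'
            if ($null -eq $enabled) { $state = 'default' } elseif ($enabled -eq 0) { $state = 'disabled' }
            $weak = $Weak -contains $n
            [pscustomobject]@{
                Category = $s.Category
                Name     = $n
                State    = $state
                Weak     = $weak
                Finding  = if ($weak -and $state -ne 'disabled') { 'FIX' } else { '' }
            }
        }
    }
}

function Get-SchannelCipherSuiteOrder {
    # IIS Crypto's reorder tab writes the Group Policy cipher suite order here.
    # $null means no override is set and the OS default order applies.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
    if ($null -eq $key) { return $null }
    try {
        $v = $key.GetValue('Functions', $null)
        if ($v -is [string]) { $v -split ',' } else { $v }   # REG_SZ is comma-separated; REG_MULTI_SZ is already an array
    } finally { $key.Close() }
}

function Set-SchannelEnabled {
    # The same write IIS Crypto performs when you tick or untick an item. Run elevated.
    param(
        [Parameter(Mandatory)][string]$SubKey,   # e.g. 'Ciphers\RC4 128/128' or 'Protocols\TLS 1.0\Server'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # CreateSubKey also treats '/' literally, so 'RC4 128/128' becomes one key, not two.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelRoot\$SubKey")
    try {
        # -1 is stored as DWORD 0xFFFFFFFF, the value used for 'on'; 0 is 'off'.
        $key.SetValue('Enabled', $(if ($Enabled) { -1 } else { 0 }), [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($SubKey -like 'Protocols\*') {
            # Protocol keys carry a second flag: 1 means SCHANNEL will not offer the protocol unless asked to.
            $key.SetValue('DisabledByDefault', $(if ($Enabled) { 0 } else { 1 }), [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Close() }
}

# Run before and after IIS Crypto (and again after the reboot) to see exactly what changed.
Get-SchannelAudit | Format-Table Category, Name, State, Weak, Finding -AutoSize
Get-SchannelCipherSuiteOrder
# Example write, the change IIS Crypto makes when 'RC4 128/128' is unticked (elevated shell):
# Set-SchannelEnabled -SubKey 'Ciphers\RC4 128/128' -Enabled $false
```

Two caveats worth knowing: the script only looks at the `Server` side of each protocol key, so if you also untick items in the client column in IIS Crypto, check the matching `Client` subkeys; and a `Weak` item that reports `default` still needs to be explicitly disabled, since the re-scan in this post is what proves the default was not safe.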

For the changes to take effect you need to restart the Windows Server 2012 machine: the SCHANNEL settings are only picked up on restart, so a re-scan before the reboot will still show the old configuration.

Upon re-scanning the Windows Server after the reboot, you'll see that all the deprecated ciphers, protocols and hashes have been removed.

The end result

Ideally, you can harden the configuration even further by removing support for the SHA (SHA-1) hash; leave SHA-256 and above enabled, as the TLS 1.2 cipher suites depend on them. Please remember to test these changes in a dev environment before pushing them onto your live systems, as disabling a protocol or cipher that a client still relies on will break that client's connections.