disable weak ssl protocols

https://www.nartac.com/Products/IISCrypto



IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Features

Single click to secure your website using best practices
Create custom templates that can be saved and run on multiple servers
Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
Enable TLS 1.1 and 1.2
Enable forward secrecy
Reorder cipher suites
Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
Site scanner to test your configuration
Command line version

What Does IIS Crypto Do?

IIS Crypto updates the registry using the same settings from this article by Microsoft. It also updates the cipher suite order in the same way that the Group Policy Editor (gpedit.msc) does. Additionally, IIS Crypto lets you create custom templates that can be saved for use on multiple servers. The command line version contains the same built-in templates as the GUI version and can also be used with your own custom templates. IIS Crypto has been tested on Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016.

IIS Crypto requires administrator privileges. If you are running under a non-administrator account, the GUI version will prompt for elevated permissions. The command line version must be run from a command line that already has elevated permissions.
Downloads

IIS Crypto is offered in both a GUI and a command line version. Click here to choose your version and download.
Custom Templates

IIS Crypto 2.0 introduces the ability to create your own custom templates which can be saved and then executed on any number of servers. To create your own template, select all of the settings for your configuration. Click on the Templates button and give your template a name, author and description if desired. Then click on the Save button to save your template to disk. Copy your template to another server, run IIS Crypto and click on the Open button to load your template. You can also use it from the command line version of IIS Crypto.

Load the Best Practices template before you start customizing your own template to ensure your template is set up securely.

If your template is in the same folder as IIS Crypto it will show up automatically in the drop down box without having to click the Open button first.
Command Line Help

The following are the switches for the command line version of IIS Crypto:
Switch       Option       Description
/template    default      This template restores the server to the default settings.
             best         This template sets your server to use the best practices for TLS. It aims to be compatible with as many browsers as possible while disabling weak protocols and cipher suites.
             pci          This template is used to make your server PCI compliant. It is not full PCI 3.1 compliance as TLS 1.0 is still enabled. It also leaves the default order for the cipher suites, which is not as secure as the Best Practices template.
             pci31        This template is used to make your server PCI 3.1 compliant. It will disable TLS 1.0, which will break many client connections to your website. Please make sure that RDP will continue to function, as Windows 2008 R2 requires an update. See our FAQ for more information.
             fips140      This template makes your server FIPS 140-2 compliant. It is similar to the Best Practices template; however, it is not as secure as Best Practices because some of the weaker DHE cipher suites are enabled.
             <filename>   Specify the filename of a template to use.
/reboot                   Reboot the server after a template is applied.
/help|?                   Show the help screen.

Here is an example that applies a custom template named MyServers.ictpl and reboots the server:

iiscryptocli /template "C:\temp\MyServers.ictpl" /reboot

Support

Please take a look at our FAQ. If you have any other questions, feel free to contact us.
Test Your Site

In order to test your site after you have applied your changes, click the Site Scanner button, enter in the URL and click the Scan button. You can also scan online from here:
Additional Information

Here are some additional resources you may find useful:

Default cipher suites for all Windows Server versions
Cipher suites supported in Windows Server 2008 R2 and above with updates
SSL/TLS Best Practices
Updated BEAST information
POODLE information
FREAK information
logjam information
DROWN attack

Copyright © 2017 Nartac Software. All Rights Reserved.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
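
The cipher suite names listed above use the Windows naming, with an optional curve suffix such as _P256. As an added example (not part of the original post and not IIS Crypto's own code), this Python script parses those names, flags RC4, 3DES, MD5 and suites without forward secrecy, and reorders a list. The sample list, the KX_RANK preference and the function names are assumptions made for illustration; the ordering is not the Best Practices template.

```python
import re

# Windows (Schannel) naming: optional _P256/_P384/_P521 curve suffix.
# A trailing '*' appears on two names in the list above and is ignored here.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA(?:256|384)?|MD5)"
    r"(?:_(?P<curve>P\d{3}))?\*?$"
)

# Constructed sample: six names from the list above, deliberately badly ordered.
SAMPLE_ORDER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256*",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
]
KX_RANK = {"ECDHE": 0, "DHE": 1, "RSA": 2}  # assumed preference, not a vendor template

def parse_suite(name):
    """Split a suite name into key exchange, auth, cipher, hash and curve."""
    m = SUITE_RE.match(name.strip())
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    f = m.groupdict()
    f["auth"] = f["auth"] or f["kx"]  # TLS_RSA_*: RSA is both key exchange and auth
    f["forward_secrecy"] = f["kx"] in ("ECDHE", "DHE")
    f["aead"] = f["cipher"].endswith("GCM")
    f["broken"] = f["cipher"].startswith(("RC4", "3DES")) or f["hash"] == "MD5"
    return f

def findings(name):
    """Return the reasons a suite should be disabled or demoted."""
    f = parse_suite(name)
    checks = [(f["cipher"].startswith("RC4"), "RC4 stream cipher"),
              (f["cipher"].startswith("3DES"), "3DES (64-bit block)"),
              (f["hash"] == "MD5", "MD5 MAC"),
              (not f["forward_secrecy"], "no forward secrecy")]
    return [msg for hit, msg in checks if hit]

def reorder(suites):
    """Drop RC4/3DES/MD5 suites; sort ECDHE, DHE, static RSA; GCM before CBC."""
    kept = [s for s in suites if not parse_suite(s)["broken"]]
    return sorted(kept, key=lambda s: (KX_RANK[parse_suite(s)["kx"]],
                                       not parse_suite(s)["aead"]))
```

Calling reorder(SAMPLE_ORDER) returns the four AES suites with the ECDHE ones first; findings() on any single name explains why it was dropped or demoted.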