10 IIS Crypto Best Practices

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also sets the priority of the selected protocols.

IIS Crypto is a great tool for hardening your SSL/TLS configuration. However, it’s important to understand the tool and the options available before making changes to your server. This article will discuss 10 IIS Crypto best practices that you should follow when using the tool.

1. Use TLS 1.2

TLS 1.2 is the most recent version of the TLS protocol and includes a number of security improvements over previous versions, including better encryption algorithms and more secure key exchange mechanisms.

While TLS 1.2 is not yet widely supported, it is slowly gaining traction and will eventually become the standard. In the meantime, it’s important to use TLS 1.2 whenever possible to take advantage of its improved security features.

IIS Crypto can help you configure your server to use TLS 1.2 by enabling the “Best Practices” settings. This will automatically enable TLS 1.2 and disable all older versions of the TLS protocol.

2. Disable SSL 2.0 and 3.0

SSL 2.0 and 3.0 are outdated protocols that are no longer considered secure. In fact, SSL 3.0 is so insecure that it’s been officially deprecated by the IETF.

Disabling SSL 2.0 and 3.0 will help to ensure that your server is not vulnerable to attack.

3. Enable Forward Secrecy (ECDHE)

When a client and server first establish a connection, they use the Diffie-Hellman key exchange algorithm to generate a shared secret. This shared secret is then used to encrypt all further communications between the two parties.

However, if an attacker is able to intercept this initial key exchange, they can decrypt all future traffic. This is where Forward Secrecy comes in.

With Forward Secrecy enabled, the server will generate a new key for each individual connection. This means that even if an attacker is able to intercept one key, they will not be able to decrypt any other traffic.

Enabling Forward Secrecy is a critical IIS Crypto best practice because it helps protect your site from attackers who may have compromised your server’s private key.

4. Disable Weak Ciphers

Weak ciphers are those with key lengths less than 128 bits, and they can be easily broken by brute force attacks. By disabling them, you make it much harder for attackers to decrypt your traffic.

To disable weak ciphers, open IIS Crypto and click the Best Practices button. This will automatically disable all weak ciphers and set some other security settings to recommended values.

5. Disable RC4

RC4 is a stream cipher that was first used in 1987. It’s been broken several times, most recently in 2015 by Google researchers. While there are no known practical attacks against RC4, it’s still considered to be weak and should not be used.

Instead, IIS Crypto recommends using one of the stronger ciphers such as AES-GCM or ChaCha20-Poly1305.

6. Disable MD5

MD5 is a hashing algorithm that has known vulnerabilities. These vulnerabilities allow for collisions, which means that two different inputs can produce the same output hash. This makes it possible to create a fake certificate that appears to be valid.

Because of these vulnerabilities, MD5 should no longer be used. If you’re using IIS Crypto, make sure that MD5 is disabled.

7. Disable DES, 3DES, IDEA, SEED, Camellia

DES is an outdated cipher that has been broken for many years. 3DES is a variation of DES that is still used in some legacy systems, but it’s also been broken and should not be used. IDEA, SEED, and Camellia are all ciphers that are weaker than AES and should not be used.

The only cipher that should be enabled in IIS Crypto is AES. AES is a strong cipher that is used by the US government for classified information. If AES is good enough for the US government, it’s good enough for you.

8. Disable NULL Ciphers

NULL ciphers are a class of ciphers that offer no encryption whatsoever. That’s right, none. They’re used as a placeholder in the cipher suite order when the client and server can’t agree on any other ciphers.

While this might not seem like a big deal, it’s actually a huge security risk. NULL ciphers are easy to exploit, and they leave your data completely exposed.

Fortunately, disabling NULL ciphers is easy to do with IIS Crypto. Simply open up the tool, click the Best Practices button, and then check the box next to “Disabled NULL Ciphers”. That’s it!

9. Disable Anonymous Diffie-Hellman

Anonymous Diffie-Hellman (ADH) is a key agreement protocol that allows two parties to agree on a shared secret without exchanging any sensitive information. The problem with ADH is that it’s vulnerable to man-in-the-middle attacks.

If an attacker can intercept the communication between the two parties, they can impersonate one of the parties and trick them into using a weaker secret. This gives the attacker the ability to decrypt the traffic and read the contents of the communication.

To prevent this type of attack, you should disable anonymous Diffie-Hellman in IIS Crypto. By doing this, you’ll force IIS to use stronger protocols that are not vulnerable to man-in-the-middle attacks.

10. Disable Export Ciphers

Export ciphers are those that use 40-bit or 56-bit encryption. They were designed for countries with restrictions on the use of strong cryptography. However, these ciphers are now considered weak and can be easily broken by modern computers.

As such, it’s important to disable them to prevent attackers from using them to decrypt your data. To do this, simply open IIS Crypto and select the “Best Practices” option. This will automatically disable all export ciphers for you.