Warren

Securing IIS

First up, I recommend you head over to the SSL Labs server test and enter the URL of your site. It runs a series of tests that check the site's certificate and the cryptographic protocols and cipher suites it offers.

After a few minutes you'll be given a graded report.

Not bad, but we can do better. If you scroll down to the configuration section you'll find a colour-coded list of protocols and cipher suites. Any red entries have got to go.

Disabling protocols

The protocols we're going to disable are controlled by registry keys on the machine under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. The following PowerShell writes those keys; after a machine restart the protocols will no longer be offered.

# Ensure-Path is called by the original post but was not defined there; this
# helper (assumed, not the author's) creates the registry key, and any missing
# parent keys, if it does not already exist.
function Ensure-Path {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $path
    )
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
}

function Disable-InsecureProtocol {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )
    $protocolsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    $path = "$protocolsPath\$name"
    Ensure-Path "$path"
    # The Client subkey governs outbound TLS connections made by software on
    # this machine (not just IIS); DisabledByDefault=1 stops the protocol being
    # offered unless an application explicitly asks for it.
    Ensure-Path "$path\Client"
    New-ItemProperty -Path "$path\Client" -Name DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
    # The Server subkey is what IIS uses for incoming connections; Enabled=0
    # turns the protocol off entirely once the machine has been restarted.
    Ensure-Path "$path\Server"
    New-ItemProperty -Path "$path\Server" -Name Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
    # Write-Information output is only shown when $InformationPreference is
    # 'Continue' (or the function is called with -InformationAction Continue).
    Write-Information "Disabled $name protocol"
}

function Disable-InsecureProtocols {
    Disable-InsecureProtocol "SSL 3.0"
    Disable-InsecureProtocol "TLS 1.0"
    Disable-InsecureProtocol "TLS 1.1"
}

Disable-InsecureProtocols

Disabling Cipher Suites

Cipher suites are also disabled through the registry, this time under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. For a complete list of key names and more details see the Microsoft article "How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll".

The following PowerShell will disable the suites that we found were giving us a poor score.

function Disable-InsecureCipher {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )

    # Cipher key names such as "RC4 128/128" contain a forward slash, which the
    # PowerShell registry provider would treat as a path separator, so the key
    # is created through the .NET registry API rather than with New-Item.
    # Opening the SYSTEM hive writable requires an elevated (administrator) shell.
    $Writable = $True
    $Key = (Get-Item HKLM:\).OpenSubKey("SYSTEM", $Writable).CreateSubKey("CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
    # Enabled=0 (REG_DWORD) removes the cipher from Schannel after a restart
    $Key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
    Write-Information "Disabled $name ciphers"
}

function Disable-InsecureCiphers {
    Disable-InsecureCipher "RC4 128/128"
    Disable-InsecureCipher "Triple DES 168"
}

Disable-InsecureCiphers

After running both of these scripts (and restarting the machine) your grade should have improved greatly.
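Before you restart, it is worth reading the registry back to confirm the values landed where you expect, and the same script is handy afterwards for auditing other servers. The following is an added example, not code from the original post: the function names, and the list of protocol and cipher key names it checks (taken from the Microsoft Schannel documentation), are my own choices. It uses the .NET registry API for the same reason the cipher script above does, so that key names containing a slash are read correctly.

```powershell
# Added example (not from the original post): report the current SCHANNEL
# protocol and cipher state from the registry. A missing key or value means
# Schannel is using its built-in default for that item.

function Get-SchannelRegistryValue {
    param (
        [parameter(Mandatory=$true)][string] $SubKey,   # relative to SCHANNEL, may contain '/'
        [parameter(Mandatory=$true)][string] $Name
    )
    # Read-only access, so this works from a non-elevated shell too.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL")
    if ($null -eq $base) { return $null }
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name, $null) } finally { $key.Close() }
    } finally {
        $base.Close()
    }
}

function Format-SchannelValue {
    param ($Value)
    # Distinguish "value not present" from an explicit 0/1 so the report is unambiguous
    if ($null -eq $Value) { return "(default)" }
    return $Value
}

function Get-SchannelProtocolStatus {
    param ([string[]] $Protocols = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"))
    foreach ($p in $Protocols) {
        # Server subkey is what IIS uses for incoming connections, which is
        # what the SSL Labs test sees.
        $serverEnabled  = Get-SchannelRegistryValue "Protocols\$p\Server" "Enabled"
        $serverDefault  = Get-SchannelRegistryValue "Protocols\$p\Server" "DisabledByDefault"
        $clientDefault  = Get-SchannelRegistryValue "Protocols\$p\Client" "DisabledByDefault"
        [pscustomobject]@{
            Protocol                 = $p
            ServerEnabled            = Format-SchannelValue $serverEnabled
            ServerDisabledByDefault  = Format-SchannelValue $serverDefault
            ClientDisabledByDefault  = Format-SchannelValue $clientDefault
            # True only when the script above (or an equivalent) has explicitly switched it off
            ExplicitlyDisabled       = ($serverEnabled -eq 0)
        }
    }
}

function Get-SchannelCipherStatus {
    param ([string[]] $Ciphers = @("RC4 128/128", "RC4 56/128", "RC4 40/128", "Triple DES 168", "AES 128/128", "AES 256/256"))
    foreach ($c in $Ciphers) {
        $enabled = Get-SchannelRegistryValue "Ciphers\$c" "Enabled"
        [pscustomobject]@{
            Cipher             = $c
            Enabled            = Format-SchannelValue $enabled
            ExplicitlyDisabled = ($enabled -eq 0)
        }
    }
}

# Usage: run on the server after applying the scripts above.
Get-SchannelProtocolStatus | Format-Table -AutoSize
Get-SchannelCipherStatus   | Format-Table -AutoSize
```

Anything reported as "(default)" has not been configured by you and is governed by the OS version's built-in Schannel settings, which is exactly the sort of item that will show up in the SSL Labs report if the default happens to be permissive. Pipe the output to Export-Csv if you want to keep a record for comparison with the post-restart SSL Labs result.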