How to quickly fix most of what's wrong with your default IIS implementation of SSL/TLS.
Background:
Today, after announcing some planned downtime for a couple of servers at a client site, another engineer sent me a link to the Qualys SSL Labs SSL Server Test output for one of the client's servers that I would be working on during the downtime. In essence, he was saying: “Hey – while you are at it, can you fix this too?”
Here is the top of the report he first sent. Note the “F” grade. The server did have a valid, working SSL certificate; the failing grade came from the protocol and cipher configuration around it, which was nowhere near the most secure use of that certificate.
So, I started fixing these issues one by one with manual registry entries from a couple of Microsoft KB articles (listed below). Partway through, I found a great tool called IIS Crypto from Nartac Software that automates exactly these changes.
- Security Advisory 2868725: Recommendation to disable RC4
- How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
How I fixed this quickly (and you can too):
As always, I’d suggest that you test on non-production systems first and make backups, so that if you break things you can fix them quickly. I believe your biggest risk is breaking connectivity with old clients that don’t support the newer protocols and cipher suites (think: those pesky Windows XP boxes still running IE 6 that should be in a recycling pile somewhere anyway). If you care about connectivity from those boxes, stop at this point and work through this more methodically: keeping them connected means leaving some non-best-practice settings in place.
I downloaded a tool called IIS Crypto from Nartac Software. Naturally, I scanned the tool with VirusTotal. It came back clean, so I proceeded. Before running the tool, I went and read the FAQ. The FAQ indicates that the tool only automates adjustments to registry settings in the following registry locations.
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 (the Group Policy cipher suite order)
When it comes to software, I have trust issues. If you are a good I.T. person, you probably do too! So, I fired up regedit and made a quick export of those two keys. These exports provide a reference baseline as well as a quick way to revert if things go wrong.
After doing this, I ran the IISCrypto.exe file, clicked ok on the license, and was then presented with the following screen.
I chose the “Best Practices” button, which loads a sensible group of settings, then clicked “Apply” and rebooted manually. Yes, a reboot is required for some of these changes to take effect, so plan your maintenance window accordingly. The tool also offers PCI and FIPS 140-2 templates, or you can choose every setting manually.
Post reboot I ran the Qualys SSL Labs – SSL Server Test again, and got a much better score. There are still a couple of things that I might tweak later but overall, this represents a huge improvement.
Obviously, the goal is not a better score for its own sake but a better, more secure SSL/TLS implementation. In this case the better score reflects a genuinely more secure configuration, thanks to the following changes the tool made:
- SSL2 – disabled
- SSL3 – disabled
- TLS 1.2 – enabled
- RC4 cipher (old / weak) – disabled
- Cipher suite order changed to prefer the ECDHE suites, which provide forward secrecy
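For anyone who prefers the manual registry route over the tool, here is the whole procedure from this post as one script: export the two keys as a baseline (the step described above), apply the changes in the list, and read the result back before rebooting. This is an added example written for this article, not the post's own steps or code from Nartac's IIS Crypto. It assumes an elevated PowerShell 3.0+ session on Windows Server 2008 R2 or later; the registry locations used are the standard Schannel protocol/cipher keys and the cipher suite policy key (verify them against your OS documentation), and the function names are my own.

```powershell
# Added example, not code from the post or from Nartac's IIS Crypto: the manual
# registry route the post describes, scripted. Run in an elevated PowerShell on a
# test box first, then reboot. Registry paths are the standard Schannel/policy
# locations on Windows Server 2008 R2+; verify them against your OS documentation.

$Schannel       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$PolicySuiteKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalSuiteKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Backup-SchannelKeys {
    # Export the two keys the tool touches so a bad change can be reverted with
    # 'reg.exe import <file>'. reg.exe wants HKLM\..., not the HKLM:\ drive form.
    param([string]$Dir = "$env:SystemDrive\schannel-backup")
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$Dir\schannel-$stamp.reg" /y | Out-Null
    # The policy key may not exist yet; that export then simply fails harmlessly.
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' "$Dir\suites-$stamp.reg" /y 2>$null | Out-Null
    return $Dir
}

function Set-SchannelProtocol {
    # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it out
    # of the default negotiated set. Set both so the two values never disagree.
    # The Client side affects outbound connections from this box, not just IIS.
    param([string]$Name, [bool]$Enabled, [string[]]$Side = @('Server', 'Client'))
    foreach ($s in $Side) {
        $key = "$Schannel\Protocols\$Name\$s"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    # Cipher key names contain '/', which the PowerShell registry provider reads
    # as a path separator ('RC4 128/128' would become key 'RC4 128' with subkey
    # '128'). The .NET API only splits on '\', so go through it directly.
    param([string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Set-ForwardSecrecyFirst {
    # Build the policy cipher suite order from the machine's own default list
    # (suite names differ by Windows version, so nothing is hard-coded), putting
    # ECDHE/DHE suites first and dropping RC4, NULL, single-DES and export suites.
    $current = (Get-ItemProperty -Path $LocalSuiteKey -Name Functions -ErrorAction Stop).Functions
    $weak    = 'RC4|NULL|_DES_|EXPORT'
    $pfs     = @($current | Where-Object { $_ -match '^TLS_(ECDHE|DHE)_' -and $_ -notmatch $weak })
    $rest    = @($current | Where-Object { $pfs -notcontains $_ -and $_ -notmatch $weak })
    # The policy value is one comma-separated REG_SZ of at most 1023 characters;
    # add suites in order until that limit would be exceeded.
    $ordered = @()
    foreach ($suite in ($pfs + $rest)) {
        if ((($ordered + $suite) -join ',').Length -gt 1023) { break }
        $ordered += $suite
    }
    if (-not (Test-Path $PolicySuiteKey)) { New-Item -Path $PolicySuiteKey -Force | Out-Null }
    New-ItemProperty -Path $PolicySuiteKey -Name Functions -PropertyType String -Value ($ordered -join ',') -Force | Out-Null
    return $ordered
}

function Get-SchannelState {
    # Read back what will take effect after the reboot (no entry = OS default).
    $state = [ordered]@{}
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $v = Get-ItemProperty -Path "$Schannel\Protocols\$p\Server" -ErrorAction SilentlyContinue
        $state[$p] = if ($null -eq $v) { 'OS default' } elseif ($v.Enabled -eq 0) { 'disabled' } else { 'enabled' }
    }
    foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$c")
        $state[$c] = if ($null -eq $k) { 'OS default' } elseif ($k.GetValue('Enabled') -eq 0) { 'disabled' } else { 'enabled' }
        if ($k) { $k.Close() }
    }
    $order = (Get-ItemProperty -Path $PolicySuiteKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $state['First suite'] = if ($order) { ($order -split ',')[0] } else { 'OS default order' }
    return $state
}

Backup-SchannelKeys | Out-Null
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
# TLS 1.0 is deliberately left alone: turning it off is what breaks the old XP/IE clients.
'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128' | ForEach-Object { Disable-SchannelCipher $_ }
Set-ForwardSecrecyFirst | Out-Null
Get-SchannelState
Write-Warning 'Schannel picks up protocol changes at boot; reboot before re-running the SSL Labs test.'
```

Two design choices worth noting. The cipher-suite order is derived from the machine's own default list rather than typed in, because the suite names (and whether they carry a curve suffix) change between Windows versions, and a policy string with a misspelled name silently drops that suite. And the RC4 keys are created through .NET rather than `New-Item` because the slash in names like `RC4 128/128` would otherwise produce the wrong key, leaving RC4 enabled while the script reports success.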
Huge thanks to the folks at NARTAC Software who created this tool, and the fine folks at Qualys who created the best SSL / TLS test tool I know of. Both of these will be in my toolbox for a long time to come!