Saturday, 17 October 2015

Securing your Windows server for secure web server publishing

I have been looking into securing our published websites for our newer builds quite recently. Found a neat site - Qualys SSL Labs which provides a SSL testing service.

I used this site to test our published HTTPS sites and found that most of them are insecure, and some scoring very badly :(. You can test your website at This will grade your site from A+ to F.

Generally with the newer versions of IIS (provided with 2012 onwards are generally okay), but it still leaves a lot to be desired. Running the test on my site provided feedback that we were supporting weak ciphers which can compromise secure communications. Currently with default settings our servers were scoring B-.

To remedy this, you should disable the following weak cipher suites on your published server:


To disable the weak ciphers, you will need to go into the local Group Policy editor, or create a new domain Group Policy, browse to 'Computer Configuration\Administrative Templates\Network\SSL Configuration Settings' and enable the 'SSL Cipher Suite Order'. This will populate the string with the default set of cipher suites. Copy this out to notepad and remove the weak cipher suites from the comma delimited string. This will enable the listed cipher suites in a preferred order.

There are a few references online for a preferred order. I'm personally using the list at (reference at bottom of post) to configure the cipher suite order. In the PowerShell script is the list of cipher suites, just copy this out and put it into the Group Policy.

Once you have enabled the policy and linked to the published server you will need to gpupdate and reboot the server. Once rebooted, you should be able to test your server at the Qualys SSL Labs server test page and score an A- grade.

To get A grading you will need to enable Perfect Forward Secrecy. This is where the great work done at comes into play. Use the script provided at (reference at bottom of post) and run it. This should disable the weak cipher suites and enable the secure ones. Coupled with the Group Policy this should get your published server to get an A rating on the server test.

One of the warning/errors you may receive is: Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported, this cannot be currently resolved for IIS as TLS_FALLBACK_SCSV is not supported by IIS apparently, we will need to wait for this to be supported in the future.

Hope this helps in securing your servers! 

-HTTPS everywhere supporter.


No comments:

Post a Comment