DEV Community

Warren

Securing IIS

First up I recommend you head over to the SSL Labs server test and enter the URL of your site. Several tests will be run that check the certificate and the cryptographic protocols the site offers.

After a few minutes you'll be given a graded report.

Not bad, but we can do better. If you scroll down to the configuration section you'll find a colour-coded set of protocols and cipher suites. Any red entries have got to go.

Disabling protocols

The protocols we're going to disable are controlled by registry keys on the machine under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. The following PowerShell writes the values that disable them; after a machine restart the protocols will no longer be offered.

function Ensure-Path {
    # Ensure-Path is not a built-in cmdlet: it creates the registry key (and any
    # missing parent keys) if it does not already exist.
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $path
    )
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
}

function Disable-InsecureProtocol {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )
    $protocolsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    $path = "$protocolsPath\$name"
    Ensure-Path "$path"
    # Client side: the protocol is no longer used unless an application asks for it explicitly.
    Ensure-Path "$path\Client"
    New-ItemProperty -Path "$path\Client" -Name DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
    # Server side: the protocol is refused outright.
    Ensure-Path "$path\Server"
    New-ItemProperty -Path "$path\Server" -Name Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
    # -InformationAction Continue makes the message visible; by default it is not shown.
    Write-Information "Disabled $name protocol" -InformationAction Continue
}

function Disable-InsecureProtocols {
    Disable-InsecureProtocol "SSL 3.0"
    Disable-InsecureProtocol "TLS 1.0"
    Disable-InsecureProtocol "TLS 1.1"
}

Disable-InsecureProtocols

Disabling Cipher Suites

The ciphers are also disabled through the registry, this time under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. For a complete list and more details see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.

The following PowerShell will disable the suites that we found were giving us a poor score.

function Disable-InsecureCipher {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $name
    )

    # Cipher key names such as "RC4 128/128" contain a forward slash, which the
    # PowerShell registry provider would treat as a path separator, so the key
    # is created with the .NET registry API instead. It lives under
    # HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.
    $Writable = $True
    $Key = (Get-Item HKLM:\).OpenSubKey("SYSTEM", $Writable).CreateSubKey("CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
    # Enabled = 0 (DWORD) turns the cipher off for both client and server use.
    $Key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWORD)
    $Key.Close()
    Write-Information "Disabled $name ciphers" -InformationAction Continue
}

function Disable-InsecureCiphers {
    Disable-InsecureCipher "RC4 128/128"
    Disable-InsecureCipher "Triple DES 168"
}

Disable-InsecureCiphers

After running both of these scripts (and restarting the machine) your grade should have improved greatly.
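Before trusting the new grade, it is worth reading the values back from the registry, both after the reboot and before rolling the scripts out to other hosts. The audit below is an added example, not code from the original post; it assumes only the SCHANNEL key layout used above and also lists TLS 1.2 so you can confirm you have not disabled everything.

```powershell
# Added audit script (not from the original post): reads back the SCHANNEL keys
# the two scripts above write and reports whether each protocol and cipher is
# explicitly disabled. A $null value was never written, so the Windows default
# for that version applies and the entry still needs checking on SSL Labs.
$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    foreach ($name in @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")) {
        foreach ($side in @("Client", "Server")) {
            $path      = "$schannel\Protocols\$name\$side"
            $enabled   = Get-SchannelValue -Path $path -Name "Enabled"
            $byDefault = Get-SchannelValue -Path $path -Name "DisabledByDefault"
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $byDefault
                # Either value is enough to take the protocol out of use on that side.
                Disabled          = ($enabled -eq 0) -or ($byDefault -eq 1)
            }
        }
    }
}

function Get-SchannelCipherState {
    # Cipher key names contain "/", so enumerate them with the .NET API as the post does.
    $root = (Get-Item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers")
    if ($null -eq $root) { return }
    foreach ($name in $root.GetSubKeyNames()) {
        $enabled = $root.OpenSubKey($name).GetValue("Enabled")
        [pscustomobject]@{ Cipher = $name; Enabled = $enabled; Disabled = ($enabled -eq 0) }
    }
    $root.Close()
}

# Rows with Disabled = False rely on the OS default rather than on these scripts.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-SchannelCipherState   | Format-Table -AutoSize
```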
