Once you have installed your SSL certificate you may wish to optimise the configuration of your server.
There are five Protocols available:
Protocol | Enabled in IIS by Default | Desirable |
TLS 1.2  | No                        | Yes       |
TLS 1.1  | No                        | Yes       |
TLS 1.0  | Yes                       | Yes       |
SSL 3    | Yes                       | Yes*      |
SSL 2    | Yes                       | No        |
From the table above we can see that SSL 2 must be disabled (it is now considered insecure),
and that TLS 1.2 and TLS 1.1 should be enabled. Finally, you should enable Perfect Forward Secrecy.
*SSL 3 is only useful if you need to support IE6 on Windows XP; otherwise it should be disabled.
If you are unsure of the current status of your server you can check it here:
https://www.ssllabs.com/ssltest/analyze.html
Step 1: Disable SSL 2
On your server, open the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Under this key, add a subkey named "Server"
Under "Server", add a REG_DWORD value named "Enabled" with a value of 0
Reboot the server to make the change active.
Step 2: Enable TLS 1.2 and TLS 1.1
(TLS 1.2 and TLS 1.1 may not be available on versions of Windows before Windows 7 / Windows Server 2008 R2)
On your server, open the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Under this key, add a subkey "TLS 1.1" and a subkey "TLS 1.2"
Under each of these two, add two subkeys: "Client" and "Server"
Under each of these four subkeys, add:
- a REG_DWORD value named "DisabledByDefault" with a value of 0
- a REG_DWORD value named "Enabled" with a value of 1
Reboot the server to make the change active.
Step 3: Enable Perfect Forward Secrecy
At the command line, run:
gpedit.msc
Open the tree: Computer Configuration > Administrative Templates > Network
Click "SSL Configuration Settings"
In the right pane, double-click "SSL Cipher Suite Order"
Set "SSL Cipher Suite Order" to Enabled
In the "SSL Cipher Suites" field, replace the existing value with the following comma-separated list (it must be entered on one line, with no spaces):
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA
Click OK
Reboot the server to make the change active.
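As an added example (not a script from the original article), the following PowerShell, run as Administrator, applies Steps 1 and 2 through the registry and audits a cipher suite string before it is pasted into the Step 3 policy. It goes slightly beyond the article: it turns SSL 2.0 off for the Client side as well as Server, and the audit flags the RC4, MD5, 3DES, NULL-cipher and non-forward-secret suites that appear at the end of the article's list. The function names and the sample string are my own; a reboot is still required after the registry changes.

```powershell
# Added example, not the article's own script. Assumes Windows PowerShell
# running as Administrator; a reboot is still needed for SChannel changes.
$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,     # e.g. 'SSL 2.0', 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled,
        [string[]] $Sides = @('Client', 'Server')  # the article's Step 1 sets Server only
    )
    foreach ($side in $Sides) {
        $key = Join-Path $Protocols "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 switches the protocol on; DisabledByDefault=0 lets SChannel
        # negotiate it without the application requesting it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Step 1: disable SSL 2.0 for both client and server use.
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
# Step 2: enable TLS 1.1 and TLS 1.2 (Windows 7 / Server 2008 R2 or later).
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }

# Step 3 check: report suites in a cipher suite order string that give no
# confidentiality (NULL), use RC4, MD5 or 3DES, or lack forward secrecy
# (no ECDHE/DHE key exchange), so they can be removed before the list is applied.
function Get-WeakCipherSuite {
    param([Parameter(Mandatory)] [string] $SuiteList)
    $SuiteList -split ',' | ForEach-Object { $_.Trim() } | Where-Object {
        $_ -match '_NULL_|_RC4_|_3DES_|_MD5$' -or $_ -notmatch '^TLS_(ECDHE|DHE)_'
    }
}

# Constructed sample: the first suite and three from the tail of the article's list.
$sample = 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA,' +
          'TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA'
Get-WeakCipherSuite -SuiteList $sample   # reports the last three suites
```

Run the audit against the full list from Step 3 to see every suite it would flag; only the ECDHE and DHE entries at the front of the article's list pass unflagged.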