These instructions are current as at March 2020. By default, IIS on Windows Server 2019 will achieve a B rating. To achieve an A+, older versions of TLS need to be disabled along with certain ciphers.
NOTE: Once TLS 1.0 is disabled, systems running Windows Server 2003 and older will no longer be able to connect.
- Install the Application Request Routing Module for IIS:
  https://www.microsoft.com/web/handlers/webpi.ashx?command=getinstallerredirect&appid=ARRv3_0
- In order to achieve a config that supports HSTS, add the following rewrite section to the web.config:
NOTE: This example details a complete web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
- Disable TLS 1.0 + TLS 1.1 and remove weak ciphers:
# Disable TLS 1.0 + TLS 1.1 + Weak Ciphers
# TLS 1.0, server side
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# TLS 1.0, client side
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# TLS 1.1, server side
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# TLS 1.1, client side
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# Remove CBC-mode, static-RSA key exchange and 3DES cipher suites
Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_GCM_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
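As an added verification step (not part of the original instructions), the following read-only PowerShell script audits the result of the changes above: it checks the SCHANNEL registry state for TLS 1.0 and 1.1 on both the Server and Client side, then lists any still-enabled cipher suite that uses CBC mode, static RSA key exchange or 3DES. It assumes an elevated session on the server itself and the built-in Get-TlsCipherSuite cmdlet.

```powershell
# Added audit example, not part of the original instructions. Read-only: it
# changes nothing. Run elevated on the hardened server after a reboot, since
# SCHANNEL protocol settings in the registry only take effect after a restart.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected state for each legacy protocol, Server and Client side alike:
# Enabled = 0 and DisabledByDefault = 1 (the values written by the steps above).
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        if (-not (Test-Path $key)) {
            Write-Warning "$proto ${side}: key missing, protocol still follows the OS default"
            continue
        }
        $p  = Get-ItemProperty -Path $key
        $ok = ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
        $state = if ($ok) { 'disabled' } else { 'NOT disabled' }
        '{0,-8} {1,-7} Enabled={2} DisabledByDefault={3} -> {4}' -f `
            $proto, $side, $p.Enabled, $p.DisabledByDefault, $state
    }
}

# Patterns covering the suites removed above: any CBC-mode suite, any suite with
# static RSA key exchange (no forward secrecy), and 3DES. TLS 1.3 suites
# (TLS_AES_*_GCM_*) and ECDHE GCM suites match none of them and are kept.
$weakPatterns = '_CBC_', '^TLS_RSA_WITH_', '3DES'
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

$weakStillEnabled = $enabled | Where-Object {
    $name = $_
    ($weakPatterns | Where-Object { $name -match $_ }).Count -gt 0
}

"Enabled cipher suites: $($enabled.Count)"
if ($weakStillEnabled) {
    Write-Warning 'Weak cipher suites still enabled:'
    $weakStillEnabled | ForEach-Object { "  $_" }
} else {
    'No CBC, static-RSA or 3DES cipher suites are enabled.'
}
```

A clean run prints four "disabled" lines and no warnings; any warning names the exact registry key or cipher suite that still needs attention before rescanning with an external TLS scanner.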