{"id":4837,"date":"2023-07-18T10:12:31","date_gmt":"2023-07-18T17:12:31","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4837"},"modified":"2023-07-18T10:12:33","modified_gmt":"2023-07-18T17:12:33","slug":"how-to-harden-a-iis-web-server-with-iis-crypto","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4837","title":{"rendered":"How to Harden an IIS Web Server with IIS Crypto"},"content":{"rendered":"\n<p>When setting up a web server, it can be difficult to know what security measures need to be put in place.<\/p>\n\n\n\n<p>There are lots of things to think about, such as which permissions to apply, which ports to open and which security protocols to enable.<\/p>\n\n\n\n<p>Luckily, if you are using IIS, there is a tool that can help you out with the configuration of the security protocols: IIS Crypto.<\/p>\n\n\n\n<p>In the sections that follow, I am going to show you where you can get access to IIS Crypto, how to install it and how to use it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Download<\/h2>\n\n\n\n<p>IIS Crypto is a free tool developed by&nbsp;<a href=\"https:\/\/www.nartac.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Nartac Software<\/a>.<\/p>\n\n\n\n<p>You can download IIS Crypto from the&nbsp;<a href=\"https:\/\/www.nartac.com\/Products\/IISCrypto\/Download\" target=\"_blank\" rel=\"noreferrer noopener\">Nartac website download page<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image\" id=\"attachment_2315\"><a href=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-download.png\"><img decoding=\"async\" src=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-download-1024x520.png\" alt=\"IIS Crypto download options\" class=\"wp-image-2315\"\/><\/a><figcaption>IIS Crypto download options<\/figcaption><\/figure>\n\n\n\n<p>IIS Crypto is available both as a GUI (Graphical User Interface) and in the form of a CLI (Command-Line Interface).<\/p>\n\n\n\n<p>If you are unfamiliar with the tool 
and\/or only need to administer one or two servers, I recommend starting off with the GUI version of the tool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installation<\/h2>\n\n\n\n<p>After downloading the GUI version of IIS Crypto, double-click the EXE to launch the tool.<\/p>\n\n\n\n<p>The tool requires administrative privileges, so you will need to click \u2018Yes\u2019 on the UAC (User Account Control) elevation prompt when it appears.<\/p>\n\n\n\n<p>Before the main user interface is displayed, you\u2019ll also need to accept the License Agreement.<\/p>\n\n\n\n<p>After accepting the License Agreement, the main interface will load.<\/p>\n\n\n\n<figure class=\"wp-block-image\" id=\"attachment_2316\"><a href=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-schannel.png\"><img decoding=\"async\" src=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-schannel-1024x787.png\" alt=\"IIS Crypto GUI\" class=\"wp-image-2316\"\/><\/a><figcaption>IIS Crypto GUI<\/figcaption><\/figure>\n\n\n\n<p>Now we can look at the basic usage of the tool and see how it can help us make our web servers more secure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Applying best practices<\/h2>\n\n\n\n<p>IIS Crypto allows many aspects of your web server security to be configured.<\/p>\n\n\n\n<p>The \u2018SChannel\u2019 page of the user interface is the default section that appears whenever the tool is launched. Initially, all of the checkboxes will be grey, indicating that a specific value has not been specified. 
Therefore, the default operating system settings will be used.<\/p>\n\n\n\n<p>The tool comes with a convenient \u2018Best Practices\u2019 button, which I have pressed in the previous screenshot.<\/p>\n\n\n\n<p><em>Note that setting the best practices also updates the list of ciphers that are enabled within the \u2018Cipher Suites\u2019 section of the user interface.<\/em><\/p>\n\n\n\n<p>After pressing the Best Practices button, you will need to press the \u2018Apply\u2019 button to save the changes.<\/p>\n\n\n\n<p><strong>Consider backing up the Windows Registry before proceeding, just in case you need to revert the changes.<\/strong><\/p>\n\n\n\n<p>Go ahead and apply the changes when you are ready, and you will then receive a confirmation message.<\/p>\n\n\n\n<p>You can, of course, individually select the protocols and other options which you wish to enable or disable. However, the best practices are a great starting point, disabling insecure protocols such as SSL 3.0, which are subject to the&nbsp;<a href=\"https:\/\/blog.qualys.com\/product-tech\/2014\/10\/15\/ssl-3-is-dead-killed-by-the-poodle-attack\" target=\"_blank\" rel=\"noreferrer noopener\">POODLE attack<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Advanced options<\/h2>\n\n\n\n<p>We can take things further by exploring some of the additional settings which are exposed by the IIS Crypto user interface.<\/p>\n\n\n\n<p>The \u2018Advanced\u2019 section of the interface allows the DHE (Diffie-Hellman Hardening) Minimum Key Length to be set. When you set best practices, the minimum length is set to 2048 bytes.<\/p>\n\n\n\n<p>There are some other useful options, such as the \u2018Only Use FIPS Algorithms\u2019 checkbox, which can help you to ensure that only Federal Information Processing Standard compliant cryptography is used.<\/p>\n\n\n\n<p>Additionally, there is a convenient option to back up the Registry. 
It is a really good idea to back up the Registry before applying any changes using IIS Crypto, as under the hood the tool makes many Registry changes which you would otherwise have to make manually.<\/p>\n\n\n\n<p>Lastly, the \u2018Templates\u2019 section of the interface provides the ability to apply even stricter security configurations where required, at the risk of breaking existing applications.<\/p>\n\n\n\n<p><em>Note that it is essential to thoroughly test any web application you are running via IIS after making any security configuration changes with IIS Crypto.<\/em><\/p>\n\n\n\n<p>As an example, the \u2018PCI 3.2\u2019 and the \u2018Strict\u2019 templates apply much stricter settings, disabling the TLS 1.0 and TLS 1.1 protocols. These stricter configurations can help you meet compliance requirements, without necessarily needing to understand the nuances of every individual security setting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Testing the changes<\/h2>\n\n\n\n<p>Now that the security updates have been applied, we can test how much more secure our web server configuration is.<\/p>\n\n\n\n<p>The \u2018Site Scanner\u2019 section of the IIS Crypto user interface provides a convenient way of generating a server security report. 
Simply enter the URL of your website into the \u2018Url\u2019 field and press the \u2018Scan\u2019 button to launch the&nbsp;<a href=\"https:\/\/www.ssllabs.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSL Labs website<\/a>.<\/p>\n\n\n\n<p>The SSL Labs report will grade your website according to the security protocols which are enabled.<\/p>\n\n\n\n<figure class=\"wp-block-image\" id=\"attachment_2329\"><a href=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-ssl-labs-report.png\"><img decoding=\"async\" src=\"https:\/\/jonathancrozier.com\/wp-content\/uploads\/2020\/12\/iis-crypto-ssl-labs-report-1024x566.png\" alt=\"SSL Labs report\" class=\"wp-image-2329\"\/><\/a><figcaption>SSL Labs report<\/figcaption><\/figure>\n\n\n\n<p>All being well, you should get an&nbsp;<strong>A<\/strong>&nbsp;if your web server security configuration is good.<\/p>\n\n\n\n<p>Additionally, you can click on the blue link\/links to get a detailed report of many different security aspects of your website along with the full test results.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>IIS Crypto is a great tool that allows us to get some quick wins in regards to web server security.<\/p>\n\n\n\n<p>The IIS Crypto user interface greatly simplifies the process of applying security best practices.<\/p>\n\n\n\n<p>Once you know the tool exists, you\u2019ll find that it will come in handy any time you are setting up an IIS web server.<\/p>\n\n\n\n<p>As the next step, I recommend that you read up on the various aspects of web server security which the IIS Crypto tool allows you to configure.<\/p>\n\n\n\n<p>This includes the following topics.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.cloudflare.com\/en-gb\/learning\/ssl\/transport-layer-security-tls\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Server Protocols<\/strong><\/a><\/li><li><a href=\"https:\/\/www.venafi.com\/blog\/what-are-cipher-suites\" 
target=\"_blank\" rel=\"noreferrer noopener\"><strong>Ciphers<\/strong><\/a><\/li><li><a href=\"https:\/\/www.sentinelone.com\/blog\/what-is-hash-how-does-it-work\/#:~:text=Hashes%20are%20the%20output%20of,of%20data%20or%20%E2%80%9Cmessage%E2%80%9D.\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Hashes<\/strong><\/a><\/li><li><a href=\"https:\/\/www.jscape.com\/blog\/key-exchange\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Key Exchanges<\/strong><\/a><\/li><li><a href=\"https:\/\/www.cloudflare.com\/en-gb\/learning\/ssl\/transport-layer-security-tls\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Client Protocols<\/strong><\/a><\/li><\/ul>\n\n\n\n<p>After reading up on all of the above you should feel much more confident regarding your web server security configuration and can fine-tune the settings further as needed in the future.<\/p>\n\n\n\n<p>Ref: <a href=\"https:\/\/jonathancrozier.com\/blog\/hardening-your-iis-web-server-configuration-with-iis-crypto\">Hardening your IIS web server configuration with IIS Crypto &#8211; Jonathan Crozier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When setting up a web server it can be difficult to know what security measures need to be put in place. There are lots of things to think about such as which permissions to apply, which ports to open and which security protocols to enable. 
Luckily, if you are using IIS, there is a tool <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4837\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,15],"tags":[1651,1650,1652],"class_list":["post-4837","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-windows-servers","tag-harden-iis-web-server-with-iis-crypto","tag-harden-your-iis-web-server-with-iis-crypto","tag-iis-crypto"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4837"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4837\/revisions"}],"predecessor-version":[{"id":4838,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4837\/revisions\/4838"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.CO
M\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}