IIS Configurations

These are the minimum configurations to hardening Windows Server and IIS Web Server.

Table of Contents

• Configure MachineKey
• Disable SSL and TLS protocols
  • PowerShell Script Process
  • Using IISCrypto Tool Process
  • Manual Process

Configure MachineKey

1. Click on the Windows Start Menu button.
2. Scroll down and click on Windows Administration Tools to expand.
   1. Scroll down, then click on Internet Information Services (IIS) Manager.
3. Click on the Server's name.
4. In the displayed Features View, under the ASP.NET section, double-click on Machine Key.
5. Under Validation method, Select HMACSHA256
6. In the right menu, under Actions, click on Apply.
7. Restart server

Disable SSL and TLS protocols

PowerShell Script Process

1. Download a copy of the WindowsServerHTTPSecurity.ps1 PowerShell script from the below link.
   • https://gist.github.com/jamesperrin/828bb07781bf11c2a4095353e62b7efb
2. Click on the Windows Start Menu button.
3. Scroll down, then Select and Open the IIS Manager.
4. Scroll down and click on Windows PowerShell to expand.
   1. Scroll down, then right click on Windows PowerShell.
   2. Select Run as Administrator.
   3. In the opened Administrator: Windows PowerShell command-line window.
      1. Navigate to the folder location where you saved the WindowsServerHTTPSecurity.ps1 PowerShell script.
   4. Type ./WindowsServerHTTPSecurity in the command-line window.
   5. Then, press the Enter key to execute the command.
   6. Close the PowerShell command-line window.
   7. Restart the server.

Using IISCrypto Tool Process

1. Download a copy of the IISCrypto Tool.
   • https://www.nartac.com/Products/IISCrypto/
2. Navigate to the folder location where you saved the IISCrypto Tool.
3. Right click on IISCrypto.exe, then select Run as Administrator.
4. The License Agreement dialogue will be displayed.
   1. Click Accept
5. The IIS Crypto program be opened.
   • WARNING: Don't click on the Best Practices button.
6. You should be in the Schannel options.
   1. Under Server Protocols.
      1. Unchecked the checkboxes next to:
         1. SSL 2.0
         2. SSL 3.0
         3. TLS 1.0
   2. Under Client Protocols.
      1. Unchecked the checkboxes next to:
         1. SSL 2.0
         2. SSL 3.0
         3. TLS 1.0
   3. Click Apply
7. Close the IIS Crypto program.
8. Restart the server.

Manual Process

1. Click on the Windows Start Menu button.
2. Scroll down and click on Windows System to expand.
3. Scroll down and click on Run
4. The Run dialog will be displayed.
   1. In the Open field, type regedit.
   2. Click OK
5. The Registry Editor dialog will be displayed.
   • You can now make whatever changes you need to make to the registry, which probably shouldn't be done unless you are versed in how to safely add, change, or delete registry keys and values. Make sure, whatever you do, that you only affect the narrow registry areas that you intend to.
6. Navigate to the following registry branch
   • /HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL
7. Create backup of selected registry branch
   1. Click on the key /HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL
   2. On menu, click File.
   3. Click Export
      1. Navigate to the data drive.
      2. Create a new folder named regs.
      3. Navigate to the new folder named regs.
      4. For File name recommended to use reg_SCHANNEL_YYYYMMDD.reg.
      5. Then, click Save
8. Navigate to the following registry branch
   1. /HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols
9. Right click on the key Protocols.
   1. Select New, then Key.
      1. Set the Name to SSL 3.0.
      2. Right click on the key SSL 3.0.
         1. Select New, then Key.
         2. Set the Name to Client.
            1. Right Click on the key Client.
               1. Select New, then DWORD (32-bit) Value.
               2. Set the Name to DisabledByDefault.
                  1. Press the Enter key.
               3. Double-click on the REG_DWORD DisabledByDefault.
               4. Set the Value data to 1.
               5. Click OK.
            2. Right Click on key Client
               1. Select New, then DWORD (32-bit) Value.
               2. Set the Name to Enabled.
                  1. Press the Enter key.
               3. Double-click on the REG_DWORD Enabled.
               4. Ensure Set the Value data to 0.
               5. Click OK.
      3. Right click on the key SSL 3.0
         1. Select New, then Key.
         2. Set the Name to Server.
            1. Right Click on the key Server.
               1. Select New, then DWORD (32-bit) Value.
               2. Set the Name to DisabledByDefault.
                  1. Press the Enter key.
               3. Double-click on the REG_DWORD DisabledByDefault.
               4. Set the Value data to 1.
               5. Click OK.
            2. Right Click on key Server
               1. Select New, then DWORD (32-bit) Value.
               2. Set the Name to Enabled.
                  1. Press the Enter key.
               3. Double-click on the REG_DWORD Enabled.
               4. Ensure Set the Value data to 0.
               5. Click OK.
10. Right click on the key Protocols.
    1. Select New, then Key.
       1. Set the Name to TLS 1.0.
       2. Right click on the key TLS 1.0.
          1. Select New, then Key.
          2. Set the Name to Client.
             1. Right Click on the key Client.
                1. Select New, then DWORD (32-bit) Value.
                2. Set the Name to DisabledByDefault.
                   1. Press the Enter key.
                3. Double-click on the REG_DWORD DisabledByDefault.
                4. Set the Value data to 1.
                5. Click OK.
             2. Right Click on key Client
                1. Select New, then DWORD (32-bit) Value.
                2. Set the Name to Enabled.
                   1. Press the Enter key.
                3. Double-click on the REG_DWORD Enabled.
                4. Ensure Set the Value data to 0.
                5. Click OK.
       3. Right click on the key TLS 1.0
          1. Select New, then Key.
          2. Set the Name to Server.
             1. Right Click on the key Server.
                1. Select New, then DWORD (32-bit) Value.
                2. Set the Name to DisabledByDefault.
                   1. Press the Enter key.
                3. Double-click on the REG_DWORD DisabledByDefault.
                4. Set the Value data to 1.
                5. Click OK.
             2. Right Click on key Server
                1. Select New, then DWORD (32-bit) Value.
                2. Set the Name to Enabled.
                   1. Press the Enter key.
                3. Double-click on the REG_DWORD Enabled.
                4. Ensure Set the Value data to 0.
                5. Click OK.
11. Restart Server