IIS Crypto 2.0 Released!

We are happy to announce that IIS Crypto 2.0 has been released! This new version is a complete rewrite and has a brand new interface. Some new features include creating custom templates, Windows Server 2016 support, add your own cipher suites, check for updates and much more. The full change log can be found on our download page. We have also updated the documentation and FAQ.

Thank-you everyone for all of your comments and feedback!

MS14-066 Updated

Microsoft has just released an update for MS14-066. All this update does is remove TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256 from the default cipher suite list for Windows 2008 R2 and Windows 2012. It does not update Windows 2012 R2. This seems like a temporary measure until Microsoft figures out what the real issue is. In the mean time, make sure that those cipher suites are unchecked in IIS Crypto.

IIS Crypto 1.6 Released with Updates for MS14-066

IIS Crypto 1.6 has been released. This version adds the 4 additional cipher suites that were updated as part of the MS14-066 (KB2992611) patch. Along with some minor fixes, the PCI template now disables SSL 3.0 and RC4. Full version history can be found here.

Microsoft released a patch named MS14-066 on November 11, 2014 to address a vulnerability in SChannel that could allow remote code execution. The patch includes 4 new cipher suites for Windows Server versions 2003 through 2012 R2. Previously only Windows Server 2012 R2 had these cipher suites. On November 16, Microsoft updated the advisory stating that they found an issue with the new cipher suites they introduced. If you have applied this patch and are running into connection issues with clients, the work around is to disable the following cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256. Using IIS Crypto simply uncheck these cipher suites, click Apply and reboot your server.

IIS Crypto 1.5 and Attack of the POODLE

A new version of IIS Crypto has been released. This updates the Best Practices template to disable SSL 3.0 because of the POODLE attack. Best Practices also has an updated cipher suite order and excludes RC4 encryption and DSA certificates. Addtional cipher suites have been added to Windows Server 2012 R2. Full version history can be found here. Check the updated FAQ for more help.

Thanks to everyone for the feedback and help with testing!