IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.


  • Single click to secure your site using best practices
  • Stop Logjam, FREAK, POODLE and BEAST attacks
  • Easily disable SSL 2.0 and SSL 3.0
  • Enable TLS 1.1 and 1.2
  • Disable other weak protocols and ciphers
  • Enable forward secrecy
  • Reorder cipher suites
  • FIPS 140-2 and PCI templates

What Does IIS Crypto Do?

IIS Crypto makes the registry changes described in this article by Microsoft. It also updates the cipher suite order in the same way that the Group Policy Editor (gpedit.msc) does. IIS Crypto has been tested on Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2.

Windows Server 2003 does not support the reordering of SSL cipher suites offered by IIS. However, you can still disable weak protocols and ciphers. Also, Windows Server 2003 does not come with the AES cipher suite. Microsoft has a hotfix for this.
IIS Crypto requires administrator privileges. If you are running under a non-administrator account, the GUI version will prompt for elevated permissions. The command line version must be run from a command line that already has elevated permissions.
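
To check the result of such changes independently, the following read-only PowerShell audit reports the protocol overrides and the policy cipher suite order. It is an added example, not IIS Crypto's own code; the registry paths are the standard Windows SCHANNEL and Group Policy locations, which this page does not list, and the function names and the weak-suite pattern are constructed for illustration.

```powershell
# Added example: read-only audit, nothing is written to the registry.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role = 'Server')
    $key   = Join-Path (Join-Path $base $Protocol) $Role
    $state = 'OS default (no override)'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        # Enabled = 0 turns the protocol off. DisabledByDefault <> 0 means it is
        # only negotiated when an application asks for it explicitly.
        if ($null -ne $p.Enabled -and $p.Enabled -eq 0) { $state = 'Disabled' }
        elseif ($null -ne $p.DisabledByDefault -and $p.DisabledByDefault -ne 0) { $state = 'Disabled by default' }
        elseif ($null -ne $p.Enabled) { $state = 'Enabled' }
    }
    New-Object PSObject -Property @{ Protocol = $Protocol; Role = $Role; State = $state }
}

function Get-CipherSuitePolicyOrder {
    $value = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).Functions
    if (-not $value) { return @() }
    # The value may be one comma-separated string or a multi-string; handle both.
    @($value) | ForEach-Object { $_ -split ',' } | Where-Object { $_ }
}

$report = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $proto -Role $role
    }
}
$report | Format-Table Protocol, Role, State -AutoSize

# Constructed heuristic: suite names that deserve a second look.
$weak   = 'RC4|_DES_|3DES|NULL|EXPORT|MD5'
$suites = @(Get-CipherSuitePolicyOrder)
if ($suites.Count -eq 0) {
    'No cipher suite order policy is set; the OS default order applies.'
} else {
    $i = 0
    foreach ($suite in $suites) {
        $i++
        $flag = if ($suite -match $weak) { 'REVIEW' } else { '' }
        '{0,3}  {1}  {2}' -f $i, $suite, $flag
    }
}
```

SCHANNEL reads these values at startup, so a protocol change may not take effect until the server has been rebooted.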


IIS Crypto is offered in both a GUI and a command line version. It runs on .NET 2.0 or 4.0. Click here to choose your version.

Test Your Site

To test your site after you have applied your changes, enter the URL and click the Scan button. You can also scan online from here:


Please take a look at our FAQ. If you have any other questions, feel free to contact us.