IIS Crypto

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.

NOTE ON MS14-066

If you have applied the MS14-066 (KB2992611) patch, please make sure to uncheck the following cipher suites if you are running into connection issues: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256. Check our FAQ for more information.

Update - On November 18, 2014, Microsoft updated MS14-066 to remove these cipher suites from the default cipher suite list for Windows 2008 R2 and Windows 2012. Windows 2012 R2 does not get the update. Even so, make sure that the cipher suites are unchecked in IIS Crypto as well.


Features

  • Single click to secure your site using best practices
  • Stop BEAST and POODLE attacks
  • Easily disable SSL 2.0 and SSL 3.0
  • Enable TLS 1.1 and 1.2
  • Disable other weak protocols and ciphers
  • Enable forward secrecy
  • Reorder cipher suites
  • Templates for compliance with government and industry regulations - FIPS 140-2 and PCI

What Does IIS Crypto Do?

IIS Crypto updates the registry following this article from Microsoft. We have tested IIS Crypto on Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2. Note - Windows Server 2003 does not support reordering the SSL cipher suites offered by IIS. However, you can still disable weak protocols and ciphers. Also, Windows Server 2003 does not come with the AES cipher suites. Microsoft has a hotfix for this.
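To see what those registry changes look like on a server, the following read-only PowerShell audit is an added example, not code from IIS Crypto or its authors. It assumes the standard SCHANNEL protocol keys documented by Microsoft and assumes that a customised cipher suite order is stored in the SSL policy key; `Get-SchannelProtocolState` is a hypothetical helper name. It checks the protocol states from the feature list and whether the four cipher suites from the MS14-066 note are still in the configured order.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Run from an elevated PowerShell prompt on the server being checked.
$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Assumption: a customised cipher suite order lives in the SSL policy key.
$orderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Target server-side state from the feature list: SSL off, TLS 1.1/1.2 on.
$wanted = @{ 'SSL 2.0' = 'Disabled'; 'SSL 3.0' = 'Disabled'
             'TLS 1.1' = 'Enabled';  'TLS 1.2' = 'Enabled' }

# Cipher suites the MS14-066 note says to uncheck.
$ms14066 = 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
           'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256'

function Get-SchannelProtocolState {   # hypothetical helper name
    param([string]$Protocol)
    $props = Get-ItemProperty -Path "$protocolRoot\$Protocol\Server" -ErrorAction SilentlyContinue
    # A missing key or value means the Windows default for this OS version applies.
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'NotConfigured' }
    if ($props.Enabled -ne 0) { return 'Enabled' }
    return 'Disabled'
}

foreach ($name in ($wanted.Keys | Sort-Object)) {
    $state = Get-SchannelProtocolState -Protocol $name
    if ($state -eq $wanted[$name])      { $verdict = 'OK' }
    elseif ($state -eq 'NotConfigured') { $verdict = 'REVIEW (OS default applies)' }
    else                                { $verdict = 'MISMATCH' }
    '{0,-8} {1,-14} wanted {2,-9} {3}' -f $name, $state, $wanted[$name], $verdict
}

$order = Get-ItemProperty -Path $orderKey -ErrorAction SilentlyContinue
if ($null -eq $order -or $null -eq $order.Functions) {
    'Cipher suite order: not customised, the OS default list applies'
} else {
    # The value may be one comma-separated string or a multi-string; handle both.
    $suites = @($order.Functions) | ForEach-Object { $_ -split ',' } |
              ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($suite in $ms14066) {
        if ($suites -contains $suite) { "$suite : still offered" }
        else                          { "$suite : not in configured order" }
    }
}
```

A `NotConfigured` result is not a pass: the effective state then depends on the Windows version's defaults, so confirm it with an external scan after applying changes.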

Downloads

IIS Crypto requires the .NET Framework version 2.0 or greater. If you are running Windows Server 2012, download the .NET 4.0 version.

Version history can be found here. Note - IIS Crypto requires administrator privileges. If you are running under a non-administrator account, the GUI version will prompt for elevated permissions. The command line version must be run from a command line that already has elevated permissions.

Support

Please take a look at our FAQ. If you have any other questions, feel free to contact us.

Testing Your Site

To test your site after you have applied your changes, enter the URL and click the Scan button. You can also try one of these tools:
