How to Require Strong Ciphers in Windows IIS 7.5 and 8

Stronger ciphers mean stronger encryption. Here's how to level up.

Windows Internet Information Service (or IIS) 7.5 and 8 can be configured to use only strong ciphers. This article will show you the steps required to do this.
NOTE: Cipher configuration will involve working with your system’s Local Group Policy Editor. Server configuration is outside of the scope of our support, and SSL.com cannot offer assistance with these steps.  We strongly recommend that you consult a professional Windows Administrator prior to making these changes. SSL.com offers this information as a service and reminds you that you use this information at your own risk.

View and Edit Enabled Ciphers

  1. From a command line, run gpedit.msc to start the Local Group Policy Editor.
  2. A window will pop up with the Local Group Policy Editor. On the left pane, click Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings.
  3. On the right pane, double click SSL Cipher Suite Order to edit the accepted ciphers. Note that the editor will only accept up to 1023 bytes of text in the cipher string – any additional text will be disregarded without warning, so check the length of the string before you save it.
  4. Save your changes when you are finished, then restart the server for them to take effect. Don’t forget that changing your cipher suite configuration may cause older browsers to fail on your website if they are not able to use the updated, stronger cipher suites.

Selecting Strong Cipher Suites

A list of all available cipher suites can be found at this link in Microsoft’s support library.

SSL.com recommends the following cipher suite configuration. These have been selected for speed and security. You may use this list as a template for your configuration, but your own needs should always take precedence. Older, less secure cipher suites may be required for legacy software (such as older browsers). You may wish to add support for these legacy browsers if your clients are not updated.

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 *
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 *

*Windows 8.1 and Windows Server 2012 R2 only.
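As an added example (not part of the SSL.com article), the PowerShell below applies the recommended list above without the Group Policy Editor, and refuses to write a string longer than the 1023-byte limit instead of silently truncating it. It assumes an elevated session and that the policy is stored at HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 in the Functions value, which is the registry location the SSL Cipher Suite Order policy setting controls.

```powershell
# Added example: write the "SSL Cipher Suite Order" policy value directly.
# Assumes an elevated PowerShell session on the IIS host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# The article's recommended suites; the two DHE entries apply to
# Windows 8.1 / Server 2012 R2 only, so remove them on older systems.
$Suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Get-CurrentCipherOrder {
    # Returns the policy order currently set, or $null when the policy is not configured.
    if (Test-Path $PolicyKey) {
        return (Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue).Functions
    }
    return $null
}

function Set-CipherOrder {
    param([string[]]$CipherSuites)
    # Drop duplicate entries (keeping first occurrence) and build the comma-separated string.
    $unique = $CipherSuites | Select-Object -Unique
    $value  = $unique -join ','
    # The policy editor discards everything past 1023 bytes without warning; fail instead.
    $bytes = [System.Text.Encoding]::ASCII.GetByteCount($value)
    if ($bytes -gt 1023) {
        throw "Cipher string is $bytes bytes; the policy limit is 1023 bytes."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $value -Type String
    return $value
}

Write-Host "Before: $(Get-CurrentCipherOrder)"
$applied = Set-CipherOrder -CipherSuites $Suites
Write-Host "After:  $applied"
Write-Host 'Restart the server for the new cipher suite order to take effect.'
```

Run Get-CurrentCipherOrder again after the reboot to confirm the value persisted, and keep the "Before" output so the previous order can be restored if legacy clients break.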

SSL.com reminds you that this is only a recommendation. We cannot offer support with this process and again suggest you consult a professional Windows Administrator prior to making any changes. Misconfiguration can cause broken or insecure connections.