I went to Qualys SSL Labs recently to find out how secure my SSL certificate was and unfortunately received a C rating.  This did surprise me, because this was based on a base Windows 2012 R2 installation with all the new Windows Updates.  

So guess what, there are changes you need to make manually to achieve a better ranking.

Here was my initial result:

  • This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
  • This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
  • This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To achieve an A rating, you need to fix the vulnerabilities listed above.

I will explain how you fix this, but first, I recommend you download IIS Crypto and upload it to your server.  It doesn't require any installation.

 


 

How to fix 'This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate

SSL 3.0 can be disabled via the registry, but I recommend using IIS Crypto, to avoid any mistakes.

  1. Open IIS Crypto
  2. Uncheck SSL 3.0 under 'Protocols Enabled'
  3. Click 'Apply'
  4. Restart server

 


 

This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.'

  1. Open IIS Crypto
  2. Uncheck 'RC4 **/***' under 
  3. Click 'Apply'
  4. Restart server

 


 

How to fix 'This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.'

 

  1. Click the Windows start button, type 'Run' and open.
  2. Type 'gpedit.msc'
  3. In the left tree, open 'computer configuration/administrative templates/network/ssl configuration settings'
  4. Double click 'SSL Cipher Suite Order'
  5. Choose 'Enabled'
  6. Under 'Options', there is a text box labelled 'SSL Cipher Suites', copy and paste the text from this txt file
  7. Click 'OK'
  8. Restart Server

Just FYI, the text file contains the following, which is the recommended ordering.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5

 

 


 

Resources

  • https://www.ssllabs.com/ssltest/
  • https://www.nartac.com/Products/IISCrypto
  • http://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/
  • https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt