
Achieving an A security rank in IIS

https://www.ssllabs.com/ssltest/ is a great tool for testing how securely your IIS server’s TLS is configured. Self-hosting any resource that gives your customers access to a database is a data-protection risk, and with the recent EU General Data Protection Regulation (GDPR), security is essential. People expect to see a green lock icon next to the URL, and they expect their information to be secure.
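Before (and after) running the SSL Labs test, it helps to have a local version of its protocol check to run against a server you administer. The script below is an added example, not the post’s own code: it attempts one handshake per named protocol and reports what the server accepted and negotiated. It assumes Windows PowerShell 5.1 on .NET Framework and uses the post’s www.domain.com as a placeholder host name. One caveat: a protocol that the client machine has itself disabled in SCHANNEL will also fail here, so a failure means “not confirmed”, not necessarily “disabled on the server”.

```powershell
# Added example (not from the original post): a local version of the SSL Labs
# protocol check. One handshake per named protocol against a server you
# administer; reports what was accepted and negotiated.
# Assumes Windows PowerShell 5.1 (.NET Framework).

function Test-TlsProtocolSupport {
    param(
        [string]$HostName = 'localhost',
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        $result = [ordered]@{
            Protocol = $proto; Accepted = $false; Negotiated = $null
            Cipher = $null; Hash = $null; KeyExchange = $null; Error = $null
        }
        try {
            $client.Connect($HostName, $Port)
            # Certificate trust is deliberately not evaluated here: this checks
            # protocol support only (SSL Labs grades the chain separately).
            $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
            # Force exactly one protocol so the server's answer is unambiguous
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Accepted    = $true
            $result.Negotiated  = $ssl.SslProtocol
            $result.Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            $result.Hash        = $ssl.HashAlgorithm
            $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
        } catch {
            # Handshake refused (or the client itself cannot speak this protocol)
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Once the registry and cipher changes from this post are applied, only Tls12
# (and Tls11, if it was left enabled) should show Accepted = True.
# 'www.domain.com' is the placeholder host used elsewhere in the post.
Test-TlsProtocolSupport -HostName 'www.domain.com' |
    Format-Table Protocol, Accepted, Negotiated, Cipher, Hash, KeyExchange, Error -AutoSize
```

Run it from a second machine rather than the server itself where possible, so the client-side SCHANNEL settings of the server do not mask the result.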

The list:

  • SSL Certificate
  • Disable TLS 1.0 / SSL – guide here
  • URL Rewrite Tool
  • .htaccess file (converted for IIS) – converting Apache .htaccess rules to IIS web.config:
    Step 1. In the Connections pane, select your site.
    Step 2. Double-click URL Rewrite.
    Step 3. On the right, select “Import Rules”.
    Step 4. Copy-paste your .htaccess file or select it under “Configuration file”.
    The imported rule as it appears in web.config (it redirects the bare domain to the https://www. host):
    <rewrite>
      <rules>
        <rule name="Redirect domain.com to www" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="domain.com" />
          </conditions>
          <action type="Redirect" url="https://www.domain.com/{R:0}" />
        </rule>
      </rules>
    </rewrite>
  • SSL enforced
  • Disabled weak hashes / ciphers changed
    In addition to disabling SSL 2.0, you can disable some weak ciphers by editing the registry in the same way. To speed up the process, paste the following into a text file named disableWeakCiphers.reg, then double-click it. Note that the file needs the regedit header on its first line, the quotes must be plain ASCII quotes, and the protocol key names contain a space (SSL 2.0, not SSL2.0), otherwise SCHANNEL ignores the entries. A restart is required before SCHANNEL picks up the change.
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
  • Ciphers
    1. From a command line, run gpedit.msc to start the Local Group Policy Editor.
    2. In the Local Group Policy Editor window, in the left pane, click Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings.
    3. In the right pane, double-click SSL Cipher Suite Order to edit the accepted ciphers. Note that the editor only accepts up to 1023 bytes of text in the cipher string; any additional text is discarded without warning.
    4. Save your changes when you are finished, then restart the server for them to take effect. Don’t forget that changing your cipher suite configuration may cause older browsers to fail on your website, because they are not able to use the updated, stronger protocols.

    Ciphers used:
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
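The registry edits above and the gpedit cipher-order step can be scripted and, more importantly, read back for verification before the restart. The script below is an added example and not the post’s own code: it applies the SCHANNEL settings from the .reg file (plus TLS 1.0 from the earlier bullet in the list), writes the cipher suite string from this step to the policy value that the “SSL Cipher Suite Order” setting stores, and audits the result. It assumes Windows PowerShell 5.1 run as Administrator and that no domain GPO overrides the local policy key; disabling the Client side of each legacy protocol is this example’s choice, not the post’s.

```powershell
# Added example, not the post's own code. Applies the SCHANNEL settings from the
# .reg file above, writes the cipher suite order from the gpedit step, and reads
# everything back. Assumes Windows PowerShell 5.1, run as Administrator, and no
# domain GPO overriding the local policy key.

$Schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Policy value behind Computer Configuration > Administrative Templates > Network >
# SSL Configuration Settings > SSL Cipher Suite Order
$PolicyKey = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Cipher subkeys from the post's .reg file
$WeakCiphers = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
# PCT 1.0 / SSL 2.0 / SSL 3.0 come from the .reg file; TLS 1.0 from the earlier
# bullet. Both Server and Client sides are disabled here (assumption: this host
# needs no outbound legacy TLS either).
$LegacyProtocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'

# The post's cipher suite string, in the post's order, with its two duplicates removed
$CipherSuiteOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Open-HklmKey {
    param([string]$SubKey, [switch]$Writable)
    # The .NET registry API is used on purpose: the PowerShell registry provider
    # treats the '/' in names such as 'RC4 40/128' as a path separator and would
    # create a nested 'RC4 40\128' key that SCHANNEL never reads.
    if ($Writable) { [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey) }
    else           { [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey) }
}

function Disable-LegacySchannel {
    $dword = [Microsoft.Win32.RegistryValueKind]::DWord
    foreach ($c in $WeakCiphers) {
        $k = Open-HklmKey "$Schannel\Ciphers\$c" -Writable
        $k.SetValue('Enabled', 0, $dword)
        $k.Close()
    }
    foreach ($p in $LegacyProtocols) {
        foreach ($side in 'Server', 'Client') {
            $k = Open-HklmKey "$Schannel\Protocols\$p\$side" -Writable
            $k.SetValue('Enabled', 0, $dword)
            $k.SetValue('DisabledByDefault', 1, $dword)
            $k.Close()
        }
    }
}

function Set-CipherSuiteOrder {
    $functions = $CipherSuiteOrder -join ','
    # gpedit silently drops anything past 1023 bytes; fail loudly instead
    if ($functions.Length -gt 1023) {
        throw "Cipher suite string is $($functions.Length) characters; the limit is 1023"
    }
    $k = Open-HklmKey $PolicyKey -Writable
    $k.SetValue('Functions', $functions, [Microsoft.Win32.RegistryValueKind]::String)
    $k.Close()
}

function Get-SchannelAudit {
    # Reads the values back. '(missing)' means the key or value does not exist,
    # which for SCHANNEL means "OS default", not "disabled".
    $paths = @{}
    foreach ($c in $WeakCiphers) { $paths["Cipher $c"] = "$Schannel\Ciphers\$c" }
    foreach ($p in $LegacyProtocols) {
        foreach ($side in 'Server', 'Client') { $paths["$p $side"] = "$Schannel\Protocols\$p\$side" }
    }
    foreach ($name in ($paths.Keys | Sort-Object)) {
        $enabled = '(missing)'; $dbd = '(missing)'
        $k = Open-HklmKey $paths[$name]
        if ($k) {
            $enabled = $k.GetValue('Enabled', '(missing)')
            $dbd     = $k.GetValue('DisabledByDefault', '(missing)')
            $k.Close()
        }
        [pscustomobject]@{ Item = $name; Enabled = $enabled; DisabledByDefault = $dbd }
    }
    $order = '(missing)'
    $k = Open-HklmKey $PolicyKey
    if ($k) { $order = $k.GetValue('Functions', '(missing)'); $k.Close() }
    [pscustomobject]@{ Item = 'Cipher suite order'; Enabled = $order; DisabledByDefault = '' }
}

Disable-LegacySchannel
Set-CipherSuiteOrder
Get-SchannelAudit | Format-Table -AutoSize
# SCHANNEL reads these keys at boot: restart before re-running the SSL Labs test.
```

Because the script writes the same policy value that gpedit does, the Local Group Policy Editor will show the configured order afterwards; if the server is domain-joined, a domain policy for the same setting wins over this local value.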

Side note:
CAA (Certification Authority Authorization) is not supported by 123-reg, so this isn’t something I could do. It may be worth the effort to transfer the domain at some stage.

STILL EDITING THIS POST!
