If you’ve managed HTTPS sites for any length of time, you’ve probably come across Qualys SSL Labs, which checks that your certificate chain is installed correctly and that your server’s TLS configuration is sound. It also has a habit of shouting at you (quite rightly) if your server is vulnerable to any of the common exploits, for which the fix is almost always to disable SSL 2.0 and SSL 3.0.
A very common issue for those of us on the Microsoft side of the fence is the default SSL/TLS cipher suite configuration in Windows Server 2008 R2/IIS 7, which basically allows anything that has at some point been a way of securing web sites, even if it never actually worked.
And the most horrid thing is that the only way to change which protocols and cipher suites the web server supports is to go mucking around in the registry, under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. And Lord forbid you want to change the order in which cipher suites are offered: the default Microsoft approach is MBF, aka most-broken-first, and if you don’t agree, off to the GPO editor you go (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order).
Granted, changing a few registry and GPO settings isn’t that bad (especially if you push it all out through Group Policy), but the settings aren’t something you can easily remember, so you’re constantly referring to documentation and hoping you got it right. And since SCHANNEL only reads them at boot, every mistake costs you a reboot to find out.
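As an added illustration (not part of the original post, and not what IIS Crypto does internally), here are the registry and policy settings the previous paragraphs refer to, applied from an elevated PowerShell prompt on a 2008 R2 box. The cipher suite list is an assumed, illustrative choice rather than a recommended or complete one; adjust it to what your clients actually need.

```powershell
# Added example: the SCHANNEL registry / GPO settings described above, applied with
# PowerShell. Not from the original post or from Nartac's IIS Crypto. Works on the
# PowerShell 2.0 that ships with 2008 R2. Nothing here takes effect until a reboot.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Protocols: disable SSL 2.0 and SSL 3.0 on both the server and the client side.
#    Enabled=0 turns the protocol off; DisabledByDefault=1 stops it being offered
#    unless an application asks for it explicitly.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$proto\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# 2. Ciphers: switch off NULL, DES and RC4. These key names contain a forward slash,
#    which the registry provider treats as a path separator, so the .NET registry API
#    is used to create them instead of New-Item.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Default)
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 128/128') {
    $k = $hklm.CreateSubKey("$ciphersPath\$cipher")
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$hklm.Close()

# 3. Cipher suite order: the same 'Functions' value that the "SSL Cipher Suite Order"
#    GPO setting writes. The list is an assumed, illustrative choice for 2008 R2:
#    ECDHE first for forward secrecy, then RSA-only AES suites, no RC4 or 3DES.
#    The *_P256/*_P384 suffixes are the 2008 R2 / 2012 naming; the whole string
#    must stay under 1023 characters or the tail is silently ignored.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
$order = $suites -join ','
if ($order.Length -gt 1023) { throw "Cipher suite string too long ($($order.Length) chars)" }
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'Functions' -Value $order -PropertyType String -Force | Out-Null

# 4. Read back what was written so it can be checked before the reboot.
Get-ItemProperty "$schannel\Protocols\SSL 3.0\Server" | Select-Object Enabled, DisabledByDefault
(Get-ItemProperty $policyKey).Functions -split ','
```

Two things to keep in mind: a value written locally under HKLM\SOFTWARE\Policies is overwritten by any domain GPO that manages the same setting, so on domain members set the cipher suite order through Group Policy rather than this way; and the script turns the protocols off for the client side too, which affects outbound TLS from the server (to a database, a web service, and so on), not just what IIS serves. Export the SCHANNEL key with reg export before you start, reboot, and re-run the SSL Labs scan to confirm.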
Until today, when I found IIS Crypto from Nartac Software. It’s a neat, single executable that does what it says on the tin: it configures the SCHANNEL crypto settings for IIS servers. It lets you change the settings through a GUI or from the command line, it has built-in templates for Best Practices, PCI and so on, and it even lets you create your own. And did I mention it’s free?
I’m fairly certain this sounds like an ad at this point, but I’m quite serious (and I’m not being paid to say this, by the way): fixing cipher settings on IIS has been one of my pet peeves for almost a decade, so I’m over the moon to finally find a tool that does the heavy lifting for me.
So that’s it. Give it a whirl; it has worked fine for me, but remember that whatever you disable is also gone for the old clients and the other services on the box that still need it, and don’t come crying to me when you break your web server!