Disabling weak cryptography in IIS to prevent attacks such as POODLE and FREAK
By default, Internet Information Services (IIS) on Windows Server 2003, 2008, and 2012 has vulnerable protocols, ciphers, and hashes enabled. You can disable these on all EmpowerID servers using a free utility from Nartac Software called IISCrypto. IISCrypto updates the registry and/or local policy on the server it is run from.
There are many guides on the Internet on how to use this utility to get an A or A+ on the Qualys SSL Server Test. Currently you cannot get an A+ on IIS while enabling support for multiple versions of TLS, but you can easily obtain an A. To do this, download IISCrypto on each EmpowerID server and run it.
Upon opening IISCrypto it shows the current settings of the server. Below is a screenshot of IISCrypto running on IIS 8.5.
There are a few predefined templates you can use. If you are not sure which to use, stick with Best Practices. Clicking that button makes the following changes:
Disabling both SSL 2.0 and 3.0 along with the DES and RC ciphers is a vast improvement. However, to get an A rating on the Qualys test you also need to uncheck the MD5 hash:
Click the Apply button. A popup will tell you that the server must be rebooted for all of these settings to take effect. Click OK and reboot the server.
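The Best Practices template plus the MD5 change above boils down to a set of SCHANNEL registry values, which is what IISCrypto writes for you. The script below is an added example, not part of the original guide and not Nartac's code: it applies the same changes described above (SSL 2.0 and 3.0 off, the DES and RC2/RC4 ciphers off, MD5 off) directly with PowerShell and then reads every key back so you can confirm the state before and after the reboot. The registry key names are the standard SCHANNEL names; the exact list of cipher variants chosen here is an assumption about what the template covers, so compare it against what IISCrypto shows on your server.

```powershell
# Added example: apply and audit the SCHANNEL settings described in this guide.
# Run from an elevated PowerShell session; a reboot is still required afterwards.
#Requires -RunAsAdministrator

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols to turn off on both the server and client side of SCHANNEL.
$DisabledProtocols = @('SSL 2.0', 'SSL 3.0')

# Cipher and hash subkeys to turn off. Several names contain "/", so the keys are
# created through the .NET registry API: New-Item would treat "/" as a path separator.
# (Assumed list of DES/RC2/RC4 variants; adjust to match what IISCrypto shows.)
$DisabledCiphers = @('DES 56/56',
                     'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                     'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
$DisabledHashes  = @('MD5')

function Set-SchannelValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey opens the key if it exists and creates it otherwise.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Disable-WeakSchannel {
    foreach ($p in $DisabledProtocols) {
        foreach ($side in 'Server', 'Client') {
            # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps applications
            # from using it unless they ask for it explicitly.
            Set-SchannelValue "Protocols\$p\$side" 'Enabled' 0
            Set-SchannelValue "Protocols\$p\$side" 'DisabledByDefault' 1
        }
    }
    foreach ($c in $DisabledCiphers) { Set-SchannelValue "Ciphers\$c" 'Enabled' 0 }
    foreach ($h in $DisabledHashes)  { Set-SchannelValue "Hashes\$h"  'Enabled' 0 }
}

function Get-SchannelReport {
    # Read back every key this script manages. A missing key or value means the
    # Windows built-in default applies, which on these server versions leaves the
    # algorithm enabled, so only an explicit Enabled=0 counts as disabled.
    $targets = @()
    foreach ($p in $DisabledProtocols) {
        foreach ($side in 'Server', 'Client') { $targets += "Protocols\$p\$side" }
    }
    foreach ($c in $DisabledCiphers) { $targets += "Ciphers\$c" }
    foreach ($h in $DisabledHashes)  { $targets += "Hashes\$h" }

    foreach ($t in $targets) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$t")
        $enabled = $null
        if ($key) {
            $enabled = $key.GetValue('Enabled', $null)
            $key.Close()
        }
        [pscustomobject]@{
            Key    = $t
            Status = if ($enabled -eq 0) { 'Disabled' } else { 'ENABLED (default or explicit)' }
        }
    }
}

Disable-WeakSchannel
Get-SchannelReport | Format-Table -AutoSize
Write-Host 'Reboot the server for the SCHANNEL changes to take effect.'
```

Running only `Get-SchannelReport` is a quick way to audit a server that was configured earlier, or to spot-check every node behind a load balancer without having to expose each one to the external test.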
After the server has rebooted, run the Qualys test against it. The test is not performed locally, so you will need to supply an external DNS name for the server.
Running the test against every server is not necessary provided you follow the same steps on each one. If you have multiple front-end servers behind a proxy or load balancer, you can enable each EmpowerID server one at a time to ensure you are testing each server individually.
Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.