Tag Archives: cipher suites

How to control your Windows Server’s cipher suites with IIS Crypto

When you are in charge of fixing vulnerabilities or troubleshooting encrypted communication issues between applications, you often have to deal with upgrading or fixing cipher suites. Depending on the vendor, it is often complex to access, customize, or even find out which cipher suites are available.

For Windows Server, a company called Nartac provides a free tool called IIS Crypto that will help you configure your server's SChannel security in a snap!

Using IIS Crypto with a GUI

Nartac offers two versions of its tool: one with a GUI and a CLI version. I would recommend installing the GUI version first to get familiar with it: you will see which cipher suites and SChannel protocols are available on your system, understand how the product works, and finally you will be able to create custom templates to use with the GUI or, even better, with the CLI.

IIS Crypto GUI

IIS Crypto CLI

Once you’re comfortable with IIS Crypto, and especially if you have many servers to manage, I would highly recommend going with the CLI version.

You can deploy IIS Crypto through Chocolatey and then apply a pre-existing template, or a custom one, depending on your needs:

Here, I apply an embedded template (Strict) while asking for a reboot so that the template is applied immediately.
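As an added example (not code from the original post and not Nartac's own documentation), the following PowerShell script carries the CLI deployment described above through end to end: it installs the CLI through Chocolatey, backs up the current SChannel settings so an over-strict template can be rolled back, applies a built-in template, and then verifies what was actually written by reading the SChannel protocol keys and the cipher suite list in force. The Chocolatey package id `iiscrypto-cli` and the IISCryptoCli switches `/backup` and `/template` are assumptions taken from the tool's documentation; confirm them with `iiscryptocli /?` on your own build before running this on a fleet.

```powershell
# Added example: deploy IIS Crypto CLI, apply a template, verify SChannel state.
# Assumed identifiers: Chocolatey package 'iiscrypto-cli', switches '/backup' and
# '/template' (check 'iiscryptocli /?' on your server). Run as Administrator.
#Requires -RunAsAdministrator
param(
    # Built-in template name passed to IISCryptoCli (assumed: best, strict, fips140, default).
    [string]$Template = 'strict',
    # Reboot at the end so the new protocol settings take effect immediately.
    [switch]$Reboot
)

# 1. Install the CLI through Chocolatey if it is not present yet.
if (-not (Get-Command iiscryptocli -ErrorAction SilentlyContinue)) {
    choco install iiscrypto-cli -y
    if ($LASTEXITCODE -ne 0) { throw "Chocolatey install failed with exit code $LASTEXITCODE" }
}

# 2. Back up the current SChannel registry settings before changing anything,
#    so a template that breaks a legacy client can be rolled back quickly.
$backup = Join-Path $env:TEMP ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& iiscryptocli /backup $backup
if ($LASTEXITCODE -ne 0) { throw "Backup failed with exit code $LASTEXITCODE" }
"Backup written to $backup"

# 3. Apply the template. The reboot is done separately below so that the
#    verification step can run first.
& iiscryptocli /template $Template
if ($LASTEXITCODE -ne 0) { throw "Applying template '$Template' failed with exit code $LASTEXITCODE" }

# 4. Verify: read the per-protocol server keys IIS Crypto writes. A missing key
#    means the OS default applies; Enabled=0 means the protocol is disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    $key = Join-Path $base "$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
    '{0,-8} server: {1}' -f $proto, $state
}

# 5. List the cipher suites currently in force. Windows reports them under their
#    IANA/RFC names (e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), not OpenSSL names.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize
}

# 6. Protocol changes only take effect after a restart.
if ($Reboot) { Restart-Computer -Force }
else { 'Reboot the server for the protocol changes to take effect.' }
```

Run it as `.\Apply-IisCrypto.ps1 -Template strict -Reboot` on a test server first; the protocol listing in step 4 is the quickest way to confirm that a template really disabled TLS 1.0/1.1 rather than leaving them at the OS default, and the backup `.reg` file from step 2 is what you merge back if a customer's legacy client stops connecting.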

Dealing with cipher suites

Part of my daily job is to improve application security at large. Doing so, I often have to deal with cipher suite hardening.

This task is not complex at all, yet you have to manage different libraries that use different naming conventions for the same suite (RFC/IANA, GnuTLS, OpenSSL, etc.). You can always count on the documentation or your favorite search engine; nonetheless, depending on their quality, that will make you waste a lot of time.

Fortunately, I found a very handy website, created by Hans Christian Rudolph and Nils Grundmann, which gives you a lot of information about those libraries, cipher suites, protocols, etc. It also offers an API, though that is still a work in progress. Long story short, any time you need to deal with cipher suites, you should take a look at it:

https://ciphersuite.info/

Analyzing your website encryption strength

During a recent audit, I had to harden the cipher suites used to secure a worldwide insurance application. The most important part of this task was to help our customers adapt, ensuring their infrastructure would be compatible with our future settings. During the whole project, I used different methods to double-check the settings applied to our different test and staging environments (packet analysis, vulnerability scanners, etc.). I found out that Qualys, one of our security providers, has a free website that can scan a website and provide an interesting report:

https://www.ssllabs.com/ssltest/

There are a lot of similar services (https://www.immuniweb.com/ssl/ for instance) with more or less the same functionality, but that one was particularly convenient to use.