Do you consider your website secure after installing an SSL certificate on it? A website with an SSL certificate is definitely more secure than one without. However, SSL is just a foundation: it provides an encrypted channel between the server where the website is hosted and the website's visitors. There are a number of possible attack vectors that a simple SSL installation can't mitigate, which is why additional effort from a certificate administrator is required to ensure security.
These articles contain step-by-step guides for security enhancements a certificate administrator may apply in a Windows Server environment, specifically for IIS 8.5, though most of the features described are also applicable to IIS 8, IIS 7.5 and IIS 7.0:
- HTTP to HTTPS redirection
- HTTP Strict Transport Security (HSTS)
- HTTP Public Key Pinning (HPKP)
- Disabling SSLv3
- Disabling RC4
- Disabling SHA-1
- Cipher Suites Configuration (and forcing Perfect Forward Secrecy)
- OCSP Stapling