Hardening SSL/TLS configuration on IIS 8.5

Do you consider your website secure after installing an SSL certificate on it? A website with an SSL certificate is certainly more secure than one without, but SSL is only a foundation: it provides an encrypted channel between the server hosting the website and its visitors. There are a number of possible attack vectors that a plain SSL installation does not mitigate, so additional effort from the certificate administrator is required to ensure security.
These articles contain step-by-step guides for security enhancements a certificate administrator may apply in a Windows Server environment, specifically for IIS 8.5, though most of the features described are also applicable to IIS 8, IIS 7.5 and IIS 7.0.

  • HTTP to HTTPS redirection
  • HTTP Strict Transport Security (HSTS)
  • HTTP Public Key Pinning (HPKP)
  • Disabling SSLv3
  • Disabling RC4
  • Disabling SHA-1
  • Cipher Suites Configuration (and forcing Perfect Forward Secrecy)
  • OCSP Stapling