Managing Windows Server Cipher Suites
Why Do You Need to Update Your Cipher Suites?
Here is how a secure connection works. A browser opens a connection to your site on your Hostway server; you can recognise such a connection by a URL beginning with "https://". During the TLS (SSL) handshake the browser sends the server the list of cipher suites it supports. The server compares that list with its own configured list and, on Windows, picks the first suite in the server's preferred order that the browser also supports. The handshake completes with that shared suite, which then protects the rest of the connection.
The problem is that not every cipher suite a server can offer is still recommended. Each suite names a key exchange (for example ECDHE or plain RSA), a bulk cipher (AES, 3DES, RC4, DES) and an integrity algorithm (SHA-256, SHA-1, MD5). Some combinations are strong (ECDHE key exchange with AES), some are acceptable (RSA key exchange with AES), and some are obsolete (DES, RC4, MD5). A browser can connect with any suite the server lists, so if your server offers ECDHE suites alongside a DES suite, a client that supports only the weak suite, or an attacker who can strip the stronger suites from the client's offer, ends up with DES. Offering weak suites therefore exposes both your server and your users. Out of the box, IIS (more precisely, the Schannel component it relies on) enables a number of these weaker suites, which is why the order should be reviewed.
Before You Start
You may wish to test your site before configuring these suites, so that you have a baseline to compare against afterwards. You can do so at:
https://www.ssllabs.com/ssltest/
A site that does not receive an A rating is not necessarily insecure, but do read the reasons behind the grade. SSL Labs scores RC4 as a weak cipher because its keystream has statistical biases that have been turned into practical attacks on TLS traffic; mainstream browsers have dropped it and RFC 7465 prohibits its use in TLS. An RC4 suite should stay on the list only if you must support a legacy client that cannot negotiate anything better, and even then it belongs at the very bottom of the order. Use the site's grade as a guideline rather than the final word on TLS security, but treat the suites it flags as weak as candidates for removal.
Updating Your Cipher Suite
To start, press "Windows Key" + "R". In the Run dialog box, type "gpedit.msc" and click "OK" to launch the Local Group Policy Editor. (On a domain-joined server a domain GPO that sets the same policy will override whatever you configure locally.)
On the left-hand side, expand "Computer Configuration", "Administrative Templates", "Network", and click on "SSL Configuration Settings".
On the right-hand side, double-click "SSL Cipher Suite Order".
You should see the "Not Configured" option selected. Select "Enabled" to edit your Hostway server's cipher suites.
The SSL Cipher Suites field will populate in short order. If you would like to see what cipher suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into a text document. The text is one long string, with each cipher suite separated by a comma and no spaces. Putting one suite on each line will make the list far easier to read and edit.
You can now edit the list and add, remove or reorder entries. Order matters: the server offers suites from the top of the list down, so put the strongest suites first. The whole list cannot be more than 1,023 characters. The names with a _P256 or _P384 suffix are the form used on Windows Server 2008 R2 and 2012; on Windows Server 2016 and later the suffix is no longer part of the suite name and the curves are configured separately under the "ECC Curve Order" setting in the same folder. Hostway recommends using the following list:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
Before pasting the list back, consider trimming its tail. The two 3DES suites and the SSL 2.0-era entry SSL_CK_DES_192_EDE3_CBC_WITH_MD5 are there only for very old clients: 3DES uses 64-bit blocks, which makes long-lived sessions exposed to the SWEET32 attack, and SSL 2.0 should not be enabled at all. Keep them only if you know a client of yours needs them, and keep them last. After making your changes, the new list must be formatted exactly like the original: one unbroken line with each cipher suite separated by a comma, with no spaces or line breaks. Copy the formatted text, paste it into the SSL Cipher Suites field and click OK. Finally, the server must be rebooted, because Schannel only reads this setting at startup. We recommend contacting your Hostway Support Team to schedule the reboot outside business hours.
After the reboot, we recommend re-testing your Hostway server against SSL Labs to confirm that the new order is in effect and that no client you care about has lost the ability to connect.
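If you would rather script the change than paste a 1,000-character string into a dialog, the following PowerShell does the same thing the policy editor does. It is an added example and not part of the original article or Hostway's tooling. It assumes an elevated PowerShell session on the server itself; that the Local Group Policy setting is stored as the REG_SZ value "Functions" under the policy key shown (a domain GPO setting the same policy would override it); and that Schannel reads the value only at boot, so the reboot described above is still required. The Test-CipherSuiteOrder, Get-CipherSuiteOrder and Set-CipherSuiteOrder functions, the $WeakPattern expression and the backup file location are this example's own choices.

```powershell
# Added example, not part of the original Hostway article: script the same
# "SSL Cipher Suite Order" change that gpedit.msc makes, with checks first.
# Assumptions: elevated PowerShell on the server itself; the Local Group Policy
# setting is stored as the REG_SZ value "Functions" under the key below (a
# domain GPO that also sets it would override this); Schannel reads the value
# only at boot, so a reboot is still needed afterwards.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$ValueName = 'Functions'
$MaxLength = 1023    # limit of the Group Policy text field

# Suites that should not be offered to current clients: SSL 2.0-era names,
# NULL encryption, DES/3DES, RC4, MD5 integrity and export-grade suites
$WeakPattern = '^SSL_CK_|_NULL_|_DES_|3DES|RC4|_MD5|EXPORT'

function Get-CipherSuiteOrder {
    # Current policy list as an array; empty if the policy is Not Configured
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName -split ',' | Where-Object { $_ -ne '' })
}

function Test-CipherSuiteOrder {
    # Returns the problems found; no output means the list is safe to write
    param([string[]]$Suites = @())
    $problems = @()
    foreach ($s in $Suites) {
        if ($s -cnotmatch '^(TLS|SSL)_[A-Z0-9_]+$') {
            $problems += "Malformed entry (whitespace or unexpected characters): '$s'"
        }
        if ($s -match $WeakPattern) { $problems += "Weak or legacy suite: $s" }
    }
    foreach ($g in ($Suites | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems += "Duplicate entry: $($g.Name)"
    }
    $joined = $Suites -join ','
    if ($joined.Length -gt $MaxLength) {
        $problems += "List is $($joined.Length) characters; the policy allows $MaxLength"
    }
    return $problems
}

function Set-CipherSuiteOrder {
    # Writes the list in the single-line, comma-separated form the policy expects
    param([Parameter(Mandatory)][string[]]$Suites, [switch]$Force)
    $problems = @(Test-CipherSuiteOrder -Suites $Suites)
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        if (-not $Force) { throw 'Refusing to write the list; fix the problems above or pass -Force.' }
    }
    # Keep a copy of the previous value so the change can be reverted
    $previous = (Get-CipherSuiteOrder) -join ','
    if ($previous) {
        $backup = Join-Path $env:ProgramData ('ciphersuites-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
        Set-Content -Path $backup -Value $previous
        Write-Host "Previous order saved to $backup"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value ($Suites -join ',') -Type String
    Write-Host 'Cipher suite order written; reboot the server for Schannel to apply it.'
}

# Example run: the article's list in the same order, minus the two 3DES suites
# and the SSL 2.0 entry at its tail. Names use the _P256/_P384 form shown in
# the article (Windows Server 2008 R2 / 2012); drop the suffix on 2016 and later.
$Preferred = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

$current = Get-CipherSuiteOrder
Write-Host "Currently configured: $($current.Count) suites"
Test-CipherSuiteOrder -Suites $current       # flags e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA if present
if ($current.Count -gt 0) { Compare-Object -ReferenceObject $current -DifferenceObject $Preferred }
Set-CipherSuiteOrder -Suites $Preferred      # then schedule the reboot
```

Run the script once without the final Set-CipherSuiteOrder line to see what is configured today and what the change would add or remove; the Test-CipherSuiteOrder output is the same list of weak or malformed entries the write step would refuse. Set-CipherSuiteOrder saves the previous string to a dated .bak file under ProgramData so the change can be reverted by writing that string back. On Windows Server 2016 and later, Get-TlsCipherSuite after the reboot shows the order Schannel is actually using, which is the quickest local confirmation before re-running the SSL Labs test.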