Security is a big deal nowadays. Let's be honest, it should have always been a big deal. With the plethora of data breaches in the news, people are starting to take notice and secure things properly.
The first step in making sure your website is secured properly is securing the web server it's hosted on. Here are steps to do that if your running your own IIS web server and are planning to use an SSL cert. This should work for IIS 7.5/8.0/8.5.
Testing Your Server##
Run your server through this awesome [SSL Server Test] (https://www.ssllabs.com/ssltest/) provided by Qualys. You can enter a URL of a site on the server, or an IP address. Make sure to check the "do not show results" box if you don't want the world to see your results (I recommend this, at least on the first attempt so you don't expose yourself as vulnerable).
Review your results.
The goal is to to get an A or higher. Don't worry if you don't hit that on the first attempt. The SSL test will provide plenty of feedback on what needs to be fixed.
Securing Your Server##
If your test results didn't come back as favorable as you'd hoped, here are a few options on how to fix those issues.
Caution: All of these options could potentially cause problems if done incorrectly. Proceed at your own risk!
- Google the issues that come up and manually edit the registry (not recommmended). That doesn't sound like much fun...let's have a look at some other options.
- Download and run IIS Crypto. This free tool allows you to enable/disable security settings with a few clicks using a GUI.
- Use this powershell script by Alexander Hass to set the security settings to the current best practices.