Securing Your IIS Server With Forward Secrecy

Security is a big deal nowadays. Let's be honest, it should have always been a big deal. With the plethora of data breaches in the news, people are starting to take notice and secure things properly.

The first step in making sure your website is secured properly is securing the web server it's hosted on. Here are the steps to do that if you're running your own IIS web server and plan to use an SSL certificate. This should work for IIS 7.5/8.0/8.5. The goal, as the title says, is a configuration that prefers forward-secret (ECDHE/DHE) cipher suites, so that a future compromise of the server's private key does not let an attacker decrypt sessions they recorded earlier.

Testing Your Server

  1. Run your server through the [SSL Server Test](https://www.ssllabs.com/ssltest/) provided by Qualys. You can enter the URL of a site on the server or an IP address. Check the "do not show results" box if you don't want the world to see your results (I recommend this, at least on the first attempt, so you don't advertise yourself as vulnerable before you've fixed anything).
    [Image: SSL Server Test form]

  2. Review your results.
    [Image: SSL Server Test results]

    The goal is to get an A or better. Don't worry if you don't hit that on the first attempt. The report lists what needs to be fixed, and its "Forward Secrecy" line tells you whether the server actually negotiated an ECDHE/DHE suite with the clients it simulates.

Securing Your Server

If your test results didn't come back as favorable as you'd hoped, here are a few options on how to fix those issues.

Caution: All of these options could potentially cause problems if done incorrectly. Proceed at your own risk!

  1. Google the issues that come up and edit the registry by hand (not recommended). The settings live under the Schannel keys in HKLM (SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL) and only take effect after a reboot, so a typo is easy to make and slow to notice. That doesn't sound like much fun... let's have a look at some other options.
  2. Download and run IIS Crypto (Nartac Software). This free tool lets you enable/disable protocols, ciphers and the cipher suite order with a few clicks in a GUI; its "Best Practices" button gets you most of the way.
  3. Use the PowerShell script by Alexander Hass, which writes the same registry values to match current best practices.
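To show what options 1 to 3 actually change, here is the same hardening done by hand in PowerShell. This is an added example, not code from the original post, from IIS Crypto or from the Hass script. It assumes an elevated prompt on Windows Server 2008 R2 / 2012 / 2012 R2 (the hosts for IIS 7.5-8.5), and the cipher suite list is only an example: suite names differ between Windows builds, so check what yours supports before applying it.

```powershell
# Added example (not from the original post): Schannel hardening by hand.
# Schannel reads these keys at boot, so reboot afterwards. Export the SCHANNEL key
# first (reg export) so you can roll back if a client you care about stops connecting.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocol switch: Enabled=1 + DisabledByDefault=0 turns a protocol on,
# Enabled=0 + DisabledByDefault=1 turns it off. Server and Client are separate keys.
function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled, [string[]]$Sides = @('Server', 'Client'))
    foreach ($side in $Sides) {
        $key = "HKLM:\$schannel\Protocols\$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

# SSL 2.0 and 3.0 (POODLE) off everywhere. TLS 1.0/1.1 off on the server side only:
# turning them off for the Client side too can break outbound connections the box
# makes (and on 2008 R2, RDP until it is patched for TLS 1.2). Old clients such as
# Windows XP, Java 6 and Android <= 4.3 cannot speak TLS 1.2 and will be locked out.
foreach ($p in 'SSL 2.0', 'SSL 3.0') { Set-SchannelProtocol -Protocol $p -Enabled $false }
foreach ($p in 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $p -Enabled $false -Sides 'Server' }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Disable NULL, DES, RC2 and RC4. These key names contain "/", which the registry
# provider treats as a path separator, so create them through .NET instead of New-Item.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($cipher in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $k = $hklm.CreateSubKey("$schannel\Ciphers\$cipher")
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}

# Cipher suite order: ECDHE (forward secret, AEAD first) ahead of plain RSA key exchange.
# This is the value the "SSL Cipher Suite Order" group policy writes: REG_SZ, comma
# separated, 1023 characters max. Suites NOT in the list are disabled, so keep a few
# non-PFS AES suites at the end for clients without ECDHE support.
# ASSUMPTION: names shown are the 2012 R2 form with a _P256/_P384 suffix; 2016+ drops it
# and 2008 R2 lacks the ECDHE_RSA SHA256/SHA384 suites. Adjust to your build.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
)
$order = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $order -Force | Out-Null
New-ItemProperty -Path $order -Name 'Functions' -Value ($suites -join ',') -PropertyType String -Force | Out-Null

# Show the server-side protocol table that was written, then reboot and re-run the SSL Labs test.
Get-ChildItem "HKLM:\$schannel\Protocols" | ForEach-Object {
    $s = Get-ItemProperty "$($_.PSPath)\Server" -ErrorAction SilentlyContinue
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $_.PSChildName, $s.Enabled, $s.DisabledByDefault
}
```

The ECDSA suites are harmless to list with an RSA certificate; Schannel simply never offers them. What matters for the forward-secrecy grade is that every ECDHE_RSA suite sits above every TLS_RSA suite, because Schannel honours the server's order, not the client's.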

IIS 8 - Redirect HTTP to HTTPS

I came across the need to redirect users who typed in http://site to the secured version https://site. Below are the steps on how to accomplish this.

  1. Make sure you've got the URL rewrite module installed in IIS. If you aren't sure if you do or not, you'll find out quickly when you can't find "URL Rewrite" in the steps below. Here are downloads for the 32bit version or the 64bit version.
  2. Select your website in IIS Manager and then double-click the "URL Rewrite" option in the features pane.
  3. Once the URL Rewrite screen is open, click the "Add Rule(s)..." link in the right hand pane and enter the details as shown below.

  4. Select Blank Rule from the inbound rules section.

  5. Give it a descriptive name
  6. Match URL section:
    • Set Requested URL to Matches the Pattern.
    • Set Using to Regular Expression
    • Set Pattern to (.*)
  7. Conditions section. Click Add
    • Set Condition Input to {HTTPS}
    • Set Check if Input String to Matches the Pattern
    • Set Pattern to ^OFF$
    • Click OK
  8. Actions section
    • Set Action type to Redirect
    • Set Redirect URL to https://{HTTP_HOST}/{R:1}
    • Check Append query string
    • Set Redirect type to Permanent (301)
    • Click Apply in the right hand pane

Now all requests to the http version of that site should be 301 redirected to the https version. {HTTP_HOST} carries over the original host name and {R:1} the path captured by the (.*) pattern, so http://site/some/page lands on https://site/some/page rather than on the site root.
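The same rule created from PowerShell with the WebAdministration module rather than by clicking through IIS Manager. This is an added example and not part of the original post; it assumes URL Rewrite is installed, that the site is called "Default Web Site" (change $site otherwise), and an elevated prompt. The comment shows the XML that ends up in the site's web.config, which is what the GUI steps above write too.

```powershell
# Added example (not from the original post): HTTP -> HTTPS 301 rule via WebAdministration.
Import-Module WebAdministration

$site     = 'IIS:\Sites\Default Web Site'   # ASSUMPTION: adjust to your site name
$ruleName = 'HTTP to HTTPS'
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

<# Resulting web.config fragment under <system.webServer>:
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
#>

# Idempotent: drop an existing rule of the same name so re-running does not duplicate it.
if (Get-WebConfiguration -PSPath $site -Filter $rule) {
    Remove-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -AtElement @{ name = $ruleName }
}

# Match URL: regular expression (.*), captured as {R:1}. stopProcessing keeps later rules from running.
Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{ name = $ruleName; stopProcessing = $true }
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '(.*)'

# Condition: only fire when the request did not arrive over TLS ({HTTPS} is ON or OFF; match is case-insensitive).
Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }

# Action: permanent (301) redirect to the same host and path on https, keeping the query string.
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type'              -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'url'               -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'redirectType'      -Value 'Permanent'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'appendQueryString' -Value $true

# Verify without following the redirect: expect "301 Moved Permanently -> https://localhost/some/path?x=1".
$req = [System.Net.WebRequest]::Create('http://localhost/some/path?x=1')
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} {1} -> {2}' -f [int]$resp.StatusCode, $resp.StatusDescription, $resp.Headers['Location']
$resp.Close()
```

One caveat before enabling this behind a load balancer or reverse proxy that terminates TLS for you: IIS then sees every request as plain HTTP, {HTTPS} is always OFF, and the rule produces a redirect loop. In that setup key the condition on the X-Forwarded-Proto header ({HTTP_X_FORWARDED_PROTO} not equal to https) instead.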