Here are the most common questions asked about IIS Crypto. If you have any other questions, feel free to contact us.

• When is IIS Crypto going to support TLS 1.3?

  IIS Crypto now supports TLS 1.3 and the new cipher suites on Windows Server 2022.

• What is the Windows default cipher suite order?

  Every version of Windows has a different cipher suite order. Depending on what Windows Updates the server has applied, the order can be different even with the same version of Windows. These were gath...

• Will Remote Desktop (RDP) continue to work after using IIS Crypto?

  Yes. The default security layer in RDP is set to Negotiate which supports both SSL (TLS 1.0) and the RDP Security Layer. However, if you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 in ...

• What registry keys does IIS Crypto modify?

  To enable/disable protocols, ciphers and hashes, IIS Crypto modifies the registry key and child nodes here: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Un...

• What is the Best Practices cipher suite order?

  Microsoft has renamed most of cipher suites for Windows Server 2016. We list both sets below. Windows Server 2016 and higher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25...

• Why does Best Practices still include TLS 1.0?

  Unfortunately if you disable TLS 1.0 you will break some user's connections. All versions of Internet Explorer on Windows Vista and older as well as Android versions 4.3 and lower will not be able to ...

• Why are some of the new cipher suites not included with the Best Practices?

  While TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 were included, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 were not. The latter were not inclu...

• How do I get an A+ from the Site Scanner?

  The Site Scanner requires the following combination of settings in order to get an A+: Only TLS 1.2 can be used At least one cipher suite must support Authenticated Encryption (AEAD) HTTP Strict Trans...

• Why are all of the check boxes grey when I run IIS Crypto?

  When IIS Crypto is first run on a server that has not be setup, the check boxes will be grey. This means that no settings has been specified and the defaults for the operating system will be used. Whe...

• How do I add HTTP Strict Transport Security (HSTS) to my website?

  If you are running Windows Server 2019, open the Internet Information Services (IIS) Manager and click on the website. Click on HSTS. Check Enable and set the Max-Age to 31536000 (1 year). Check Inclu...

• How was the Best Practices cipher suite order chosen?

  We follow SSL/TLS best practices and prefer ECHDE for the key exchange to enable forward secrecy. We then chose the highest key length followed by the highest hash length....

• What is MS14-066 (KB2992611) and what is the problem with it?

  Microsoft released a patch on November 11, 2014 to address a vulnerability in SChannel that could allow remote code execution. This patch included 4 new cipher suites for Windows Server versions 2008 ...

• Is IIS Crypto free to use?

  Yes IIS Crypto is freeware and can be used in any environment including personal, commercial, etc. The full license agreement is below: IIS Crypto Copyright (c) 2011-2019 Nartac Software Inc. www.nart...

• Why does IIS Crypto set the Protocols Enabled value to 0xffffffff

  Originally IIS Crypto set the Protocols Enabled values to 0 or 1. However, we got a lot feedback that it broke some older software. Microsoft's own documentation states using 0xffffffff is the correct...

• What is the FREAK attack and does IIS Crypto stop it?

  The FREAK attack is a vulnerability that allows HTTPS traffic to be intercepted. It does this but trying to force the server to use old cipher suites that have long been insecure. If you are running W...

• How do I restore my server to the operating system defaults?

  Click the Templates button and select the Server Defaults template from the drop down box. Click the Apply button and reboot your server....

• Why do I still get a low score using the site scanner even though I clicked on the Best Practices button?

  There are a few reasons. First, make sure that you have clicked the Apply button and rebooted your server. Second, as of February 2020, the site scanner now caps scores with a B rating if TLS 1.0 or 1...

• Do I have to reboot my server after applying a template or changing some settings?

  Yes. Most of the settings that IIS Crypto updates are system wide and unfortunately that requires a reboot....

• Does IIS Crypto update the client registry keys?

  Yes. IIS Crypto has a separate checklist box for the client registry keys....

• What is the logjam exploit?

  The logjam exploit is a man-in-the-middle attack that tries to downgrade TLS connections using the Diffie-Hellman key exchange to 512 bits. Using the Best Practices template in IIS Crypto disables all...

• Why don't my websites show up in the Site Scanner drop down box?

  The Site Scanner tries to load all of the host names that have been configured in IIS. The site must be running, have a host name and HTTPS specified in the bindings. If the binding only has an IP add...