Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength

So strangely enough, I always thought submitting a 2048bit CSR to my CA and receiving a 256-bit SSL cert would automatically force connections to use a 256-bit cipher strength over the established SSL connection, however it turns out that most connections will stay at 128-bit unless you tell your server to utilize TLS 1.2.  In this tutorial, we will go over how to enable TLS v1.2 for IIS to increase the cipher strength to 256-bits.

Here is what a certificate’s connection info looked like before the tutorial

SSL Cert Info - 128-bit

Here is what a certificate’s connection info looks like after the tutorial

SSL Cert Info - 256-bit

  1. Execute the following commands via an elevated PowerShell command prompt to enable TLS v1.2:
    Elevated Powershell

    1. # Create keys in registry (not created by Windows out of the box)
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
      # Enable TLS 1.2 for client and server SCHANNEL communications
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      PowerShell TLS 1.2 Registry Edits
    2. Registry before powershell commands
      Registry - Before TLS v1.2
    3. Registry after powershell commands
      Registry - After TLS v1.2
  2. Next, we need to edit the server to default the use of the 256-bit ciphers
    1. Click Start->gpedit.msc
      Start -> gpedit.msc
    2. Expand Computer Configuration -> Administrative Templates -> Network and select SSL Configuration Settings
      Group Policy Editor - SSL Configuration Settings
    3. Double click SSL Cipher Suite Order and check Enabled
      SSL Cipher Suite Order 128-bit
    4. Copy the text from the SSL Cipher Suites and paste it into notepad.
      SSL Cipher Suite Order
    5. Move the following to the beginning of the text document: TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA (Note: here you could remove lower strength ciphers from the order to prevent the server from accepting those connections).
      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA Cipher Suite order
    6. Paste the Cipher Suites back into the SSL Cipher Suites box in Group Policy and click OK
      SSL Cipher Suite Order 256-bit
    7. Restart the server for the changes to take effect


Changing the order of the Cipher Strengths:

Original source I found for the quick powershell commands to enable TLS v1.2:

7 thoughts on “Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength

  1. Personlig udvikling

    We still receives the “The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.” on ssllabs ssl test, even though we enabled TLS 1.2 and disabled the old protocols.
    We ran the IISCrypto tool and all seems to be in place. Still we see the above message.

    Could it be that we are exposing our Exchange 2010 through an ISA Server 2006 running on a 2003 server system (which doesn’t support TLS 1.2)?
    We have some apache servers behind this ISA server which have no problems using TLS 1.2 though.


    1. Jack Post author

      Hi Personlig,

      While Exchange may support the higher level encryption, if the OS it is installed on doesn’t (which I believe you are correct in that Server 2003 does not), you will need to upgrade the OS.


  2. Keith M.

    A few more notes on this. The behavior differs based on the operating system. As provided here, Windows 2008 does not support TLS 1.1 or 1.2, which is very disappointing. 2008 R2 requires the registry keys and cipher order modifications, however 2012 and 2012 are a little different. In addition, browser configurations may be required. Furthermore, RDP requires a few patches and an rdp client in order to support TLS 1.2. Windows is unable to self-sign a sha2 RDP certificate, however MS does support SHA2 TLS 1.2 if you issue an RDP cert via an issued certificate.

    SHA2 support for RDP requires https://support.microsoft.com/en-us/kb/3033929

    OS compatibility and support matrix for ciphers – https://blogs.technet.microsoft.com/askds/2015/12/08/speaking-in-ciphers-and-other-enigmatic-tonguesupdate/

    A link for a useful crypto utility https://www.nartac.com/Products/IISCrypto/


Leave a Reply

Your email address will not be published. Required fields are marked *