How to Achieve an A+ Qualys Evaluation IIS on Windows Server 2019

0
10920

These instructions are current as at March 2020. By Default, IIS on Windows Server 2019 will achieve a B rating. To achieve an A+, older versions of TLS need to be disabled along with certain ciphers.

NOTE: Once TLS 1.0 is disabled, systems running Windows Server 2003 and older will no-longer be able to connect.

  1. Install the Application Request Routing Module for IIS:
    https://www.microsoft.com/web/handlers/webpi.ashx?command=getinstallerredirect&appid=ARRv3_0
  2. In order to achieve a config that supports HSTS, add the following rewrite section to the webconfig:
    NOTE: This example details a complete web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
                <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
             </rule>
           </rules>
           <outboundRules>
             <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
               <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
               <conditions>
                 <add input="{HTTPS}" pattern="on" ignoreCase="true" />
               </conditions>
               <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
             </rule>
           </outboundRules>
         </rewrite>
    </system.webServer>
</configuration>

  1. Disable TLS 1.0 + TLS 1.1 and remove weak ciphers:
# Disable TLS 1.0 + TLS 1.1 + Weak Ciphers
 
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null   
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
 
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null   
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
 
Disable-TlsCipherSuite -name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
Disable-TlsCipherSuite -name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -name "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_128_GCM_SHA256"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_256_CBC_SHA256"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_128_CBC_SHA256"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"


LEAVE A REPLY

Please enter your comment!
Please enter your name here