This article explains how to set or improve the encryption between the web client and the Internet Information Server (IIS).

In its default configuration, depending on the underlying operating system, Internet Information Server still uses the older SSL protocols for encryption, which are classified as insecure according to current knowledge.

Procedure

To harden these settings and enable TLS as the protocol, please add the following registry values on the IIS server:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault = [REG_DWORD] = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled = [REG_DWORD] = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault = [REG_DWORD] = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled = [REG_DWORD] = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault = [REG_DWORD] = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled = [REG_DWORD] = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\DisabledByDefault = [REG_DWORD] = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled = [REG_DWORD] = 1

These settings take effect on Windows Server 2008 R2 with IIS 7.5 and higher.

After setting these registry values, the server must be restarted for the settings to become active.
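The following PowerShell script is an added example and not part of the original article; it applies the same SCHANNEL values listed above from an elevated PowerShell session instead of the registry editor, then reads them back so the change can be checked before the reboot. It goes beyond the article in one respect: it also writes the corresponding keys for SSL 2.0 and SSL 3.0 with Enabled=0 and DisabledByDefault=1, which switches off the legacy SSL versions the article describes as insecure (the article itself lists no keys for this; the assumption is that no client still depends on them).

```powershell
# Added example (not from the original article). Run elevated on the IIS host.
# A reboot is still required afterwards for SCHANNEL to pick up the values.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol name -> $true to enable, $false to disable.
# TLS 1.1 / TLS 1.2 are the article's values; SSL 2.0 / SSL 3.0 are an
# addition (assumption: no legacy clients need them).
$protocols = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

foreach ($name in $protocols.Keys) {
    $enable = $protocols[$name]
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$name\$side"
        if (-not (Test-Path $key)) {
            # The protocol subkeys do not exist by default and must be created.
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled=1 / DisabledByDefault=0 turns a protocol on;
        # Enabled=0 / DisabledByDefault=1 turns it off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $enable)) -Force | Out-Null
    }
}

# Read the values back from the registry as a pre-reboot check.
foreach ($name in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$name\$side"
        $p = Get-ItemProperty -Path $key
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $name, $side, $p.Enabled, $p.DisabledByDefault
    }
}
```

Both values are written for each protocol because SCHANNEL treats a missing DisabledByDefault differently from an explicit 0; setting the pair explicitly avoids depending on the operating system's built-in default for that protocol version.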

In this context, please also note the following notice from Microsoft:

To test which encryption protocol the server accepts, Microsoft's Internet Explorer can be used, for example, by adjusting the following settings on the client:

  • Internet Options -> Advanced -> Security -> disable 'Use SSL ...' and enable 'Use TLS 1.2'.
  • With these settings the browser can open the page only if TLS 1.2 is supported on the server.
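As an added example (not part of the original article), the same check can be scripted from any Windows machine with PowerShell: for each protocol version, the script opens a connection to the server and offers only that version in the handshake, so the result shows which versions the server still accepts after the reboot. The host name is a placeholder to replace with your own IIS server; certificate validation is deliberately switched off inside this check so that only the protocol negotiation decides the outcome, which is acceptable for a configuration test against your own server but not for real traffic.

```powershell
# Added example (not from the original article): probe which TLS/SSL versions
# an IIS server accepts, one version per handshake.
param(
    [string]$TargetHost = 'iis.example.internal',   # placeholder, replace with your server
    [int]$Port = 443
)

function Test-TlsVersion {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Accept any certificate: this test is about the protocol version only.
        # Never reuse this callback outside a configuration check.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Offer exactly one protocol version; the server either completes the
        # handshake with it or aborts.
        $ssl.AuthenticateAsClient($TargetHost, $noClientCerts, $Protocol, $false)
        return [pscustomobject]@{ Offered = $Protocol; Accepted = $true; Negotiated = $ssl.SslProtocol }
    } catch {
        # A failure here means the server rejected the version, or the local
        # .NET runtime refuses to offer it (typical for SSL 3.0 on current systems).
        return [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        $client.Close()
    }
}

# After the hardening above, the expectation is: Ssl3 rejected, Tls11 and Tls12 accepted.
foreach ($version in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -TargetHost $TargetHost -Port $Port `
        -Protocol ([System.Security.Authentication.SslProtocols]$version)
} | Format-Table -AutoSize
```

Run the script from a client that is not the IIS server itself; otherwise the Client-side SCHANNEL values set above also apply to the test and can mask what remote clients would see.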