3/08/2016

Setup IIS web server with HTTPS and enable/disable TLS


When testing web applications over HTTPS and TLS, a tester might need to set up a web server (IIS) that supports these security protocols.

The following set of instructions shows how to achieve this.

You can secure your web server/application either by purchasing a security certificate from a vendor or by creating a self-signed certificate generated by the web server itself (for testing purposes).

1. Generate a self-signed certificate in IIS by going to 'Server Certificates'.

2. Select the site in IIS that you need to secure (e.g. "Default Web Site"). Then select 'Bindings', add an https entry and choose the certificate that you created above.


3. You might need to enable/disable specific TLS versions on the server; this can be done as follows.

Enable TLS 1.1 and TLS 1.2
=======================
Open the registry on your server by running 'regedit' from the Run window and navigate to the location below.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Add the TLS 1.1 and TLS 1.2 keys under Protocols. They will look like directories.

Now create two keys, Client and Server, under both TLS keys.

Now create the following DWORD values under both the Server and Client keys:

DisabledByDefault [Value = 0]
Enabled [Value = 1]

Disable SSLv3 and Older Versions
=================================
Open the registry on your server by running 'regedit' from the Run window and navigate to the location below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Now change the DWORD values under the Server and Client keys of SSLv3 and the older SSL version keys as follows:

DisabledByDefault [Value = 0]
Enabled [Value = 0]

After making all of the above settings, reboot your server.
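The same registry changes described in the steps above can be scripted instead of clicked through in regedit. The following PowerShell is an added example and not part of the original post; it assumes the standard SCHANNEL subkey names 'TLS 1.1', 'TLS 1.2', 'SSL 2.0' and 'SSL 3.0', and the helper function names are this example's own. Run it from an elevated prompt and reboot afterwards.

```powershell
# Added example: apply the SCHANNEL protocol settings from the post with PowerShell.
# Path and value names are those given in the post; function names are hypothetical.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'TLS 1.2' or 'SSL 3.0'
        [Parameter(Mandatory)][bool]$Enable    # $true = enable, $false = disable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Name\$side"
        # Create the Client/Server subkeys if they do not exist yet
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $enabled = if ($Enable) { 1 } else { 0 }
        # The post uses DisabledByDefault = 0 in both cases; Enabled decides the state
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $enabled -Force | Out-Null
    }
}

# Read back every protocol key so the result can be checked before rebooting
function Get-SchannelProtocolState {
    Get-ChildItem $base | ForEach-Object {
        $proto = $_.PSChildName
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    Protocol          = $proto
                    Side              = $side
                    Enabled           = $p.Enabled
                    DisabledByDefault = $p.DisabledByDefault
                }
            }
        }
    }
}

# Enable TLS 1.1 and TLS 1.2 (step "Enable TLS 1.1 and TLS 1.2")
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $true }

# Disable SSL 3.0 and the older SSL 2.0 (step "Disable SSLv3 and Older Versions")
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $false }

Get-SchannelProtocolState | Format-Table -AutoSize
```

The table printed at the end should show Enabled = 1 for the TLS keys and Enabled = 0 for the SSL keys on both the Client and Server side; the settings take effect after the reboot.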

4. You can now verify which TLS/SSL protocols the web server accepts or rejects, and that https works, by using the TestSSLServer executable from http://www.bolet.org/TestSSLServer/

TestSSLServer.exe SERVERNAME 443

5. Finally, to make the certificate work, you will need to import the certificate into the client machine's 'Trusted Root Certification Authorities' store using MMC.