Skip to content

Instantly share code, notes, and snippets.

@JimWolff

JimWolff/bbp_http2fs_tls1.2only_win2k16-2018-04-18.ictpl

Last active April 18, 2018 09:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save JimWolff/4353334ee634c68753c4e61736ed0509 to your computer and use it in GitHub Desktop.
Save JimWolff/4353334ee634c68753c4e61736ed0509 to your computer and use it in GitHub Desktop.
Download ZIP
IISCrypto template for enabling http2 on windows server 2016, restricts protocol use to TLS 1.2 to achieve a grade A+ on qualsys server test when HSTS is enabled. Boarder support version local here: https://gist.github.com/JimWolff/d8ea8ee58360f75c9283c6d74165774b (this template is used in my autofix ssl script here: https://gist.github.com/JimW…
Raw
bbp_http2fs_tls1.2only_win2k16-2018-04-18.ictpl
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practise (restricted to TLS1.2), prioritize HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-04-18T10:45:11.0463186Z</lastUpdated>
<description>Using best practises, but TLS_ECDHE_ECDSA is prioritesed because its needed for http/2 not to use blacklisted cipher suites, prioriteses suites to ensure FS, uses TLS1.2 only to achieve a grade A+ on IIS in win2k16 with HSTS enabled.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<clientProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</clientProtocols>
<serverProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Disabled" />
<schannelItem name="TLS 1.1" state="Disabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</serverProtocols>
<ciphers>
<schannelItem name="NULL" state="Disabled" />
<schannelItem name="DES 56/56" state="Disabled" />
<schannelItem name="RC2 40/128" state="Disabled" />
<schannelItem name="RC2 56/128" state="Disabled" />
<schannelItem name="RC2 128/128" state="Disabled" />
<schannelItem name="RC4 40/128" state="Disabled" />
<schannelItem name="RC4 56/128" state="Disabled" />
<schannelItem name="RC4 64/128" state="Disabled" />
<schannelItem name="RC4 128/128" state="Disabled" />
<schannelItem name="Triple DES 168" state="Enabled" />
<schannelItem name="AES 128/128" state="Enabled" />
<schannelItem name="AES 256/256" state="Enabled" />
</ciphers>
<hashes>
<schannelItem name="MD5" state="Enabled" />
<schannelItem name="SHA" state="Enabled" />
<schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" />
</hashes>
<keyExchanges>
<schannelItem name="Diffie-Hellman" state="Enabled" />
<schannelItem name="PKCS" state="Enabled" />
<schannelItem name="ECDH" state="Enabled" />
</keyExchanges>
</schannel>
<cipherSuites>
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_CBC_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA256" state="Disabled" />
</cipherSuites>
</iisCryptoTemplate>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment