IIS Crypto template for enabling HTTP/2 on Windows Server 2016; it restricts server-side protocol use to TLS 1.2 to achieve an A+ grade on the Qualys SSL Server Test when HSTS is enabled. A broader-compatibility version lives here: https://gist.github.com/JimWolff/d8ea8ee58360f75c9283c6d74165774b (this template is used in my autofix SSL script here: https://gist.github.com/JimW…
<?xml version="1.0" encoding="utf-16"?>
<!--
  IIS Crypto template (Nartac IIS Crypto) that configures Schannel protocols, ciphers,
  hashes, key exchanges and the TLS cipher-suite order on a Windows host.

  Encoding: the declaration says UTF-16, so the file on disk must really be UTF-16
  (IIS Crypto writes it that way). A copy pasted from this page and saved as UTF-8
  must either be re-saved as UTF-16 or have this declaration changed, or the XML
  parser will reject it.
-->
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<!-- Template metadata only; nothing in <header> changes registry state. -->
<header>
<name>Best Practise (restricted to TLS1.2), prioritize HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-04-18T10:45:11.0463186Z</lastUpdated>
<description>Using best practises, but TLS_ECDHE_ECDSA is prioritesed because its needed for http/2 not to use blacklisted cipher suites, prioriteses suites to ensure FS, uses TLS1.2 only to achieve a grade A+ on IIS in win2k16 with HSTS enabled.</description>
<builtIn>false</builtIn>
</header>
<!--
  setClientProtocols="true": the <clientProtocols> list below is applied as well as
  the server list, i.e. this template also governs outbound TLS connections that
  the host itself initiates.
-->
<schannel setClientProtocols="true">
<!--
  Client side (outbound) protocols. Note that TLS 1.0 and TLS 1.1 stay Enabled here
  while they are Disabled on the server side below; presumably kept for
  compatibility with back-end services this host talks to. Confirm that is
  acceptable for the environment before applying.
-->
<clientProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</clientProtocols>
<!--
  Server side (inbound) protocols: only TLS 1.2 is Enabled. This is the
  "restricted to TLS1.2" part of the template name; every older protocol,
  including TLS 1.0 and 1.1, is Disabled for incoming connections.
-->
<serverProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Disabled" />
<schannelItem name="TLS 1.1" state="Disabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</serverProtocols>
<!--
  Symmetric ciphers. NULL, DES and every RC2/RC4 variant are Disabled.
  "Triple DES 168" is left Enabled even though every 3DES cipher suite in
  <cipherSuites> below is Disabled, so no 3DES suite can be negotiated through
  that list; the setting is inconsistent with the rest of the template rather
  than harmful to the negotiated result. Disabling it here is worth considering
  but was not tested on this page.
-->
<ciphers>
<schannelItem name="NULL" state="Disabled" />
<schannelItem name="DES 56/56" state="Disabled" />
<schannelItem name="RC2 40/128" state="Disabled" />
<schannelItem name="RC2 56/128" state="Disabled" />
<schannelItem name="RC2 128/128" state="Disabled" />
<schannelItem name="RC4 40/128" state="Disabled" />
<schannelItem name="RC4 56/128" state="Disabled" />
<schannelItem name="RC4 64/128" state="Disabled" />
<schannelItem name="RC4 128/128" state="Disabled" />
<schannelItem name="Triple DES 168" state="Enabled" />
<schannelItem name="AES 128/128" state="Enabled" />
<schannelItem name="AES 256/256" state="Enabled" />
</ciphers>
<!--
  Hash algorithms. MD5 and SHA (SHA-1) remain Enabled alongside the SHA-2 family.
  Whether other Schannel consumers on the host still need MD5/SHA-1 is not
  established by this file; verify before tightening.
-->
<hashes>
<schannelItem name="MD5" state="Enabled" />
<schannelItem name="SHA" state="Enabled" />
<schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" />
</hashes>
<!--
  Key exchange algorithms. ECDH must stay Enabled for the ECDHE_* suites that are
  the only suites Enabled below. Diffie-Hellman and PKCS (RSA key transport) are
  Enabled here even though all TLS_DHE_* and TLS_RSA_* suites are Disabled, so
  they have no effect on the negotiated suite via this template.
-->
<keyExchanges>
<schannelItem name="Diffie-Hellman" state="Enabled" />
<schannelItem name="PKCS" state="Enabled" />
<schannelItem name="ECDH" state="Enabled" />
</keyExchanges>
</schannel>
<!--
  Cipher-suite list. Per the <description>, list order is the priority order and
  ECDHE_ECDSA is placed first so an HTTP/2 client negotiates a suite that is not
  on the HTTP/2 blacklist (RFC 7540 Appendix A). Only ECDHE (forward secrecy)
  suites are Enabled; the static RSA, DHE, DSS, PSK, 3DES, RC4 and NULL suites
  are all Disabled. Note that the *_CBC_SHA256/SHA384 and *_CBC_SHA entries that
  stay Enabled are themselves on that HTTP/2 blacklist; they only come into play
  for clients that cannot agree on one of the GCM suites listed above them.
-->
<cipherSuites>
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_CBC_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA256" state="Disabled" />
</cipherSuites>
</iisCryptoTemplate>