Last active
August 17, 2018 07:50
IIS Crypto template file: best-practice settings, with the newest ciphers that Qualys SSL Labs rates as weak removed.
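<?xml version="1.0" encoding="utf-16"?>
<!--
  IIS Crypto template: Schannel protocol, cipher, hash and key-exchange switches
  plus a cipher-suite list. Going by its name it targets servers older than
  Windows Server 2016. Every state value below is unchanged from the published
  template; the comments only describe and review what the file sets.
  NOTE(review): the declaration says utf-16. If this text is copied from a web
  page and saved as UTF-8, a strict XML parser may reject it; keep the bytes on
  disk and the declared encoding in agreement.
-->
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   version="0">
  <header>
    <name>BestPracticePlus_Pre2016Server</name>
    <author>Jim Wolff</author>
    <lastUpdated>2018-03-12T12:45:51.3047731Z</lastUpdated>
    <description>Follows best practise, but also removed weak ciphers that might still be enabled.</description>
    <builtIn>false</builtIn>
  </header>
  <!-- NOTE(review): setClientProtocols="true" presumably makes the tool apply the
       clientProtocols list as well as serverProtocols; confirm against the
       IIS Crypto documentation. -->
  <schannel setClientProtocols="true">
    <!-- Outbound (client) side. The pre-TLS protocols are all Disabled.
         TLS 1.0 and TLS 1.1 are left Enabled; both have since been formally
         deprecated (RFC 8996). Set them to Disabled once every peer this host
         talks to is confirmed to support TLS 1.2.
         NOTE(review): minimumOSVersion presumably limits an item to that
         Windows release or newer; verify before relying on it. -->
    <clientProtocols>
      <schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
      <schannelItem name="PCT 1.0" state="Disabled" />
      <schannelItem name="SSL 2.0" state="Disabled" />
      <schannelItem name="SSL 3.0" state="Disabled" />
      <schannelItem name="TLS 1.0" state="Enabled" />
      <schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
      <schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
    </clientProtocols>
    <!-- Inbound (server) side, same states as the client list. With TLS 1.0
         Enabled here, a scanner will still report legacy protocol support even
         though the cipher-suite list below has been trimmed. -->
    <serverProtocols>
      <schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
      <schannelItem name="PCT 1.0" state="Disabled" />
      <schannelItem name="SSL 2.0" state="Disabled" />
      <schannelItem name="SSL 3.0" state="Disabled" />
      <schannelItem name="TLS 1.0" state="Enabled" />
      <schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
      <schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
    </serverProtocols>
    <!-- Bulk ciphers. NULL, DES, RC2 and RC4 are Disabled.
         Triple DES 168 stays Enabled at this level although both 3DES suites in
         the cipherSuites list are Disabled. 3DES has a 64-bit block size (the
         Sweet32 class of birthday attacks), so consider Disabled here as well
         unless another Schannel consumer on the host is known to need it. -->
    <ciphers>
      <schannelItem name="NULL" state="Disabled" />
      <schannelItem name="DES 56/56" state="Disabled" />
      <schannelItem name="RC2 40/128" state="Disabled" />
      <schannelItem name="RC2 56/128" state="Disabled" />
      <schannelItem name="RC2 128/128" state="Disabled" />
      <schannelItem name="RC4 40/128" state="Disabled" />
      <schannelItem name="RC4 56/128" state="Disabled" />
      <schannelItem name="RC4 64/128" state="Disabled" />
      <schannelItem name="RC4 128/128" state="Disabled" />
      <schannelItem name="Triple DES 168" state="Enabled" />
      <schannelItem name="AES 128/128" state="Enabled" />
      <schannelItem name="AES 256/256" state="Enabled" />
    </ciphers>
    <!-- Hashes. "SHA" is SHA-1 and is used by the *_CBC_SHA suites that are
         Enabled below. MD5 is Enabled although every MD5 suite in the
         cipherSuites list is Disabled; test on a non-production host before
         disabling it, since other components may depend on the hash. -->
    <hashes>
      <schannelItem name="MD5" state="Enabled" />
      <schannelItem name="SHA" state="Enabled" />
      <schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" />
      <schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" />
      <schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" />
    </hashes>
    <!-- Key exchange. PKCS is the RSA key exchange used by the TLS_RSA_* suites,
         which provide no forward secrecy. Diffie-Hellman is Enabled here while
         every TLS_DHE_* suite in the cipherSuites list is Disabled. -->
    <keyExchanges>
      <schannelItem name="Diffie-Hellman" state="Enabled" />
      <schannelItem name="PKCS" state="Enabled" />
      <schannelItem name="ECDH" state="Enabled" />
    </keyExchanges>
  </schannel>
  <!-- Cipher suites. The _P256/_P384/_P521 suffix names the elliptic curve.
       NOTE(review): the list order presumably becomes the negotiation
       preference; if so, the CBC suites for RSA certificates are preferred
       ahead of every GCM suite. Confirm how the tool writes the order. -->
  <cipherSuites>
    <!-- ECDHE with an RSA certificate: forward secrecy, CBC mode only. -->
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" state="Enabled" />
    <!-- ECDHE with an ECDSA certificate: GCM first, then CBC. These only take
         effect when the server presents an ECDSA certificate. -->
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384" state="Enabled" />
    <cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" state="Enabled" />
    <!-- Static RSA key exchange with GCM: the only AEAD suites left for an RSA
         certificate in this template, and they carry no forward secrecy. -->
    <cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
    <!-- Everything below is Disabled: static RSA with CBC, all DHE suites,
         3DES, RC4, NULL and the SSL 2.0 (SSL_CK_*) suites.
         NOTE(review): the template does not say why the DHE_RSA GCM suites are
         off. They are the ones to revisit if forward secrecy with GCM is wanted
         for an RSA certificate, after checking the DHE key size the server uses. -->
    <cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
    <cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
    <cipherSuiteItem name="SSL_CK_RC4_128_WITH_MD5" state="Disabled" />
    <cipherSuiteItem name="SSL_CK_DES_192_EDE3_CBC_WITH_MD5" state="Disabled" />
  </cipherSuites>
</iisCryptoTemplate>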