IIS 7.5 Hardening – A rating on SSL Labs

A basic .reg file is all you need.
This was tested on a Server 2008 R2 box with all the latest patches.

This disables all the old protocols (only TLS 1.0, 1.1 and 1.2 stay enabled).
Be careful: this also disables SSL 3.0, which the older standard SMTP on port 587 uses, so you will need to migrate everyone to SMTP over TLS. That can be set to any port you wish, but Exchange likes port 25 for TLS.

It's probably best to do this one step at a time, and reboot after each step to see what you may have broken (backup software, all web pages, SQL Server, SMTP, webmail, etc.).

First you need to configure all your protocols.
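The post's .reg file is not reproduced here, so the following is an added example (not the author's file) that writes the same Schannel protocol keys with PowerShell and reads them back before you reboot. The registry locations and the `Enabled` / `DisabledByDefault` DWORDs are the standard Schannel keys; which protocols to turn off is the post's choice, and the `Client` half is included on the assumption that you want outbound connections treated the same way.

```powershell
# Added example (not from the original post): set the Schannel protocol keys
# with PowerShell instead of a .reg file, then read the result back.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    # 'Server' governs what IIS/SMTP/etc. accept; 'Client' governs outbound
    # connections this box makes (assumption: you want both treated alike).
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off
        # even for callers that do not ask for a specific protocol version.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $(if ($Enabled) { 0 } else { 1 }) -Force | Out-Null
    }
}

# Turn off the legacy protocols and explicitly enable the TLS versions the
# post keeps. On 2008 R2, TLS 1.1 and 1.2 need these keys to be on server-side.
'PCT 1.0', 'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $true }

# Read everything back so you can check the keys before rebooting.
function Get-SchannelProtocolState {
    Get-ChildItem $base | ForEach-Object {
        $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'Server') -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Protocol          = $_.PSChildName
            ServerEnabled     = $srv.Enabled
            DisabledByDefault = $srv.DisabledByDefault
        }
    }
}
Get-SchannelProtocolState | Format-Table Protocol, ServerEnabled, DisabledByDefault -AutoSize
# Schannel reads these keys at boot: reboot, then re-run the SSL Labs test.
```

Run it in an elevated PowerShell on the server. The read-back table is the thing to keep: if a protocol you expected to be off still shows `ServerEnabled` as 1 (or missing), fix it before the reboot, and re-test each service the post lists afterwards.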

SSL Host Headers in IIS 7

Source: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

SSL Host Headers in IIS 7 allow you to use one SSL certificate for multiple IIS websites on the same IP address. Through the IIS Manager interface, IIS only allows you to bind one site on each IP address to port 443 using an SSL certificate. If you try to bind a second site on the IP address to the same certificate, IIS 7 will give you an error when starting the site up stating that there is a port conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address, you will need to set up SSL Host Headers by following the instructions below.

What Type of SSL Certificate Do You Need?

Because you can only use one certificate, that certificate needs to work with all the hostnames of the websites that you use it with (otherwise you will receive a name mismatch error). For example, if each of your IIS 7 websites uses a subdomain of a single common domain name (like in the example below), you can get a Wildcard Certificate for *.mydomain.com and it will secure site1.mydomain.com, site2.mydomain.com, etc.

If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).
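The article goes on to do this with `appcmd`; the block below is an added example (not the sslshopper article's own commands) that does the same with the IIS 7.5 `WebAdministration` module: two sites on one IP share port 443 by host header, and the one wildcard or SAN certificate is attached to the IP:port once. Site names, host names and the certificate thumbprint are placeholders.

```powershell
# Added example (not from the original article): bind two IIS 7.5 sites on
# the same IP to port 443 with different host headers, sharing one certificate.
Import-Module WebAdministration

$ip         = '*'                                     # or a specific address, e.g. 10.0.0.5
$thumbprint = '<THUMBPRINT-OF-YOUR-WILDCARD-OR-SAN-CERT>'  # placeholder
$sites = @{                                           # placeholder site -> host header
    'site1' = 'site1.mydomain.com'
    'site2' = 'site2.mydomain.com'
}

function Add-SharedHttpsBinding {
    param([string]$SiteName, [string]$HostHeader)
    # Without a host header IIS 7 rejects a second binding on the same IP:443
    # with a port conflict; with one, the bindings coexist. This is the
    # WebAdministration form of:
    #   appcmd set site /site.name:site1 /+bindings.[protocol='https',bindingInformation='*:443:site1.mydomain.com']
    $existing = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq "${ip}:443:$HostHeader" }
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress $ip -HostHeader $HostHeader
    }
}

foreach ($name in $sites.Keys) { Add-SharedHttpsBinding -SiteName $name -HostHeader $sites[$name] }

# IIS 7/7.5 has no SNI, so the certificate is attached to the IP:port, not to
# a host name; every host-header binding on that IP:port then uses it.
$sslKey = '0.0.0.0!443'                               # wildcard IP, port 443
if (-not (Test-Path "IIS:\SslBindings\$sslKey")) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    New-Item "IIS:\SslBindings\$sslKey" -Value $cert | Out-Null
}

# Verify: each site shows *:443:<host>, and http.sys lists one cert on 0.0.0.0:443.
Get-WebBinding -Protocol https | Select-Object bindingInformation
netsh http show sslcert ipport=0.0.0.0:443
```

The `netsh http show sslcert` line is the check worth keeping: if it shows a certificate whose name does not cover one of the host headers, browsers visiting that site get the name mismatch error the article warns about, because the server has no way to pick a different certificate per host.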


Configuring SSL Host Headers in IIS 6

Source: http://www.digicert.com/ssl-support/configure-iis-host-headers.htm

Host Headers, Secure Site Bindings, and SSL

Background

For IIS 7, see this page on configuring SSL host headers in IIS 7.

Host headers can be used to host multiple secure websites on one IP address. With this method the same SSL Certificate must be used for every site that is secured. If multiple SSL Certificates are used, the server usually has a problem with providing the correct SSL Certificate when an HTTPS connection is established, causing a certificate name error. However, this means that if you use host headers in combination with certificates that can cover more than one website (wildcard or UC certificates) you can secure multiple sites with SSL on only one IP.

A wildcard certificate will secure any subdomain of the domain that it was issued to. For example, a DigiCert® Wildcard Plus™ Certificate that is issued to *.domain.com will cover something.domain.com, anything.domain.com, and whatever.domain.com. Because the *.domain.com certificate would be valid on any of these domains, the server cannot supply an incorrect SSL Certificate.

Similarly, a single DigiCert Unified Communications Certificate can secure multiple fully-qualified domain names. And, contrary to popular belief, they are not exclusively for use with Microsoft Exchange servers. In fact, UC certificates are compatible with almost all major server types. The difference between UC certificates and wildcard certificates is that while wildcards work on multiple websites because of the * character in the domain name, UC certificates include a Subject Alternative Name (SAN) field that allows the certificate to include multiple names. For example, a UC certificate can be issued to include the names www.domain.com, www.domain2.com, www.domain3.com, and mail.domain3.com. The certificate could then be installed to all four sites. When connecting to any of those sites, a browser will check the name that it is connecting to against the list of SAN names in the certificate. As long as a valid match is found, no error message is displayed.

Follow the instructions below to set up host headers and secure site bindings in IIS 6.
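Before binding every site to the one certificate, it is worth confirming that the certificate's names really cover each host header, which is exactly the check the browser performs in the paragraph above. The block below is an added example (not the DigiCert article's own code) that fetches the certificate a server presents for a host, extracts its SAN entries (falling back to the CN), and applies the single-label wildcard rule; the host names are placeholders, and the `DNS Name=` label assumes an English-locale Windows.

```powershell
# Added example (not from the original article): reproduce the browser's
# name check against the certificate actually served for each host header.
$hostsToCheck = 'www.domain.com', 'www.domain2.com', 'mail.domain3.com', 'other.domain.com'  # placeholders

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17); Format() yields
    # "DNS Name=www.domain.com, DNS Name=..." on an English-locale system.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($false) -split ',\s*' | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $matches[1].Trim().ToLower() }
        }
    }
    # Browsers fall back to the CN only when there are no DNS SANs.
    if ($names.Count -eq 0) {
        $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn.ToLower() }
    }
    return $names
}

function Test-NameMatch {
    param([string]$Hostname, [string[]]$CertNames)
    $h = $Hostname.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.domain.com matches
        # a.domain.com but not a.b.domain.com or domain.com itself.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # ".domain.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-ServedCertificate {
    param([string]$Hostname, [int]$Port = 443)
    # Take whatever certificate the server hands out, without validating it,
    # so the names can be inspected even when they are wrong.
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Hostname)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

foreach ($h in $hostsToCheck) {
    $cert  = Get-ServedCertificate -Hostname $h
    $names = Get-CertificateNames -Cert $cert
    $ok    = Test-NameMatch -Hostname $h -CertNames $names
    '{0,-22} {1,-9} served names: {2}' -f $h, $(if ($ok) { 'OK' } else { 'MISMATCH' }), ($names -join ', ')
}
```

Run it from a machine that resolves each host name to the server you just configured. Any `MISMATCH` line is a site that needs either a different host header or a certificate with that name added to its SAN list; on IIS 6 and 7 there is no per-host certificate selection to fall back on.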
