IIS Crypto - still the way to go?
Posted by dirmhirn@reddit | sysadmin | 28 comments
Hi, is IIS Crypto (https://www.nartac.com/Products/IISCrypto) still the best tool to secure SSL/TLS on Windows Servers?
We used a "self-collected" PowerShell script in the past, but the event log shows a lot of Schannel errors. Reading the web, they get fixed by using this tool.
Or is there an equivalent PowerShell script we can use as a startup script on all servers (except a few legacy servers), just setting TLS to best practice for internal domain use? No external websites.
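The kind of startup script the question asks about, as an added example that is not part of the original post and not IIS Crypto's own code: it writes the Schannel protocol keys directly (SSL 2.0/3.0 and TLS 1.0/1.1 off, TLS 1.2 on, TLS 1.3 on where the OS build supports it) and the two .NET Framework values that make older managed applications follow the OS defaults. The build-number threshold for treating a host as TLS 1.3-capable is an assumption, and the changes take effect only after a reboot, so run it on one test box first.

```powershell
# Added example (not from the post): startup-script style Schannel hardening
# for internal Windows servers. Assumptions are marked; a reboot is required
# before Schannel reads the new values.
#Requires -RunAsAdministrator

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols to switch off for both roles, and the ones to force on.
$Disable = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$Enable  = @('TLS 1.2')

# TLS 1.3 keys only mean something on Server 2022 / Windows 11 and later.
# Assumption: build 20348 (Server 2022) is used as the floor.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ge 20348) {
    $Enable += 'TLS 1.3'
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Name\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1/0 switches the protocol; DisabledByDefault=1/0 controls
        # whether it is offered when a caller does not name a protocol itself.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

foreach ($p in $Disable) { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in $Enable)  { Set-SchannelProtocol -Name $p -Enabled $true }

# .NET Framework apps follow the OS protocol defaults only with these two
# values set; without them an older app can still ask Schannel for TLS 1.0.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Read back what was written so the result lands in the startup log.
Get-ChildItem $SchannelProtocols -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        [pscustomobject]@{
            Protocol          = $_.PSParentPath.Split('\')[-1]
            Role              = $_.PSChildName
            Enabled           = $_.GetValue('Enabled')
            DisabledByDefault = $_.GetValue('DisabledByDefault')
        }
    } | Format-Table -AutoSize
```

The per-role split matters for the "few legacy servers" case: a host can keep TLS 1.0 enabled as a client to talk to an old appliance while refusing it as a server. Protocols are only half of the picture; the cipher suite order is set separately (policy value under Cryptography\Configuration\SSL), which is where most of the Schannel event-log noise tends to come from.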
Low-Branch1423@reddit
Really should be group policy registry settings, which you can get from the IIS Crypto logs.
Had issues with Server 2025 using TLS 1.2 by default, and IIS Crypto found the missing keys, but I'll be damned if I am running that by hand on hundreds of servers.
sryan2k1@reddit
So script it and run the CLI?
Xzenor@reddit
There's a CLI version. You can use the GUI to create a template, spread the template with GPO, and run it with the CLI command on a schedule through Task Scheduler, also deployed through a GPO of course.
XInsomniacX06@reddit
Take a backup of the registry, run the tool, and compare the registry to identify the changes. Pop this into a GPO and you're good to go. There are differences between OS versions, but you can target them using GPP for those specific nuances.
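The before/after registry comparison described in this comment, as an added example that is not from the post and not part of IIS Crypto: run it once in snapshot mode on a test box, apply the IIS Crypto template, then run it in compare mode before rebooting. The list of registry roots it walks is an assumption (the Schannel tree, the cipher suite policy key and the .NET Framework keys); if the tool touches anything outside those, the diff will not show it, which is the gap a Procmon trace would close.

```powershell
# Added example (not from the post): snapshot the TLS-related registry surface
# before and after running IIS Crypto, then diff the two snapshots.
param(
    [ValidateSet('Snapshot', 'Compare')][string]$Mode = 'Snapshot',
    [string]$SnapshotPath = "$env:TEMP\tls-before.xml"
)

# Assumption: these are the roots IIS Crypto writes to. Extend if a Procmon
# trace shows more.
$TlsKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL',
    'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-TlsRegistrySnapshot {
    # Flat hashtable: "<key path>|<value name>" -> value as string.
    # A key itself is recorded as "<key path>|" so newly created empty keys show up.
    $snap = @{}
    foreach ($root in $TlsKeys) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
        foreach ($k in $keys) {
            $path = $k.Name
            $snap["$path|"] = '<key>'
            foreach ($name in $k.GetValueNames()) {
                $v = $k.GetValue($name)
                if ($v -is [array]) { $v = $v -join ',' }   # REG_MULTI_SZ / REG_BINARY
                $snap["$path|$name"] = "$v"
            }
        }
    }
    return $snap
}

function Compare-TlsRegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $all = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $all) {
        $b = $Before[$k]; $a = $After[$k]
        if     ($null -eq $b) { [pscustomobject]@{ Change = 'Added';   Path = $k; Before = $null; After = $a } }
        elseif ($null -eq $a) { [pscustomobject]@{ Change = 'Removed'; Path = $k; Before = $b;    After = $null } }
        elseif ($a -ne $b)    { [pscustomobject]@{ Change = 'Changed'; Path = $k; Before = $b;    After = $a } }
    }
}

switch ($Mode) {
    'Snapshot' {
        Get-TlsRegistrySnapshot | Export-Clixml -Path $SnapshotPath
        "Snapshot written to $SnapshotPath. Now apply the IIS Crypto template, then rerun with -Mode Compare."
    }
    'Compare' {
        $before = Import-Clixml -Path $SnapshotPath
        Compare-TlsRegistrySnapshot -Before $before -After (Get-TlsRegistrySnapshot) |
            Sort-Object Path | Format-Table -AutoSize -Wrap
    }
}
```

Each "Added" or "Changed" row maps directly onto a Group Policy Preferences registry item; the `Path` column already carries the hive and value name, so the GPO can be built from the diff output rather than from the tool's log.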
Low-Branch1423@reddit
The logs give you the keys, and if you run it on each OS it'll adjust on its own. But honestly a good tech should take the time to understand TLS 1.3 and TLS 1.2 supporting OSes in a world moving to sub-50-day certificates.
XInsomniacX06@reddit
For sure, there's a lot more to it than just TLS protocols, and I'm sure the logs are accurate, but I'm more prone to knowing exactly what is being changed. I know diffing the registry before and after the changes the app makes will tell me for sure; it's still a third-party application prone to bugs.
At this point most places should be running 2016 and up, which makes it a lot easier to manage without issues.
But Windows is just one layer; you still have to consider network devices, other OSes like Linux, and applications that use their own suites for TLS.
All it takes is rushing it and being overly confident, and you end up breaking a bunch of apps in prod, and all of a sudden the whole org will make you jump through a thousand hoops with meetings and testing and validation every time you want to deprecate or add a cipher.
I've worked at places where it turned into a year-long fiasco to remove a single deprecated cipher, with crazy long testing and a phased deployment.
Low-Branch1423@reddit
In that case you should recommend Procmon, not a reg backup of a test machine, because you're missing execution and file changes.
Or just read the tech docs that detail the changes required.
The biggest issue is people skipping TLS cipher suite order. Which is what you mean when considering Linux issues, as many Linux distros don't support Suite B crypto. TLS 1.3 fixes most of that, with the exception of ChaCha for Apple.
Any environment that isn't looking at its traffic at the endpoint or server side with regular network captures, be it syslog or NAC related, is just paying technical debt for poor implementation.
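The cipher suite order this comment calls the biggest issue, as an added example that is not from the post: it lists what Schannel currently offers (via the built-in TLS module cmdlets, present on Server 2016 and later), flags suites a practitioner would not want on an internal-only estate, and with `-Apply` writes the remaining suites in a preferred order to the same policy value the "SSL Cipher Suite Order" GPO sets. The weak-suite pattern and the grouping rule are my choices, not the thread's; static-RSA suites are flagged for lacking forward secrecy, which is exactly the kind of change that breaks old clients, so audit first and apply later.

```powershell
# Added example (not from the post): audit Schannel's cipher suite list, flag
# weak suites, and optionally write a preferred order as the policy value.
# Requires the TLS module (Windows Server 2016+ / Windows 10+).
param([switch]$Apply)

# Assumption: treated as weak on an internal estate. Static RSA key exchange
# (no forward secrecy), RC4, 3DES/DES, NULL, MD5, export grade, PSK.
$WeakPattern = '^TLS_RSA_|_RC4_|_3DES_|_DES_|_NULL_|_MD5$|EXPORT|_PSK_'

# Get-TlsCipherSuite returns suites in the order Schannel currently prefers them.
$suites = Get-TlsCipherSuite | ForEach-Object {
    [pscustomobject]@{
        Name = $_.Name
        Weak = [bool]($_.Name -match $WeakPattern)
    }
}
$suites | Format-Table -AutoSize

$keep = $suites | Where-Object { -not $_.Weak } | Select-Object -ExpandProperty Name

# Preferred order: TLS 1.3 suites first, then ECDHE with AES-GCM, then the rest,
# keeping the OS order inside each group.
$isTls13 = { $_ -like 'TLS_AES_*' -or $_ -like 'TLS_CHACHA20_*' }
$isEcdheGcm = { $_ -like 'TLS_ECDHE_*GCM*' }
$ordered = @($keep | Where-Object $isTls13) +
           @($keep | Where-Object $isEcdheGcm) +
           @($keep | Where-Object { -not (& $isTls13) -and -not (& $isEcdheGcm) })

$list = $ordered -join ','
"Preferred order ($($ordered.Count) suites, $($list.Length) characters):"
$ordered

if ($Apply) {
    # Same REG_SZ value the "SSL Cipher Suite Order" GPO writes. Policy wins
    # over the per-machine list that Enable-/Disable-TlsCipherSuite edit, and
    # the value is limited to 1023 characters, hence the length check.
    if ($list.Length -gt 1023) { throw "Cipher suite list ($($list.Length) chars) exceeds the 1023-character policy limit" }
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'Functions' -PropertyType String -Value $list -Force | Out-Null
    "Written to $policyKey\Functions; a reboot is needed before Schannel picks it up."
}
```

If the order is managed by a real GPO, this local value gets overwritten at the next policy refresh, so treat the `-Apply` path as the thing you test on one box before lifting the same string into the GPO.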
dirmhirn@reddit (OP)
I admit, due to a lot of other topics, just running a tool sounded nice. But I will have a look at the log files. Thanks.
Low-Branch1423@reddit
Group Policy, Intune, or a PowerShell package won't take long once you know your details.
Then if you have issues, use Wireshark to capture a bad connection and review the TLS Client Hello and cipher suites vs. your new config.
Win 11 and Server 2022+: TLS 1.3. Win 10 and older servers: TLS 1.2.
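The connection check suggested above, done from PowerShell before reaching for Wireshark, as an added example that is not from the post: it opens a TLS session to an internal service once per protocol version and reports which versions the far end accepts and which cipher it negotiated. The host name and port are assumptions (an LDAPS endpoint is used because every domain has one). Because .NET Framework's SslStream goes through Schannel, the client box must itself still have the version enabled on the Client side to be able to offer it, so run this from a machine that has not yet been hardened.

```powershell
# Added example (not from the post): probe a server for each TLS version and
# report accept/reject plus the negotiated cipher. Host/port are assumptions.
param(
    [string]$ComputerName = 'dc01.corp.example',   # assumed internal host
    [int]$Port = 636                               # LDAPS; any TLS service works
)

# Integer enum values avoid a hard reference to SslProtocols.Tls13, which
# .NET Framework builds older than 4.8 do not define. Labels are for output.
$Protocols = [ordered]@{
    'TLS 1.0' = 192
    'TLS 1.1' = 768
    'TLS 1.2' = 3072
    'TLS 1.3' = 12288
}

function Test-TlsVersion {
    param([string]$Target, [int]$TargetPort, [string]$Label, [int]$ProtocolValue)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $TargetPort)
        # Certificate trust is deliberately not evaluated: the question here is
        # "does the server negotiate this version", not "is its cert valid".
        $trustAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAny)
        $proto = [System.Security.Authentication.SslProtocols]$ProtocolValue
        $ssl.AuthenticateAsClient($Target, $null, $proto, $false)
        $result = [pscustomobject]@{
            Version    = $Label
            Result     = 'accepted'
            Negotiated = $ssl.SslProtocol
            Detail     = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength) / kex $($ssl.KeyExchangeAlgorithm) / mac $($ssl.HashAlgorithm)"
        }
        $ssl.Dispose()
        $result
    } catch {
        # A server refusal (handshake_failure / protocol_version alert) and a
        # client-side "not supported" (TLS 1.3 requested on an OS that cannot
        # offer it) both land here; the exception text tells them apart.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject]@{
            Version    = $Label
            Result     = 'rejected'
            Negotiated = $null
            Detail     = $msg
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($entry in $Protocols.GetEnumerator()) {
    Test-TlsVersion -Target $ComputerName -TargetPort $Port -Label $entry.Key -ProtocolValue $entry.Value
}
$results | Format-Table -AutoSize -Wrap
```

A server that accepts TLS 1.0 after the GPO has been applied and the box rebooted is the signal to open Wireshark: either the policy did not land (check the Server-side keys, not just Client) or the listening application is not using Schannel at all, which is the "applications that use their own suites for TLS" case from earlier in the thread.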
dirmhirn@reddit (OP)
Wasn't aware of the accurate log IIS Crypto shows. Just created a GPO and will test. Thanks.
XInsomniacX06@reddit
It's all registry changes via IIS Crypto, but sure, there's more than one way to capture changes to an OS.
And you'd be surprised at how many bad implementations are out there for managing TLS or having any insight into whether the applications or non-Windows servers are utilizing other ciphers. I've seen places just enable TLS auditing on DCs, and if nothing weak is found they just roll it out to all Windows servers, then wonder why their CI/CD pipelines and, well, many other random things stop working. Which is crazy business.
Evil-Bosse@reddit
Never heard of the tool, was it ever the way to go? Or is this an ad campaign that says it was the way to go and therefore might still be the way to go?
fnordhole@reddit
It's a useful freeware GUI tool for confusing registry configurations.
BlackV@reddit
It's very very very old (and free) so if this is an ad campaign they're late to the party
plump-lamp@reddit
No it's one of the top free tools ever for a system/sec admin for hardening systems
iammiscreant@reddit
it’s been around for years, and was absolutely the go-to. Coincidentally I used it today :)
dirmhirn@reddit (OP)
No ad. At least when we got our first vulnerability scanner 4 years ago, it was often mentioned. In the last year the topic was a little bit forgotten, but it's coming up again, so I'm trying to renew our TLS configuration setup.
Unfair-Plastic-4290@reddit
There's not much better out there unless you want to spend hours fucking around in the registry by hand. Make sure you take a backup before you do use it, though.
fnordhole@reddit
Been ignoring most schannel errors for decades.
Frothyleet@reddit
All IIS Crypto does is provide a UI for setting the registry keys that Windows uses to determine supported encryption methods. You can achieve the same thing with regedit, powershell, cmd, or group policy.
All that is to say, it may or may not solve your actual underlying problem.
BlackV@reddit
It's an old tool, but PowerShell exists and RMM systems exist and GPO exists, and more built-in stuff to fix this. I've not needed it in many years.
poizone68@reddit
Ideally it should be done by group policy. However, I've used this tool many times to troubleshoot and verify that settings either were or were not applied correctly. In that sense, it's always in my backpocket :)
plump-lamp@reddit
When not all systems can disable certain TLS versions, we went this way. Didn't want to make onesie-twosie exceptions in GPO to manage, so it saved our butts and time.
poizone68@reddit
Fully understandable. The strength and weakness of AD and GPOs is the hierarchy it imposes.
skydiveguy@reddit
I've used this at my last 3 jobs and it's been a huge time saver.
Latter-Ad7199@reddit
Yup. Use it extensively
Outside-After@reddit
Yes, it's still a really good start.
Signal_Till_933@reddit
That’s what I would use fo sho