Last updated: 2026-02-11
IIS TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Microsoft Internet Information Services (IIS). Windows Server uses the Schannel security provider for TLS, so these settings are configured through the Windows registry and Group Policy rather than directly in IIS configuration files.
Prerequisites
- Windows Server 2016 or later (2022+ recommended for TLS 1.3)
- IIS 10 or later
- Administrator access
- A valid SSL/TLS certificate installed in the server's certificate store
Disable Legacy Protocols
Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 through the Windows registry. Run the following PowerShell commands as Administrator:
Disable SSL 2.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'
Disable SSL 3.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'
Disable TLS 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'
Disable TLS 1.1
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'
Enable TLS 1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'
Enable TLS 1.3
TLS 1.3 is supported on Windows Server 2022 and later:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'
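The registry commands above set only the Server subkeys, which govern inbound connections to IIS; the Client subkeys under the same path control outbound TLS from the server itself. As an added example (not part of the original guide), the following helper makes the same change idempotently for both roles (the original New-ItemProperty calls fail if the value already exists) and audits the resulting state. The function names, parameters and the $SchannelProtocolsPath variable are this example's own choices.

```powershell
# Added example, not from the original guide: idempotent Schannel protocol
# switch plus an audit of the effective registry state for both roles.

$SchannelProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled,
        # Server = inbound (IIS); Client = outbound TLS initiated by this host
        [string[]]$Role = @('Server', 'Client')
    )
    foreach ($r in $Role) {
        $key = Join-Path $SchannelProtocolsPath "$Protocol\$r"
        # New-Item -Force creates the key (and its parents) or returns it if present
        New-Item -Path $key -Force | Out-Null
        # -Force on New-ItemProperty overwrites an existing value instead of failing
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocolsPath "$protocol\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key or value means Windows applies its built-in default for this OS version
            $enabled = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
            $disabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            $state = if ($enabled -eq 'default') { 'OS default' }
                     elseif ($enabled -eq 0)     { 'Disabled' }
                     else                        { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Usage: disable the legacy protocols for both roles, then review the result
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $legacy -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Get-SchannelProtocolState | Format-Table Protocol, Role, State, Enabled, DisabledByDefault
```

Schannel reads these keys at boot, so the audit reflects what the next restart will apply, not the currently running configuration. Disabling TLS 1.0 and 1.1 on the Client side also affects connections the server makes to other systems (database links, proxies, SMTP relays), so check those dependencies before applying it with the default two-role setting.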
Cipher Suite Configuration
On Windows Server 2016 and later, use the Enable-TlsCipherSuite and Disable-TlsCipherSuite PowerShell cmdlets to manage cipher suites.
Recommended Cipher Suites
Enable only strong AEAD cipher suites with ECDHE key exchange:
# Disable all existing cipher suites
Get-TlsCipherSuite | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
# Enable recommended cipher suites in preferred order
Enable-TlsCipherSuite -Name 'TLS_AES_256_GCM_SHA384' -Position 0
Enable-TlsCipherSuite -Name 'TLS_AES_128_GCM_SHA256' -Position 1
Enable-TlsCipherSuite -Name 'TLS_CHACHA20_POLY1305_SHA256' -Position 2
Enable-TlsCipherSuite -Name 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' -Position 3
Enable-TlsCipherSuite -Name 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' -Position 4
Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -Position 5
Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -Position 6
The first three entries are TLS 1.3 cipher suites (available on Windows Server 2022+). The remaining entries are TLS 1.2 cipher suites. Windows Schannel does not support ChaCha20-Poly1305 for TLS 1.2; it is only available as a TLS 1.3 suite.
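As an added example (not part of the original guide), the following audit compares what Schannel currently advertises with the allow-list above and reports why any extra suite falls short of it (non-AEAD construction, static key exchange, or a deprecated algorithm). It also checks for the "SSL Cipher Suite Order" Group Policy value, which takes precedence over the Enable-TlsCipherSuite and Disable-TlsCipherSuite cmdlets when set. Function names and the $RecommendedCipherSuites variable are this example's own.

```powershell
# Added example, not from the original guide: cipher suite audit against the
# recommended allow-list, with a check for a Group Policy override.

$RecommendedCipherSuites = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Test-CipherSuiteName {
    param([Parameter(Mandatory)][string]$Name)
    $issues = @()
    if ($Name -match 'NULL|RC4|3DES|DES_|MD5|EXPORT') {
        $issues += 'broken or deprecated algorithm'
    }
    if ($Name -notmatch 'GCM|CHACHA20|CCM') {
        $issues += 'not AEAD (CBC/HMAC construction)'
    }
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key exchange;
    # a TLS 1.2 suite needs ECDHE or DHE in its name to provide forward secrecy
    if ($Name -notmatch '^TLS_(AES|CHACHA20)_' -and $Name -notmatch '_ECDHE_|_DHE_') {
        $issues += 'no forward secrecy (static key exchange)'
    }
    [pscustomobject]@{
        Name        = $Name
        Recommended = ($Name -in $RecommendedCipherSuites)
        Issues      = $issues
    }
}

function Get-CipherSuiteAudit {
    # The "SSL Cipher Suite Order" policy writes its list to this Functions value
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        Write-Warning 'Cipher suite order is enforced by Group Policy; per-suite cmdlet changes will not take effect.'
    }
    Get-TlsCipherSuite | ForEach-Object { Test-CipherSuiteName -Name $_.Name }
}

# Usage: list every active suite that is outside the allow-list or has a weakness
Get-CipherSuiteAudit |
    Where-Object { -not $_.Recommended -or $_.Issues.Count -gt 0 } |
    Format-Table Name, Recommended, @{ n = 'Issues'; e = { $_.Issues -join '; ' } }
```

An empty result means only the recommended suites are active. A suite that passes the name checks but is not in the allow-list (for example a DHE suite) is still reported so the deviation is visible rather than silently accepted.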
HTTP Strict Transport Security (HSTS)
Using web.config
Add the HSTS header in your site's web.config:
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security"
             value="max-age=63072000; includeSubDomains; preload" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Using IIS Native HSTS (IIS 10 version 1709+)
On newer versions of IIS, HSTS can be configured natively:
Import-Module IISAdministration
$siteName = "Default Web Site"
$manager = Get-IISServerManager
$site = $manager.Sites[$siteName]
# The hsts settings live in a child element of the site element; the Site object
# has no strongly-typed HSTS property, so access the element and its attributes by name
$hsts = $site.GetChildElement("hsts")
$hsts["enabled"] = $true
$hsts["max-age"] = 63072000
$hsts["includeSubDomains"] = $true
$hsts["preload"] = $true
$hsts["redirectHttpToHttps"] = $true
$manager.CommitChanges()
HTTPS Redirect
Force HTTP to HTTPS redirection using the URL Rewrite module in web.config:
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTPS Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Using IIS Crypto (Recommended Tool)
For a simpler approach, Nartac Software's IIS Crypto is a free tool that provides a GUI for configuring Schannel protocols, cipher suites, hashes, and key exchanges. Select the "Best Practices" template for a recommended configuration, or customize settings manually.
Verification
After making registry changes, restart the server for them to take effect:
Restart-Computer
Verify the active cipher suites:
Get-TlsCipherSuite | Format-Table Name, Protocols
Test your configuration externally using Qualys SSL Labs at https://www.ssllabs.com/ssltest/.
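SSL Labs covers the protocol and cipher suite side; the HSTS and HTTPS redirect sections above are easier to check from the server itself. As an added example (not part of the original guide), the following script requests the site over plain HTTP with automatic redirects turned off, confirms a permanent redirect to the https:// origin, then fetches the HTTPS response and parses its Strict-Transport-Security header. The function names are this example's own and www.example.com is a placeholder host. One caveat this check surfaces: the web.config customHeaders approach also emits the header on plain HTTP responses, which browsers ignore, whereas the native IIS setting only sends it over HTTPS.

```powershell
# Added example, not from the original guide: verify the HTTP->HTTPS redirect and
# the HSTS policy a site actually serves.
Add-Type -AssemblyName System.Net.Http

function Invoke-RawRequest {
    # One request with redirects disabled, so the 301 itself is observable
    param([Parameter(Mandatory)][string]$Uri)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false
    $client = [System.Net.Http.HttpClient]::new($handler)
    try {
        $response = $client.GetAsync($Uri).GetAwaiter().GetResult()
        $location = if ($response.Headers.Location) { $response.Headers.Location.ToString() } else { $null }
        $values = $null
        $hsts = if ($response.Headers.TryGetValues('Strict-Transport-Security', [ref]$values)) {
            $values | Select-Object -First 1
        } else { $null }
        [pscustomobject]@{ StatusCode = [int]$response.StatusCode; Location = $location; Hsts = $hsts }
    } finally {
        $client.Dispose()
    }
}

function Get-HstsPolicy {
    # Parse "max-age=N; includeSubDomains; preload" into a typed object
    param([Parameter(Mandatory)][string]$HeaderValue)
    $policy = [ordered]@{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false }
    foreach ($directive in ($HeaderValue -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age=(\d+)$')      { $policy.MaxAge = [int64]$Matches[1] }
        elseif ($d -ieq 'includeSubDomains') { $policy.IncludeSubDomains = $true }
        elseif ($d -ieq 'preload')           { $policy.Preload = $true }
    }
    [pscustomobject]$policy
}

function Test-SiteTransportSecurity {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int64]$MinMaxAge = 31536000   # one year, the usual minimum for preload submission
    )
    $notes = @()

    # 1. Plain HTTP must answer with a permanent redirect to the same host over HTTPS
    $http = Invoke-RawRequest -Uri "http://$HostName/"
    $redirectOk = ($http.StatusCode -in 301, 308) -and ($http.Location -like "https://$HostName/*")
    if (-not $redirectOk) {
        $notes += "HTTP returned $($http.StatusCode) with Location '$($http.Location)'"
    }

    # 2. The HTTPS response must carry an HSTS policy with a long enough max-age
    $https = Invoke-RawRequest -Uri "https://$HostName/"
    $hstsOk = $false
    if (-not $https.Hsts) {
        $notes += 'No Strict-Transport-Security header on the HTTPS response'
    } else {
        $policy = Get-HstsPolicy -HeaderValue $https.Hsts
        $hstsOk = ($null -ne $policy.MaxAge) -and ($policy.MaxAge -ge $MinMaxAge)
        if (-not $hstsOk)                    { $notes += "max-age is '$($policy.MaxAge)', below $MinMaxAge" }
        if (-not $policy.IncludeSubDomains) { $notes += 'includeSubDomains not set' }
    }

    [pscustomobject]@{ Host = $HostName; RedirectOk = $redirectOk; HstsOk = $hstsOk; Notes = $notes }
}

# Usage (placeholder host): both flags should be $true and Notes empty
Test-SiteTransportSecurity -HostName 'www.example.com' | Format-List
```

The HTTPS request validates the certificate normally, so a lab server with an untrusted certificate fails at that step rather than reporting a false pass; fix the certificate before reading the HSTS result. Run it against each host header the site answers on, since the redirect rule above builds its target from {HTTP_HOST}.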