Last updated: 2026-06-25

IIS TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Microsoft Internet Information Services (IIS). Windows Server uses the Schannel security provider for TLS, so these settings are configured through the Windows registry and Group Policy rather than IIS configuration files directly.

Prerequisites

  • Windows Server 2016 or later (2022 or 2025 recommended for TLS 1.3)
  • IIS 10 or later
  • Administrator access
  • A valid SSL/TLS certificate installed in the server's certificate store

Disable Legacy Protocols

Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 by setting their Schannel registry keys. Run the following PowerShell commands from an elevated (Administrator) session. New-ItemProperty fails if the value already exists, so add -Force to re-run a block on a server that has already been configured; the changes take effect only after a reboot (see Verification).

Disable SSL 2.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'

Disable SSL 3.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'

Disable TLS 1.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'

Disable TLS 1.1

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord'

Enable TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'

Enable TLS 1.3

TLS 1.3 is supported on Windows Server 2022 and later:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord'
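The six blocks above can be applied and read back with one script. The following is an added example, not part of the original guide: it writes the same Enabled/DisabledByDefault values, additionally covers the Client sub-keys so that outbound TLS from the server (for example IIS calling a back-end API) follows the same policy, which the guide above does not cover, and then reports the effective state of every key. The function names Set-SchannelProtocol and Get-SchannelProtocolState are this example's own.

```powershell
# Added example, not from the original guide. Run from an elevated session.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: $true = enabled, $false = disabled.
$policy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
    'TLS 1.3' = $true   # only honoured on Windows Server 2022 and later
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path $base "$Protocol\$s"
        New-Item -Path $key -Force | Out-Null
        # Schannel semantics: Enabled=0 turns the protocol off outright;
        # DisabledByDefault=1 keeps it off unless an application opts in.
        # -Force lets the script be re-run without "property already exists" errors.
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key means Schannel uses the
    # OS default for that Windows version; that is reported, not guessed.
    foreach ($p in $policy.Keys) {
        foreach ($s in 'Server', 'Client') {
            $props = Get-ItemProperty -Path (Join-Path $base "$p\$s") -ErrorAction SilentlyContinue
            $configured = ($null -ne $props) -and ($null -ne $props.Enabled)
            $enabledShown = '(OS default)'
            $dbdShown     = '(OS default)'
            if ($configured) {
                $enabledShown = $props.Enabled
                $dbdShown     = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = $enabledShown
                DisabledByDefault = $dbdShown
                Compliant         = $configured -and (([bool]$props.Enabled) -eq $policy[$p])
            }
        }
    }
}

foreach ($p in $policy.Keys) { Set-SchannelProtocol -Protocol $p -Enabled $policy[$p] }
Get-SchannelProtocolState | Format-Table -AutoSize
# Reboot afterwards: Schannel reads these keys when the system starts.
```

The Compliant column is $false for any protocol that is left at the OS default, which is deliberate: a default that happens to match today's policy may change with a future Windows release, so the audit treats only an explicit value as compliant.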

Cipher Suite Configuration

On Windows Server 2016 and later, use the Enable-TlsCipherSuite and Disable-TlsCipherSuite PowerShell cmdlets to manage cipher suites.

Enable only strong AEAD cipher suites with ECDHE key exchange:

# Disable all existing cipher suites
Get-TlsCipherSuite | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }

# Enable recommended cipher suites in preferred order
Enable-TlsCipherSuite -Name 'TLS_AES_256_GCM_SHA384' -Position 0
Enable-TlsCipherSuite -Name 'TLS_AES_128_GCM_SHA256' -Position 1
Enable-TlsCipherSuite -Name 'TLS_CHACHA20_POLY1305_SHA256' -Position 2
Enable-TlsCipherSuite -Name 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' -Position 3
Enable-TlsCipherSuite -Name 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' -Position 4
Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -Position 5
Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -Position 6

The first three entries are TLS 1.3 cipher suites (available on Windows Server 2022+). The remaining entries are TLS 1.2 cipher suites. Windows Schannel does not support ChaCha20-Poly1305 for TLS 1.2; it is only available as a TLS 1.3 suite.
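To confirm the result, and to catch suites that a later update or another administrator re-enables, the following added audit script (not part of the original guide) compares the output of Get-TlsCipherSuite with the allowlist above and names the weakness class of every suite that should not be enabled, using the categories listed under Security Notes. The function name Test-TlsCipherSuitePolicy is this example's own.

```powershell
# Added example, not from the original guide.
$allowed = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Test-TlsCipherSuitePolicy {
    # Returns one row per enabled suite with the reason it fails, if any.
    foreach ($suite in Get-TlsCipherSuite) {
        $name = $suite.Name
        # First matching pattern wins; the order puts the key-exchange problems
        # before the cipher-mode problems so the reported reason is the more serious one.
        $reason = switch -Regex ($name) {
            '_RC4_'          { 'RC4 stream cipher'; break }
            '_3DES_|_DES_'   { '3DES/DES 64-bit block cipher (Sweet32)'; break }
            '_NULL_|_EXPORT' { 'NULL or export-grade cipher (FREAK)'; break }
            '^TLS_DHE_'      { 'finite-field DHE key exchange (Logjam)'; break }
            '^TLS_RSA_'      { 'static RSA key exchange (ROBOT, no forward secrecy)'; break }
            '_CBC_'          { 'CBC mode rather than AEAD (BEAST-class)'; break }
            default          { if ($allowed -contains $name) { $null } else { 'not on the allowlist' } }
        }
        [pscustomobject]@{
            Name      = $name
            Protocols = ($suite.Protocols -join ',')
            Compliant = [string]::IsNullOrEmpty($reason)
            Reason    = $reason
        }
    }
}

$report = Test-TlsCipherSuitePolicy
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) enabled cipher suite(s) violate the policy"
    exit 1
}
```

The non-zero exit code makes the script usable as a scheduled compliance check; anything that is enabled but not on the allowlist, including PSK suites that Windows ships enabled, is reported even when it does not match one of the named weakness patterns.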

HTTP Strict Transport Security (HSTS)

Using web.config

Add the HSTS header in your site's web.config:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security"
             value="max-age=63072000; includeSubDomains; preload" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Using IIS Native HSTS (IIS 10 version 1709+)

On newer versions of IIS, HSTS can be configured natively:

Import-Module IISAdministration
$siteName = "Default Web Site"

$manager = Get-IISServerManager
$site = $manager.Sites[$siteName]
$site.HSTS.Enabled = $true
$site.HSTS.MaxAge = 63072000
$site.HSTS.IncludeSubDomains = $true
$site.HSTS.Preload = $true
$site.HSTS.RedirectHttpToHttps = $true
$manager.CommitChanges()

HTTPS Redirect

Force HTTP to HTTPS redirection using the URL Rewrite module in web.config:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTPS Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
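Both the HSTS settings and the redirect rule above are only effective if clients actually see them, so they are worth checking from the outside. The following is an added example, not part of the original guide: it fetches the site over plain HTTP with redirects disabled, confirms the reply is a permanent redirect to the same host over HTTPS, and then reads the Strict-Transport-Security header from the HTTPS response (browsers ignore the header on plain HTTP, so that is the response that matters). The host name is a placeholder and the function name Test-HttpsRedirectAndHsts is this example's own.

```powershell
# Added example, not from the original guide. Replace the host name with your own.
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1; harmless on PowerShell 7
$hostName = 'www.example.com'            # placeholder

function Test-HttpsRedirectAndHsts {
    param([Parameter(Mandatory)][string]$HostName)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false   # inspect the redirect itself instead of following it
    $client = [System.Net.Http.HttpClient]::new($handler)
    try {
        $http  = $client.GetAsync("http://$HostName/").GetAwaiter().GetResult()
        $https = $client.GetAsync("https://$HostName/").GetAwaiter().GetResult()
        $location = $http.Headers.Location
        $hsts = $null
        if ($https.Headers.Contains('Strict-Transport-Security')) {
            $hsts = ($https.Headers.GetValues('Strict-Transport-Security') -join ', ')
        }
        $maxAge = 0
        if ($hsts -match 'max-age=(\d+)') { $maxAge = [int64]$Matches[1] }
        [pscustomobject]@{
            HttpStatus       = [int]$http.StatusCode
            Permanent        = @(301, 308) -contains [int]$http.StatusCode
            RedirectsToHttps = ($null -ne $location) -and ($location.Scheme -eq 'https') -and ($location.Host -eq $HostName)
            HstsHeader       = $hsts
            HstsMaxAge       = $maxAge
            # One year is the minimum the preload list accepts; the guide uses two.
            HstsOk           = ($maxAge -ge 31536000) -and ($hsts -match 'includeSubDomains')
        }
    } finally {
        $client.Dispose()
    }
}

Test-HttpsRedirectAndHsts -HostName $hostName | Format-List
```

If RedirectsToHttps is $false while HttpStatus is 200, the site is serving content over plain HTTP and the rewrite rule is not active (the URL Rewrite module may be missing or the web.config may be overridden at a lower level).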

Mutual TLS (mTLS)

Standard TLS authenticates only the server. Mutual TLS adds client authentication, requiring the connecting client to also present a certificate. This is an optional hardening step, not required for standard web deployments. It is most useful for internal APIs and admin interfaces where you control all connecting clients.

Install the Client CA Certificate

Import the CA certificate that signed the client certificates into the server's Trusted Root Certification Authorities store:

Import-Certificate -FilePath "C:\ssl\client-ca.crt" `
    -CertStoreLocation "Cert:\LocalMachine\Root"

Require Client Certificates in IIS

Configure the SSL settings for a site to require client certificates using PowerShell:

Import-Module WebAdministration
Set-WebConfigurationProperty `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' `
    -PSPath 'IIS:\Sites\Default Web Site' `
    -Value 'Ssl, SslNegotiateCert, SslRequireCert'

Or in web.config:

<configuration>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</configuration>

  • Ssl - Require HTTPS for the site; the two flags below only apply on an HTTPS connection.
  • SslNegotiateCert - Request a client certificate during the TLS handshake.
  • SslRequireCert - Reject connections that do not present a client certificate.

To require client certificates on a specific path only, wrap the <security> block in a <location path="api"> element targeting that path.

The client certificate is available to ASP.NET applications via HttpRequest.ClientCertificate, and to IIS modules via the X-ARR-ClientCert request header when Application Request Routing is in use.

See RFC 8446 §4.3.2 for the TLS CertificateRequest message, and Wikipedia: Mutual authentication for a general overview.
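Once SslRequireCert is set, the enforcement should be tested from a client in both directions: a request without a certificate must be refused and a request with a valid one must succeed. The following is an added example, not part of the original guide. It relies on IIS completing the TLS handshake and rejecting at the HTTP layer, so a missing certificate shows up as an HTTP 403 (IIS logs the 403.7 substatus) rather than as a handshake failure. The URL, the thumbprint and the function name Test-MutualTls are placeholders of this example.

```powershell
# Added example, not from the original guide. The URL and thumbprint are placeholders.
$url        = 'https://api.internal.example/health'          # a path under the mTLS-protected site
$thumbprint = '0000000000000000000000000000000000000000'      # client cert in Cert:\CurrentUser\My

function Test-MutualTls {
    param(
        [Parameter(Mandatory)][string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Certificate) { $params['Certificate'] = $Certificate }
    try {
        return [int](Invoke-WebRequest @params).StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the status is still on the response.
        # Works for both Windows PowerShell 5.1 (WebException) and PowerShell 7.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no HTTP response at all: DNS, connection or TLS-level failure
    }
}

$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'The client certificate needs a private key to sign the CertificateVerify message'
}

$without = Test-MutualTls -Url $url
$with    = Test-MutualTls -Url $url -Certificate $cert

[pscustomobject]@{
    WithoutCertificate = $without
    WithCertificate    = $with
    Enforced           = ($without -eq 403) -and ($with -eq 200)
} | Format-List
```

A 403 for both calls usually means the client certificate does not chain to a CA in the server's Trusted Root store (see Install the Client CA Certificate above); a 200 for both means SslRequireCert is not in effect for that path.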

For a simpler way to apply the Schannel protocol and cipher suite settings described earlier, Nartac Software's IIS Crypto is a free tool that provides a GUI for configuring Schannel protocols, cipher suites, hashes, and key exchanges. Select the "Best Practices" template for a recommended configuration, or customize settings manually.

Security Notes

IIS uses Windows Schannel as its TLS implementation. Vulnerability fixes are delivered through Windows Update rather than by upgrading a separate library:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 disabled via registry; addressed by Microsoft security advisory KB3009008 (October 2014).
  • BEAST (CVE-2011-3389, 2011): Mitigated by disabling TLS 1.0 in the recommended configuration; AEAD-only cipher suites remove the CBC-mode construction that BEAST exploits.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers excluded; addressed by MS15-031 (March 2015).
  • LOGJAM (CVE-2015-4000, 2015): Short-key DHE excluded; only ECDHE key exchange is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES excluded from the recommended cipher list; addressed by Microsoft advisory 3185330 (October 2016).
  • ROBOT (2017): Static RSA key exchange excluded; only ECDHE is recommended.
  • Downgrade attacks: TLS_FALLBACK_SCSV is supported in Schannel on Windows 8.1 / Server 2012 R2 and later.
  • Renegotiation injection (CVE-2009-3555, 2009): Secure renegotiation is enforced in Schannel on Windows 7 / Server 2008 R2 and later; TLS 1.3 removes renegotiation entirely.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): Not applicable. Windows Schannel is an independent TLS implementation not based on OpenSSL and was never affected by Heartbleed.
  • BREACH (CVE-2013-3587, 2013): Exploits HTTP-level response compression (gzip/deflate on responses). Mitigated at the application layer by disabling HTTP compression in IIS or using BREACH countermeasures; TLS configuration cannot prevent it.
  • DROWN (CVE-2016-0800, 2016): Not applicable. Schannel on supported Windows versions does not support SSLv2.

Verification

After making registry changes, restart the server for them to take effect:

Restart-Computer

Verify the active cipher suites:

Get-TlsCipherSuite | Format-Table Name, Protocols

Test your configuration externally with the Mr.DNS SSL/TLS Certificate Check.
