How do you enable "secure renegotiation" in IIS on Windows 2012 R2

User-1193722340 posted
I see that my IIS web server does not support "secure renegotiation", and I'm wondering how I fix that.
I don't see anywhere to toggle that setting.
Condition on ssllabs.com for better result
Monday, December 7, 2020 10:59 AM
Monday, December 7, 2020 7:50 PM
User1065476709 posted
Hi Gregory_CH,
Gregory_CH
I see that my IIS web server does not support "secure renegotiation", and I'm wondering how I fix that.
About enabling secure renegotiation, you need to install MS10-049:
Note: you need to set the DisableRenegoOnServer registry entry to 1.
Best regards,
Sam
Tuesday, December 8, 2020 2:36 AM
User-1193722340 posted
Thank you for your reply. I read both articles carefully.
The article MS10-049 is not indicated for Win2012 R2 (max. for win2008).
Without installing MS10-049, did adding the "DisableRenegoOnServer registry entry to 1" option work?
Do you have experience with this topic?
The AllowInsecureRenegoServers and AllowInsecureRenegoClients options look more appropriate. There is also the UseScsvForTls option.
Gregory_CH
Tuesday, December 8, 2020 8:08 AM
User1065476709 posted
Hi Gregory_CH,
The article MS10-049 is not indicated for Win2012 R2 (max. for win2008).
From this link, you can choose one suitable for Windows 2012 R2, such as MS15-009:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-009
Without installing MS10-049, did adding the "DisableRenegoOnServer registry entry to 1" option work?
It will not work.
The AllowInsecureRenegoServers, AllowInsecureRenegoClients option looks more appropriate. There is also the UseScsvForTls option.
For Windows 2012 it is not working when "AllowInsecureRenegoClients" and "AllowInsecureRenegoServers" are set to 0. I'm not very familiar with renegotiation; you can test with UseScsvForTls. After all, Windows 2012 is an older version.
Best regards,
Sam
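The thread names four Schannel registry values but never shows where they live or how to inspect them. The PowerShell below is an added example, not code from any poster: it reads and (optionally) writes the values that the MS10-049 / KB980436 bulletin documents under the SCHANNEL key, and checks the result with openssl s_client. The key path and value names are those from the bulletin; the "desired" settings, the assumption that openssl is on PATH, and the host name are assumptions. Note the distinction the thread blurs: DisableRenegoOnServer=1 switches server-side renegotiation off altogether, whereas "secure renegotiation" (RFC 5746) is governed by the AllowInsecureRenego* values, where 0 is strict mode and refuses peers that cannot do the RFC 5746 extension.

```powershell
# Added example (not from the thread). Key path and value names are the ones
# documented in MS10-049 / KB980436; the desired values below are an assumption
# for a server that should only ever perform RFC 5746 secure renegotiation.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$desired = @{
    # 0 = strict: refuse renegotiation with peers that lack RFC 5746 support
    AllowInsecureRenegoServers = 0
    AllowInsecureRenegoClients = 0
    # 1 = send TLS_EMPTY_RENEGOTIATION_INFO_SCSV in client hellos
    UseScsvForTls              = 1
    # 0 = keep server-side renegotiation enabled; 1 would disable it entirely,
    #     which is not the same thing as "secure renegotiation"
    DisableRenegoOnServer      = 0
}

function Get-RenegoSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $schannel -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Schannel default applies
    return [int]$item.$Name
}

function Show-RenegoSettings {
    foreach ($name in $desired.Keys) {
        $current = Get-RenegoSetting -Name $name
        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        '{0,-28} current={1,-10} desired={2}' -f $name, $shown, $desired[$name]
    }
}

function Set-RenegoSettings {
    # Run from an elevated prompt; Schannel reads these values at boot,
    # so restart the server afterwards.
    if (-not (Test-Path $schannel)) { New-Item -Path $schannel -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $schannel -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
    }
}

function Test-SecureRenegotiation {
    # Assumes an openssl binary on PATH. The handshake summary line reads
    # "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported".
    param([string]$HostName, [int]$Port = 443)
    $out = 'Q' | & openssl s_client -connect "${HostName}:${Port}" -servername $HostName 2>&1
    ($out | Select-String 'Secure Renegotiation').Line
}

Show-RenegoSettings
# Set-RenegoSettings                                  # elevated, then reboot
# Test-SecureRenegotiation -HostName 'www.example.com' # assumed host name
```

Run Show-RenegoSettings first: a value reported as "<not set>" means the Schannel built-in default is in force, which is different from an explicit 0. Compare the openssl line before and after the reboot rather than relying on the registry alone, since the registry only tells you what was requested, not what the TLS stack is actually negotiating.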
Wednesday, December 9, 2020 3:19 AM
User-961234232 posted
Follow these steps to enable "secure renegotiation" in IIS on Windows
Configuring Your Web Server for SSL
To enable SSL in IIS, you must first obtain a certificate that is used to encrypt and decrypt the information that is transferred over the network. IIS includes its own certificate request tool that you can use to send a certificate request to a certification authority. This tool simplifies the process of obtaining a certificate. If you use Apache, you must obtain the certificate manually.
In both IIS and Apache, you receive a certificate file from the certification authority, which you must configure on the computer. Apache reads the certificate from its source file by using the SSLCACertificateFile directive. However, in IIS, you can configure and manage certificates by using the Directory Security tab of the Web site or folder properties.
You can migrate certificates from Apache to IIS; however, Microsoft recommends that you re-create or obtain a new certificate for IIS.
Configure Folder or Web Site to Use SSL/HTTPS
This procedure assumes that your site already has a certificate assigned to it.
Log on to the Web server computer as an administrator.
Click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double click Internet Services Manager.
Select the Web site from the list of different served sites in the left pane.
Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
Click the Directory Security tab.
Click Edit.
Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
To allow users to connect without supplying their own certificate, click Ignore client certificates. Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users. If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user.
Click OK.
Regards,
Rick Bale
Thursday, December 17, 2020 11:55 AM
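The steps above describe the Directory Security tab of the IIS 5/6 MMC console, which Windows Server 2012 R2 (IIS 8.5) no longer has. The PowerShell below is an added example, not part of the post, showing the IIS 7+ equivalents through the WebAdministration module: bind a certificate to port 443, then set the sslFlags attribute of system.webServer/security/access, whose flags correspond one-to-one to the check boxes in the procedure. The site name, the certificate thumbprint and the particular flag combination are assumptions; the certificate is assumed to already be in the LocalMachine\My store.

```powershell
# Added example (not from the post). Site name and thumbprint are placeholders.
Import-Module WebAdministration

$siteName   = 'Default Web Site'                          # assumed
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed; use your own

# Step 1: the certificate must already be installed (Cert:\LocalMachine\My).
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# Step 2: an https binding on 443, and the certificate attached to that binding.
if (-not (Get-WebBinding -Name $siteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# Step 3: sslFlags replaces the Directory Security check boxes:
#   Ssl              -> "Require secure-channel (SSL)"
#   Ssl128           -> "Require 128-bit encryption"
#   SslNegotiateCert -> "Accept client certificates" (omit it for "Ignore")
#   SslRequireCert   -> "Require client certificates"
#   SslMapCert       -> "Enable client certificate mapping"
$flags = 'Ssl,Ssl128,SslNegotiateCert'   # assumed choice for this example
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $flags

# Read the flags back to verify what IIS actually stored.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

Setting sslFlags on the site's PSPath writes to that site's configuration only; to require SSL for a single folder or file, point -PSPath at the application and pass the relative path with -Location. None of these settings change which TLS extensions Schannel negotiates; the renegotiation behaviour the original question is about is a system-wide Schannel property, not an IIS one.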