Getting an A+ on the Qualys SSL Test – Windows Edition
My previous article gained a lot of attention as a reference point on how to score the highest A+ rating on the Qualys SSL Test.
In doing so, site admins ensure that their TLS configuration offers robust and up-to-date security. That guide focused on NginX and Ubuntu — this one is for Windows Server admins!
Setting Up on Windows
Most configuration takes place in the Windows registry, but there’s an easier way. IIS Crypto from Nartac Software provides a GUI that lets you configure TLS settings with just a few clicks instead of editing registry keys manually.

Protocols
Following the POODLE vulnerability in SSLv3, the recommended protocols are now limited to three:
- TLSv1.0
- TLSv1.1
- TLSv1.2
Select these in the “Protocols Enabled” section of IIS Crypto.

Ciphers Enabled
This section narrows down cipher suites for later refinement and ordering. Recommended options:
- Enable 3DES (Triple DES) and AES suites
- Disable RC4, RC2, and DES
- Do not use NULL ciphers — they offer no protection

Hashes Enabled
Disable MD5 because it is too weak. SHA variants are currently considered secure and acceptable.

Key Exchanges Enabled
All key exchange options can be enabled:
- Diffie-Hellman (DHE)
- PKCS (RSA key exchange)
- ECDH (Elliptic Curve Diffie-Hellman), which uses ECC (Elliptic Curve Cryptography)

Cipher Suite Ordering
The order of your cipher suites decides which suite is negotiated with a client, and therefore whether Perfect Forward Secrecy (PFS) is actually used. Prioritize suites as follows:
- ECDHE (TLS_ECDHE_RSA) first — supports PFS and is fast
- DHE (TLS_DHE_RSA) next — offers PFS for older clients
- Then include TLS_RSA for compatibility
- Optionally keep TLS_ECDHE_ECDSA suites (for ECDSA certificates)
- Disable TLS_RSA_WITH_RC4_128_SHA
Click “Apply” and restart your server for the registry changes to take effect. Then run the Qualys SSL Test to check your score.
OCSP Stapling
OCSP Stapling is enabled by default on Windows Server 2008 and later. It doesn’t affect your Qualys score directly but improves performance and reliability. No extra setup needed.
Perfect Forward Secrecy (PFS)
PFS ensures that even if your private key is compromised, past sessions remain secure. Support and prioritize ECDHE and DHE cipher suites to achieve this.
SHA1 vs. SHA256 Certificates
Google has deprecated SHA1 and warns users visiting sites that still use it. Qualys also penalizes SHA1 certificates, preventing an A+ score.
Replace any SHA1 leaf certificates and ensure intermediate certificates use SHA256. Root certificates can remain SHA1.
TLS_FALLBACK_SCSV
Updated 11th Jan 2015: TLS_FALLBACK_SCSV prevents protocol downgrade attacks by signaling when a connection attempt is a fallback. This protects clients from being forced to use weaker protocols like SSLv3.
Currently, Microsoft IIS does not support TLS_FALLBACK_SCSV, which caps Windows servers at an A rating. You can still achieve an A+ by supporting only TLSv1.2.
Strict Transport Security (HSTS)
To reach an A+ rating, you need to implement an HTTP Strict Transport Security (HSTS) policy. It enforces HTTPS by instructing browsers to connect securely without relying on redirects.
Steps to Enable HSTS in IIS:
- Open IIS Manager and select your site.
- Double-click HTTP Response Headers.
- Click Add in the Actions pane.
- Set the header name to strict-transport-security.
- In the Value field, use: max-age=31536000; includeSubdomains (1 year).
Alternatively, you can add this directive directly to your web.config file:
Once done, re-run your site through the Qualys SSL Test and check your new score.
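As an added example (not code from the original article or from IIS Crypto), the PowerShell below writes the same Schannel registry values the sections above select in IIS Crypto (protocols, ciphers, hashes, key exchanges, cipher suite order) and then adds the HSTS header from this section. It assumes an elevated session, the IIS WebAdministration module, a site named "Default Web Site", and Windows Server 2016 or later cipher suite names (older builds append _P256/_P384 to the ECDHE suite names); a reboot is still needed for the Schannel changes to apply.

```powershell
# Schannel lives under HKLM; the .NET registry API is used because some key names contain '/'.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$on = -1   # stored as DWORD 0xffffffff, the value Schannel reads as "enabled"; 0 means off

function Set-SchannelEnabled([string]$SubKey, [int]$Enabled, [int]$DisabledByDefault = -1) {
    # CreateSubKey opens or creates the key and accepts names such as 'RC4 128/128', which the
    # PowerShell registry provider (HKLM:\...) would misread as a path separator.
    $key = $hklm.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    if ($DisabledByDefault -ge 0) {   # protocols only
        $key.SetValue('DisabledByDefault', $DisabledByDefault, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

# Protocols: SSL 2.0 and 3.0 off (POODLE), TLS 1.0 to 1.2 on, for both server and client roles.
foreach ($side in 'Server', 'Client') {
    foreach ($p in 'SSL 2.0', 'SSL 3.0')            { Set-SchannelEnabled "Protocols\$p\$side" 0 1 }
    foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') { Set-SchannelEnabled "Protocols\$p\$side" $on 0 }
}
# Ciphers: AES and 3DES on; RC4, RC2, DES and NULL off. Hashes: MD5 off. Key exchanges: all on.
foreach ($c in 'AES 128/128', 'AES 256/256', 'Triple DES 168') { Set-SchannelEnabled "Ciphers\$c" $on }
foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
               'RC2 128/128', 'RC2 56/128', 'RC2 40/128', 'DES 56/56', 'NULL') {
    Set-SchannelEnabled "Ciphers\$c" 0
}
Set-SchannelEnabled 'Hashes\MD5' 0
foreach ($k in 'Diffie-Hellman', 'PKCS', 'ECDH') { Set-SchannelEnabled "KeyExchangeAlgorithms\$k" $on }

# Cipher suite order (the value Group Policy's "SSL Cipher Suite Order" setting writes): ECDHE first
# for PFS, DHE next, plain RSA last for compatibility. No RC4 suite is listed, so none is offered.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',       'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',       'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)
$order = $hklm.CreateSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
$order.SetValue('Functions', ($suites -join ','), [Microsoft.Win32.RegistryValueKind]::String)
$order.Close()

# HSTS header, equivalent to the IIS Manager steps above (the site name is an assumption).
Import-Module WebAdministration
Add-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000; includeSubdomains' }
```

Add-WebConfigurationProperty fails if the header already exists on the site, so run it once, then reboot and re-test with Qualys.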