
Is it “safe” to use IIS for HTTPS?

I am trying to set up HTTPS in IIS (Windows Server 2008 R2 and Windows Server 2012) as securely as possible. In order to mitigate attacks such as BEAST and the weakness of RC4, while trying to use ECDHE where possible, I have found: http://forums.iis.net/post/2056602.aspx

So, I am just wondering whether it is safe to use IIS directly for HTTPS in enterprise systems? Or is it better to use something else as an SSL proxy?

Yes. It can be safe, although it's only as safe as your environment and policies allow.

I have seen IIS used as the front line in large enterprise deployments where security was/is critical and there were/are regular audits of SSL. It didn't take too much effort to tune out weak ciphers and perform other mitigations, but it does require modifying the default out-of-the-box settings.

Even in that scenario, however, the backend IIS servers were not exposed directly but were passed through IIS proxies (URL Rewrite / ARR) in a DMZ buffered by two firewalls and other security devices before reaching the backend servers, with severe limitations on what traffic was allowed. Proxies are good.

That said, there's something to be said for having your proxy be on a different technology stack than your backend server. The less homogeneous your environment, the less likely a single exploit will grant complete access to your backend.

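The "tune out weak ciphers and modify the default settings" step the answer refers to is, on Windows Server 2008 R2 / 2012, a set of Schannel registry edits, since IIS hands TLS to HTTP.sys and Schannel. The script below is an added example and not code from the original post or from the linked forum thread. The protocol key names, the cipher key names (such as `RC4 128/128`) and the `Functions` value under the SSL policy key are the documented Schannel locations; the cipher suite list is an assumption that you must check against Microsoft's published suite names for your exact OS build, and the helper names (`Set-SchannelProtocol`, `Set-SchannelCipher`, `Set-CipherSuiteOrder`, `Get-SchannelState`) are hypothetical. Run it in an elevated PowerShell session; changes take effect after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): harden Schannel on Windows Server 2008 R2 / 2012.
# Registry paths and value names are the documented Schannel ones; the suite list below is an
# assumption to verify for your OS version. A reboot is required for HTTP.sys to pick this up.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Schannel "Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even when an
        # application requests it explicitly. Set both, or the disable is incomplete.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'RC4 128/128'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Cipher key names contain '/', which the PowerShell registry provider treats as a path
    # separator, so the subkey is created through the .NET registry API instead of New-Item.
    $base    = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')
    $ciphers = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    $sub     = $ciphers.CreateSubKey($Name)
    # Schannel's documented "enabled" value is 0xffffffff; -1 as a DWORD writes exactly that.
    $value = if ($Enabled) { -1 } else { 0 }
    $sub.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close(); $ciphers.Close(); $base.Close()
}

function Set-CipherSuiteOrder {
    param([Parameter(Mandatory)][string[]]$Suites)
    # Same location Group Policy "SSL Cipher Suite Order" writes to. One comma-separated
    # REG_SZ, limited to 1023 characters, so keep the list short.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Functions' -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

function Get-SchannelState {
    # Read back the server-side protocol settings so the change can be audited after the fact.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $v = Get-ItemProperty -Path (Join-Path $Schannel "Protocols\$p\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{ Protocol = $p; Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
    }
}

# 1. Protocols: SSL 2.0/3.0 off; TLS 1.1/1.2 explicitly on (they are off by default on 2008 R2).
#    TLS 1.0 stays on here because legacy clients may still need it; BEAST is mitigated for any
#    client that can negotiate TLS 1.1+ once those are enabled and preferred.
'SSL 2.0', 'SSL 3.0'           | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }

# 2. Weak ciphers: all RC4 strengths, single DES and NULL.
'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'DES 56/56', 'NULL' |
    ForEach-Object { Set-SchannelCipher -Name $_ -Enabled $false }

# 3. Suite order: ECDHE suites first, RSA key exchange only as fallback. ASSUMED list; 2008 R2
#    and 2012 use the "_P256" curve suffix form for ECDHE suites and do not offer ECDHE_RSA GCM.
Set-CipherSuiteOrder -Suites @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

Get-SchannelState | Format-Table -AutoSize
Write-Host 'Schannel settings written. Reboot, then verify with an external TLS scanner.'
```

Two practical caveats. The `Client` side of each protocol key is changed as well, so anything on the box that talks outbound TLS (IIS ARR to a backend, SQL client, .NET code) also loses SSL 3.0; test those paths, and do not disable TLS 1.0 until every required client has been checked, since older .NET and RDP components on 2008 R2 still depend on it. And the registry alone proves nothing: after the reboot, confirm the negotiated protocol and suite from outside with a TLS scanner, which is what the "regular audits of SSL" in the answer amount to.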

This article is reproduced from Stack Exchange / Stack Overflow.