I have been tasked with configuring an IIS7 server to accept TLS 1.0 HTTPS connections only.
I have come up with the following list of cipher suites which I have deduced are TLS 1.0.
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
I have put that list in the box in the following policy: Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order
Is that sufficient? Are any of the suites in my list not TLS 1.0? Are there any other TLS 1.0 suites supported by IIS7 that aren't in the list?
The server, by the way, is Windows Server 2008 R2.
Thanks
You will follow a similar procedure to http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html except you will disable more than just SSL 2.0
http://support.microsoft.com/kb/187498 also has info
A company called Nartac software makes a free IIS Crypto configuration tool that can be used to enable/disable protocols and cipher suites in IIS on Windows 2003, 2008 and 2012. It also comes with templates for configuring IIS to be FIPS 140.2 compliant, integrates with the Qualys SSL site analyzer for testing public urls, and has a list of other validation tools that can be used to validate internal sites.
Limiting the ciphersuites is not the right method, as they could be negotiated by SSLv3 client as well, which will result in SSLv3. The best way is to follow the article Robert pointed to (http://support.microsoft.com/kb/187498) and set the proper registry keys. Anything other than that is prone to errors.
Check this out Restrict the website for a particular Crypto Protocol. The same works fine for IIS 7 / 7.5.
List of all supported cipers in win2008. It could be a good start.