IT Nota


How to Setup HTTP Strict Transport Security (HSTS) on IIS

The HTTP Strict-Transport-Security (HSTS) response header tells browsers that a website must be accessed only over HTTPS. Once a browser has seen the header, it turns plain http:// requests for that host into https:// requests on its own, so the connection is not downgraded to cleartext. It is a powerful feature that is easy to implement, reduces the risk of the communication being intercepted, and keeps your website visitors safe.

Enabling HTTP Strict Transport Security on IIS

See the steps below to enable HSTS on IIS:

  1. Launch IIS Manager.
  2. On the left pane of the window, click on the website to which you want to add the HTTP header and double-click on HTTP Response Headers.

    IIS HTTP Response Headers Setting

  3. In the HTTP Response Headers window, click Add… on the right pane, type Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value, and click OK. The max-age value 63072000 is the number of seconds in two years; you need to enter a value of at least one year.

    IIS HTTP Response Headers Strict Transport Security Setting

Now you can verify that the header is delivered correctly by running a curl command.

curl -I https://www.itnota.com

You should see the header listed among the other entries:

Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

That’s all there is to utilize HSTS on IIS.
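The same two steps, adding the header and then checking what the server actually sends, as an added PowerShell example (not code from the post): the site name and the URL under test are assumptions, the header value is the one the post uses, and the check applies the post's rule that max-age must be at least one year.

```powershell
# Added example, not from the IT Nota post. Requires the WebAdministration module (IIS Manager
# installed) for Add-HstsHeader; Test-HstsHeader only needs network access to the site.
Import-Module WebAdministration

function Add-HstsHeader {
    param(
        [string]$SiteName = 'Default Web Site',                           # assumption: your site's name
        [string]$Value    = 'max-age=63072000; includeSubDomains; preload' # value from the post
    )
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    $entry  = "$filter/add[@name='Strict-Transport-Security']"
    if (Get-WebConfiguration -PSPath $psPath -Filter $entry) {
        # Idempotent: update the existing entry instead of adding a duplicate header.
        Set-WebConfigurationProperty -PSPath $psPath -Filter $entry -Name 'value' -Value $Value
    } else {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ name = 'Strict-Transport-Security'; value = $Value }
    }
}

function Test-HstsHeader {
    param([string]$Url = 'https://www.itnota.com')   # URL from the post's curl example
    # HEAD request, like the post's "curl -I"; -UseBasicParsing avoids the IE engine on older hosts.
    $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    # Cast to string: PowerShell 7 returns header values as an array, 5.1 as a string.
    $hsts = [string]$resp.Headers['Strict-Transport-Security']
    $maxAge = 0
    if ($hsts -match '(?i)max-age\s*=\s*(\d+)') { $maxAge = [int64]$matches[1] }
    [pscustomobject]@{
        Url               = $Url
        Present           = [bool]$hsts
        MaxAge            = $maxAge
        IncludeSubDomains = ($hsts -match '(?i)includeSubDomains')
        Preload           = ($hsts -match '(?i)preload')
        MeetsOneYear      = ($maxAge -ge 31536000)   # the post's minimum of one year, in seconds
    }
}

Add-HstsHeader -SiteName 'Default Web Site'
Test-HstsHeader -Url 'https://www.itnota.com' | Format-List
```

Two points worth knowing before relying on the output: IIS custom headers are sent on every binding of the site, including plain HTTP, and browsers ignore HSTS received over HTTP, so the site must still redirect port 80 to HTTPS for the header to take effect; and the preload token is a request to be hard-coded into browser preload lists, which is slow to undo, so only include it once every subdomain is confirmed to work over HTTPS.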


Further Reading

Strict-Transport-Security
How to Use cURL HTTP/2 on macOS
How to Enable Secure HttpOnly Cookies in IIS

January 9, 2019 Filed Under: How To Tagged With: IIS, Information Security, Internet Information Services, Windows Server

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, typically between a website and a browser.

TLS 1.0 and its deprecated predecessor, SSL, are vulnerable to well-known attacks such as POODLE and BEAST. According to NIST, these vulnerabilities cannot be fixed or patched, so all companies, especially banks and other financial institutions, which are notoriously slow in upgrading their systems, need to upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and the older TLS 1.0.

As of 30 June 2018, SSL and TLS 1.0 must be disabled, and a more secure protocol such as TLS 1.2 (or at a minimum TLS 1.1) is required to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

The next question, then, is how do we enable TLS 1.2 on Windows Servers, especially on older servers such as Windows Server 2008, since many companies are not on the latest and greatest operating systems?

This post will address what to look for and how to enable TLS 1.2 as the default protocol for Windows Server 2012 R2 or older.

IMPORTANT: As always, and it’s worth repeating, back up your current registry settings before attempting any of these changes on your servers.

Enable TLS 1.2 on Windows Servers 2008 SP2 or later

TLS 1.2 can be enabled on any server running Windows Server 2008 SP2 or later. Microsoft provided an update that adds support for TLS 1.1 and TLS 1.2 to Windows Server 2008, but it requires Windows Server 2008 SP2 to be installed.

So just to state the obvious, TLS 1.1 and TLS 1.2 are not supported for 32-bit Windows Server 2008 SP1.

  1. Launch regedit.exe.

  2. In the registry, go to:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    
  3. Create a new key named TLS 1.2 under Protocols, and under it create two subkeys, Client and Server.

  4. Under the Server subkey, create a DWORD named Enabled with a value of 1.

  5. Still under the Server subkey, create a DWORD named DisabledByDefault with a value of 0.

  6. The DisabledByDefault entry must be created in each subkey you use (Client and Server) and set to 0, since this entry is set to 1 by default.

    Windows 2008 Standard enabling TLS 1.2

  7. Reboot the server and test.

Enable TLS 1.2 on .NET Framework 3.5 (including 2.0)

.NET Framework 3.5 and earlier did not originally allow applications to use the TLS System Default Versions as their cryptographic protocol. Support was added by an update: on Windows Server 2012 R2, check whether KB3154520 is installed (KB3154519 for Windows Server 2012, KB3154518 for Windows Server 2008 R2, and KB3154517 for Windows Server 2008 SP2).

How to check the KB updates

  1. Right-click on the Windows button and select Programs and Features.

    Windows Server 2012 R2 Programs and Features

  2. In the Programs and Features window, click on View installed updates on the left pane.

    Windows Server 2012 R2 View installed updates

  3. You will see a list of the updates, which you can narrow down or search very specifically using the Search Installed Updates box. You can type in the KB number (e.g., “KB3154520”).

    Windows Server 2012 R2 KB3154520 update

  4. If the corresponding KB is already installed, we just need to enable it via a registry change. Otherwise, you need to install the patch from either of the links for Windows Server 2012 R2 (or use the corresponding links above for earlier versions of Windows Server).

Registry Change

  1. Launch regedit.exe.

  2. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    
  3. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  4. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  5. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    
  6. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  7. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  8. For a 64-bit OS, the same changes are also needed under the following locations:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
    
  9. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  10. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  11. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    
  12. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  13. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  14. Test.

Windows Server 2012 R2 TLS default

Enable TLS 1.2 as default for WinHTTP

This may apply to any Classic ASP or VB6 application that uses WinHTTP. Prior to Windows 10 and Windows Server 2016, TLS 1.1 and 1.2 are not enabled by default for client-server communications through WinHTTP.

To set TLS 1.2 by default, do the following:

  1. Create a registry entry DefaultSecureProtocols in the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  2. Set the DWORD value to 800 (hexadecimal, i.e. 0x00000800, which is what regedit’s default base shows) for TLS 1.2.

  3. For a 64-bit OS, repeat steps 1 and 2 in the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  4. Reboot the server and test.

Windows Server 2012 R2 DefaultSecureProtocols registry entry
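The three registry procedures above (SCHANNEL, .NET Framework and WinHTTP) collected into one idempotent PowerShell script with a read-back audit, as an added example that is not code from the post. Key paths, value names and values are the ones the post gives; the script decides on its own whether to write the Wow6432Node copies by checking whether the OS is 64-bit, and the audit function is read-only, so it can be run on its own to check a server before or after a reboot.

```powershell
# Added example, not from the IT Nota post. Run in an elevated PowerShell on Windows Server
# 2012 R2 or older, after backing up the registry as the post advises.

$SchannelTls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$NetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$Wow64NetKeys = @(   # post's steps 8-13: the 32-bit view of the registry on a 64-bit OS
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$WinHttpKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$Wow64WinHttpKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

function Get-Tls12Settings {
    # Every (path, name, value) triple the post asks for; shared by the apply and audit functions.
    $s = @()
    foreach ($role in 'Client', 'Server') {
        $s += [pscustomobject]@{ Path = "$SchannelTls12\$role"; Name = 'Enabled';           Value = 1 }
        $s += [pscustomobject]@{ Path = "$SchannelTls12\$role"; Name = 'DisabledByDefault'; Value = 0 }
    }
    $net = $NetKeys
    $winhttp = @($WinHttpKey)
    if ([Environment]::Is64BitOperatingSystem) {
        $net     += $Wow64NetKeys
        $winhttp += $Wow64WinHttpKey
    }
    foreach ($k in $net) {
        $s += [pscustomobject]@{ Path = $k; Name = 'SystemDefaultTlsVersions'; Value = 1 }
        $s += [pscustomobject]@{ Path = $k; Name = 'SchUseStrongCrypto';       Value = 1 }
    }
    foreach ($k in $winhttp) {
        # The post's "800" is hexadecimal: 0x800 selects TLS 1.2 in DefaultSecureProtocols.
        $s += [pscustomobject]@{ Path = $k; Name = 'DefaultSecureProtocols'; Value = 0x800 }
    }
    return $s
}

function Enable-Tls12 {
    foreach ($x in Get-Tls12Settings) {
        # New-Item -Force creates the whole key chain, e.g. Protocols\TLS 1.2\Server.
        if (-not (Test-Path $x.Path)) { New-Item -Path $x.Path -Force | Out-Null }
        New-ItemProperty -Path $x.Path -Name $x.Name -Value $x.Value -PropertyType DWord -Force | Out-Null
    }
}

function Get-Tls12Status {
    # Read-only audit: what the registry holds versus what the post requires.
    foreach ($x in Get-Tls12Settings) {
        $actual = (Get-ItemProperty -Path $x.Path -Name $x.Name -ErrorAction SilentlyContinue).($x.Name)
        [pscustomobject]@{
            Path     = $x.Path
            Name     = $x.Name
            Expected = $x.Value
            Actual   = $actual
            Ok       = ($actual -eq $x.Value)
        }
    }
}

Enable-Tls12
Get-Tls12Status | Format-Table -AutoSize
# Reboot afterwards, as the post's final steps say; the SCHANNEL change in particular needs it.
```

Keep the audit output from before and after the reboot: a row whose Actual column is empty means the key was never created (a common outcome when the script is run without elevation), which is a different failure from a value that was set and then reverted by Group Policy or another tool.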

Windows 10 and Windows Server 2016/2019 support TLS 1.2 for client-server communications by using WinHTTP.

Further Reading

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
TLS/SSL Settings
How to enable TLS 1.2 for Configuration Manager
Transport Layer Security (TLS) best practices with the .NET Framework
Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
How to enable TLS 1.2 on the site servers and remote site systems
Use Case Scenario: Known issues connecting SSRS Server 2016 (new) to SQL Server 2008 (old) with TLS

Download

Solving the TLS 1.0 Problem (MS Word document)

October 12, 2018 Filed Under: How To Tagged With: Information Security, Microsoft, Windows Server

How to Fix SMTP 550 5.7.1 Unable to Relay Error on Windows Server 2012 R2

Here is one way of fixing an SMTP error on Windows Server 2012 when you see an error message similar to the one below:

Error Message

System.Exception: SMTP error sending: Client Service Setup Error on SERVERNAME ---> System.Web.HttpException: The server rejected one or more recipient addresses. The server response was: 550 5.7.1 Unable to relay for [email protected]    ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server rejected one or more recipient addresses. The server response was: 550 5.7.1 Unable to  relay for [email protected]       --- End of inner exception stack trace ---     at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)      at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)     at System.Web.Mail.SmtpMail.LateBoundAccessHelper.CallMethod(Object  obj, String methodName, Object[] args)     --- End of inner exception stack trace ---     at System.Web.Mail.SmtpMail.LateBoundAccessHelper.CallMethod(Object obj, String methodName, Object[] args)     at System.Web.Mail.SmtpMail.CdoSysHelper.Send(MailMessage  message)     at System.Web.Mail.SmtpMail.Send(MailMessage message)     at ClientServiceSetup.CommonFunctions.SendMail(MailMessage objMail)     --- End of inner exception stack trace ---

Steps to Add Localhost to the SMTP Relay

  1. Launch IIS 6.0 Manager.

    IIS 6 Manager on Windows Server 2012 R2

  2. Right-click on the SMTP Server (in this example it’s named default, but it could be named something else) and select Properties.

    IIS 6 Manager SMTP Properties on Windows Server 2012 R2

  3. Click on the Access tab and, at the very bottom under Relay restrictions, click the Relay button.

    IIS 6 Manager SMTP Properties Access Relay Windows Server 2012 R2

  4. Select Only the list below, click the Add… button and, under Single computer and IP Address, type in 127.0.0.1 and click OK.

  5. Check Allow all computers which successfully authenticate to relay, regardless of the list above, then click OK, and OK one more time to leave the Properties window.

    IIS 6 Manager SMTP Grant Access Relay on Windows Server 2012 R2

  6. Re-test and that should be it.
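A way to do the re-test in step 6 without sending a message, as an added PowerShell example that is not code from the post: it opens a plain SMTP session to the IIS SMTP service, issues MAIL FROM and RCPT TO for a recipient outside the local domains, records the reply to RCPT TO, and then resets and quits. Run on the server itself it should now get 250, because 127.0.0.1 is in the relay list; run from another machine on the LAN it should still get 550 5.7.1, which is the confirmation that the relay restriction was not loosened further than intended. The sender and recipient addresses are constructed placeholders.

```powershell
# Added example, not from the IT Nota post. Talks SMTP over a raw TCP socket so the result
# reflects the relay restriction itself, not the behaviour of a mail library.
function Test-SmtpRelay {
    param(
        [string]$Server    = '127.0.0.1',                 # the address the post adds to the relay list
        [int]$Port         = 25,
        [string]$From      = 'relaytest@example.invalid', # constructed
        [string]$Recipient = 'someone@example.invalid'    # constructed; must not be a local domain
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # One SMTP reply may span several lines: "250-..." continues, "250 ..." ends it.
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            $lines += $line
        } while ($line -and $line[3] -eq '-')
        return ($lines -join "`n")
    }
    function Send-Cmd([string]$cmd) { $writer.WriteLine($cmd); return Read-Reply }

    try {
        $banner = Read-Reply
        $ehlo   = Send-Cmd 'EHLO relaytest.local'
        $mail   = Send-Cmd "MAIL FROM:<$From>"
        $rcpt   = Send-Cmd "RCPT TO:<$Recipient>"
        Send-Cmd 'RSET' | Out-Null   # abandon the envelope: no DATA, nothing is delivered
        Send-Cmd 'QUIT' | Out-Null
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Server        = $Server
        Banner        = $banner
        MailFromReply = $mail
        RcptToReply   = $rcpt
        RelayAllowed  = $rcpt.StartsWith('250')
        UnableToRelay = ($rcpt -like '550 5.7.1*')   # the error from the post's stack trace
    }
}

Test-SmtpRelay -Server '127.0.0.1' | Format-List
```

If the local run still returns 550 5.7.1, the application is most likely connecting through a different address than the one granted (the machine's LAN IP or its hostname rather than 127.0.0.1); re-run the function with that address as -Server to see which one the service is refusing.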

Further Reading

IIS SMTP – The server response was: 5.7.1 Unable to relay for outgoing address, Still not working
How to Install SMTP Server on Windows Server 2012 R2

September 26, 2018 Filed Under: How To Tagged With: IIS, Internet Information Services, Microsoft, Simple Mail Transfer Protocol, Smtp Server, Windows Server

How to Troubleshoot Response Buffer Limit Exceeded Error in Classic ASP

How do you troubleshoot a classic ASP website when it crashes with the following error message?

Response object error 'ASP 0251 : 80004005'
 
Response Buffer Limit Exceeded
 
/itnota/test.asp, line 0
 
Execution of the ASP page caused the Response Buffer to exceed its configured limit.

Turn Off Page Buffering

By default, page buffering in ASP is set to On, so one way to fix the error is simply to turn page buffering off.

At the top of your ASP page, add the following line right after the VBScript declaration (Line 2 – highlighted):

<% @Language="VBScript" %>
<% Response.Buffer = False %>

In general, though, you do want to impose a limit so your data stream does not clog up your resources, especially if you’re sharing the web server with other applications. That’s why the next solution is the better one, especially for a production environment.

Modify Response Buffering Limit in IIS

Another way to solve this issue is explained below, demonstrated on IIS 10, but it should work the same way on IIS 7 or later. This is the best solution, but you need access to your IIS.

  1. Launch IIS Manager and select your site in the Connections box on the left. Then double-click on ASP in the right pane, under the IIS section.

    IIS Manager ASP Configuration Settings

  2. Once the ASP window opens, look for Limit Properties, expand it and go to Response Buffering Limit.

    If the value was never modified, you will see 4194304, which translates to roughly 4 MB.

    IIS Manager ASP Response Buffering Limit Property (default value)

  3. This is the value we want to modify, so go ahead and change it to a larger number. In this example we put in 64000000 (~64 MB, not quite, but you get the point); adjust it according to your needs.

    IIS Manager ASP Response Buffering Limit (click Apply)

  4. Once you have entered the value, click the Apply link to save all settings.

The effect should be immediate without requiring a restart of IIS or Application Pool. That’s all there is to it.
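The same change made from PowerShell instead of the IIS Manager dialog, with the value read back before and after, as an added example that is not code from the post. It writes the site-level setting into applicationHost.config under a location element for the site, which is where IIS Manager stores it too, since the asp configuration section is not delegated to web.config by default. The site name is an assumption; 4194304 and 64000000 are the default and the new value from the post.

```powershell
# Added example, not from the IT Nota post. Requires the WebAdministration module (IIS Manager installed).
Import-Module WebAdministration

function Get-AspBufferingLimit {
    param([string]$SiteName = 'Default Web Site')   # assumption: your site's name
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
         -Filter 'system.webServer/asp/limits' -Name 'bufferingLimit'
    # Depending on the module version this is a ConfigurationAttribute or the raw number.
    if ($null -ne $p.Value) { [uint32]$p.Value } else { [uint32]$p }
}

function Set-AspBufferingLimit {
    param(
        [string]$SiteName = 'Default Web Site',
        [uint32]$Bytes    = 64000000               # the post's example value (~64 MB)
    )
    # Same effect as the Apply link in IIS Manager: takes effect immediately, no IIS or
    # application-pool restart needed.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/asp/limits' -Name 'bufferingLimit' -Value $Bytes
}

"Before: $(Get-AspBufferingLimit -SiteName 'Default Web Site')"   # 4194304 on an untouched site
Set-AspBufferingLimit -SiteName 'Default Web Site' -Bytes 64000000
"After:  $(Get-AspBufferingLimit -SiteName 'Default Web Site')"   # 64000000
```

The limit is per response, so raising it lets a single request hold that much more memory in the worker process before anything is flushed; size it for the largest page you actually generate rather than picking a number that makes the error go away, and prefer Response.Flush inside long loops over a very large limit.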

Further Reading

IIS 6.0: “Response buffer limit exceeded”
Response Buffer Limit Exceeded

July 18, 2017 Filed Under: How To Tagged With: Classic ASP, IIS, Internet Information Services, Windows Server

How to Cache Specific Static Files and Directories on IIS

As part of IIS performance tuning to improve page load speed, you generally want to enable browser caching: double-click on HTTP Response Headers in IIS Manager, click on Set Common Headers, check Expire Web content: and set After: to some number of days.

IIS HTTP Response Headers to Cache Static Files

Often, though, you may want to be more granular with IIS static-content caching for different types of files, or for all static files under certain folders. In the same way that you can disable browser caching for specific files on IIS, you can also configure web.config to set up browser caching for specific files or directories with different lengths of time.

<configuration>
...
  <location path="favicon.ico">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
      </staticContent>
    </system.webServer>
  </location>
  <location path="js">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="60.00:00:00" />
      </staticContent>
    </system.webServer>
  </location>
  <location path="images">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>

In this example the cache for the specific file favicon.ico is set to 1 year (365 days), and the two folders js and images are set to 60 and 30 days respectively (the cacheControlMaxAge format is days.hours:minutes:seconds). This means all static files under the js folder will be cached for 60 days, and similarly for the images folder, though for a shorter duration since its contents change more frequently.

By caching as many static files as possible in the browser, you can tremendously improve IIS performance, which translates to a better user experience, as your site loads faster on their subsequent visits.
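A check that the web.config above actually produces the intended Cache-Control headers, as an added PowerShell example that is not code from the post: it converts each cacheControlMaxAge value from the days.hours:minutes:seconds format into seconds, requests one file under each location, and compares the max-age the server sent with the configured value. The base URL and the sample file names are assumptions.

```powershell
# Added example, not from the IT Nota post. Only needs network access to the site.
function Test-ClientCache {
    param(
        [string]$BaseUrl,        # e.g. 'https://www.itnota.com'
        [hashtable]$Expected     # relative path -> cacheControlMaxAge string from web.config
    )
    foreach ($entry in $Expected.GetEnumerator()) {
        # [TimeSpan]::Parse understands the days.hours:minutes:seconds format IIS uses.
        $expectedSeconds = [int64][TimeSpan]::Parse($entry.Value).TotalSeconds
        $url = "$BaseUrl/$($entry.Key)"
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
            $cc   = [string]$resp.Headers['Cache-Control']
            $actual = if ($cc -match '(?i)max-age\s*=\s*(\d+)') { [int64]$matches[1] } else { $null }
            $status = [int]$resp.StatusCode
        } catch {
            $cc = $null; $actual = $null; $status = $null   # 404 or connection failure
        }
        [pscustomobject]@{
            Path         = $entry.Key
            Status       = $status
            CacheControl = $cc
            Expected     = $expectedSeconds
            Actual       = $actual
            Ok           = ($null -ne $actual -and $actual -eq $expectedSeconds)
        }
    }
}

# Constructed sample: one file per location from the web.config above (file names are assumptions).
$expected = @{
    'favicon.ico'     = '365.00:00:00'   # -> 31536000 seconds
    'js/site.js'      = '60.00:00:00'    # ->  5184000 seconds
    'images/logo.png' = '30.00:00:00'    # ->  2592000 seconds
}
Test-ClientCache -BaseUrl 'https://www.itnota.com' -Expected $expected | Format-Table -AutoSize
```

A failing row for a path that returns 200 usually means a web.config deeper in the tree, or a handler that serves the file dynamically, overrides the location element; a missing Cache-Control on a file that should have one is worth catching for the same reason the header is worth setting, because public with a long max-age must never end up on a path that serves per-user content.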

Further Reading

Disable Browser Caching for Specific Files on IIS

June 17, 2016 Filed Under: How To Tagged With: IIS, Internet Information Services, Microsoft, Windows Server

Copyright © 2011-2025 IT Nota. All rights reserved.