q: What is the easiest way to review the security of our server and disable older, less secure technologies?
a: Here are a few steps:
- We recommend SSL Labs to run an audit of your public-facing server and see what vulnerabilities exist. https://www.ssllabs.com/ssltest (Note: You'll probably want to mark the checkbox to keep the results private.)
- Historically we purchased Foundeo to disable weak ciphers. https://foundeo.com/products/iis-weak-ssl-ciphers/ That product was fine for our 2003 servers 3 years ago but it seems dated for 2014 vulnerabilities.
- Now we recommend Nartac's IIS Crypto utility. https://www.nartac.com/Products/IISCrypto/Default.aspx This tool does a great job at showing you various Protocols & Ciphers. It has quick click buttons to let you quickly secure your server to various levels.
- Our only warning is to be careful if you still have Windows XP machines in the mix. Their best security is still lower than the lowest security of a FIPS 2012 Windows Server. In English, a FIPS 140-2 secure server won't have any way to talk with a Windows XP machine using Internet Explorer, for example.
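As an added example (not part of this FAQ and not IIS Crypto's own code), the PowerShell below shows the kind of SCHANNEL registry settings a tool like IIS Crypto manages: it records the current protocol and cipher state so you have a "before" snapshot, then disables SSL 2.0, SSL 3.0 and RC4 on the server side. The function names are my own; the registry paths (`HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`) and the `Enabled` / `DisabledByDefault` DWORD values are the ones Microsoft documents for Schannel. It assumes an elevated session on a test server and a reboot afterwards for the changes to take effect.

```powershell
# Added example, not from the FAQ above and not IIS Crypto's code.
# Assumes: elevated PowerShell on the server being hardened; reboot after applying.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SchannelSub  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    # Reports Enabled / DisabledByDefault for each server-side protocol and each
    # cipher listed, so the pre-change state is on record before anything is touched.
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Ciphers   = @('RC4 40/128', 'RC4 56/128', 'RC4 128/128', 'DES 56/56', 'NULL')
    )
    foreach ($p in $Protocols) {
        $props   = Get-ItemProperty -Path "$SchannelRoot\Protocols\$p\Server" -ErrorAction SilentlyContinue
        $enabled = if ($props) { $props.Enabled } else { '(OS default)' }
        $dbd     = if ($props) { $props.DisabledByDefault } else { '(OS default)' }
        [pscustomobject]@{ Kind = 'Protocol'; Name = $p; Enabled = $enabled; DisabledByDefault = $dbd }
    }
    foreach ($c in $Ciphers) {
        # Cipher key names contain '/', which the PowerShell registry provider reads as a
        # path separator, so the .NET Registry API is used for these keys instead.
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelSub\Ciphers\$c")
        $enabled = if ($k) { $k.GetValue('Enabled') } else { '(OS default)' }
        if ($k) { $k.Close() }
        [pscustomobject]@{ Kind = 'Cipher'; Name = $c; Enabled = $enabled; DisabledByDefault = $null }
    }
}

function Set-SchannelProtocol {
    # Enables or disables one protocol for the server side (and the client side with -ClientToo).
    # Disabling SSL 3.0 / TLS 1.0 server-side is what cuts off Windows XP Internet Explorer clients.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable,
        [switch]$ClientToo
    )
    $sides = @('Server')
    if ($ClientToo) { $sides += 'Client' }
    foreach ($side in $sides) {
        $key = "$SchannelRoot\Protocols\$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$([int]$Enable)")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enable) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Set-SchannelCipher {
    # Enables or disables one cipher. Enabled=0 disables it; -1 writes 0xFFFFFFFF,
    # the value Microsoft documents for enabling a cipher.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Cipher,
        [Parameter(Mandatory)][bool]$Enable
    )
    $subKey = "$SchannelSub\Ciphers\$Cipher"
    $value  = if ($Enable) { -1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("HKLM:\$subKey", "Set Enabled=$value")) {
        $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
        $k.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $k.Close()
    }
}

# Usage: snapshot the current state, preview the changes with -WhatIf, then drop -WhatIf to apply.
Get-SchannelState | Format-Table -AutoSize
Set-SchannelProtocol -Protocol 'SSL 2.0'   -Enable $false -WhatIf
Set-SchannelProtocol -Protocol 'SSL 3.0'   -Enable $false -WhatIf
Set-SchannelCipher   -Cipher   'RC4 128/128' -Enable $false -WhatIf
# Schannel reads these keys at boot, so reboot before re-running the SSL Labs test.
```

Run `Get-SchannelState` again after the reboot and compare it with the earlier snapshot, and re-test with SSL Labs to confirm the server no longer offers the disabled protocols and ciphers. Keep the snapshot: if a legacy client stops connecting, it tells you exactly which value to restore.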