Skip to main content

Review and Apply HTTP/TLS Recommendations

Secure Cookies Configuration

  1. Go to the installation directory, which is by default in C:\Program Files\OpeniT\Analysis Server.

  2. Open the Web.config file.

  3. Update the following line:

    From

    Web.config
    <!--<httpCookies httpOnlyCookies="true" requireSSL="true" />-->

    To

    Web.config
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  4. Save the changes.

  5. In the IIS Manager, restart the Analysis Server website.

Enforce HTTPS Redirection

Make sure that all HTTP requests are redirected to HTTPS. You can achieve this in one of the following ways:

  1. Configure IIS so that only the HTTPS site is available and the HTTP site is disabled.
  2. Configure an HTTP-to-HTTPS redirect using IIS URL Rewrite. For instructions, see the IIS URL Rewrite guide.

Remove Weak Cipher Suites (3DES)

Disable the legacy 3DES cipher at the Windows SCHANNEL level to prevent IIS from negotiating weak encryption during TLS handshakes.

  1. Open the registry editor (regedit). If a User Account Control popup appears, click Yes.

  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168.

  3. Under Ciphers, check if a key named Triple DES 168 exists.

  4. If Triple DES 168 does not exist, right-click Ciphers, select New > Key, and name it Triple DES 168.

  5. Select Triple DES 168.

  6. In the right pane, right-click, select New > DWORD (32-bit) Value, and name it Enabled.

  7. Double-click Enabled, set its Value data to 0, leave Hexadecimal selected, then click OK.

  8. Restart the server to allow SCHANNEL to reload the cipher configuration.

  9. After reboot, verify that TLS_RSA_WITH_3DES_EDE_CBC_SHA is no longer offered using SSL Labs or IIS Crypto.

  10. If 3DES is still offered, ensure TLS 1.0 and TLS 1.1 are disabled as described in Disable TLS 1.0 and TLS 1.1 at the OS Level section.

Disable TLS 1.0 and TLS 1.1 at the OS Level

Disable TLS 1.0 and TLS 1.1 at the OS level by updating SCHANNEL protocol registry settings to allow only modern TLS versions.

  1. Open the registry editor (regedit). If a User Account Control popup appears, click Yes.

  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

  3. Under Protocols, check if these keys exist: TLS 1.0 and TLS 1.1.

  4. If TLS 1.0 or TLS 1.1 does not exist, right-click Protocols, select New > Key, and name it TLS 1.0 or TLS 1.1.

  5. Under TLS 1.0, create keys named Client and Server (if they don’t exist).

  6. Under TLS 1.1, create keys named Client and Server (if they don’t exist).

  7. . Select ...\TLS 1.0\Server, create (or update) DWORD (32-bit) values Enabled = 0 and DisabledByDefault = 1.

  8. Select ...\TLS 1.0\Client, create (or update) DWORD (32-bit) values Enabled = 0 and DisabledByDefault = 1.

  9. Select ...\TLS 1.1\Server, create (or update) DWORD (32-bit) values Enabled = 0 and DisabledByDefault = 1.

  10. Select ...\TLS 1.1\Client, create (or update) DWORD (32-bit) values Enabled = 0 and DisabledByDefault = 1.

  11. Restart the server to allow SCHANNEL to reload the TLS protocol settings.

  12. After reboot, verify that TLS 1.0 and TLS 1.1 are disabled using IIS Crypto, Qualys SSL Labs or Get-TlsCipherSuite on modern servers.