CSR/SSL:

Tools to apply best security practices for SSL and TLS:

https://www.nartac.com/Products/IISCrypto/Download

  • Download, then click the “Best Practice” button. Uncheck TLS 1.0 under Protocols, MD5 under Hashes, and Diffie-Hellman under Key Exchange. Apply and reboot.

Disable SSLv3 and RC4 for IIS: https://samrueby.com/2015/06/08/how-to-disable-sslv3-and-rc4-ciphers-in-iis/

Disable SSLv3: https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm

Disable RC4, CRIME attack, etc.: http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html In particular, look at the GitHub project: https://github.com/NWebsec/NWebsec.AzureStartupTasks/releases

Disable weak ciphers in IIS7: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

Disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html

Ripe standard settings:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
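
A small audit for the two Apache directives above, added here as an example (it is not taken from the linked articles): it computes which protocols an SSLProtocol line leaves enabled and checks an SSLCipherSuite string for missing exclusions and for typographic quotes picked up when a config is copied from a web page. The function names, the expansion of "all", the choice of required exclusions and the weak sample config are assumptions made for illustration.

```python
import re

# Assumption: "all" on a current Apache 2.4 + OpenSSL build; older builds differ.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions taken from the cipher string above (subset chosen for this check).
REQUIRED = {"!RC4", "!aNULL", "!eNULL", "!LOW", "!3DES", "!MD5", "!EXP"}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members
    return enabled

def audit(conf):
    """Return a list of findings for SSLProtocol / SSLCipherSuite lines in conf."""
    findings = []
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.I)
        if not m:
            continue  # comment lines and unrelated directives
        name, args = m.group(1).lower(), m.group(2)
        if name == "sslprotocol":
            weak = sorted(effective_protocols(args) & DEPRECATED)
            if weak:
                findings.append("deprecated protocols enabled: " + ", ".join(weak))
        else:
            if re.search("[\u201c\u201d]", args):
                findings.append("typographic quotes around cipher string")
            tokens = set(re.split(r"[\s:,]+", args.strip("\"'\u201c\u201d ")))
            missing = sorted(REQUIRED - tokens)
            if missing:
                findings.append("missing exclusions: " + ", ".join(missing))
    return findings

# Constructed sample configs: the settings listed above and a weak variant.
HARDENED = '''SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"'''
WEAK = '''SSLProtocol all -SSLv2
SSLCipherSuite \u201cHIGH:MEDIUM:!aNULL\u201d'''
```

Calling audit(HARDENED) returns an empty list, while audit(WEAK) reports the protocols still enabled, the quote problem and the missing exclusions.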