Microsoft IIS Does Not Dictate TLS Cipher Suites – That’s the OS’s Job

When setting up SSL/TLS encryption for an IIS web server, you might ask: does IIS determine the supported cipher suites? Who is responsible for the protocols and ciphers used on the HTTPS connections that IIS serves?

The answer lies in the relationship between IIS and the Windows operating system. IIS does not define the cipher suites. Rather, it depends on the Windows OS. Specifically, Windows has a built-in component named SCHANNEL (Secure Channel). This component, integral to the OS, implements SSL/TLS protocols and manages the ciphers.

Any Windows application, including IIS, that requires a secure network connection uses SCHANNEL for the TLS handshake. The available TLS protocols and cipher suites are determined at the OS level, configured via registry keys. Therefore, when you establish HTTPS on IIS, it references the cipher suites activated in Windows through SCHANNEL. IIS itself doesn’t decide on these cryptographic settings.
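The following PowerShell script is an added example, not code from the original post. It shows the point in practice: the protocol and cipher settings IIS will use are read from, and changed in, the SCHANNEL registry keys and the TLS module cmdlets, never from IIS itself. It assumes an elevated PowerShell session on Windows Server 2016 or later (where `Get-TlsCipherSuite` and `Disable-TlsCipherSuite` are built in); the function names `Get-SchannelProtocolState`, `Disable-SchannelProtocol` and `Invoke-SchannelBaseline` are my own.

```powershell
# Added example (not from the original post). Audit, and optionally harden,
# the SCHANNEL settings that IIS inherits. Run elevated; changes to the
# registry take effect only after a reboot. Assumes Windows Server 2016+
# for the TLS module cmdlets.
param([switch]$Apply)   # without -Apply the script only reports

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # Reads Enabled / DisabledByDefault from each protocol's Server subkey.
    # A missing key or value means "OS default", which varies by Windows version.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key   = Join-Path $schannel "Protocols\$proto\Server"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
            DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
        }
    }
}

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    # Enabled=0 plus DisabledByDefault=1 on the Server side turns the protocol
    # off for every SCHANNEL consumer on the machine, IIS included. Nothing in
    # IIS Manager or applicationHost.config is touched.
    $key = Join-Path $schannel "Protocols\$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Invoke-SchannelBaseline {
    # Hypothetical baseline for illustration: legacy protocols off, RC4 suites removed.
    foreach ($legacy in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        Disable-SchannelProtocol -Protocol $legacy
    }
    Get-TlsCipherSuite |
        Where-Object { $_.Name -like '*RC4*' } |
        ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
}

# 1. What IIS will inherit right now.
Write-Host '--- SCHANNEL protocol state (Server side) ---'
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. The cipher suites SCHANNEL currently offers, in negotiation order.
Write-Host '--- Cipher suites currently offered ---'
Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize

# 3. Optionally apply the baseline and show the result.
if ($Apply) {
    Invoke-SchannelBaseline
    Write-Host '--- After baseline (reboot required for SCHANNEL to reload) ---'
    Get-SchannelProtocolState | Format-Table -AutoSize
}
```

Run it without arguments to see the inherited configuration; run it with `-Apply` to change it. Everything it reads or writes lives under `HKLM:\SYSTEM\...\SCHANNEL` or goes through the TLS module, which is exactly why an IIS-side search for "cipher settings" comes up empty.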

Having the OS manage TLS support instead of individual applications ensures uniformity. This approach guarantees that all applications on Windows have a consistent TLS implementation. Cipher strengths are set at the OS level, eliminating the need for individual configurations for each application. Hence, the cryptographic algorithms set in SCHANNEL are reflected in every HTTPS connection made by IIS. In essence, the web server adopts the TLS settings of the Windows OS.

To sum it up, IIS uses the SCHANNEL component in Windows for TLS connections. The cipher suite configurations are rooted in the OS, not IIS. As such, when you’re looking to configure secure protocols and ciphers for IIS, focus on the settings of the Windows operating system.