How to Secure IIS on Windows Server 2019 — Or: The Epic Quest for the Green Padlock

It was a Tuesday. The kind of Tuesday where everything seems fine until your client calls and whispers those fateful words: "The website shows 'Not Secure' in Chrome."
In that moment, you're not just a sysadmin anymore. You're Frodo, and the SSL certificate is your ring. Mount Doom? That's the IIS Manager. And Sauron? That's the SSL Labs test, watching your every cipher suite with its fiery eye of judgment.
But fear not, fellow traveler of the digital realm. I've walked this path before — barefoot, uphill, both ways, through a blizzard of deprecated TLS protocols. And today, I shall be your Gandalf.
What we're conquering today:
- Installing and binding an SSL certificate (without losing your sanity)
- HTTP to HTTPS redirect (because 2015 called and wants its unencrypted traffic back)
- Achieving that glorious A+ on SSL Labs (flex on your DevOps friends)
Grab your coffee. This is going to be fun.
Chapter 1: The Certificate Binding Saga
Prerequisites (The Boring But Necessary Part)
Before we embark on this adventure, make sure you have:
- Windows Server 2019 with IIS (obviously)
- Your SSL certificate as a .pfx file (certificate plus private key) together with its password
- Admin rights (with great power comes great PowerShell)
- Your domain actually pointing to the server (DNS propagation is not a myth, it just feels like one)
The Ritual of Certificate Import
Open IIS Manager. You can press Win + R, type inetmgr, and hit Enter like you're casting a spell. Because essentially, you are.
Click on your server name in the left panel — the one at the very top, looking all important. In the center panel, you'll see Server Certificates. Double-click it like it owes you money.
Now click Import in the Actions pane on the right. A dialog appears. This is where the magic happens:
| Field | What You Do |
|---|---|
| Certificate file | Browse to your .pfx file |
| Password | The one you definitely wrote down somewhere |
| Certificate Store | Select "Web Hosting" |
Click OK. If nothing explodes, congratulations — your certificate now lives on the server.
Binding: Where Certificate Meets Website
This is essentially the wedding ceremony between your certificate and your website. Romantic, I know.
- Expand Sites in the left panel
- Right-click your website → Edit Bindings...
- Click Add (we're adding HTTPS, not chaos)
- Configure as follows:
| Setting | Value | Why |
|---|---|---|
| Type | https | Because we're civilized |
| IP address | All Unassigned | Unless you're fancy |
| Port | 443 | The sacred port of SSL |
| Host name | yourdomain.com | Your actual domain, not literally this |
| SSL certificate | Pick yours from dropdown | The one we just imported |
| Require SNI | ✓ Check this | Multiple sites, one IP, no drama |
Click OK. Repeat for www.yourdomain.com if you're that kind of person.
At this point, https://yourdomain.com should load. No padlock yet? Clear your browser cache. Still nothing? We'll troubleshoot later. Moving on.
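The same Chapter 1 procedure as PowerShell, as an added example that is not part of the original post. It relies on the WebAdministration and PKI modules that ship with IIS on Windows Server 2019; the PFX path, the site name 'Default Web Site' and the host name yourdomain.com are placeholders to replace. It also adds two checks the GUI skips: that the PFX actually contained the private key, and that the chain builds, which is the usual cause of the "chain issues" finding in Chapter 3.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Placeholders to replace: $PfxPath, $SiteName, $HostName.
Import-Module WebAdministration   # IIS: drive, Get-/New-WebBinding
Import-Module PKI                 # Import-PfxCertificate, Test-Certificate

$PfxPath  = 'C:\certs\yourdomain.com.pfx'   # assumption
$SiteName = 'Default Web Site'              # assumption
$HostName = 'yourdomain.com'                # assumption

# 1. Import into the machine "Web Hosting" store (internal name WebHosting), the store the GUI dialog uses.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\WebHosting' `
                              -Password $pfxPassword

# 2. Checks the GUI does not make. A PFX exported without its key imports silently but cannot serve TLS;
#    a leaf whose chain does not build is the usual "chain issues" finding on SSL Labs.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX including the key."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew before binding it."
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    Write-Warning "Chain or name validation failed for $HostName; import the intermediate CA certs into Cert:\LocalMachine\CA."
}

# 3. The https binding with SNI required (SslFlags 1), the same as ticking "Require SNI" in the dialog.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $HostName -SslFlags 1
}

# 4. Marry certificate and binding. The second argument is the certificate store name.
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

# 5. Read back what HTTP.sys registered; this, not IIS Manager, is what clients actually hit.
netsh http show sslcert hostnameport="$($HostName):443"
```

Run it once per host name (so once more for www.yourdomain.com, pointing at the same certificate if it covers both names). If step 5 shows nothing for the host, the binding exists in IIS but HTTP.sys never got a certificate for it, which is exactly the "certificate not in dropdown" situation from the troubleshooting table.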
Chapter 2: The Great HTTP Redirect
Here's the thing: if someone types http://yourdomain.com, they should be teleported, instantly, magically, with a 301 permanent redirect, to https://.
Not doing this is like leaving your front door open and hoping burglars respect your privacy. They don't, and neither does Google's ranking algorithm. One caveat: the redirect only helps honest clients. The very first plain-HTTP request still leaves the browser unencrypted, and anyone sitting on that path can answer it instead of your server. Closing that gap is what HSTS in Chapter 3 is for.
Step 1: Install URL Rewrite Module
Microsoft, in their infinite wisdom, did not include this by default. Download it from:
👉 https://www.iis.net/downloads/microsoft/url-rewrite
Install it. Restart IIS. Sacrifice a coffee to the IT gods. Standard procedure.
Step 2: Create the Redirect Rule
Back in IIS Manager, select your website. Double-click URL Rewrite (it appeared after installation, like a feature unlocked in a video game).
Click Add Rule(s)... → Choose Blank rule → Hit OK.
Now configure this bad boy:
| Field | Value |
|---|---|
| Name | HTTP to HTTPS Redirect |
| Match URL - Pattern | (.*) |
| Conditions - Input | {HTTPS} |
| Conditions - Pattern | ^OFF$ |
| Action - Type | Redirect |
| Action - URL | https://{HTTP_HOST}/{R:1} |
| Redirect type | Permanent (301) |
Click Apply.
The Lazy Developer's Alternative
Don't want to click? Fine. Open your site's web.config and slap this inside <system.webServer>:
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
Save. Done. You're basically a wizard now.
Test it: Navigate to http://yourdomain.com. If you end up at https://, you've won this battle.
Chapter 3: The SSL Labs Gauntlet
This is the final boss. The moment of truth. The "are you really as secure as you think you are?" test.
Go to: https://www.ssllabs.com/ssltest/
Enter your domain. Wait 2-3 minutes while it judges your entire existence.
Target: Grade A (minimum) or A+ (for bragging rights)
Common Failures and Their Fixes
| What SSL Labs Says | What It Means | How to Fix It |
|---|---|---|
| Grade B: Legacy protocols | You're still supporting TLS 1.0/1.1 | Disable them (see below) |
| Grade B: Weak ciphers | You still offer RC4, 3DES, or suites without forward secrecy (static RSA key exchange) | Disable those suites and put ECDHE with AES-GCM first in the cipher order |
| Chain issues | Missing intermediate certificates | Import the full chain |
| No HSTS | The first HTTP request of every visit can still be intercepted or downgraded | Add the HSTS header (required for A+) |
Disabling TLS 1.0 and 1.1 (The Purge)
TLS 1.0 and 1.1 are deprecated. They're the Windows XP of encryption protocols. Time to let go.
PowerShell (as Admin):
# Disable TLS 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
# Disable TLS 1.1
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
Reboot the server. Yes, really. Schannel reads these keys at boot. Note that the keys above sit under Server, so they only change what IIS offers to clients; outbound connections from this box (the Client subkeys, used by SQL clients, web service calls and the like) are untouched, and .NET Framework applications that hard-code an older protocol need their own settings.
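An added audit script, not from the original post, to read back what Schannel will actually do after the reboot, plus the two things the registry lines above leave open: the cipher-suite list SSL Labs grades, and the .NET Framework switches for applications on this box that make outbound TLS calls. Nothing is assumed beyond a Windows Server 2019 host and an elevated PowerShell; the .NET values are the documented SystemDefaultTlsVersions and SchUseStrongCrypto keys.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit Schannel state and close the two gaps the
# registry lines above leave open. Run after the reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports what the registry says for each protocol and side. "Default" means no override key exists,
    # so Schannel uses the OS default; on Server 2019 that is on for TLS 1.0/1.1/1.2 (TLS 1.3 is not
    # available on Server 2019 at all; it arrived with Server 2022).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $schannel "$proto\$side"
            $state = 'Default'
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                # Either value switches the protocol off: Enabled=0 or DisabledByDefault=1.
                $off   = ($p.Enabled -eq 0) -or ($p.DisabledByDefault -eq 1)
                $state = if ($off) { 'Disabled' } else { 'Enabled' }
            }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

function Get-WeakCipherSuite {
    # The live Schannel cipher list (what SSL Labs sees). Flags the suites it grades WEAK or INSECURE:
    # RC4, 3DES/DES, NULL and export ciphers, and static-RSA key exchange (no forward secrecy).
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match 'RC4|3DES|DES_CBC|NULL|EXPORT' -or $_.Name -like 'TLS_RSA_WITH_*' } |
        Select-Object -ExpandProperty Name
}

function Set-DotNetStrongCrypto {
    # Applications on this box that call out over TLS through .NET Framework (SQL clients, webhooks,
    # payment gateways) otherwise keep their own protocol list, and old ones pick TLS 1.0.
    # With these documented keys set, .NET follows the OS defaults, i.e. the Schannel settings above.
    foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $fw) {
            New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report first, then act on the findings.
Get-SchannelProtocolState | Format-Table -AutoSize
$weak = Get-WeakCipherSuite
if ($weak) {
    "Weak cipher suites still enabled:`n  " + ($weak -join "`n  ")
    # Uncomment to remove them, then re-run Get-WeakCipherSuite to confirm:
    # $weak | ForEach-Object { Disable-TlsCipherSuite -Name $_ }
}
Set-DotNetStrongCrypto
```

Expect the TLS 1.0 and TLS 1.1 Server rows to read Disabled and the Client rows to read Default after the commands above. If Disable-TlsCipherSuite appears to have no effect, check whether the "SSL Cipher Suite Order" Group Policy is set on the machine; policy overrides the local list.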
Enabling HSTS (The A+ Flex)
HSTS tells browsers: once you have reached me over HTTPS, rewrite every future http:// link to https:// before sending it, and refuse to click through certificate errors. It's the restraining order of web security. Two caveats: browsers only honour the header when it arrives over HTTPS (IIS will also send it on the plain-HTTP response, which is harmless, since that response is just the redirect), and includeSubDomains means every subdomain, intranet ones included, must serve valid HTTPS for the next year or it stops loading. Only add preload if you intend to submit the domain to the browser preload list, because that is very hard to undo.
Add this to your web.config inside <system.webServer>:
<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
  </customHeaders>
</httpProtocol>
The "I Don't Want to Touch the Registry" Option
Download IIS Crypto from Nartac: https://www.nartac.com/Products/IISCrypto
- Run it
- Click Best Practices
- Click Apply
- Reboot
It's like a spa day for your server's security settings. Read the checkboxes before you hit Apply, though: the template changes both the Client and the Server columns, plus the cipher suite list, so a server that still has to talk TLS 1.0 to a legacy backend will lose that connection.
The Victory Lap: Final Checklist
After all that, verify:
- [ ] https://yourdomain.com loads without warnings
- [ ] http://yourdomain.com redirects to HTTPS
- [ ] SSL Labs shows Grade A or A+
- [ ] Tested in Chrome, Firefox, Edge, Safari (yes, all of them)
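An added verification script, not part of the original post, that checks the first three boxes from the outside, the way a browser or SSL Labs sees them: the 301, the HSTS header, and which TLS versions the server will and will not negotiate. It uses only .NET classes available in Windows PowerShell 5.1; $Domain is a placeholder for your host name. Run it from a client that still allows TLS 1.0 and 1.1 itself, otherwise a refused handshake may be the client's doing rather than the server's.

```powershell
# Added example (not from the original post): external checks for the first three checklist items.
# Assumption: $Domain is a placeholder for your host name.
$Domain = 'yourdomain.com'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # for Invoke-WebRequest on older 5.1 builds

function Test-HttpRedirect {
    param([string]$HostName)
    # Do not follow redirects: we want the raw 301 and its Location header, not the final page.
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()          # a 3xx does not throw when AllowAutoRedirect is off
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        [pscustomobject]@{
            Status   = $status
            Location = $location
            Ok       = ($status -eq 301) -and ($location -like "https://$HostName/*")
        }
    } finally { $resp.Close() }
}

function Test-HstsHeader {
    param([string]$HostName)
    # The header only counts when received over HTTPS, so fetch the https:// URL directly.
    $resp   = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing
    $hsts   = [string]$resp.Headers['Strict-Transport-Security']
    $maxAge = if ($hsts -match 'max-age=(\d+)') { [int64]$Matches[1] } else { 0 }
    [pscustomobject]@{
        Header = $hsts
        Ok     = $maxAge -ge 31536000   # one year; SSL Labs wants a long max-age before it awards A+
    }
}

function Test-TlsVersion {
    param([string]$HostName, [System.Security.Authentication.SslProtocols]$Protocol)
    # A raw handshake pinned to one protocol version. Certificate validation is switched off here
    # on purpose: this probe answers "will the server speak this version", nothing else.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            return $true
        } catch { return $false } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$P = [System.Security.Authentication.SslProtocols]
$checks = [ordered]@{
    'HTTP -> HTTPS is 301'   = (Test-HttpRedirect -HostName $Domain).Ok
    'HSTS max-age >= 1 year' = (Test-HstsHeader -HostName $Domain).Ok
    'TLS 1.0 refused'        = -not (Test-TlsVersion -HostName $Domain -Protocol $P::Tls)
    'TLS 1.1 refused'        = -not (Test-TlsVersion -HostName $Domain -Protocol $P::Tls11)
    'TLS 1.2 accepted'       = (Test-TlsVersion -HostName $Domain -Protocol $P::Tls12)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-24} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
```

Five PASS lines and the SSL Labs run is mostly a formality. A FAIL on the redirect line with Status 200 means the rewrite rule is not applied to that site; a FAIL on "TLS 1.2 accepted" right after the registry edits almost always means the reboot has not happened yet.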
Troubleshooting: When Things Go Wrong
Because they will. They always do.
| Problem | Solution |
|---|---|
| Certificate not in dropdown | Re-import the .pfx, check certificate store |
| Infinite redirect loop | Conflicting rules in web.config, or a load balancer/reverse proxy terminating TLS in front of IIS: then {HTTPS} is always OFF on the backend, so condition the rule on {HTTP_X_FORWARDED_PROTO} matching ^http$ instead |
| SSL Labs: Chain incomplete | Import intermediate CA certificates |
| Mixed content warnings | Update hardcoded http:// links in your code |

Epilogue
You did it. You secured your IIS server. The padlock is green. SSL Labs shows an A+. Your client is happy. Your DevOps colleagues are impressed (or at least less condescending).
Was it easy? No. Was it worth it? Absolutely.
Remember: in a world of data breaches and GDPR fines, proper SSL configuration isn't just best practice — it's survival.
Now go forth and encrypt all the things.
Lots of information, and thank you for your attention.
- cyberbrain.online\HASCii
P.S. — If this guide saved your Tuesday, consider buying me a coffee. My caffeine levels directly correlate with my willingness to write more guides.
Tags: #IIS #SSL #WindowsServer #HTTPS #Security #SysAdmin #Tutorial