Overview
By default, IIS leaves the older SSL 2.0 and SSL 3.0 protocols and older versions of TLS enabled for compatibility. MyWorkDrive has been engineered to support TLS 1.2. In cases where the MyWorkDrive server is directly exposed to the internet over HTTPS (not behind a security appliance or Cloudflare), we recommend disabling insecure and weak ciphers. Doing so is necessary to comply with security best practices, including PCI, HIPAA, FINRA, and GDPR.
While registry entries can be set manually, a free tool exists for this called IIS Crypto by Nartac Software.
To lock down your MyWorkDrive IIS SSL ciphers, download the tool and apply one of the templates – at a minimum, we suggest the Best Practices Template.
The PCI Template 3.1 provides the most complete protection; however, some software may still require TLS 1.0 or 1.1 communication (MyWorkDrive only requires TLS 1.2). One option is to apply the template settings to the server only by unchecking Set Client Side Protocols. This ensures only the “server” portions are locked down and any client software (e.g., backup software) continues to run.
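The server-only registry approach described above, sketched as an added PowerShell example (not MyWorkDrive's or Nartac's code, and not a copy of any IIS Crypto template). It covers protocol versions only, not cipher suites; the `-Apply` switch is a hypothetical name chosen here, and the protocol list assumes, as stated above, that only TLS 1.2 is required.

```powershell
# Audit (and optionally set) the server-side SCHANNEL protocol keys.
# Only the "Server" subkeys are touched, so client software on this machine
# (e.g., backup software) keeps its current protocol settings.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state: everything older than TLS 1.2 off, TLS 1.2 on.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($proto in $desired.Keys) {
    $key = "$base\$proto\Server"
    $on  = $desired[$proto]

    # A missing key or missing Enabled value means the OS default applies.
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $cur -or $null -eq $cur.Enabled) { $state = 'OS default' }
    elseif ($cur.Enabled -ne 0)                    { $state = 'enabled' }
    else                                           { $state = 'disabled' }

    if ($Apply) {
        # Requires an elevated session. Create the key only if it is absent
        # so that any other values already stored under it are preserved.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
            -Value ([int]$on) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $on)) -Force | Out-Null
    }

    [pscustomobject]@{
        Protocol = $proto
        Current  = $state
        Wanted   = if ($on) { 'enabled' } else { 'disabled' }
        Changed  = [bool]$Apply
    }
}
# The new values take effect after the server restart described in this article.
```

Run it without `-Apply` first to see which protocols currently fall back to the OS default before changing anything.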
After you have run the IIS Crypto tool, applied at least the Best Practices Template, and restarted your server, you may wish to verify that your server responds only to the more secure IIS SSL ciphers. A free SSL scanning tool is also built into the Nartac IIS Crypto software and gives you a rating on how secure your SSL connections are. Simply input your HTTPS web address and run the test. You should get a summary like this.