Is it possible to force TLS 1.2 on an IIS Site

I have an IIS site where I want to force TLS 1.2. I don't want client using TLS 1 to be able to connect to the site.

I want to do this at the site level as there are other sites that should work with older version.

Thank you


Solution 1:

There isn't a way to change only a single site on a server to support only TLS 1.2. IIS is managed using SCHANNEL, as documented here. 2012r2 and below does not support per site configuration.

If you absolutely have to do something like this the easiest method is a SSL proxy that allows the lower levels inbound and can create TLS 1.2 connections outbound.. This relay can be used for your lower level sites and your secure site can be accessed directly.

Solution 2:

Option 1: For IIS on Windows Server 2019 (with the latest updates), Microsoft added the ability to disable this on a per site certificate binding basis: https://docs.microsoft.com/en-us/security/disable-legacy-tls. In the "Site Bindings" for your site within IIS, select the "Disable Legacy TLS" option.

Option 2: You can also use IIS Crypto (free), which is a handy tool for setting system-wide SCHANNEL settings with best practices. It will work on most versions of Windows Server. This will affect IIS and all other client/server services running on the machine, but you can set separate TLS version support settings for client vs server.