After many hours of digging around the Windows registry and experimenting with various keys to enable TLS 1.2 on Windows Server 2008 R2 and Windows 7 (see my blog post here), I found this free tool that gives you one click access to configuring your Windows Cipher Suites. The Harden SSL/TLS tool is in beta, but worked great for me.
The tool lets you enable/disable protocols, hashes, key exchanges, and prioritize the cipher suites. One click exporting to registry files, and PCI DSS compliance. The author also has a few other tools and whitepaper as well.
The SSL hardening tool seems to make system changes in real time. My suggestion is to use a VM, take a snapshot, run the tool, export the registry settings, and then look at the registry file. Compare the registry file to the clean snapshot then decide what registry changes you want to push to production servers.
The tool is still in beta, and I had it lock up on me a few times. So using it to see what registry key changes you need to make manually is a pretty safe bet. Don’t run it on production systems!
I also found a web site that would let you query SSL enabled site, score them on security, and show the cipher suites they support. Great for checking out your bank or other secure sites you need to trust. My bank scored an 81, which was pretty good. Check out Qualsy SSL Labs.
