TLS Baseline Policy

Version: 1.0
Maintainer: Web Admin Team (in consultation with Security)
Last Updated: 2025-09-10
Applies To: All IIS servers hosting ColdFusion and .NET applications
Scope: Inbound (Server) and Outbound (Client) TLS settings via Schannel

Objective

Define a clear, enforceable baseline for TLS protocols, cipher suites, and related cryptographic settings on IIS/Schannel, applied with IIS Crypto or equivalent tooling (Group Policy, DSC, or direct registry management). The baseline aligns with the CIS Benchmarks and NIST SP 800-52 Rev. 2.

Server Protocols

Enabled

TLS 1.2
TLS 1.3

Disabled

SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1

Note: Only TLS 1.2 and TLS 1.3 may be enabled server-side. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 must be disabled; no server-side exceptions are permitted. TLS 1.3 in Schannel is available only on Windows Server 2022 and later, so on older builds TLS 1.2 is the only enabled server protocol.

Client Protocols

Enabled

TLS 1.2
TLS 1.3

Disabled

SSL 2.0
SSL 3.0
TLS 1.0 (exception only, see note)
TLS 1.1 (exception only, see note)

Note: TLS 1.0/1.1 may be enabled temporarily for outbound (client) connections to legacy third-party services that do not yet support TLS 1.2, and only until the client-side sunset date below. Must be documented in . The Schannel client setting governs outbound connections made by IIS and by .NET applications; ColdFusion's own outbound calls (for example cfhttp) use the JVM's TLS stack, which must be configured separately to the same baseline.
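The following PowerShell script is an added example, not part of this policy or of IIS Crypto. It audits the Schannel registry values that implement the Server and Client protocol baselines above and, with -Enforce, sets them. The Schannel protocol paths, the Enabled/DisabledByDefault values and the .NET Framework SchUseStrongCrypto/SystemDefaultTlsVersions values are the documented Windows locations; the parameter names (-Enforce, -AllowLegacyClient) and the output format are this example's own assumptions. Changes to Schannel take effect after a reboot.

```powershell
# Added example (not the policy's or IIS Crypto's code): audit and optionally
# enforce the Schannel protocol baseline. Registry paths are the documented
# Schannel / .NET Framework locations; switch names are this example's own.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Enforce,            # default is report-only
    [switch]$AllowLegacyClient   # approved exception: keep TLS 1.0/1.1 on client-side only
)

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per policy. $true => Enabled!=0 and DisabledByDefault=0,
# $false => Enabled=0 and DisabledByDefault=1. Server-side never gets an exception.
$Desired = [ordered]@{
    'SSL 2.0' = @{ Server = $false; Client = $false }
    'SSL 3.0' = @{ Server = $false; Client = $false }
    'TLS 1.0' = @{ Server = $false; Client = [bool]$AllowLegacyClient }
    'TLS 1.1' = @{ Server = $false; Client = [bool]$AllowLegacyClient }
    'TLS 1.2' = @{ Server = $true;  Client = $true }
    'TLS 1.3' = @{ Server = $true;  Client = $true }   # honoured only on Windows Server 2022 / Windows 11 and later
}

# .NET Framework 4.x applications only follow the OS protocol list when both values are 1.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Test-ProtocolState {
    # Compliant only if BOTH values exist and match. An absent key means
    # "OS default", which varies by build, so the baseline requires explicit values.
    param([string]$Path, [bool]$WantOn)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item -or $null -eq $item.Enabled -or $null -eq $item.DisabledByDefault) { return $false }
    if ($WantOn) { return ($item.Enabled -ne 0) -and ($item.DisabledByDefault -eq 0) }   # 1 or 0xffffffff both enable
    return ($item.Enabled -eq 0) -and ($item.DisabledByDefault -eq 1)
}

$findings = @()

foreach ($proto in $Desired.Keys) {
    foreach ($side in 'Server', 'Client') {
        $path   = Join-Path (Join-Path $ProtocolRoot $proto) $side
        $wantOn = $Desired[$proto][$side]
        $ok     = Test-ProtocolState -Path $path -WantOn $wantOn
        if (-not $ok -and $Enforce) {
            Set-RegDword $path 'Enabled'           $(if ($wantOn) { 1 } else { 0 })
            Set-RegDword $path 'DisabledByDefault' $(if ($wantOn) { 0 } else { 1 })
        }
        $findings += [pscustomobject]@{
            Item       = "$proto ($side)"
            Expected   = if ($wantOn) { 'Enabled' } else { 'Disabled' }
            Compliant  = $ok
            Remediated = (-not $ok) -and $Enforce
        }
    }
}

foreach ($key in $DotNetKeys) {
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $ok   = ($null -ne $item) -and ($item.$name -eq 1)
        if (-not $ok -and $Enforce) { Set-RegDword $key $name 1 }
        $findings += [pscustomobject]@{
            Item       = "$name ($key)"
            Expected   = '1'
            Compliant  = $ok
            Remediated = (-not $ok) -and $Enforce
        }
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object Remediated) {
    Write-Warning 'Schannel values were changed; reboot the server for them to take effect.'
}
# Non-zero exit lets a scheduler or configuration-management tool treat remaining drift as a failure.
if ($findings | Where-Object { -not $_.Compliant -and -not $_.Remediated }) { exit 1 }
```

Run it without switches from a scheduled task to report drift; run with -Enforce during a change window, adding -AllowLegacyClient only on hosts covered by an approved, documented client-side exception. Because TLS 1.0/1.1 are never enabled server-side even with the switch, the script cannot be used to reopen an inbound legacy protocol.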

Ciphers

Enabled

Disabled

Hashes

Enabled

Disabled

Key Exchanges

Enabled

Disabled

Sunset Dates

Component                              Target Date
TLS 1.0 / 1.1 (client-side only)       2025-12-31
CBC-mode cipher suites                 2025-10-31
RC4 / 3DES                             Disabled immediately

Discovery & Monitoring

Exceptions

All exceptions must be documented and approved by DISO / Security.

Enforcement

References