Require 128-Bit Secure Sockets Layer (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

You must first configure a Server Certificate and create an HTTPS binding to enable any SSL Settings. Require 128-bit Secure Sockets Layer (SSL) encryption when confidential or personal data is transmitted between a client and your server. Content encrypted by using 128-bit SSL encryption is more difficult to decrypt than content encrypted by using the minimum 40-bit encryption level, so that data transfers are better protected. Although greater encryption key strengths offer more security, they also require more server resources to implement.


If you require 128-bit encryption, clients must use Web browsers that support 128-bit encryption.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Secure Sockets Layer Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

To require 128-bit SSL

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click SSL Settings.

    Make sure that you are at the site, application, or directory level; SSL Settings are not available at the Server level. To configure 128-bit SSL at the file level, navigate to the file in Content View and then click Switch to Features View in the Actions pane.

  3. On the SSL Settings page, select Require SSL and then select Require 128-bit SSL.

  4. In the Actions pane, click Apply.

Command Line

To require 128-bit SSL, use the following syntax:

appcmd set config "site | URL"/section:access /sslFlags:Ssl,Ssl128 /commit:APPHOST

The variable site | URL is the site, application, virtual directory, or file where you want IIS to require 128-bit SSL. You can specify one or more of the values for the sslFlags attribute. If you want more than one value, separate each value with a comma (,). For example, to require 128-bit SSL on the Default Web Site, type the following at the command prompt, and then press ENTER:

appcmd set config "Default Web Site"/section:access /sslFlags:Ssl,Ssl128 /commit:APPHOST

To require 128-bit SSL for the file iisstart.htm on the Default Web Site, type the following at the command prompt, and then press ENTER:

appcmd set config "http://localhost/iisstart.htm"/section:access /sslFlags:Ssl,Ssl128 /commit:APPHOST


When you use Appcmd.exe to configure the access element at the site, application, virtual directory, or file level in IIS 7, you must specify /commit:APPHOST in the command so that configuration changes are made to ApplicationHost.config with an appropriate location tag.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:

<access> under <security> under <system.webServer>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • AccessSection.SSLFlags property (Ssl128 flag)

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring Secure Sockets Layer in IIS 7
Configuring Server Certificates in IIS 7