After revamping my Firefox cipher suite list (about:config, search for tls and then search for ssl) and adding Calomel SSL Validation, HTTPS Everywhere (from eff.org), CipherFox and HTTP Nowhere, I was fairly surprised to see the following.
The list is in order of importance:
This web server instance is not and never was vulnerable to Heartbleed, since it runs IIS 7 (and 7.5 and 8.0 aren't vulnerable and never were either). Good result!
I'd suggest disabling SSLv2 entirely. Qualys SSL Labs reports SSLv2 is available:
"This server supports SSL 2, which is obsolete and insecure. Grade set to F.
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 Yes
SSL 2 INSECURE Yes"
Qualys SSL Labs (link above) also reports a cipher suite list that seems pretty odd:
"The server does not support Forward Secrecy with the reference browsers."
Note that the cipher suite list does have two Forward Secrecy cipher suites, but they're in the middle; they do work properly if the client has TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA disabled, though, so simply moving them to the top would be nice.
At least the TLS_RSA_WITH_RC4_128_MD5 cipher suite should be removed - MD5 is broken. I'd remove all RC4 cipher suites at this time.
I would suggest having HTTPS coverage extended across the entire site, instead of just the login page.
See HTTPS Mixed Content: Still the Easiest Way to Break SSL
At the same time, you could then enable HSTS (even on IIS 7.0).
I might also suggest upgrading IIS versions to 7.5, 8.0, or 8.5 and enabling TLS 1.2 cipher suites.
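For readers who want to act on the four SChannel points above (disable SSLv2, drop RC4, move the forward-secrecy suites to the top, enable TLS 1.2), here is a PowerShell script that applies them through the registry keys SChannel reads. This is an added example, not part of the original answer and not anything the site's operator published. It assumes Windows Server 2008 R2 (IIS 7.5), where TLS 1.2 exists but is off by default and where the ECDHE suite names in the `Functions` value carry a `_P256`/`_P384` curve suffix; on a different Windows release the available suite names differ, so check them with `Get-TlsCipherSuite` (2012 R2 and later) or the SChannel documentation before pasting the list.

```powershell
# Added example (not from the original answer): harden SChannel on an IIS 7.x host.
# Run from an elevated PowerShell prompt. SChannel reads these keys at boot, so
# reboot (or at least restart the HTTP service) after running it, then re-test
# the site with Qualys SSL Labs.
# Assumption: Windows Server 2008 R2; suite names below are the ones that OS accepts.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Create the key if it is missing and (over)write a DWORD value under it.
function Set-Dword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Protocols. Enabled=0 plus DisabledByDefault=1 switches a protocol off for the
#    server side; Enabled=1 plus DisabledByDefault=0 switches it on.
Set-Dword "$schannel\Protocols\SSL 2.0\Server" 'Enabled'           0
Set-Dword "$schannel\Protocols\SSL 2.0\Server" 'DisabledByDefault' 1
# TLS 1.2 ships with Server 2008 R2 but is not enabled by default.
Set-Dword "$schannel\Protocols\TLS 1.2\Server" 'Enabled'           1
Set-Dword "$schannel\Protocols\TLS 1.2\Server" 'DisabledByDefault' 0

# 2. Ciphers: turn off every RC4 key length. The key names contain '/', which the
#    PowerShell registry provider treats as a path separator, so use the .NET API.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($name in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $k = $ciphers.CreateSubKey($name)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

# 3. Cipher suite order. This is the same setting Group Policy exposes as
#    "SSL Cipher Suite Order". ECDHE (forward secrecy) suites go first; RC4 and
#    MD5 suites are simply left out, so SChannel will not offer them at all.
#    The value is a single REG_SZ and is limited to 1023 characters.
$order = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',   # TLS 1.2 only
    'TLS_RSA_WITH_AES_128_CBC_SHA256',   # TLS 1.2 only
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
) -join ','
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name 'Functions' -Value $order -PropertyType String -Force | Out-Null

Write-Host 'SChannel settings written. Reboot, then re-run the SSL Labs test.'
```

Two caveats a practitioner would want: the `Functions` list is authoritative, so any suite you forget to include (for example 3DES for very old clients) stops being negotiable at all, and the suite names must match the OS exactly or SChannel silently ignores them. Also, the site-wide HTTPS redirect and the HSTS header the answer recommends are IIS site configuration (URL Rewrite or `web.config`), not SChannel, and are not covered by this script.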