Update WordPress on IIS prompts for ftp credentials

After installing WordPress on IIS you get prompted for ftp server and credentials when trying to upgrade WordPress. To fix this error just do the following steps.

In IIS manager

Just give read/write permission to “Authenticated users

  1. Go to Application pools and choose the one used by your WordPress Blog.
  2. Right Click and choose Advanced Settings…
  3. Change the Identity to LocalSystem
  4. Click OK to save changes.

Then on Sites,

  1. Choose your WordPress Blog from the sites list
  2. Right Click on it and click on Edit permissions
  3. Go to security tab and click on Edit… (Group or user names)
  4. Click on add and type “Authenticated users
  5. Click on Check Names to validate the username
  6. Click OK to save changes.

WordPress should update without prompting for ftp credentials.

You may have to enter this into the wp-config.php as well to work properly.

define('FS_METHOD', 'direct');

Exchange TLS & SSL Configuration to achieve an A rating from SSLLabs

My test Exchange Server with Exchange 2013 on Windows Server 2012 R2, I was able to achieve an A rating from SSLLabs by disabling SSL 3.0, removing RC4 ciphers, and enabling AEAD encryption . This is nearly as good as one can achieve at this time.

Disable support for SSL 3.0 on the server:

Remove RC4 Ciphers:

 

Ciphers available on Windows Server 2012 R2:

The following cipher suites supports AEAD encryption on Windows Server 2012 R2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

To enable the required encryption, download IISCrypto from Nartac software. I had to enable the following Ciphers:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Then move them to the top of the Ciphers list.

 

SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To fix it, you can increase the DHE key size to 2048 adding the registry key below:

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

Using this setting you will have a AEAD cipher that is not classified as “weak” and SSLLabs will give you an A Grade.