but I wondered: just how good an application is it?
Well, after some testing, it's pretty damn good.
I had some free credit at Azure, so I decided to spin up an IIS VM and run the Qualys SSL Labs test against it to see how it fares out of the box.
The test I ran was very simple: I spun up a Windows Server 2012 R2 box at Azure, installed IIS and connected to it over its IP address to do basic validation. I then set up a DNS record pointing at it and grabbed an SSL certificate from StartCom, and once everything was configured the default IIS page was available over SSL.
So, out of the box with SSL enabled, how does IIS fare according to Qualys?
Actually, not too badly:
It rated a "C", with the server flagged as vulnerable to POODLE (SSL 3.0 is still enabled by default on Windows Server 2012 R2).
Running the IIS Crypto tool and selecting "Best Practices" removed a whole list of ciphers and protocols. A reboot was required, which was slightly annoying but understandable, since the tool works by changing the SCHANNEL registry keys and those are only picked up by the system on a restart.
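To show what the "Best Practices" button is doing underneath, here is an added example (my own script, not code from the IIS Crypto tool or the original post) that applies the part of that template the post describes, turning SSL 2.0, SSL 3.0 and RC4 off, by writing the SCHANNEL registry keys directly and then reading them back. It assumes Windows Server 2012 R2 and an elevated PowerShell session; the list of protocols and ciphers it touches is my choice, not the tool's full template.

```powershell
# Added example, not code from IIS Crypto: disable SSL 2.0/3.0 and RC4 through the
# SCHANNEL registry keys, then audit what is actually set.
# Assumes Windows Server 2012 R2 and an elevated PowerShell session.

$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelPath "Protocols\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the version off outright; DisabledByDefault=1 also stops
        # applications that pass no explicit version list from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'RC4 128/128'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Cipher key names contain '/', which the PowerShell registry provider treats as
    # a path separator, so these subkeys are created through the .NET registry API,
    # which only recognises '\' as a separator.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    $cipher = $ciphers.CreateSubKey($Name)
    # Schannel expects 0xFFFFFFFF for an enabled cipher and 0 for a disabled one;
    # -1 written as a DWORD stores as 0xFFFFFFFF.
    $value = if ($Enabled) { -1 } else { 0 }
    $cipher.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $cipher.Close(); $ciphers.Close()
}

function Get-SchannelState {
    # Read back the registry so the change can be audited before rebooting.
    # 'default' means no key exists and Schannel's built-in default applies.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $SchannelPath "Protocols\$p\Server"
        $enabled = if (Test-Path $key) { (Get-ItemProperty $key).Enabled } else { 'default' }
        [pscustomobject]@{ Item = "$p (server)"; Enabled = $enabled }
    }
    foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$c")
        # GetValue returns the DWORD as Int32, so an enabled cipher shows as -1.
        $enabled = if ($key) { $key.GetValue('Enabled') } else { 'default' }
        [pscustomobject]@{ Item = $c; Enabled = $enabled }
    }
}

# Protocols: SSL 2.0 and 3.0 off, TLS 1.0 to 1.2 on. Whether to drop TLS 1.0 as well
# depends on your clients; this script leaves it on (my assumption, not a recommendation).
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }
# Ciphers: every RC4 variant off.
'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128' |
    ForEach-Object { Set-SchannelCipher -Name $_ -Enabled $false }

Get-SchannelState | Format-Table -AutoSize
Write-Warning 'Schannel only picks these keys up on restart: reboot before re-testing with SSL Labs.'
```

Two things worth knowing before using this in anger: the settings are machine-wide, so they affect every site on the box and every outbound TLS connection the server makes (the Client subkeys), and the function disables the client side too, so after a reboot this box can no longer talk SSL 3.0 to anything, including itself when you try to verify the change locally.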
A quick test on Qualys again and we get a nice 'A' rating:
An 'A' is good, but it's not the 'A+' I'd have liked to see. Unfortunately I didn't have the time to do any further testing, but a quick Google turned up an article from Scott Helme about adding the Strict-Transport-Security (HSTS) header in IIS, which I'd like to have tried but wasn't able to. I suspect that Scott is spot on here and this will get a coveted A+ from Qualys.
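As an added example of the HSTS step (my own script, not code from the original post or from Scott Helme's article), the following adds the Strict-Transport-Security header to one IIS site through the WebAdministration module and then fetches the site to confirm the header is actually sent. It assumes the site is 'Default Web Site' and that the URL you pass to `Test-HstsHeader` resolves to it over HTTPS; the six-month `max-age` is there because SSL Labs at the time only awarded A+ to HSTS policies with a long duration.

```powershell
# Added example, not from the original post or Scott Helme's article: set the HSTS
# header on an IIS site and verify it over HTTPS. Assumes IIS with the
# WebAdministration module and a site named 'Default Web Site'.
Import-Module WebAdministration

function Set-HstsHeader {
    param(
        [string]$Site   = 'Default Web Site',
        [int]   $MaxAge = 15768000     # six months, the long-duration floor SSL Labs looked for
    )
    $psPath = "IIS:\Sites\$Site"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    $name   = 'Strict-Transport-Security'
    # Remove any existing copy first so the function can be re-run without
    # IIS rejecting a duplicate <add name=...> entry.
    if (Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='$name']") {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -AtElement @{ name = $name }
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = $name; value = "max-age=$MaxAge" }
}

function Test-HstsHeader {
    param([Parameter(Mandatory)][string]$Url)   # e.g. 'https://www.example.com/' (assumed)
    $response = $null
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0
    } catch {
        # A redirect or error status still carries response headers; read them
        # from the exception when Invoke-WebRequest refuses to follow.
        $response = $_.Exception.Response
    }
    if ($null -eq $response) { throw "No response from $Url" }
    $hsts = $response.Headers['Strict-Transport-Security']
    [pscustomobject]@{
        Url    = $Url
        Header = $hsts
        MaxAge = if ($hsts -match 'max-age=(\d+)') { [int]$Matches[1] } else { $null }
        # Browsers only honour HSTS received over HTTPS (RFC 6797); a copy sent
        # over plain HTTP is ignored but shows the header is not scoped to HTTPS.
        SentOverHttps = $Url -like 'https://*' -and $null -ne $hsts
    }
}

Set-HstsHeader
Test-HstsHeader -Url 'https://www.example.com/'   # assumed hostname; replace with your own
Test-HstsHeader -Url 'http://www.example.com/'    # expect the same header here too, see note
```

The caveat with `customHeaders` is that IIS attaches the header to every response from that site, including ones served over the HTTP binding if the site has one. That is harmless, because clients discard HSTS received over plain HTTP, but the cleaner pattern is to keep HTTP in a separate site that only redirects to HTTPS, or to emit the header from a URL Rewrite outbound rule conditioned on `{HTTPS}` being `on`, which is the approach Scott Helme's article takes.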
This is all very straightforward for a single IIS site, but if you have multiple sites on the same server you need to test each and every one: the SCHANNEL change from IIS Crypto is machine-wide, but SSL Labs grades per hostname, and each site brings its own certificate and binding. DROWN is the other reason to look beyond the one site you happen to be testing: a server is exposed if any service sharing its private key still accepts SSL 2.0, whether that is another site on the same box or a completely different host. Add in allowing SSL 2 or 3, RC4 as a cipher, and still using SHA-1 certificates, and you get...
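To make the "test every site" point concrete, here is an added example (my own script, not code from the original post) that walks every HTTPS binding on the server and attempts a handshake against each hostname with each protocol version in turn, so a site that was missed by a manual check still shows up. It assumes the WebAdministration module and .NET 4.5, whose SslStream sends the hostname as SNI, so each site's own binding and certificate are exercised. The probe must run from a machine other than the hardened server, because the Schannel client settings set by IIS Crypto will refuse SSL 3.0 before the server is ever asked; SSL 2.0 cannot be probed this way at all, so DROWN needs a dedicated checker.

```powershell
# Added example, not code from the original post: list every HTTPS binding on an IIS
# server and probe each hostname for SSL 3.0 / TLS 1.0 / 1.1 / 1.2 support.
# Run Get-HttpsTargets on the server; run Get-ProtocolReport from another machine.

function Get-HttpsTargets {
    # One target per HTTPS binding. Bindings without a host header are addressed
    # by the machine name, which assumes the certificate is issued for it.
    Import-Module WebAdministration
    foreach ($b in Get-WebBinding -Protocol https) {
        $ip, $port, $hostHeader = $b.bindingInformation -split ':'   # ip:port:hostheader
        [pscustomobject]@{
            HostName = if ($hostHeader) { $hostHeader } else { $env:COMPUTERNAME }
            Port     = [int]$port
        }
    }
}

function Test-SslProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: the question is whether the server offers this
        # version, not whether the chain is trusted by the probing machine.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Restrict the handshake to exactly one version so the answer is unambiguous.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $ssl.Close()
        return $true
    } catch {
        return $false   # handshake refused, or the client side itself cannot speak it
    } finally {
        $client.Close()
    }
}

function Get-ProtocolReport {
    param([Parameter(Mandatory)][object[]]$Targets)   # objects with HostName and Port
    $versions = [ordered]@{
        'SSL 3.0' = [System.Security.Authentication.SslProtocols]::Ssl3
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
    }
    foreach ($t in $Targets) {
        $row = [ordered]@{ HostName = $t.HostName; Port = $t.Port }
        foreach ($v in $versions.Keys) {
            $row[$v] = Test-SslProtocol -HostName $t.HostName -Port $t.Port -Protocol $versions[$v]
        }
        [pscustomobject]$row   # True under 'SSL 3.0' means that site is still POODLE-exposed
    }
}

# On the server: $targets = Get-HttpsTargets; then copy the list to a client machine.
# Constructed example target for a stand-alone run (hostname assumed, not from the post):
$targets = @([pscustomobject]@{ HostName = 'www.example.com'; Port = 443 })
Get-ProtocolReport -Targets $targets | Format-Table -AutoSize
```

A `False` under TLS 1.2 from a machine that you know can speak it is as interesting as a `True` under SSL 3.0: the former usually means the probe is hitting a binding whose certificate or hostname does not match what you expected, which is exactly the kind of forgotten site that drags a server down to an 'F'.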
Avoid the 'F' grading! Look after your protocols no matter where the web server is hosted.