Hardening IIS server guide

By Keren Pollack, on April 2nd, 2019

IIS server- Microsoft’s Windows web server is one of the most used web server platforms on the internet. Hardening your IIS server is basic and essential for preventing cyber-attacks and data thefts. Some of the most common and harmful breaches happen by using IIS server protocols, such as SMB and TLS/SSL. Relying on the IIS default configurations, as arrives from manufacture is not recommended. Default configurations often target functionality rather than security, thereby relying on them will leave your IIS server vulnerable and convenient and easy target for attackers.

The Center for Internet Security (CIS) Benchmarks are considered the gold standard when it comes to hardening guidelines. The CIS IIS 10 Benchmark conducts all of the configuration settings recommended to achieve a secured IIS server. CIS IIS 10 Benchmark is a long 140 pages file. Configuration settings are divided into 7 groups: 1. Basic configurations. 2. Authentication and Authorization configurations. 3. ASP.NET configurations recommendations. 4. Request Filtering and Other Restriction Modules. 5. IIS Logging recommendations. 6. FTP Requests. 7. Transport Encryption.

How to Automate IIS Hardening with PowerShell

The table below contains the status of the configuration required to achieve a hardened IIS server. The table contains the configuration, its security ranking, the level that needs to be configured (application / operating system), and links to guides and further information on the configuration change.

	Configuration	Ranking	Level	Guides
Basic Configurations	Ensure web content is on a non-system partition	L1	App	IIS7: Moving the INETPUB directory to a different drive
	Ensure ‘host headers’ are on all sites	L1	App	Configure a Host Header for a web site (IIS7) SSL Host Headers in IIS7
	Ensure ‘directory browsing’ is set to disable	L1	App	Enable or disable directory browsing in IIS7
	Ensure ‘Application pool identity’ is configured for all application pools	L1	App	Specify an Identity for an Application Pool (IIS 7) Application pool identities
	Ensure ‘unique application pools’ is set for sites	L1	App	Managing application pools in IIS7 Application pool identities
	Ensure ‘application pool identity’ is configured for anonymous user identity	L1	App	Application Pool identity as Anonymous user Application pool identities
	Ensure WebDav feature is disabled	L1	App
Configure Authentication and Authorization	Ensure ‘global authorization rule’ is set to restrict access.	L1	App	Understanding IIS7 URL authorization
	Ensure access to sensitive site features is restricted to authenticated principals only	L1	App	Authentication Forms authentication in ASP.NET 2.0 Configuring authentication in IIS 7
	Ensure ‘forms authentication’ requires SSL	L1	App	Enable forms authentication (IIS7)
	Ensure ‘forms authentication’ is set to use cookies	L2	App	Configure the cookie mode for forms authentication
	Ensure ‘cookie protection mode’ is configured for forms authentication	L1	App	Configure the cookie protection mode for form authentication (IIS7)
	Ensure transport layer security for ‘basic authentication’ is configured	L1	App	IIS: Use SSL when you use basic authentication
	Ensure ‘passwordFormat’ is not set to clear	L1	App	Management authentication credentials <credentials> What’s new in .NET framework
	Ensure ‘credentials’ are not stored in configuration files	L2	App	Add elements for credentials for authentication (IIS settings schema) Management authentication credentials
ASP.NET Configuration Recommendations	Ensure ‘deployment method retail’ is set	L1	App	Deployment element (ASP.NET setting schema)
	Ensure ‘debug’ is turned off	L2	App	Edit compilation settings (IIS7)
	Ensure custom error messages are not off	L2	App	Edit ASP.NET error pages settings dialog box
	Ensure IIS HTTP detailed errors are hidden from displaying remotely	L1	App	IIS: Hide custom errors from displaying remotely
	Ensure ASP.NET stack tracing is not enabled	L2	App	How to: Enable tracing for an ASP.NET page How to: Enable tracing for an ASP.NET application
	Ensure ‘httpcookie’ mode is configured for session state	L2	App	Planning step 2: plan ASP.NET settings
	Ensure ‘cookies’ are set with HttpOnly attribute	L1	App	HttpOnly Mitigating cross- site scripting with HttpOnly cookies
	Ensure ‘MachineKey validation method – .Net 3.5’ is configured	L2	App	Generate a machine key (IIS7) Select a machine key encryption method (IIS7)
	Ensure ‘MachineKey validation method – .Net 4.5’ is configured	L1	App	IIS 8 ASP.NET configuration management
	Ensure global .NET trust level is configured	L1	App	Configuring .NET trust levels in IIS7 TrustLevel class (IIS7 and higher)
	Ensure X-Powered-By Header is removed	L2	App	Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps
	Ensure Server Header is removed	L2	App	Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps
Request Filtering and other Restriction Modules	Ensure ‘maxAllowedContentLength’ is configured	L2	App	Request limits Use request filtering
	Ensure ‘maxURL request filter’ is configured	L2	App	Request limits Use request filtering
	Ensure ‘MaxQueryString request filter’ is configured	L2	App	Request limits Use request filtering
	Ensure non-ASCII characters in URLs are not allowed	L2	App	Use request filtering UrlScan 1 reference
	Ensure Double-Encoded requests will be rejected	L1	App	Request limits Use request filtering
	Ensure ‘HTTP Trace Method’ is disabled	L1	App	Verbs <verbs> Web servers enable HTTP TRACE method by default
	Ensure Unlisted File Extensions are not allowed	L1	App	Configure request filtering in IIS Request limits
	Ensure Handler is not granted Write and Script/Execute	L1	App	IIS: Grant a handler execute/script of write permissions, but not both AccessFlags
	Ensure ‘notListedIsapisAllowed’ is set to false	L1	App	IIS: The configuration attribute ‘notListedIsapisAllowed’ should be false
	Ensure ‘notListedCgisAllowed’ is set to false	L1	App	IIS: The configuration attribute ‘notListedCgisAllowed’ should be false
	Ensure ‘Dynamic IP Address Restrictions’ is enabled	L1	App	IIS 8.0 dynamic IP address restrictions
IIS Logging Recommendations	Ensure Default IIS weblog location is moved	L1	App	Logging features requirements (IIS 7)
	Ensure Advanced IIS logging is enabled	L1	App	Enhanced logging for IIS 8.5
	Ensure ‘ETW Logging’ is enabled	L1	App	Logging to event tracing for windows in IIS 8.5 Common questions for ETW and Windows even log
FTP Requests	Ensure FTP requests are encrypted	L1	App	Using FTP over SSL in IIS 7
	Ensure FTP Logon attempt restrictions is enabled	L1	App	IIS 8.0 FTP logon attempt restrictions
Transport Encryption	Ensure HSTS Header is set	L2	App	IIS 8.0 FTP logon attempt restrictions
	Ensure SSLv2 is Disabled	L1	OS/ App	Testing for SSL-TLS
	Ensure SSLv3 is Disabled	L1	OS/ App	Testing for SSL-TLS
	Ensure TLS 1.0 is Disabled	L1	OS/ App	Cipher suits in TLS/SSL Supported cipher suites and protocols in the Schannel SSP
	Ensure TLS 1.1 is Disabled	L1	OS/ App	Cipher suits in TLS/SSL Supported cipher suites and protocols in the Schannel SSP
	Ensure TLS 1.2 is Enabled	L1	OS/ APP	Cipher suits in TLS/SSL Supported cipher suites and protocols in the Schannel SSP
	Ensure NULL Cipher Suites is Disabled	L1	App	Cipher suits in TLS/SSL Supported cipher suites and protocols in the Schannel SSP
	Ensure DES Cipher Suites is Disabled	L1	App
	Ensure RC4 Cipher Suites is Disabled	L1	App
	Ensure AES 128/128 Cipher Suite is Disabled	L1	App
	Ensure AES 256/256 Cipher Suite is Enabled	L1	App
	Ensure TLS Cipher Suite Ordering is Configured	L2	App

IIS hardening: 6 configurations changes to harden IIS 10 web server

Using this table as a checklist will ensure your IIS server is hardened, but easier said than done. Dependency complexity is every IT ops nightmare. To achieve server compliance, a deep understanding of the dependencies in the system is required. Every change in one of the values in the table may lead to outages of your production environment. Lab testing required for every small change done in the system. CHS by CalCom offers a way to save you the trouble. Our server hardening automated tool will learn the dependencies and give you a full report about the consequences of every configuration change. After you’ll decide your best course of action, CHS will enforce your policy on the entire production environment, without causing outages.

Facebook

Twitter

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Request Demo

Basic Configurations

Configure Authentication and Authorization

ASP.NET Configuration Recommendations

Request Filtering and other Restriction Modules

IIS Logging Recommendations

FTP Requests

Transport Encryption

HQ

US OFFICE

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 14 hours	No description
drift_campaign_refresh	30 minutes	No description
fpestid	1 year	No description
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Learn how our tools can help you with hardening