IIS server, Microsoft’s Windows web server, is one of the most widely used web server platforms on the internet. Hardening your IIS server is a basic and essential step in preventing cyber-attacks and data theft. Some of the most common and harmful breaches exploit protocols used by the IIS server, such as SMB and TLS/SSL. Relying on the IIS default configuration as it arrives from the manufacturer is not recommended. Default configurations usually target functionality rather than security, so relying on them will leave your IIS server vulnerable and a convenient, easy target for attackers.
The Center for Internet Security (CIS) Benchmarks are considered the gold standard for hardening guidelines. The CIS IIS 10 Benchmark collects all of the configuration settings recommended to achieve a secured IIS server. The CIS IIS 10 Benchmark is a long document of about 140 pages. Its configuration settings are divided into 7 groups:
1. Basic configurations.
2. Authentication and Authorization configurations.
3. ASP.NET configuration recommendations.
4. Request Filtering and Other Restriction Modules.
5. IIS Logging recommendations.
6. FTP Requests.
7. Transport Encryption.
The table below lists the configurations required to achieve a hardened IIS server. For each configuration it gives the security ranking (the CIS profile level, L1 or L2), the level at which it needs to be configured (application / operating system), and links to guides and further information on the configuration change.
| Configuration | Ranking | Level | Guides |
|---|---|---|---|
| Basic Configurations | | | |
| Ensure web content is on a non-system partition | L1 | App | IIS7: Moving the INETPUB directory to a different drive |
| Ensure ‘host headers’ are on all sites | L1 | App | Configure a Host Header for a web site (IIS7) |
| Ensure ‘directory browsing’ is set to disabled | L1 | App | Enable or disable directory browsing in IIS7 |
| Ensure ‘Application pool identity’ is configured for all application pools | L1 | App | Specify an Identity for an Application Pool (IIS 7) |
| Ensure ‘unique application pools’ is set for sites | L1 | App | Managing application pools in IIS7 |
| Ensure ‘application pool identity’ is configured for anonymous user identity | L1 | App | Application Pool identity as Anonymous user |
| Ensure WebDAV feature is disabled | L1 | App | |
| Configure Authentication and Authorization | | | |
| Ensure ‘global authorization rule’ is set to restrict access | L1 | App | Understanding IIS7 URL authorization |
| Ensure access to sensitive site features is restricted to authenticated principals only | L1 | App | Authentication; Forms authentication in ASP.NET 2.0 |
| Ensure ‘forms authentication’ requires SSL | L1 | App | Enable forms authentication (IIS7) |
| Ensure ‘forms authentication’ is set to use cookies | L2 | App | Configure the cookie mode for forms authentication |
| Ensure ‘cookie protection mode’ is configured for forms authentication | L1 | App | Configure the cookie protection mode for forms authentication (IIS7) |
| Ensure transport layer security for ‘basic authentication’ is configured | L1 | App | IIS: Use SSL when you use basic authentication |
| Ensure ‘passwordFormat’ is not set to clear | L1 | App | Management authentication credentials `<credentials>` |
| Ensure ‘credentials’ are not stored in configuration files | L2 | App | Add elements for credentials for authentication (IIS settings schema) |
| ASP.NET Configuration Recommendations | | | |
| Ensure ‘deployment method retail’ is set | L1 | App | Deployment element (ASP.NET settings schema) |
| Ensure ‘debug’ is turned off | L2 | App | Edit compilation settings (IIS7) |
| Ensure custom error messages are not off | L2 | App | |
| Ensure IIS HTTP detailed errors are hidden from displaying remotely | L1 | App | |
| Ensure ASP.NET stack tracing is not enabled | L2 | App | How to: Enable tracing for an ASP.NET page |
| Ensure ‘httpcookie’ mode is configured for session state | L2 | App | Planning step 2: plan ASP.NET settings |
| Ensure ‘cookies’ are set with HttpOnly attribute | L1 | App | HttpOnly |
| Ensure ‘MachineKey validation method – .NET 3.5’ is configured | L2 | App | Generate a machine key (IIS7) |
| Ensure ‘MachineKey validation method – .NET 4.5’ is configured | L1 | App | IIS 8 ASP.NET configuration management |
| Ensure global .NET trust level is configured | L1 | App | Configuring .NET trust levels in IIS7 |
| Ensure X-Powered-By header is removed | L2 | App | Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps |
| Ensure Server header is removed | L2 | App | Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps |
| Request Filtering and Other Restriction Modules | | | |
| Ensure ‘maxAllowedContentLength’ is configured | L2 | App | Request limits |
| Ensure ‘maxURL request filter’ is configured | L2 | App | Request limits |
| Ensure ‘MaxQueryString request filter’ is configured | L2 | App | Request limits |
| Ensure non-ASCII characters in URLs are not allowed | L2 | App | Use request filtering |
| Ensure double-encoded requests will be rejected | L1 | App | Request limits |
| Ensure ‘HTTP TRACE method’ is disabled | L1 | App | Verbs `<verbs>` |
| Ensure unlisted file extensions are not allowed | L1 | App | Configure request filtering in IIS |
| Ensure a handler is not granted both Write and Script/Execute | L1 | App | IIS: Grant a handler execute/script or write permissions, but not both |
| Ensure ‘notListedIsapisAllowed’ is set to false | L1 | App | IIS: The configuration attribute ‘notListedIsapisAllowed’ should be false |
| Ensure ‘notListedCgisAllowed’ is set to false | L1 | App | IIS: The configuration attribute ‘notListedCgisAllowed’ should be false |
| Ensure ‘Dynamic IP Address Restrictions’ is enabled | L1 | App | IIS 8.0 dynamic IP address restrictions |
| IIS Logging Recommendations | | | |
| Ensure the default IIS web log location is moved | L1 | App | Logging features requirements (IIS 7) |
| Ensure advanced IIS logging is enabled | L1 | App | Enhanced logging for IIS 8.5 |
| Ensure ‘ETW Logging’ is enabled | L1 | App | Logging to Event Tracing for Windows in IIS 8.5 |
| FTP Requests | | | |
| Ensure FTP requests are encrypted | L1 | App | Using FTP over SSL in IIS 7 |
| Ensure FTP logon attempt restrictions are enabled | L1 | App | IIS 8.0 FTP logon attempt restrictions |
| Transport Encryption | | | |
| Ensure HSTS header is set | L2 | App | IIS 8.0 FTP logon attempt restrictions |
| Ensure SSLv2 is disabled | L1 | OS/App | Testing for SSL-TLS |
| Ensure SSLv3 is disabled | L1 | OS/App | Testing for SSL-TLS |
| Ensure TLS 1.0 is disabled | L1 | OS/App | Cipher suites in TLS/SSL |
| Ensure TLS 1.1 is disabled | L1 | OS/App | Cipher suites in TLS/SSL |
| Ensure TLS 1.2 is enabled | L1 | OS/App | Cipher suites in TLS/SSL |
| Ensure NULL cipher suites are disabled | L1 | App | Cipher suites in TLS/SSL |
| Ensure DES cipher suites are disabled | L1 | App | |
| Ensure RC4 cipher suites are disabled | L1 | App | |
| Ensure the AES 128/128 cipher suite is disabled | L1 | App | |
| Ensure the AES 256/256 cipher suite is enabled | L1 | App | |
| Ensure TLS cipher suite ordering is configured | L2 | App | |
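As an added example that is not part of the original article, the CIS Benchmark or CalCom's tooling, the following Python script audits a site's web.config against the application-level items from the table that are expressed in web.config: directory browsing, debug and error-page settings, stack tracing, cookie flags, forms authentication, request filtering limits, double-encoded and non-ASCII URLs, unlisted extensions, the HTTP TRACE verb, and the X-Powered-By and Server headers. The two embedded web.config samples are constructed, the request-limit thresholds are assumptions that follow the IIS defaults, and a missing element is evaluated as the IIS/ASP.NET default for that setting. OS-level items such as the SSL/TLS protocol and cipher settings live in the Schannel registry keys rather than in web.config and are outside this script's scope.

```python
# Added example (not from the page, CIS or CalCom): audit a web.config against
# a subset of the checklist items. The sample configs are constructed; the
# request-limit thresholds are assumptions that follow the IIS defaults.
import xml.etree.ElementTree as ET

# Constructed sample: a site-level web.config with weak settings left in place.
WEAK_WEB_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="true" /> <customErrors mode="Off" /> <trace enabled="true" />
    <httpCookies httpOnlyCookies="false" /> <sessionState cookieless="UseUri" />
    <authentication mode="Forms">
      <forms requireSSL="false" cookieless="UseUri" protection="None" />
    </authentication>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" /> <httpErrors errorMode="Detailed" />
    <security>
      <requestFiltering allowDoubleEscaping="true" allowHighBitCharacters="true">
        <requestLimits maxAllowedContentLength="300000000" maxUrl="8192" maxQueryString="4096" />
        <fileExtensions allowUnlisted="true" /> <verbs allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: the same site after applying the checklist items.
HARDENED_WEB_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="false" /> <customErrors mode="RemoteOnly" /> <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" /> <sessionState cookieless="UseCookies" />
    <authentication mode="Forms">
      <forms requireSSL="true" cookieless="UseCookies" protection="All" />
    </authentication>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" /> <httpErrors errorMode="DetailedLocalOnly" />
    <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
    <security>
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false" removeServerHeader="true">
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
        <fileExtensions allowUnlisted="false" />
        <verbs allowUnlisted="false"><add verb="TRACE" allowed="false" /></verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _attr(root, path, name, default):
    """Attribute `name` of the first element at `path`, or the assumed IIS default."""
    el = root.find(path)
    return default if el is None else el.get(name, default)


def _true(value):
    return str(value).lower() == "true"


def audit_web_config(xml_text, max_content=30_000_000, max_url=4096, max_query=2048):
    """Return the checklist items this web.config fails (an empty list means all pass)."""
    root = ET.fromstring(xml_text.strip())
    rf = "system.webServer/security/requestFiltering"
    limits = rf + "/requestLimits"
    checks = [
        ("directory browsing disabled", not _true(_attr(root, "system.webServer/directoryBrowse", "enabled", "false"))),
        ("debug turned off", not _true(_attr(root, "system.web/compilation", "debug", "false"))),
        ("custom errors not Off", _attr(root, "system.web/customErrors", "mode", "RemoteOnly") != "Off"),
        ("detailed errors hidden remotely", _attr(root, "system.webServer/httpErrors", "errorMode", "DetailedLocalOnly") != "Detailed"),
        ("stack tracing disabled", not _true(_attr(root, "system.web/trace", "enabled", "false"))),
        ("session state uses cookies", _attr(root, "system.web/sessionState", "cookieless", "UseCookies") in ("UseCookies", "false")),
        ("cookies HttpOnly", _true(_attr(root, "system.web/httpCookies", "httpOnlyCookies", "false"))),
        ("maxAllowedContentLength within limit", int(_attr(root, limits, "maxAllowedContentLength", max_content)) <= max_content),
        ("maxUrl within limit", int(_attr(root, limits, "maxUrl", max_url)) <= max_url),
        ("maxQueryString within limit", int(_attr(root, limits, "maxQueryString", max_query)) <= max_query),
        ("non-ASCII URL characters rejected", not _true(_attr(root, rf, "allowHighBitCharacters", "true"))),
        ("double-encoded requests rejected", not _true(_attr(root, rf, "allowDoubleEscaping", "false"))),
        ("unlisted file extensions rejected", not _true(_attr(root, rf + "/fileExtensions", "allowUnlisted", "true"))),
        # TRACE is denied only by an explicit <add verb="TRACE" allowed="false" /> entry.
        ("HTTP TRACE denied", any(v.get("verb", "").upper() == "TRACE" and not _true(v.get("allowed", "true"))
                                 for v in root.findall(rf + "/verbs/add"))),
        ("X-Powered-By header removed", "X-Powered-By" in
         {r.get("name") for r in root.findall("system.webServer/httpProtocol/customHeaders/remove")}),
        ("Server header removed", _true(_attr(root, rf, "removeServerHeader", "false"))),
    ]
    # Forms-authentication items only apply when the site actually uses forms auth.
    if _attr(root, "system.web/authentication", "mode", "Windows") == "Forms":
        forms = "system.web/authentication/forms"
        checks += [
            ("forms auth requires SSL", _true(_attr(root, forms, "requireSSL", "false"))),
            ("forms auth uses cookies", _attr(root, forms, "cookieless", "UseDeviceProfile") == "UseCookies"),
            ("forms auth cookie protection All", _attr(root, forms, "protection", "All") == "All"),
        ]
    return [title for title, ok in checks if not ok]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, "fails:", audit_web_config(cfg))
```

To audit a real site, pass the contents of its web.config to `audit_web_config`; settings inherited from applicationHost.config are not visible to this script, so an item reported as failing should be confirmed with the IIS configuration tools before it is changed. The hardened sample also shows the shape of each setting; note that the `removeServerHeader` attribute on `requestFiltering` is available on IIS 10.0 version 1709 and later only.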
IIS hardening: 6 configuration changes to harden IIS 10 web server
Using this table as a checklist will ensure your IIS server is hardened, but that is easier said than done. Dependency complexity is every IT ops team's nightmare. To achieve server compliance, a deep understanding of the dependencies in the system is required. Every change to one of the values in the table may lead to outages in your production environment, so lab testing is required for every small change made to the system. CHS by CalCom offers a way to save you the trouble. Our automated server hardening tool learns the dependencies and gives you a full report on the consequences of every configuration change. After you decide on your best course of action, CHS enforces your policy across the entire production environment without causing outages.