Hardening IIS server guide

By Keren Pollack, on April 2nd, 2019

IIS (Internet Information Services), Microsoft's Windows web server, is one of the most widely used web server platforms on the internet. Hardening your IIS server is a basic and essential step in preventing cyber-attacks and data theft. Some of the most common and damaging breaches are carried out through protocols exposed by an IIS server, such as SMB and TLS/SSL. Relying on the IIS default configuration, as it ships from the vendor, is not recommended: default configurations are built for functionality rather than security, so relying on them leaves your IIS server vulnerable and an easy, convenient target for attackers.

The Center for Internet Security (CIS) Benchmarks are considered the gold standard for hardening guidelines. The CIS IIS 10 Benchmark collects all of the configuration settings recommended to achieve a secured IIS server; it is a long document of some 140 pages. Its configuration settings are divided into 7 groups:

1. Basic configurations.
2. Authentication and Authorization configurations.
3. ASP.NET configuration recommendations.
4. Request Filtering and Other Restriction Modules.
5. IIS Logging recommendations.
6. FTP Requests.
7. Transport Encryption.


The table below lists the configuration settings required to achieve a hardened IIS server. For each setting it gives the CIS ranking (L1 or L2), the level at which it is configured (application or operating system), and the guides and further reading on how to make the configuration change.

| Configuration | Ranking | Level | Guides |
|---|---|---|---|
| Basic Configurations | | | |
| Ensure web content is on a non-system partition | L1 | App | IIS7: Moving the INETPUB directory to a different drive |
| Ensure 'host headers' are on all sites | L1 | App | Configure a Host Header for a web site (IIS7); SSL Host Headers in IIS7 |
| Ensure 'directory browsing' is set to disable | L1 | App | Enable or disable directory browsing in IIS7 |
| Ensure 'Application pool identity' is configured for all application pools | L1 | App | Specify an Identity for an Application Pool (IIS 7); Application pool identities |
| Ensure 'unique application pools' is set for sites | L1 | App | Managing application pools in IIS7; Application pool identities |
| Ensure 'application pool identity' is configured for anonymous user identity | L1 | App | Application Pool identity as Anonymous user; Application pool identities |
| Ensure WebDAV feature is disabled | L1 | App | |
| Configure Authentication and Authorization | | | |
| Ensure 'global authorization rule' is set to restrict access | L1 | App | Understanding IIS7 URL authorization |
| Ensure access to sensitive site features is restricted to authenticated principals only | L1 | App | Authentication; Forms authentication in ASP.NET 2.0; Configuring authentication in IIS 7 |
| Ensure 'forms authentication' requires SSL | L1 | App | Enable forms authentication (IIS7) |
| Ensure 'forms authentication' is set to use cookies | L2 | App | Configure the cookie mode for forms authentication |
| Ensure 'cookie protection mode' is configured for forms authentication | L1 | App | Configure the cookie protection mode for forms authentication (IIS7) |
| Ensure transport layer security for 'basic authentication' is configured | L1 | App | IIS: Use SSL when you use basic authentication |
| Ensure 'passwordFormat' is not set to clear | L1 | App | Management authentication credentials; What's new in .NET Framework |
| Ensure 'credentials' are not stored in configuration files | L2 | App | Add elements for credentials for authentication (IIS settings schema); Management authentication credentials |
| ASP.NET Configuration Recommendations | | | |
| Ensure 'deployment method retail' is set | L1 | App | Deployment element (ASP.NET settings schema) |
| Ensure 'debug' is turned off | L2 | App | Edit compilation settings (IIS7) |
| Ensure custom error messages are not off | L2 | App | Edit ASP.NET error pages settings dialog box |
| Ensure IIS HTTP detailed errors are hidden from displaying remotely | L1 | App | IIS: Hide custom errors from displaying remotely |
| Ensure ASP.NET stack tracing is not enabled | L2 | App | How to: Enable tracing for an ASP.NET page; How to: Enable tracing for an ASP.NET application |
| Ensure 'httpcookie' mode is configured for session state | L2 | App | Planning step 2: plan ASP.NET settings |
| Ensure 'cookies' are set with HttpOnly attribute | L1 | App | HttpOnly; Mitigating cross-site scripting with HttpOnly cookies |
| Ensure 'MachineKey validation method - .Net 3.5' is configured | L2 | App | Generate a machine key (IIS7); Select a machine key encryption method (IIS7) |
| Ensure 'MachineKey validation method - .Net 4.5' is configured | L1 | App | IIS 8 ASP.NET configuration management |
| Ensure global .NET trust level is configured | L1 | App | Configuring .NET trust levels in IIS7; TrustLevel class (IIS7 and higher) |
| Ensure X-Powered-By Header is removed | L2 | App | Remove 'Server' and 'X-Powered-By' headers from your Azure mobile apps |
| Ensure Server Header is removed | L2 | App | Remove 'Server' and 'X-Powered-By' headers from your Azure mobile apps |
| Request Filtering and Other Restriction Modules | | | |
| Ensure 'maxAllowedContentLength' is configured | L2 | App | Request limits; Use request filtering |
| Ensure 'maxURL request filter' is configured | L2 | App | Request limits; Use request filtering |
| Ensure 'MaxQueryString request filter' is configured | L2 | App | Request limits; Use request filtering |
| Ensure non-ASCII characters in URLs are not allowed | L2 | App | Use request filtering; UrlScan 1 reference |
| Ensure double-encoded requests will be rejected | L1 | App | Use request filtering |
| Ensure 'HTTP Trace Method' is disabled | L1 | App | Verbs; Web servers enable HTTP TRACE method by default |
| Ensure unlisted file extensions are not allowed | L1 | App | Configure request filtering in IIS; Request limits |
| Ensure Handler is not granted Write and Script/Execute | L1 | App | IIS: Grant a handler execute/script or write permissions, but not both; AccessFlags |
| Ensure 'notListedIsapisAllowed' is set to false | L1 | App | IIS: The configuration attribute 'notListedIsapisAllowed' should be false |
| Ensure 'notListedCgisAllowed' is set to false | L1 | App | IIS: The configuration attribute 'notListedCgisAllowed' should be false |
| Ensure 'Dynamic IP Address Restrictions' is enabled | L1 | App | IIS 8.0 dynamic IP address restrictions |
| IIS Logging Recommendations | | | |
| Ensure default IIS web log location is moved | L1 | App | Logging features requirements (IIS 7) |
| Ensure Advanced IIS logging is enabled | L1 | App | Enhanced logging for IIS 8.5 |
| Ensure 'ETW Logging' is enabled | L1 | App | Logging to Event Tracing for Windows in IIS 8.5; Common questions for ETW and Windows event log |
| FTP Requests | | | |
| Ensure FTP requests are encrypted | L1 | App | Using FTP over SSL in IIS 7 |
| Ensure FTP logon attempt restrictions is enabled | L1 | App | IIS 8.0 FTP logon attempt restrictions |
| Transport Encryption | | | |
| Ensure HSTS Header is set | L2 | App | IIS 8.0 FTP logon attempt restrictions |
| Ensure SSLv2 is disabled | L1 | OS/App | Testing for SSL-TLS |
| Ensure SSLv3 is disabled | L1 | OS/App | Testing for SSL-TLS |
| Ensure TLS 1.0 is disabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Ensure TLS 1.0 is disabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Ensure TLS 1.2 is enabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Ensure NULL cipher suites are disabled | L1 | App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Ensure DES cipher suites are disabled | L1 | App | |
| Ensure RC4 cipher suites are disabled | L1 | App | |
| Ensure AES 128/128 cipher suite is disabled | L1 | App | |
| Ensure AES 256/256 cipher suite is enabled | L1 | App | |
| Ensure TLS cipher suite ordering is configured | L2 | App | |
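As an added example (not from the original article and not part of CalCom's CHS), the PowerShell script below audits a dozen of the table's settings on a local IIS 10 host and reports Pass/FAIL without changing anything. It assumes the WebAdministration module and local administrator rights, and treats a 30,000,000-byte request body ceiling (the IIS default) as the organisation's policy value for 'maxAllowedContentLength'.

```powershell
# Added audit script (not from the article or CalCom's CHS): checks a dozen of the
# table's settings on the local IIS 10 host and reports Pass/FAIL. Read-only.
Import-Module WebAdministration

# Read one attribute from applicationHost.config at the server (APPHOST) level
function Get-IisAttr {
    param([string]$Filter, [string]$Name)
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter -Name $Name).Value
}

# Schannel protocol and cipher state lives under the SCHANNEL registry key. The .NET API is
# used because cipher key names such as 'RC4 128/128' contain '/', which the HKLM:\ provider
# would treat as a path separator. $null means "not configured", i.e. the Windows default applies.
function Get-SchannelEnabled {
    param([string]$SubKey)
    $base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base + $SubKey)
    if ($null -eq $key) { return $null }
    try { $key.GetValue('Enabled') } finally { $key.Close() }
}

$maxBody = 30000000   # assumed policy ceiling for request bodies in bytes (IIS default); adjust to your own
$checks = @(
  @{ Item = "'directory browsing' is set to disable"
     Test = { -not (Get-IisAttr '/system.webServer/directoryBrowse' 'enabled') } }
  @{ Item = "'maxAllowedContentLength' is configured (<= $maxBody)"
     Test = { (Get-IisAttr '/system.webServer/security/requestFiltering/requestLimits' 'maxAllowedContentLength') -le $maxBody } }
  @{ Item = "non-ASCII characters in URLs are not allowed"
     Test = { -not (Get-IisAttr '/system.webServer/security/requestFiltering' 'allowHighBitCharacters') } }
  @{ Item = "double-encoded requests will be rejected"
     Test = { -not (Get-IisAttr '/system.webServer/security/requestFiltering' 'allowDoubleEscaping') } }
  @{ Item = "unlisted file extensions are not allowed"
     Test = { -not (Get-IisAttr '/system.webServer/security/requestFiltering/fileExtensions' 'allowUnlisted') } }
  @{ Item = "'notListedIsapisAllowed' is set to false"
     Test = { -not (Get-IisAttr '/system.webServer/security/isapiCgiRestriction' 'notListedIsapisAllowed') } }
  @{ Item = "'notListedCgisAllowed' is set to false"
     Test = { -not (Get-IisAttr '/system.webServer/security/isapiCgiRestriction' 'notListedCgisAllowed') } }
  @{ Item = "X-Powered-By Header is removed"   # server-level customHeaders entry must be absent
     Test = { -not (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "/system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']") } }
  @{ Item = "SSLv3 is disabled";  Test = { (Get-SchannelEnabled 'Protocols\SSL 3.0\Server') -eq 0 } }   # unset key counts as FAIL
  @{ Item = "TLS 1.0 is disabled"; Test = { (Get-SchannelEnabled 'Protocols\TLS 1.0\Server') -eq 0 } }
  @{ Item = "TLS 1.2 is enabled";  Test = { (Get-SchannelEnabled 'Protocols\TLS 1.2\Server') -ne 0 } }   # unset key = enabled by default
  @{ Item = "RC4 cipher suites are disabled"; Test = { (Get-SchannelEnabled 'Ciphers\RC4 128/128') -eq 0 } }
)

# Evaluate every check; an exception (missing module, no admin rights) is reported as FAIL
$checks | ForEach-Object {
    $ok = try { [bool](& $_.Test) } catch { $false }
    [pscustomobject]@{ Status = $(if ($ok) { 'Pass' } else { 'FAIL' }); Setting = "Ensure $($_.Item)" }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS host; site-level overrides in web.config are not inspected, so a Pass at the server level should still be confirmed per site.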


Using this table as a checklist will get your IIS server hardened, but that is easier said than done. Dependency complexity is every IT operations team's nightmare: achieving server compliance requires a deep understanding of the dependencies in the system, every change to one of the values in the table may cause an outage in your production environment, and lab testing is required for every small change made to the system. CHS by CalCom offers a way to save you that trouble. Our automated server hardening tool learns the dependencies and gives you a full report on the consequences of every configuration change. Once you have decided on your best course of action, CHS enforces your policy across the entire production environment without causing outages.