The CIS IIS 10 Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft Internet Information Services (IIS) version 10.

The IIS benchmark is divided into two levels of security controls: Level 1 provides a set of fundamental security measures that can be implemented with little or no impact on service availability. Level 2 provides additional security measures for environments or use cases where security is paramount.


PowerShell scripts have been developed to verify and remediate the CIS IIS Security Benchmark recommendations, covering both the audit and the remediation procedures.

This article will explore the Recommendation Definitions, IIS Profile Levels, and PowerShell Audit procedures for each setting within the CIS Benchmark for Microsoft IIS. This information will empower you to confidently verify your system’s compliance with these recommendations.


In this article we will discuss the Center for Internet Security Benchmarks that IIS servers should adhere to:

  1. Overview of Recommendation Definitions
  2. Understanding the IIS CIS Benchmark Levels
  3. 7 Recommendations for IIS 10 Servers Audit using PowerShell
  4. CIS Benchmarks for IIS 7, IIS 8 and IIS 9


Overview of Recommendation Definitions


The most recent IIS CIS Benchmark, v1.2.0 (updated November 2022), defines the components that make up a CIS recommendation, where relevant or applicable.

Below are the components for IIS security settings as defined by IIS CIS Benchmark v1.2.0:


Title: a concise description of the recommendation’s intended configuration.

Assessment Status: indicates whether the given recommendation can be automated or requires manual steps to implement.

Automated: recommendations for which assessment of a technical control can be fully automated and validated to a pass/fail state.

Manual: recommendations for which assessment of a technical control cannot be fully automated and requires all or some manual steps to validate that the configured state is set as expected. The expected state can vary depending on the environment.

Profile: a collection of recommendations for securing a technology or a supporting platform. Most benchmarks include at least a Level 1 and a Level 2 Profile. Level 2 extends Level 1 and is not a standalone profile. The Profile Definitions section of the benchmark provides the definitions as they pertain to the recommendations included for the technology.

Description: detailed information about the setting with which the recommendation is concerned.

Rationale Statement: explains why the recommendation matters, giving the user a clear and concise understanding of its importance.

Impact Statement: any security, functionality, or operational consequences that can result from following the recommendation.

Audit Procedure: systematic instructions for determining whether the target system complies with the recommendation.

Remediation Procedure: systematic instructions for applying the recommendation to the target system to bring it into compliance.

Default Value: the default value of the setting covered by the recommendation, if known. If it is not known, the value is listed as either not configured or not defined.

References: additional documentation relevant to the recommendation.


Understanding the IIS CIS Benchmark Levels


The Levels or Configuration Profiles are outlined in the IIS security benchmark as:

  • Level 1 – IIS 10

Items in this profile apply to Microsoft IIS 10 running on Microsoft Windows Server 2016 and intend to:

    ◦ be practical and prudent;
    ◦ provide a clear security benefit; and
    ◦ not inhibit the utility of the technology beyond acceptable means.

  • Level 2 – IIS 10

This profile extends the “Level 1 – IIS 10” profile. Items in this profile apply to Microsoft IIS 10.0 running on Microsoft Windows Server 2016 and exhibit one or more of the following characteristics:

    ◦ are intended for environments or use cases where security is paramount;
    ◦ act as a defense in depth measure;
    ◦ may negatively inhibit the utility or performance of the technology.


7 Recommendations for IIS 10 Servers Audit using PowerShell


1. Basic Configuration Benchmark Audit using PowerShell

1.1 (L1) Ensure ‘Web content’ is on non-system partition (Manual)

Get-Website | Format-List Name, PhysicalPath

1.2 (L1) Ensure ‘Host headers’ are on all sites (Automated)

Get-WebBinding -Port * | Format-List bindingInformation

1.3 (L1) Ensure ‘Directory browsing’ is set to Disabled (Automated)

Get-WebConfigurationProperty -Filter system.webServer/directoryBrowse -PSPath 'IIS:\' -Name Enabled | Select-Object Value

1.4 (L1) Ensure ‘application pool identity’ is configured for all application pools (Automated)

Get-ChildItem -Path 'IIS:\AppPools\' | Select-Object name, state, <# @{e={$_.processModel.password};l='password'}, #> @{e={$_.processModel.identityType};l='identityType'}

1.5 (L1) Ensure ‘unique application pools’ is set for sites (Automated)

Get-Website | Select-Object Name, applicationPool

1.6 (L1) Ensure ‘application pool identity’ is configured for anonymous user identity (Automated)

Get-WebConfiguration system.webServer/security/authentication/anonymousAuthentication -Recurse | Where-Object {$_.enabled -eq $true} | Format-List location

1.7 (L1) Ensure ‘WebDav’ feature is disabled (Automated)

# Remediation command from the benchmark: removes the WebDAV Publishing role service
Uninstall-WindowsFeature Web-DAV-Publishing
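
The commands above list the settings but leave the comparison to the reader. The following script, added here as an example and not taken from the CIS benchmark or the original article, evaluates 1.2 to 1.5 in one pass and returns only the bindings, pools and sites that miss the recommended state; it assumes the WebAdministration module is available and treats a binding with an empty host-name field as a finding.

```powershell
# Added audit helper; it is not part of the CIS benchmark or the original article.
# Evaluates recommendations 1.2 (host headers), 1.3 (directory browsing),
# 1.4 (application pool identity) and 1.5 (unique application pools) and emits
# one object per finding, so an empty result means those four checks passed.
Import-Module WebAdministration

function New-Finding([string]$Rule, [string]$Object, [string]$Detail) {
    [pscustomobject]@{ Rule = $Rule; Object = $Object; Detail = $Detail }
}

function Test-IisBasicConfig {
    $sites = Get-Website

    # 1.2: bindingInformation is "IP:port:hostname"; an empty third field means
    # the site answers for any Host header on that IP and port.
    foreach ($site in $sites) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -notin @('http', 'https')) { continue }
            $hostHeader = ($b.bindingInformation -split ':')[2]
            if ([string]::IsNullOrWhiteSpace($hostHeader)) {
                New-Finding '1.2' $site.name "binding '$($b.bindingInformation)' has no host header"
            }
        }
    }

    # 1.3: directory browsing must be disabled at the server level.
    $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
    # Boolean attributes come back wrapped in a ConfigurationAttribute; unwrap .Value when present.
    $dirBrowse = if ($null -ne $prop -and $prop.PSObject.Properties['Value']) { $prop.Value } else { $prop }
    if ($dirBrowse -eq $true) {
        New-Finding '1.3' 'IIS:\' 'directory browsing is enabled'
    }

    # 1.4: each pool should run under the built-in ApplicationPoolIdentity.
    foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $identity = [string]$pool.processModel.identityType
        if ($identity -ne 'ApplicationPoolIdentity') {
            New-Finding '1.4' $pool.name "identityType is '$identity'"
        }
    }

    # 1.5: a pool shared by several sites removes the isolation between them,
    # so flag any application pool that appears more than once.
    $sites | Group-Object -Property applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Finding '1.5' $_.Name ('shared by sites: ' + ($_.Group.name -join ', '))
    }
}

$findings = @(Test-IisBasicConfig)
if ($findings.Count -eq 0) { 'No findings for 1.2-1.5' } else { $findings | Format-Table -AutoSize }
```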


2. Configuration Authentication and Authorization Benchmark Audit using PowerShell

2.1 (L1) Ensure ‘global authorization rule’ is set to restrict access (Manual)

Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/security/authorization'

2.2 (L1) Ensure access to sensitive site features is restricted to authenticated principals only (Manual)

Get-WebConfiguration system.webServer/security/authentication/* -Recurse | Where-Object {$_.enabled -eq $true} | Format-Table

2.3 (L1) Ensure ‘forms authentication’ require SSL (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -Filter 'system.web/authentication/forms' -Name 'requireSSL' | Format-Table Name, Value

2.4 (L2) Ensure ‘forms authentication’ is set to use cookies (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -Filter 'system.web/authentication/forms' -Recurse -Name 'cookieless'

2.5 (L1) Ensure ‘cookie protection mode’ is configured for forms authentication (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/authentication/forms' -Name 'protection'

2.6 (L1) Ensure transport layer security for ‘basic authentication’ is configured (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location '<website name>' -Filter 'system.webServer/security/access' -Name 'sslFlags'

2.7 (L1) Ensure ‘passwordFormat’ is not set to clear (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/authentication/forms/credentials' -Name 'passwordFormat'

2.8 (L2) Ensure ‘credentials’ are not stored in configuration files (Manual)

[Configuration details for this specific benchmark are not correct in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3. ASP.NET Configuration Benchmark Audit using PowerShell

3.1 (L1) Ensure ‘deployment method retail’ is set (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

3.2 (L2) Ensure ‘debug’ is turned off (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/compilation' -Name 'debug' | Format-List Name, Value

3.3 (L2) Ensure custom error messages are not off (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/customErrors' -Name 'mode'

3.4 (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.webServer/httpErrors' -Name 'errorMode'

3.5 (L2) Ensure ASP.NET stack tracing is not enabled (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/trace' -Name 'enabled' | Format-List Name, Value

3.6 (L2) Ensure ‘httpcookie’ mode is configured for session state (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/<website name>' -Filter 'system.web/sessionState' -Name 'mode'

3.7 (L1) Ensure ‘cookies’ are set with HttpOnly attribute (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

3.8 (L2) Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

3.9 (L1) Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

3.10 (L1) Ensure global .NET trust level is configured (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/trust' -Name 'level'

3.11 (L2) Ensure X-Powered-By Header is removed (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

3.12 (L2) Ensure Server Header is removed (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader'

 

4. Request Filtering and other Restriction Modules Benchmark Audit using PowerShell

4.1 (L2) Ensure ‘maxAllowedContentLength’ is configured (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name 'maxAllowedContentLength'

4.2 (L2) Ensure ‘maxURL request filter’ is configured (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name 'maxUrl'

4.3 (L2) Ensure ‘MaxQueryString request filter’ is configured (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name 'maxQueryString'

4.4 (L2) Ensure non-ASCII characters in URLs are not allowed (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering' -Name 'allowHighBitCharacters'

4.5 (L1) Ensure Double-Encoded requests will be rejected (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping'

4.6 (L1) Ensure ‘HTTP Trace Method’ is disabled (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

4.7 (L1) Ensure Unlisted File Extensions are not allowed (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/fileExtensions' -Name 'allowUnlisted'

4.8 (L1) Ensure Handler is not granted Write and Script/Execute (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/handlers' -Name 'accessPolicy'

4.9 (L1) Ensure ‘notListedIsapisAllowed’ is set to false (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/isapiCgiRestriction' -Name 'notListedIsapisAllowed'

4.10 (L1) Ensure ‘notListedCgisAllowed’ is set to false (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/isapiCgiRestriction' -Name 'notListedCgisAllowed'

4.11 (L1) Ensure ‘Dynamic IP Address Restrictions’ is enabled (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests' -Name 'enabled'

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests' -Name 'maxConcurrentRequests'
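
As an added example (not from the benchmark or the article), the following table-driven script evaluates the request filtering and ISAPI/CGI values from 4.1 to 4.5, 4.7, 4.9 and 4.10 at the server level and reports PASS, FAIL or NOT SET for each; the expected values assume the CIS IIS 10 Benchmark v1.2.0 limits (maxAllowedContentLength at most 30000000, maxUrl at most 4096, maxQueryString at most 2048, and false for the boolean switches), so change the table if local policy differs.

```powershell
# Added audit helper; it is not part of the CIS benchmark or the original article.
# Table-driven check for the request filtering and ISAPI/CGI settings queried in
# 4.1-4.5, 4.7, 4.9 and 4.10, evaluated at MACHINE/WEBROOT/APPHOST. Expected
# values are taken from CIS IIS 10 Benchmark v1.2.0 (assumed upper bounds for the
# size limits, false for the boolean switches); adjust the table to local policy.
Import-Module WebAdministration

$requestLimits = 'system.webServer/security/requestFiltering/requestLimits'
$filtering     = 'system.webServer/security/requestFiltering'
$isapiCgi      = 'system.webServer/security/isapiCgiRestriction'

$checks = @(
    @{ Rule = '4.1';  Filter = $requestLimits; Name = 'maxAllowedContentLength'; Op = 'le'; Expected = 30000000 },
    @{ Rule = '4.2';  Filter = $requestLimits; Name = 'maxUrl';                  Op = 'le'; Expected = 4096 },
    @{ Rule = '4.3';  Filter = $requestLimits; Name = 'maxQueryString';          Op = 'le'; Expected = 2048 },
    @{ Rule = '4.4';  Filter = $filtering;     Name = 'allowHighBitCharacters';  Op = 'eq'; Expected = $false },
    @{ Rule = '4.5';  Filter = $filtering;     Name = 'allowDoubleEscaping';     Op = 'eq'; Expected = $false },
    @{ Rule = '4.7';  Filter = "$filtering/fileExtensions"; Name = 'allowUnlisted'; Op = 'eq'; Expected = $false },
    @{ Rule = '4.9';  Filter = $isapiCgi;      Name = 'notListedIsapisAllowed';  Op = 'eq'; Expected = $false },
    @{ Rule = '4.10'; Filter = $isapiCgi;      Name = 'notListedCgisAllowed';    Op = 'eq'; Expected = $false }
)

function Test-IisRequestFiltering([string]$PSPath = 'MACHINE/WEBROOT/APPHOST') {
    foreach ($c in $checks) {
        $prop = Get-WebConfigurationProperty -PSPath $PSPath -Filter $c.Filter -Name $c.Name -ErrorAction SilentlyContinue
        # Boolean attributes come back wrapped in a ConfigurationAttribute; unwrap .Value when present.
        $actual = if ($null -ne $prop -and $prop.PSObject.Properties['Value']) { $prop.Value } else { $prop }
        if ($null -eq $actual) {
            # Section or attribute missing: the benchmark wants an explicit value, so do not assume a default.
            $status = 'NOT SET'
        } elseif ($c.Op -eq 'le') {
            $status = if ([int64]$actual -le [int64]$c.Expected) { 'PASS' } else { 'FAIL' }
        } else {
            $status = if ([bool]$actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
        [pscustomobject]@{ Rule = $c.Rule; Setting = $c.Name; Actual = $actual; Expected = $c.Expected; Status = $status }
    }
}

Test-IisRequestFiltering | Format-Table -AutoSize
```

Passing a site path such as 'MACHINE/WEBROOT/APPHOST/Default Web Site' to Test-IisRequestFiltering shows whether a site overrides the server-level values.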

 

5. IIS Logging Recommendation Benchmark Audit using PowerShell

5.1 (L1) Ensure Default IIS web log location is moved (Automated)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.applicationHost/sites/siteDefaults/logFile' -Name 'directory'

 

5.2 (L1) Ensure Advanced IIS logging is enabled (Automated)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

5.3 (L1) Ensure ‘ETW Logging’ is enabled (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

6. FTP Request Benchmark Audit using PowerShell

6.1 (L1) Ensure FTP requests are encrypted (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl' -Name 'controlChannelPolicy'

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl' -Name 'dataChannelPolicy'

6.2 (L1) Ensure FTP Logon attempt restrictions is enabled (Manual)

Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/security/authentication/denyByFailure' -Name 'enabled'

 

7. Transport Encryption Benchmark Audit using PowerShell

7.1 (L2) Ensure HSTS Header is set (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

7.2 (L1) Ensure SSLv2 is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault'

7.3 (L1) Ensure SSLv3 is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault'

7.4 (L1) Ensure TLS 1.0 is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault'

7.5 (L1) Ensure TLS 1.1 is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault'

7.6 (L1) Ensure TLS 1.2 is Enabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault'

7.7 (L1) Ensure NULL Cipher Suites is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Name 'Enabled'

7.8 (L1) Ensure DES Cipher Suites is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -Name 'Enabled'

7.9 (L1) Ensure RC4 Cipher Suites is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -Name 'Enabled'

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -Name 'Enabled'

7.10 (L1) Ensure AES 128/128 Cipher Suite is Disabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128' -Name 'Enabled'

7.11 (L1) Ensure AES 256/256 Cipher Suite is Enabled (Automated)

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -Name 'Enabled'

Note that for 7.8 to 7.11 the PowerShell registry provider treats the forward slash in key names such as ‘RC4 128/128’ as a path separator, so these commands can report the key as missing even though it exists; if that happens, read the value through the .NET Registry class instead.

7.12 (L2) Ensure TLS Cipher Suite ordering is Configured (Automated)

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions'
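
Added example, not part of the benchmark or the original article: the script below walks the SCHANNEL protocol keys from 7.2 to 7.6 and compares each Enabled and DisabledByDefault value with the expected state (disabled for SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 on both Server and Client; enabled for TLS 1.2 on Server), reporting a missing key or value as NOT SET since the benchmark expects explicit values rather than the OS default.

```powershell
# Added audit helper; it is not part of the CIS benchmark or the original article.
# Evaluates the SCHANNEL registry values queried in 7.2-7.6 against the expected
# state: SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 disabled for Server and Client;
# TLS 1.2 enabled for Server. A missing key or value is reported as NOT SET.
$schannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected DWORD values per protocol and side (Enabled / DisabledByDefault).
$expected = @(
    @{ Protocol = 'SSL 2.0'; Sides = @('Server', 'Client'); Enabled = 0; DisabledByDefault = 1 },
    @{ Protocol = 'SSL 3.0'; Sides = @('Server', 'Client'); Enabled = 0; DisabledByDefault = 1 },
    @{ Protocol = 'TLS 1.0'; Sides = @('Server', 'Client'); Enabled = 0; DisabledByDefault = 1 },
    @{ Protocol = 'TLS 1.1'; Sides = @('Server', 'Client'); Enabled = 0; DisabledByDefault = 1 },
    @{ Protocol = 'TLS 1.2'; Sides = @('Server');           Enabled = 1; DisabledByDefault = 0 }
)

function Get-RegistryDword([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SchannelProtocols {
    foreach ($e in $expected) {
        foreach ($side in $e.Sides) {
            $key = Join-Path $schannelProtocols "$($e.Protocol)\$side"
            foreach ($valueName in 'Enabled', 'DisabledByDefault') {
                $actual = Get-RegistryDword $key $valueName
                $want = $e[$valueName]
                # Enabled is often written as 0xFFFFFFFF, which Get-ItemProperty reads as -1;
                # normalise any non-zero DWORD to 1 before comparing with the expected value.
                if ($null -eq $actual) {
                    $status = 'NOT SET'
                } elseif ([int]($actual -ne 0) -eq $want) {
                    $status = 'PASS'
                } else {
                    $status = 'FAIL'
                }
                [pscustomobject]@{ Protocol = $e.Protocol; Side = $side; Value = $valueName
                                   Actual = $actual; Expected = $want; Status = $status }
            }
        }
    }
}

Test-SchannelProtocols | Format-Table -AutoSize
```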


CIS Benchmarks for IIS 7, IIS 8 and IIS 9

IIS 10.0 is included with Windows Server 2022 and uses a process model similar to that of IIS 8.5 and IIS 7.0. A kernel-mode web driver (http.sys) receives and routes HTTP requests and serves requests from its response cache. However, IIS 10.0 has new features that are not available in IIS 7, IIS 8 or IIS 9.

CIS Hardened Images are pre-configured, secured system images designed to minimize security risk. Using hardened images and aligning web server configurations with benchmarks such as CIS IIS are proactive measures that strengthen web server security.

Benchmarks written for IIS 10 may not apply directly to earlier versions, and IIS 7 hardening will not be the same as IIS 8 or IIS 9 hardening.

Each version of IIS introduces new features, security enhancements, and architectural changes that affect performance and security considerations. It is therefore recommended to consult a professional who can perform CIS IIS hardening and apply the benchmarks specific to the version of IIS you are using, to ensure accurate and relevant guidance for your environment.
