Automate IIS Hardening Script

 

IIS hardening can be a time-consuming and challenging process. PowerShell can help you achieve hardened IIS security settings to some extent, but it still requires hours of testing to ensure that nothing is broken. CSS by CalCom can automate the IIS hardening process with its unique ability to “Learn” your network, eliminating the need for lab testing while ensuring zero outages to your production environment. CSS will allow you to implement your policy directly on your production environment hassle-free. Interested in learning more? Get in Touch

 

Checking Benchmarks with PowerShell

 

In this article, you’re going to learn how to perform checks against each CIS benchmark with PowerShell. You’ll see many different code snippets each uniquely tailored to find each CIS benchmark-setting on an IIS 10 server.

 

While there may be some overlap and similarities between IIS versions, it’s important to note that benchmarks specifically designed for IIS 10 may not directly apply to the earlier versions and IIS 7 hardening will not be the same as IIS 8 or IIS 9 hardening.

1. Basic Configuration Benchmark Remediation using PowerShell (7 IIS Security Settings)

 

1.1 (L1) Ensure ‘Web content’ is on non-system partition (Manual)

 

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

1.2 (L1) Ensure ‘Host headers’ are on all sites (Automated)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

‘system.applicationHost/sites/site[@name='<website

name>’]/bindings/binding[@protocol=’http’ and @bindingInformation=’*:80:’]’ –

name ‘bindingInformation’ -value ‘*:80:<host header value>’

 

1.3 (L1) Ensure ‘Directory browsing’ is set to Disabled (Automated)

Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPath

iis:\ -Name Enabled -Value False

1.4 (L1) Ensure ‘application pool identity’ is configured for all application pools (Automated)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

‘system.applicationHost/applicationPools/add[@name='<apppool

name>’]/processModel’ -name ‘identityType’ -value ‘ApplicationPoolIdentity’

 

1.5 (L1) Ensure ‘unique application pools’ is set for sites (Automated)

 

Set-ItemProperty -Path ‘IIS:\Sites\<website name>’ -Name applicationPool –

Value <apppool name>

 

1.6 (L1) Ensure ‘application pool identity’ is configured for anonymous user identity (Automated)

Set-ItemProperty -Path IIS:\AppPools\<apppool name> -Name passAnonymousToken

-Value True

1.7 (L1) Ensure’ WebDav’ feature is disabled (Automated)

Uninstall-WindowsFeature Web-DAV-Publishing

 

https://www.calcomsoftware.com/iis-10-cis-benchmark-audit-procedure-using-powershell/

 

2. Configuration Authentication and Authorization Benchmark Remediation using PowerShell (8 IIS Security Settings)

2.1 (L1) Ensure ‘global authorization rule’ is set to restrict access (Manual)

 

Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/authorization” -name “.” -AtElement

@{users=’*’;roles=”;verbs=”}

Add-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/authorization” -name “.” -value

@{accessType=’Allow’;roles=’Administrators’}

 

2.2 (L1) Ensure access to sensitive site features is restricted to authenticated principals only (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location

‘<website location>’ -filter

‘system.webServer/security/authentication/anonymousAuthentication’ -name

‘enabled’ -value ‘False’

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location

‘<website location>’ -filter

‘system.webServer/security/authentication/windowsAuthentication’ -name

‘enabled’ -value ‘True’

 

2.3 (L1) Ensure ‘forms authentication’ require SSL (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default Web

Site’ -filter ‘system.web/authentication/forms’ -name ‘requireSSL’ -value

‘True’

 

 

2.4 (L2) Ensure ‘forms authentication’ is set to use cookies (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default Web

Site’ -filter ‘system.web/authentication/forms’ -name ‘cookieless’ -value

‘UseCookies’

 

2.5 (L1) Ensure ‘cookie protection mode’ is configured for forms authentication (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter ‘system.web/authentication/forms’ -name ‘protection’ -value ‘All’

 

2.6 (L1) Ensure transport layer security for ‘basic authentication’ is configured (Automated)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location

‘<website name>’ -filter ‘system.webServer/security/access’ -name ‘sslFlags’

-value ‘Ssl’

 

2.7 (L1) Ensure ‘passwordFormat’ is not set to clear (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter ‘system.web/authentication/forms/credentials’ -name ‘passwordFormat’

-value ‘SHA1’

  

2.8 (L2) Ensure ‘credentials’ are not stored in configuration files (Manual)

 

Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website

name>’ -filter ‘system.web/authentication/forms/credentials’ -name ‘.’

 

3. ASP.NET Configuration Benchmark Remediation using PowerShell (12 IIS Security Settings)

3.1 (L1) Ensure ‘deployment method retail’ is set (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.2 (L2) Ensure ‘debug’ is turned off (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter “system.web/compilation” -name “debug” -value “False”

 

3.3 (L2) Ensure custom error messages are not off (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default Web

Site’ -filter “system.web/customErrors” -name “mode” -value “RemoteOnly”

 

3.4 (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter “system.webServer/httpErrors” -name “errorMode” -value

“DetailedLocalOnly”

 

 

3.5 (L2) Ensure ASP.NET stack tracing is not enabled (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter “system.web/trace” -name “enabled” -value “False”

 

3.6 (L2) Ensure ‘httpcookie’ mode is configured for session state (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’

-filter “system.web/sessionState” -name “mode” -value “StateServer”

 

3.7 (L1) Ensure ‘cookies’ are set with HttpOnly attribute (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.8 (L2) Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.9 (L1) Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT’ -filter

“system.web/machineKey” -name “validation” -value “<validation method>”

 

3.10 (L1) Ensure global .NET trust level is configured (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT’ -filter

“system.web/trust” -name “level” -value “Medium”

 

3.11 (L2) Ensure X-Powered-By Header is removed (Manual)

Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webserver/httpProtocol/customHeaders” -name “.” -AtElement @{name=’X

Powered-By’}

 

3.12 (L2) Ensure Server Header is removed (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/’ -filter

“system.webServer/security/requestFiltering” -name “removeServerHeader” –

value “True”

 

4. Request Filtering and other Restriction Modules Benchmark Remediation using PowerShell (11 IIS Security Settings)

4.1 (L2) Ensure ‘maxAllowedContentLength’ is configured (Manual)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.webServer/security/requestFiltering/requestLimits” -name “maxAllowedContentLength” -value 30000000 “

 

4.2 (L2) Ensure ‘maxURL request filter’ is configured (Automated)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering/requestLimits” -name “maxUrl” –

value 4096

 

4.3 (L2) Ensure ‘MaxQueryString request filter’ is configured (Automated)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering/requestLimits” -name

“maxQueryString” -value 2048

 

4.4 (L2) Ensure non-ASCII characters in URLs are not allowed (Automated)

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering” -name “allowHighBitCharacters” –

value “False”

 

 

4.5 (L1) Ensure Double-Encoded requests will be rejected (Automated)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering” -name “allowDoubleEscaping” –

value “True”

 

 

4.6 (L1) Ensure ‘HTTP Trace Method’ is disabled (Manual)

 

Add-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering/verbs” -name “.” -value

@{verb=’TRACE’;allowed=’False’}

 

4.7 (L1) Ensure Unlisted File Extensions are not allowed(Automated)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/requestFiltering/fileExtensions” -name

“allowUnlisted” -value “False”

 

 

4.8 (L1) Ensure Handler is not granted Write and Script/Execute (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/handlers” -name “accessPolicy” -value “Read,Script”

 

4.9 (L1) Ensure ‘notListedIsapisAllowed’ is set to false (Automated)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/isapiCgiRestriction” -name

“notListedIsapisAllowed” -value “False”

 

 

4.10 (L1) Ensure ‘notListedCgisAllowed’ is set to false (Automated)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/isapiCgiRestriction” -name “notListedCgisAllowed”

-value “False”

 

 

4.11 (L1) Ensure ‘Dynamic IP Address Restrictions’ is enabled (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests” -name

“enabled” -value “True”

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests” -name

“maxConcurrentRequests” -value <number of requests>

 

5. IIS Logging Benchmark Remediation using PowerShell (3 IIS Security Settings)

5.1 (L1) Ensure Default IIS web log location is moved (Automated)

 

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.applicationHost/sites/siteDefaults/logFile” -name “directory” -value

<new log location>

 

5.2 (L1) Ensure Advanced IIS logging is enabled (Automated)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

5.3 (L1) Ensure ‘ETW Logging’ is enabled (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

6. FTP Request Benchmark Remediation using PowerShell (2 IIS Security Settings)

6.1 (L1) Ensure FTP requests are encrypted (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.applicationHost/sites/siteDefaults/ftpServer/security/ssl” -name

“controlChannelPolicy” -value “SslRequire”

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.applicationHost/sites/siteDefaults/ftpServer/security/ssl” -name

“dataChannelPolicy” -value “SslRequire”

 

6.2 (L1) Ensure FTP Logon attempt restrictions is enabled (Manual)

 

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.ftpServer/security/authentication/denyByFailure” -name “enabled” –

value “True”

 

7. Transport Encryption Benchmark Remediation using PowerShell (12 IIS Security Settings)

 

7.1 (L2) Ensure HSTS Header is set (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

7.2 (L1) Ensure SSLv2 is Disabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Server’ -Force | Out-Null

 

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Client’ -Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 2.0\Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

7.3 (L1) Ensure SSLv3 is Disabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Server’ -Force | Out-Null

 

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Client’ -Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

SSL 3.0\Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

7.4 (L1) Ensure TLS 1.0 is Disabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Server’ -Force | Out-Null

 

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Client’ -Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.0\Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

7.5 (L1) Ensure TLS 1.1 is Disabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Server’ -Force | Out-Null

 

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Client’ -Force | Out-Null

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.1\Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ –

Force | Out-Null

7.6 (L1) Ensure TLS 1.2 is Enabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.2\Server’ -Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.2\Server’ -name ‘Enabled’ -value ‘1’ -PropertyType ‘DWord’ -Force |

Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

TLS 1.2\Server’ -name ‘DisabledByDefault’ -value ‘0’ -PropertyType ‘DWord’ –

Force | Out-Null

7.7 (L1) Ensure NULL Cipher Suites is Disabled (Automated)

New-Item

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NU

LL’ -Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NU

LL’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

7.8 (L1) Ensure DES Cipher Suites is Disabled (Automated)

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘DES 56/56’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DE

S 56/56’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

7.9 (L1) Ensure RC4 Cipher Suites is Disabled (Automated)

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘RC4 40/128’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC

4 40/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘RC4 56/128’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC

4 56/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘RC4 64/128’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC

4 64/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘RC4 128/128’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC

4 128/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

7.10 (L1) Ensure AES 128/128 Cipher Suite is Disabled (Automated)

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘AES 128/128’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AE

S 128/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null

7.11 (L1) Ensure AES 256/256 Cipher Suite is Enabled (Automated)

(Get-Item

‘HKLM:\’).OpenSubKey(‘SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHA

NNEL\Ciphers’, $true).CreateSubKey(‘AES 256/256’)

 

New-ItemProperty -path

‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AE

S 256/256’ -name ‘Enabled’ -value ‘1’ -PropertyType ‘DWord’ -Force | Out-Null

7.12 (L2) Ensure TLS Cipher Suite ordering is Configured (Automated

New-Item

‘HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002’ –

Force | Out-Null

 

New-ItemProperty -path

‘HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002’ –

name ‘Functions’ -value

‘TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_G

CM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_

GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256

_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_25

6_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256’ -PropertyType

‘MultiString’ -Force | Out-Null

 

 

Wrap Up

 

That’s it! You now have PowerShell code snippets for all CIS remediation recommendations for IIS servers. Creating a new PowerShell script or integrating this code into existing scripts will now allow you to easily confirm if your IIS server is properly hardened.

 

You might be interested