IIS hardening can be a time-consuming and challenging process. PowerShell can help you achieve hardened IIS security settings to some extent, but it still requires hours of testing to ensure that nothing is broken. CSS by CalCom can automate the IIS hardening process with its unique ability to “Learn” your network, eliminating the need for lab testing while ensuring zero outages to your production environment. CSS will allow you to implement your policy directly on your production environment hassle-free. Interested in learning more? Get in Touch

 

Understanding these benchmarks is valuable, but knowledge alone is insufficient. The crucial step is the actual implementation, preceded by assessing the compliance levels. PowerShell offers a solution for this. By scripting the code to verify compliance against each benchmark, you can efficiently validate CIS benchmarks across numerous IIS servers simultaneously.

 


 

This guide covers the 7 CIS IIS benchmark sections and the PowerShell commands recommended to remediate each of them:

  1. Basic Configuration Benchmark Remediation using PowerShell
  2. Configuration and Authorization Benchmark Remediation using PowerShell
  3. ASP.NET Benchmark Remediation using PowerShell
  4. Request Filtering and other Restriction Modules Benchmark Remediation using PowerShell
  5. IIS Logging Benchmark Remediation using PowerShell
  6. FTP Request Benchmark Remediation using PowerShell
  7. Transport Encryption Benchmark Remediation using PowerShell

 

Hardening IIS server guide

Checking Benchmarks with PowerShell

In this article, you're going to learn how to perform checks against each CIS benchmark with PowerShell. You'll see many different code snippets, each tailored to a specific CIS benchmark setting on an IIS 10 server.

 

While there may be some overlap and similarities between IIS versions, it’s important to note that benchmarks specifically designed for IIS 10 may not directly apply to the earlier versions and IIS 7 hardening will not be the same as IIS 8 or IIS 9 hardening.
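The remediation commands below each set one attribute with Set-WebConfigurationProperty; the matching audit reads the same attribute back with Get-WebConfigurationProperty and compares it with the expected value. The following added example (my own code, not from the article or from CIS) drives that comparison from a table of checks and fans it out over several servers with Invoke-Command, which assumes WinRM remoting is enabled and that you are an administrator on each host. The server names web01 and web02 are placeholders, and the table is limited to boolean and numeric attributes so that string comparison is unambiguous; enum-typed attributes such as errorMode may surface as integers and would need their own mapping.

```powershell
# Added example, not part of the original article: audit a set of CIS IIS 10
# settings across several servers and return one object per server and check.
# Each entry uses the same -filter / -name pair as the article's remediation
# command, plus the value the benchmark expects to find.
$Checks = @(
    @{ Id = '1.3';  Filter = 'system.webServer/directoryBrowse';                         Name = 'enabled';                 Expected = $false },
    @{ Id = '3.12'; Filter = 'system.webServer/security/requestFiltering';               Name = 'removeServerHeader';      Expected = $true },
    @{ Id = '4.1';  Filter = 'system.webServer/security/requestFiltering/requestLimits'; Name = 'maxAllowedContentLength'; Expected = 30000000 },
    @{ Id = '4.2';  Filter = 'system.webServer/security/requestFiltering/requestLimits'; Name = 'maxUrl';                  Expected = 4096 },
    @{ Id = '4.3';  Filter = 'system.webServer/security/requestFiltering/requestLimits'; Name = 'maxQueryString';          Expected = 2048 },
    @{ Id = '4.4';  Filter = 'system.webServer/security/requestFiltering';               Name = 'allowHighBitCharacters';  Expected = $false },
    @{ Id = '4.5';  Filter = 'system.webServer/security/requestFiltering';               Name = 'allowDoubleEscaping';     Expected = $false },
    @{ Id = '4.7';  Filter = 'system.webServer/security/requestFiltering/fileExtensions';Name = 'allowUnlisted';           Expected = $false },
    @{ Id = '4.9';  Filter = 'system.webServer/security/isapiCgiRestriction';            Name = 'notListedIsapisAllowed';  Expected = $false },
    @{ Id = '4.10'; Filter = 'system.webServer/security/isapiCgiRestriction';            Name = 'notListedCgisAllowed';    Expected = $false }
)

# Runs on the target server (locally or via remoting) and emits one record per check.
$AuditScript = {
    param($Checks)
    Import-Module WebAdministration
    foreach ($c in $Checks) {
        $actual = $null
        $err    = $null
        try {
            $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                        -Filter $c.Filter -Name $c.Name -ErrorAction Stop
            # Attributes usually come back as ConfigurationAttribute objects; unwrap .Value
            # when it is there, otherwise the cmdlet already returned the bare value.
            $actual = if ($null -ne $prop -and $prop.PSObject.Properties['Value']) { $prop.Value } else { $prop }
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            Benchmark = $c.Id
            Setting   = "$($c.Filter)/@$($c.Name)"
            Expected  = $c.Expected
            Actual    = $actual
            # Compare as strings so $false/"False" and 4096/"4096" line up; a read error is non-compliant.
            Compliant = ($null -eq $err) -and ([string]$actual -eq [string]$c.Expected)
            Error     = $err
        }
    }
}

function Test-IisCisCompliance {
    # Hypothetical helper name. With no -ComputerName the audit runs on this machine.
    param([string[]]$ComputerName)
    if (-not $ComputerName) {
        & $AuditScript $Checks
    } else {
        # The leading comma passes the whole $Checks array as a single argument.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $AuditScript -ArgumentList (,$Checks)
    }
}

# Usage: show only the failures, one line per server and benchmark. Host names are placeholders.
Test-IisCisCompliance -ComputerName 'web01', 'web02' |
    Where-Object { -not $_.Compliant } |
    Format-Table Server, Benchmark, Setting, Expected, Actual, Error -AutoSize
```

Because every record carries the server name, the same pipeline can be piped to Export-Csv to keep an audit trail per host, and the $Checks table is the only thing to extend when you add further attribute-based benchmarks.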

1. Basic Configuration Benchmark Remediation using PowerShell (7 IIS Security Settings)

1.1 (L1) Ensure ‘Web content’ is on non-system partition (Manual)

 

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

1.2 (L1) Ensure ‘Host headers’ are on all sites (Automated)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/site[@name='<website name>']/bindings/binding[@protocol='http' and @bindingInformation='*:80:']" -name 'bindingInformation' -value '*:80:<host header value>'

 

1.3 (L1) Ensure ‘Directory browsing’ is set to Disabled (Automated)

Set-WebConfigurationProperty -Filter system.webServer/directoryBrowse -PSPath iis:\ -Name Enabled -Value False

1.4 (L1) Ensure ‘application pool identity’ is configured for all application pools (Automated)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/applicationPools/add[@name='<apppool name>']/processModel" -name 'identityType' -value 'ApplicationPoolIdentity'

 

1.5 (L1) Ensure ‘unique application pools’ is set for sites (Automated)

 

Set-ItemProperty -Path 'IIS:\Sites\<website name>' -Name applicationPool -Value '<apppool name>'
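Benchmarks 1.4 and 1.5 are awkward to audit with a single Get-WebConfigurationProperty call: 1.4 has to be checked for every pool, and 1.5 is a relationship between sites rather than one attribute. The following added example (my own code, not from the article or from CIS) reports the identity type of each application pool and groups sites by pool so that any pool serving more than one site is flagged. It assumes the WebAdministration module and the IIS:\ drive are available; the function names are hypothetical.

```powershell
# Added example, not part of the original article: audit benchmarks 1.4 and 1.5.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    # 1.4: every application pool should run under the built-in ApplicationPoolIdentity,
    # so a compromised worker process holds no reusable domain or local credentials.
    Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
        $identity = "$($_.processModel.identityType)"
        [pscustomobject]@{
            Benchmark    = '1.4'
            AppPool      = $_.Name
            IdentityType = $identity
            Compliant    = ($identity -eq 'ApplicationPoolIdentity')
        }
    }
}

function Get-SharedAppPoolReport {
    # 1.5: a pool shared by several sites lets one compromised site read the memory and
    # files of the others, so each pool should serve exactly one site.
    Get-Website | Group-Object -Property applicationPool | ForEach-Object {
        [pscustomobject]@{
            Benchmark = '1.5'
            AppPool   = $_.Name
            Sites     = ($_.Group.Name -join ', ')
            SiteCount = $_.Count
            Compliant = ($_.Count -eq 1)
        }
    }
}

# Usage: print only the findings for each benchmark.
Get-AppPoolIdentityReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Get-SharedAppPoolReport   | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The 1.5 report lists the sites that share a pool; remediation is then the Set-ItemProperty command above, run once per site after a dedicated pool has been created for it.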

 

1.6 (L1) Ensure ‘application pool identity’ is configured for anonymous user identity (Automated)

Set-ItemProperty -Path 'IIS:\AppPools\<apppool name>' -Name passAnonymousToken -Value True

1.7 (L1) Ensure 'WebDav' feature is disabled (Automated)

Uninstall-WindowsFeature Web-DAV-Publishing

 

https://www.calcomsoftware.com/iis-10-cis-benchmark-audit-procedure-using-powershell/

 

2. Configuration Authentication and Authorization Benchmark Remediation using PowerShell (8 IIS Security Settings)

2.1 (L1) Ensure ‘global authorization rule’ is set to restrict access (Manual)

 

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authorization" -name "." -AtElement @{users='*';roles='';verbs=''}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authorization" -name "." -value @{accessType='Allow';roles='Administrators'}

 

2.2 (L1) Ensure access to sensitive site features is restricted to authenticated principals only (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/anonymousAuthentication' -name 'enabled' -value 'False'

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website location>' -filter 'system.webServer/security/authentication/windowsAuthentication' -name 'enabled' -value 'True'

 

2.3 (L1) Ensure ‘forms authentication’ require SSL (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'requireSSL' -value 'True'

 

 

2.4 (L2) Ensure ‘forms authentication’ is set to use cookies (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'cookieless' -value 'UseCookies'

 

2.5 (L1) Ensure ‘cookie protection mode’ is configured for forms authentication (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms' -name 'protection' -value 'All'

 

2.6 (L1) Ensure transport layer security for ‘basic authentication’ is configured (Automated)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl'

 

2.7 (L1) Ensure ‘passwordFormat’ is not set to clear (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name 'passwordFormat' -value 'SHA1'

  

2.8 (L2) Ensure ‘credentials’ are not stored in configuration files (Manual)

 

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name '.'

 

3. ASP.NET Configuration Benchmark Remediation using PowerShell (12 IIS Security Settings)

3.1 (L1) Ensure ‘deployment method retail’ is set (Manual)

[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.2 (L2) Ensure ‘debug’ is turned off (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/compilation" -name "debug" -value "False"

 

3.3 (L2) Ensure custom error messages are not off (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter "system.web/customErrors" -name "mode" -value "RemoteOnly"

 

3.4 (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.webServer/httpErrors" -name "errorMode" -value "DetailedLocalOnly"

 

 

3.5 (L2) Ensure ASP.NET stack tracing is not enabled (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/trace" -name "enabled" -value "False"

 

3.6 (L2) Ensure ‘httpcookie’ mode is configured for session state (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter "system.web/sessionState" -name "mode" -value "StateServer"

 

3.7 (L1) Ensure ‘cookies’ are set with HttpOnly attribute (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.8 (L2) Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

3.9 (L1) Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' -filter "system.web/machineKey" -name "validation" -value "<validation method>"

 

3.10 (L1) Ensure global .NET trust level is configured (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' -filter "system.web/trust" -name "level" -value "Medium"

 

3.11 (L2) Ensure X-Powered-By Header is removed (Manual)

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpProtocol/customHeaders" -name "." -AtElement @{name='X-Powered-By'}

 

3.12 (L2) Ensure Server Header is removed (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

 

4. Request Filtering and other Restriction Modules Benchmark Remediation using PowerShell (11 IIS Security Settings)

4.1 (L2) Ensure ‘maxAllowedContentLength’ is configured (Manual)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxAllowedContentLength" -value 30000000

 

4.2 (L2) Ensure ‘maxURL request filter’ is configured (Automated)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxUrl" -value 4096

 

4.3 (L2) Ensure ‘MaxQueryString request filter’ is configured (Automated)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/requestLimits" -name "maxQueryString" -value 2048

 

4.4 (L2) Ensure non-ASCII characters in URLs are not allowed (Automated)

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "allowHighBitCharacters" -value "False"

 

 

4.5 (L1) Ensure Double-Encoded requests will be rejected (Automated)

 

# allowDoubleEscaping must be False for double-encoded requests to be rejected; True would allow them.
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "allowDoubleEscaping" -value "False"

 

 

4.6 (L1) Ensure ‘HTTP Trace Method’ is disabled (Manual)

 

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/verbs" -name "." -value @{verb='TRACE';allowed='False'}

 

4.7 (L1) Ensure Unlisted File Extensions are not allowed (Automated)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/fileExtensions" -name "allowUnlisted" -value "False"

 

 

4.8 (L1) Ensure Handler is not granted Write and Script/Execute (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/handlers" -name "accessPolicy" -value "Read,Script"

 

4.9 (L1) Ensure ‘notListedIsapisAllowed’ is set to false (Automated)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/isapiCgiRestriction" -name "notListedIsapisAllowed" -value "False"

 

 

4.10 (L1) Ensure ‘notListedCgisAllowed’ is set to false (Automated)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/isapiCgiRestriction" -name "notListedCgisAllowed" -value "False"

 

 

4.11 (L1) Ensure ‘Dynamic IP Address Restrictions’ is enabled (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name "enabled" -value "True"

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name "maxConcurrentRequests" -value <number of requests>

 

5. IIS Logging Benchmark Remediation using PowerShell (3 IIS Security Settings)

5.1 (L1) Ensure Default IIS web log location is moved (Automated)

 

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/logFile" -name "directory" -value '<new log location>'

 

5.2 (L1) Ensure Advanced IIS logging is enabled (Automated)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

5.3 (L1) Ensure ‘ETW Logging’ is enabled (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

6. FTP Request Benchmark Remediation using PowerShell (2 IIS Security Settings)

6.1 (L1) Ensure FTP requests are encrypted (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/ftpServer/security/ssl" -name "controlChannelPolicy" -value "SslRequire"

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/ftpServer/security/ssl" -name "dataChannelPolicy" -value "SslRequire"

 

6.2 (L1) Ensure FTP Logon attempt restrictions is enabled (Manual)

 

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.ftpServer/security/authentication/denyByFailure" -name "enabled" -value "True"

 

7. Transport Encryption Benchmark Remediation using PowerShell (12 IIS Security Settings)

 

7.1 (L2) Ensure HSTS Header is set (Manual)

[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]

 

7.2 (L1) Ensure SSLv2 is Disabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

7.3 (L1) Ensure SSLv3 is Disabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

7.4 (L1) Ensure TLS 1.0 is Disabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

7.5 (L1) Ensure TLS 1.1 is Disabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

7.6 (L1) Ensure TLS 1.2 is Enabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWord' -Force | Out-Null

7.7 (L1) Ensure NULL Cipher Suites is Disabled (Automated)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

7.8 (L1) Ensure DES Cipher Suites is Disabled (Automated)

# The cipher key name contains a forward slash, which New-Item would treat as a path separator, so the key is created through the .NET registry API.
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('DES 56/56')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

7.9 (L1) Ensure RC4 Cipher Suites is Disabled (Automated)

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 40/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 56/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 64/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 128/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

7.10 (L1) Ensure AES 128/128 Cipher Suite is Disabled (Automated)

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 128/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

7.11 (L1) Ensure AES 256/256 Cipher Suite is Enabled (Automated)

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 256/256')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

7.12 (L2) Ensure TLS Cipher Suite ordering is Configured (Automated)

New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value 'TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' -PropertyType 'MultiString' -Force | Out-Null
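The section 7 commands write explicit SCHANNEL values, and a check has to distinguish "explicitly set" from "absent, so the OS default applies": a missing key or value is not compliant with the benchmark even when the default happens to be safe. The following added example (my own code, not from the article or from CIS) reads back every protocol and cipher key from 7.2 to 7.11 through the .NET registry API, for the same reason the article uses OpenSubKey for cipher names containing a slash, and reports each as compliant or not. It assumes it runs elevated on the server being audited; the expected table mirrors the values the article's commands write, and the function name is hypothetical.

```powershell
# Added example, not part of the original article: audit the SCHANNEL registry
# state written by benchmarks 7.2 through 7.11 on the local machine.
$ExpectedSchannel = @(
    @{ Id = '7.2';  Path = 'Protocols\SSL 2.0\Server'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.2';  Path = 'Protocols\SSL 2.0\Client'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.3';  Path = 'Protocols\SSL 3.0\Server'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.3';  Path = 'Protocols\SSL 3.0\Client'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.4';  Path = 'Protocols\TLS 1.0\Server'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.4';  Path = 'Protocols\TLS 1.0\Client'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.5';  Path = 'Protocols\TLS 1.1\Server'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.5';  Path = 'Protocols\TLS 1.1\Client'; Enabled = 0; DisabledByDefault = 1 },
    @{ Id = '7.6';  Path = 'Protocols\TLS 1.2\Server'; Enabled = 1; DisabledByDefault = 0 },
    @{ Id = '7.7';  Path = 'Ciphers\NULL';             Enabled = 0 },
    @{ Id = '7.8';  Path = 'Ciphers\DES 56/56';        Enabled = 0 },
    @{ Id = '7.9';  Path = 'Ciphers\RC4 40/128';       Enabled = 0 },
    @{ Id = '7.9';  Path = 'Ciphers\RC4 56/128';       Enabled = 0 },
    @{ Id = '7.9';  Path = 'Ciphers\RC4 64/128';       Enabled = 0 },
    @{ Id = '7.9';  Path = 'Ciphers\RC4 128/128';      Enabled = 0 },
    @{ Id = '7.10'; Path = 'Ciphers\AES 128/128';      Enabled = 0 },
    @{ Id = '7.11'; Path = 'Ciphers\AES 256/256';      Enabled = 1 }
)

function Test-SchannelHardening {
    $base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\'
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($e in $ExpectedSchannel) {
        # OpenSubKey rather than Get-ItemProperty: cipher key names contain '/', which the
        # registry provider would otherwise treat as a path separator.
        $key = $hklm.OpenSubKey($base + $e.Path)
        $result = [ordered]@{ Benchmark = $e.Id; Key = $e.Path; KeyExists = ($null -ne $key) }
        $ok = ($null -ne $key)
        foreach ($valueName in 'Enabled', 'DisabledByDefault') {
            if (-not $e.ContainsKey($valueName)) { continue }
            $actual = if ($key) { $key.GetValue($valueName, $null) } else { $null }
            $result["$valueName.Expected"] = $e[$valueName]
            $result["$valueName.Actual"]   = $actual
            if ($null -eq $actual) {
                # Absent value: the OS default applies, which is not "configured" in the benchmark's sense.
                $ok = $false
            } else {
                # Compare on zero/non-zero: Windows also accepts 0xffffffff (read back as -1) as "enabled".
                $ok = $ok -and (([int]$actual -ne 0) -eq ([int]$e[$valueName] -ne 0))
            }
        }
        $result['Compliant'] = $ok
        if ($key) { $key.Close() }
        [pscustomobject]$result
    }
}

# Usage: list only the keys that still need remediation.
Test-SchannelHardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Protocol changes in SCHANNEL take effect only after a reboot, so a check that passes immediately after running the section 7 commands confirms the registry state, not the behaviour of the running service; re-run it after the restart as well.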

 

 


 

Wrap Up

 

That’s it! You now have PowerShell code snippets for all CIS remediation recommendations for IIS servers. Creating a new PowerShell script or integrating this code into existing scripts will now allow you to easily confirm if your IIS server is properly hardened.

 


 
