Automate IIS Hardening Script
Automating IIS hardening with PowerShell allows administrators to apply secure configurations consistently across servers. By scripting security controls, teams can reduce manual effort, prevent configuration drift, and ensure IIS environments remain aligned with security best practices.
IIS hardening can be a time-consuming and challenging process. PowerShell can help you achieve hardened IIS security settings to some extent, but it still requires hours of testing to ensure that nothing is broken. CSS by CalCom can automate the IIS hardening process with its unique ability to “Learn” your network, eliminating the need for lab testing while ensuring zero outages to your production environment. CSS will allow you to implement your policy directly on your production environment hassle-free. Interested in learning more? Get in Touch
Checking Benchmarks with PowerShell
In this article, you’re going to learn how to perform checks against each CIS benchmark with PowerShell. You’ll see many different code snippets each uniquely tailored to find each CIS benchmark-setting on an IIS 10 server.
While there may be some overlap and similarities between IIS versions, benchmarks specifically designed for IIS 10 may not directly apply to earlier versions — IIS 7, 8, and 9 hardening each differ.
CIS Benchmarks are the technical foundation behind many regulatory frameworks. See how CIS Compliance turns these configuration requirements into enforceable, audit-ready baselines.
1. Basic Configuration Benchmark Remediation using PowerShell (7 IIS Security Settings)
1.1 (L1) Ensure ‘Web content’ is on non-system partition (Manual)
[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
1.2 (L1) Ensure ‘Host headers’ are on all sites (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter’system.applicationHost/sites/site[@name='<websitename>’]/bindings/binding[@protocol=’http’ and @bindingInformation=’*:80:’]’ –
name ‘bindingInformation’ -value ‘*:80:<host header value>’ |
1.3 (L1) Ensure ‘Directory browsing’ is set to Disabled (Automated)
| Set-WebConfigurationProperty -Filter system.webserver/directorybrowse -PSPathiis: -Name Enabled -Value False |
1.4 (L1) Ensure ‘application pool identity’ is configured for all application pools (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter’system.applicationHost/applicationPools/add[@name='<apppoolname>’]/processModel’ -name ‘identityType’ -value ‘ApplicationPoolIdentity’ |
1.5 (L1) Ensure ‘unique application pools’ is set for sites (Automated)
| Set-ItemProperty -Path ‘IIS:Sites<website name>’ -Name applicationPool -Value <apppool name> |
1.6 (L1) Ensure ‘application pool identity’ is configured for anonymous user identity (Automated)
| Set-ItemProperty -Path IIS:AppPools<apppool name> -Name passAnonymousToken-Value True |
1.7 (L1) Ensure’ WebDav’ feature is disabled (Automated)
| Uninstall-WindowsFeature Web-DAV-Publishing |
2. Configuration Authentication and Authorization Benchmark Remediation using PowerShell (8 IIS Security Settings)
2.1 (L1) Ensure ‘global authorization rule’ is set to restrict access (Manual)
| Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/authorization” -name “.” -AtElement@{users=’*’;roles=”;verbs=”}
Add-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.webServer/security/authorization” -name “.” -value @{accessType=’Allow’;roles=’Administrators’} |
2.2 (L1) Ensure access to sensitive site features is restricted to authenticated principals only (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location'<website location>’ -filter’system.webServer/security/authentication/anonymousAuthentication’ -name
‘enabled’ -value ‘False’ Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location ‘<website location>’ -filter ‘system.webServer/security/authentication/windowsAuthentication’ -name ‘enabled’ -value ‘True’ |
2.3 (L1) Ensure ‘forms authentication’ require SSL (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default WebSite’ -filter ‘system.web/authentication/forms’ -name ‘requireSSL’ -value’True’ |
2.4 (L2) Ensure ‘forms authentication’ is set to use cookies (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default WebSite’ -filter ‘system.web/authentication/forms’ -name ‘cookieless’ -value’UseCookies’ |
2.5 (L1) Ensure ‘cookie protection mode’ is configured for forms authentication (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter ‘system.web/authentication/forms’ -name ‘protection’ -value ‘All’ |
2.6 (L1) Ensure transport layer security for ‘basic authentication’ is configured (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -location'<website name>’ -filter ‘system.webServer/security/access’ -name ‘sslFlags’-value ‘Ssl’ |
2.7 (L1) Ensure ‘passwordFormat’ is not set to clear (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter ‘system.web/authentication/forms/credentials’ -name ‘passwordFormat’-value ‘SHA1’ |
2.8 (L2) Ensure ‘credentials’ are not stored in configuration files (Manual)
| Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<websitename>’ -filter ‘system.web/authentication/forms/credentials’ -name ‘.’ |
3. ASP.NET Configuration Benchmark Remediation using PowerShell (12 IIS Security Settings)
3.1 (L1) Ensure ‘deployment method retail’ is set (Manual)
[Configuration details for this specific benchmark are not available in the current CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
3.2 (L2) Ensure ‘debug’ is turned off (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter “system.web/compilation” -name “debug” -value “False” |
3.3 (L2) Ensure custom error messages are not off (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/Default WebSite’ -filter “system.web/customErrors” -name “mode” -value “RemoteOnly” |
3.4 (L1) Ensure IIS HTTP detailed errors are hidden from displaying remotely (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter “system.webServer/httpErrors” -name “errorMode” -value”DetailedLocalOnly” |
3.5 (L2) Ensure ASP.NET stack tracing is not enabled (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter “system.web/trace” -name “enabled” -value “False” |
3.6 (L2) Ensure ‘httpcookie’ mode is configured for session state (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/<website name>’-filter “system.web/sessionState” -name “mode” -value “StateServer” |
3.7 (L1) Ensure ‘cookies’ are set with HttpOnly attribute (Manual)
[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
3.8 (L2) Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Manual)
[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
3.9 (L1) Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT’ -filter”system.web/machineKey” -name “validation” -value “<validation method>” |
3.10 (L1) Ensure global .NET trust level is configured (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT’ -filter”system.web/trust” -name “level” -value “Medium” |
3.11 (L2) Ensure X-Powered-By Header is removed (Manual)
| Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webserver/httpProtocol/customHeaders” -name “.” -AtElement @{name=’XPowered-By’} |
3.12 (L2) Ensure Server Header is removed (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST/’ -filter”system.webServer/security/requestFiltering” -name “removeServerHeader” -value “True” |
4. Request Filtering and other Restriction Modules Benchmark Remediation using PowerShell (11 IIS Security Settings)
4.1 (L2) Ensure ‘maxAllowedContentLength’ is configured (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.webServer/security/requestFiltering/requestLimits” -name “maxAllowedContentLength” -value 30000000 “ |
4.2 (L2) Ensure ‘maxURL request filter’ is configured (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering/requestLimits” -name “maxUrl” -value 4096 |
4.3 (L2) Ensure ‘MaxQueryString request filter’ is configured (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering/requestLimits” -name”maxQueryString” -value 2048 |
4.4 (L2) Ensure non-ASCII characters in URLs are not allowed (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering” -name “allowHighBitCharacters” -value “False” |
4.5 (L1) Ensure Double-Encoded requests will be rejected (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering” -name “allowDoubleEscaping” -value “True” |
4.6 (L1) Ensure ‘HTTP Trace Method’ is disabled (Manual)
| Add-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering/verbs” -name “.” -value@{verb=’TRACE’;allowed=’False’} |
4.7 (L1) Ensure Unlisted File Extensions are not allowed(Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/requestFiltering/fileExtensions” -name”allowUnlisted” -value “False” |
4.8 (L1) Ensure Handler is not granted Write and Script/Execute (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/handlers” -name “accessPolicy” -value “Read,Script” |
4.9 (L1) Ensure ‘notListedIsapisAllowed’ is set to false (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/isapiCgiRestriction” -name”notListedIsapisAllowed” -value “False” |
4.10 (L1) Ensure ‘notListedCgisAllowed’ is set to false (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/isapiCgiRestriction” -name “notListedCgisAllowed”-value “False” |
4.11 (L1) Ensure ‘Dynamic IP Address Restrictions’ is enabled (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests” -name”enabled” -value “True”
Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests” -name “maxConcurrentRequests” -value <number of requests> |
5. IIS Logging Benchmark Remediation using PowerShell (3 IIS Security Settings)
5.1 (L1) Ensure Default IIS web log location is moved (Automated)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.applicationHost/sites/siteDefaults/logFile” -name “directory” -value<new log location> |
5.2 (L1) Ensure Advanced IIS logging is enabled (Automated)
[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
5.3 (L1) Ensure ‘ETW Logging’ is enabled (Manual)
[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
6. FTP Request Benchmark Remediation using PowerShell (2 IIS Security Settings)
6.1 (L1) Ensure FTP requests are encrypted (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.applicationHost/sites/siteDefaults/ftpServer/security/ssl” -name”controlChannelPolicy” -value “SslRequire”
Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.applicationHost/sites/siteDefaults/ftpServer/security/ssl” -name “dataChannelPolicy” -value “SslRequire” |
6.2 (L1) Ensure FTP Logon attempt restrictions is enabled (Manual)
| Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter”system.ftpServer/security/authentication/denyByFailure” -name “enabled” -value “True” |
7. Transport Encryption Benchmark Remediation using PowerShell (12 IIS Security Settings)
7.1 (L2) Ensure HSTS Header is set (Manual)
[Configuration details for this specific benchmark are not available in the CIS Microsoft IIS 10 benchmark v1.2.0 -11-15-2022]
7.2 (L1) Ensure SSLv2 is Disabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server’ -Force | Out-Null
New-Item ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 2.0Client’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 2.0Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 2.0Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 2.0Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 2.0Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null |
7.3 (L1) Ensure SSLv3 is Disabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server’ -Force | Out-Null
New-Item ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 3.0Client’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 3.0Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 3.0Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 3.0Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols SSL 3.0Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null |
7.4 (L1) Ensure TLS 1.0 is Disabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server’ -Force | Out-Null
New-Item ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.0Client’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.0Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.0Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.0Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.0Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null |
7.5 (L1) Ensure TLS 1.1 is Disabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server’ -Force | Out-Null
New-Item ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.1Client’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.1Server’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.1Client’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.1Server’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.1Client’ -name ‘DisabledByDefault’ -value ‘1’ -PropertyType ‘DWord’ – Force | Out-Null |
7.6 (L1) Ensure TLS 1.2 is Enabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server’ -Force | Out-Null
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.2Server’ -name ‘Enabled’ -value ‘1’ -PropertyType ‘DWord’ -Force | Out-Null New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols TLS 1.2Server’ -name ‘DisabledByDefault’ -value ‘0’ -PropertyType ‘DWord’ – Force | Out-Null |
7.7 (L1) Ensure NULL Cipher Suites is Disabled (Automated)
| New-Item’HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersNULL’ -Force | Out-Null
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersNU LL’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null |
7.8 (L1) Ensure DES Cipher Suites is Disabled (Automated)
| (Get-Item’HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers’, $true).CreateSubKey(‘DES 56/56’)
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDE S 56/56’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null |
7.9 (L1) Ensure RC4 Cipher Suites is Disabled (Automated)
| (Get-Item’HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers’, $true).CreateSubKey(‘RC4 40/128’)
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC 4 40/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null (Get-Item ‘HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHA NNELCiphers’, $true).CreateSubKey(‘RC4 56/128’) New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC 4 56/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null (Get-Item ‘HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHA NNELCiphers’, $true).CreateSubKey(‘RC4 64/128’) New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC 4 64/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null (Get-Item ‘HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHA NNELCiphers’, $true).CreateSubKey(‘RC4 128/128’) New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC 4 128/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null |
7.10 (L1) Ensure AES 128/128 Cipher Suite is Disabled (Automated)
| (Get-Item’HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers’, $true).CreateSubKey(‘AES 128/128’)
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersAE S 128/128’ -name ‘Enabled’ -value ‘0’ -PropertyType ‘DWord’ -Force | Out-Null |
7.11 (L1) Ensure AES 256/256 Cipher Suite is Enabled (Automated)
| (Get-Item’HKLM:’).OpenSubKey(‘SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers’, $true).CreateSubKey(‘AES 256/256’)
New-ItemProperty -path ‘HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersAE S 256/256’ -name ‘Enabled’ -value ‘1’ -PropertyType ‘DWord’ -Force | Out-Null |
7.12 (L2) Ensure TLS Cipher Suite ordering is Configured (Automated
| New-Item’HKLM:SOFTWAREPoliciesMicrosoftCryptographyConfigurationSSL0010002′ -Force | Out-Null
New-ItemProperty -path ‘HKLM:SOFTWAREPoliciesMicrosoftCryptographyConfigurationSSL0010002’ – name ‘Functions’ -value ‘TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_G CM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256 _CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_25 6_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256’ -PropertyType ‘MultiString’ -Force | Out-Null |
Wrap Up
That’s it! You now have PowerShell code snippets for all CIS remediation recommendations for IIS servers. Creating a new PowerShell script or integrating this code into existing scripts will now allow you to easily confirm if your IIS server is properly hardened.
PowerShell gets you started — but maintaining benchmarks across environments is a different challenge. Download the Planning and Managing Server Hardening guide to see how to build a repeatable, audit-ready hardening program around controls like these.
