Hardening IIS server guide


IIS, Microsoft’s Windows web server, is one of the most widely used web server platforms on the internet. Hardening your IIS server is a basic and essential step in preventing cyber-attacks and data theft. Some of the most common and harmful breaches come through protocols exposed by IIS servers, such as SMB and TLS/SSL. Relying on the default IIS configuration as it arrives from the manufacturer is not recommended. Default configurations target functionality rather than security, so relying on them leaves your IIS server vulnerable and a convenient, easy target for attackers.

The Center for Internet Security (CIS) Benchmarks are considered the gold standard for hardening guidelines. The CIS IIS 10 Benchmark collects all of the configuration settings recommended for achieving a secured IIS server. It is a long document of 140 pages, and its configuration settings are divided into 7 groups:
1. Basic configurations.
2. Authentication and Authorization configurations.
3. ASP.NET configuration recommendations.
4. Request Filtering and Other Restriction Modules.
5. IIS Logging recommendations.
6. FTP Requests.
7. Transport Encryption.

The table below lists the configuration settings required to achieve a hardened IIS server. For each setting it gives the configuration, its ranking (the CIS Level 1 or Level 2 profile, shown as L1 or L2), the level at which it is configured (application or operating system), and the titles of guides with further information on making the change.

| Group | Configuration | Ranking | Level | Guides |
|---|---|---|---|---|
| Basic Configurations | Ensure web content is on non-system partition | L1 | App | IIS7: Moving the INETPUB directory to a different drive |
| Basic Configurations | Ensure ‘host headers’ are on all sites | L1 | App | Configure a Host Header for a web site (IIS7); SSL Host Headers in IIS7 |
| Basic Configurations | Ensure ‘directory browsing’ is set to disabled | L1 | App | Enable or disable directory browsing in IIS7 |
| Basic Configurations | Ensure ‘Application pool identity’ is configured for all application pools | L1 | App | Specify an Identity for an Application Pool (IIS 7); Application pool identities |
| Basic Configurations | Ensure ‘unique application pools’ is set for sites | L1 | App | Managing application pools in IIS7; Application pool identities |
| Basic Configurations | Ensure ‘application pool identity’ is configured for anonymous user identity | L1 | App | Application Pool identity as Anonymous user; Application pool identities |
| Basic Configurations | Ensure WebDav feature is disabled | L1 | App | |
| Configure Authentication and Authorization | Ensure ‘global authorization rule’ is set to restrict access | L1 | App | Understanding IIS7 URL authorization |
| Configure Authentication and Authorization | Ensure access to sensitive site features is restricted to authenticated principals only | L1 | App | Authentication; Forms authentication in ASP.NET 2.0; Configuring authentication in IIS 7 |
| Configure Authentication and Authorization | Ensure ‘forms authentication’ requires SSL | L1 | App | Enable forms authentication (IIS7) |
| Configure Authentication and Authorization | Ensure ‘forms authentication’ is set to use cookies | L2 | App | Configure the cookie mode for forms authentication |
| Configure Authentication and Authorization | Ensure ‘cookie protection mode’ is configured for forms authentication | L1 | App | Configure the cookie protection mode for forms authentication (IIS7) |
| Configure Authentication and Authorization | Ensure transport layer security for ‘basic authentication’ is configured | L1 | App | IIS: Use SSL when you use basic authentication |
| Configure Authentication and Authorization | Ensure ‘passwordFormat’ is not set to clear | L1 | App | Management authentication credentials `<credentials>`; What’s new in .NET framework |
| Configure Authentication and Authorization | Ensure ‘credentials’ are not stored in configuration files | L2 | App | Add elements for credentials for authentication (IIS settings schema); Management authentication credentials |
| ASP.NET Configuration Recommendations | Ensure ‘deployment method retail’ is set | L1 | App | Deployment element (ASP.NET setting schema) |
| ASP.NET Configuration Recommendations | Ensure ‘debug’ is turned off | L2 | App | Edit compilation settings (IIS7) |
| ASP.NET Configuration Recommendations | Ensure custom error messages are not off | L2 | App | Edit ASP.NET error pages settings dialog box |
| ASP.NET Configuration Recommendations | Ensure IIS HTTP detailed errors are hidden from displaying remotely | L1 | App | IIS: Hide custom errors from displaying remotely |
| ASP.NET Configuration Recommendations | Ensure ASP.NET stack tracing is not enabled | L2 | App | How to: Enable tracing for an ASP.NET page; How to: Enable tracing for an ASP.NET application |
| ASP.NET Configuration Recommendations | Ensure ‘httpcookie’ mode is configured for session state | L2 | App | Planning step 2: plan ASP.NET settings |
| ASP.NET Configuration Recommendations | Ensure ‘cookies’ are set with HttpOnly attribute | L1 | App | HttpOnly; Mitigating cross-site scripting with HttpOnly cookies |
| ASP.NET Configuration Recommendations | Ensure ‘MachineKey validation method – .Net 3.5’ is configured | L2 | App | Generate a machine key (IIS7); Select a machine key encryption method (IIS7) |
| ASP.NET Configuration Recommendations | Ensure ‘MachineKey validation method – .Net 4.5’ is configured | L1 | App | IIS 8 ASP.NET configuration management |
| ASP.NET Configuration Recommendations | Ensure global .NET trust level is configured | L1 | App | Configuring .NET trust levels in IIS7; TrustLevel class (IIS7 and higher) |
| ASP.NET Configuration Recommendations | Ensure X-Powered-By Header is removed | L2 | App | Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps |
| ASP.NET Configuration Recommendations | Ensure Server Header is removed | L2 | App | Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure mobile apps |
| Request Filtering and Other Restriction Modules | Ensure ‘maxAllowedContentLength’ is configured | L2 | App | Request limits; Use request filtering |
| Request Filtering and Other Restriction Modules | Ensure ‘maxURL request filter’ is configured | L2 | App | Request limits; Use request filtering |
| Request Filtering and Other Restriction Modules | Ensure ‘MaxQueryString request filter’ is configured | L2 | App | Request limits; Use request filtering |
| Request Filtering and Other Restriction Modules | Ensure non-ASCII characters in URLs are not allowed | L2 | App | Use request filtering; UrlScan 1 reference |
| Request Filtering and Other Restriction Modules | Ensure Double-Encoded requests will be rejected | L1 | App | Request limits; Use request filtering |
| Request Filtering and Other Restriction Modules | Ensure ‘HTTP Trace Method’ is disabled | L1 | App | Verbs `<verbs>`; Web servers enable HTTP TRACE method by default |
| Request Filtering and Other Restriction Modules | Ensure Unlisted File Extensions are not allowed | L1 | App | Configure request filtering in IIS; Request limits |
| Request Filtering and Other Restriction Modules | Ensure Handler is not granted Write and Script/Execute | L1 | App | IIS: Grant a handler execute/script or write permissions, but not both; AccessFlags |
| Request Filtering and Other Restriction Modules | Ensure ‘notListedIsapisAllowed’ is set to false | L1 | App | IIS: The configuration attribute ‘notListedIsapisAllowed’ should be false |
| Request Filtering and Other Restriction Modules | Ensure ‘notListedCgisAllowed’ is set to false | L1 | App | IIS: The configuration attribute ‘notListedCgisAllowed’ should be false |
| Request Filtering and Other Restriction Modules | Ensure ‘Dynamic IP Address Restrictions’ is enabled | L1 | App | IIS 8.0 dynamic IP address restrictions |
| IIS Logging Recommendations | Ensure Default IIS web log location is moved | L1 | App | Logging features requirements (IIS 7) |
| IIS Logging Recommendations | Ensure Advanced IIS logging is enabled | L1 | App | Enhanced logging for IIS 8.5 |
| IIS Logging Recommendations | Ensure ‘ETW Logging’ is enabled | L1 | App | Logging to event tracing for Windows in IIS 8.5; Common questions for ETW and Windows event log |
| FTP Requests | Ensure FTP requests are encrypted | L1 | App | Using FTP over SSL in IIS 7 |
| FTP Requests | Ensure FTP Logon attempt restrictions is enabled | L1 | App | IIS 8.0 FTP logon attempt restrictions |
| Transport Encryption | Ensure HSTS Header is set | L2 | App | IIS 8.0 FTP logon attempt restrictions |
| Transport Encryption | Ensure SSLv2 is Disabled | L1 | OS/App | Testing for SSL-TLS |
| Transport Encryption | Ensure SSLv3 is Disabled | L1 | OS/App | Testing for SSL-TLS |
| Transport Encryption | Ensure TLS 1.0 is Disabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Transport Encryption | Ensure TLS 1.1 is Disabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Transport Encryption | Ensure TLS 1.2 is Enabled | L1 | OS/App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Transport Encryption | Ensure NULL Cipher Suites is Disabled | L1 | App | Cipher suites in TLS/SSL; Supported cipher suites and protocols in the Schannel SSP |
| Transport Encryption | Ensure DES Cipher Suites is Disabled | L1 | App | |
| Transport Encryption | Ensure RC4 Cipher Suites is Disabled | L1 | App | |
| Transport Encryption | Ensure AES 128/128 Cipher Suite is Disabled | L1 | App | |
| Transport Encryption | Ensure AES 256/256 Cipher Suite is Enabled | L1 | App | |
| Transport Encryption | Ensure TLS Cipher Suite Ordering is Configured | L2 | App | |
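The application-level rows of the table are all attributes in applicationHost.config or a site's web.config, so they can be audited and enforced from one script. The following PowerShell is an added example written for this page; it is not code from the original guide or from CalCom. It reads each setting with the WebAdministration module, reports pass/fail, and with -Remediate writes the hardened value. Assumptions: the numeric request limits are the IIS defaults (tune them to the application), `removeServerHeader` and the `hsts` element exist only on IIS 10 (the latter from version 1709), and the ASP.NET checks target the site named by -SiteName, which defaults to the hypothetical 'Default Web Site'.

```powershell
# Added example (not from the original guide): audits the application-level CIS IIS 10 items
# from the table above and, with -Remediate, sets the hardened value. Needs the WebAdministration
# module (IIS 7.5+) and an elevated prompt. Run Backup-WebConfiguration first.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'   # server-wide applicationHost.config

function Get-HardeningChecks([string]$SiteName) {
  $site = "IIS:\Sites\$SiteName"       # the site's web.config; system.web is site/app scoped
  @(
    @{ Id='Directory browsing disabled';  PSPath=$AppHost; Filter='system.webServer/directoryBrowse';                         Name='enabled';                 Expected=$false },
    @{ Id='maxAllowedContentLength';      PSPath=$AppHost; Filter='system.webServer/security/requestFiltering/requestLimits';  Name='maxAllowedContentLength'; Expected=30000000 },  # assumed ceiling
    @{ Id='maxUrl';                       PSPath=$AppHost; Filter='system.webServer/security/requestFiltering/requestLimits';  Name='maxUrl';                  Expected=4096 },      # assumed ceiling
    @{ Id='maxQueryString';               PSPath=$AppHost; Filter='system.webServer/security/requestFiltering/requestLimits';  Name='maxQueryString';          Expected=2048 },      # assumed ceiling
    @{ Id='Non-ASCII URLs rejected';      PSPath=$AppHost; Filter='system.webServer/security/requestFiltering';                Name='allowHighBitCharacters';  Expected=$false },
    @{ Id='Double-encoded URLs rejected'; PSPath=$AppHost; Filter='system.webServer/security/requestFiltering';                Name='allowDoubleEscaping';     Expected=$false },
    @{ Id='Unlisted extensions rejected'; PSPath=$AppHost; Filter='system.webServer/security/requestFiltering/fileExtensions'; Name='allowUnlisted';           Expected=$false },
    @{ Id='Server header removed';        PSPath=$AppHost; Filter='system.webServer/security/requestFiltering';                Name='removeServerHeader';      Expected=$true },   # IIS 10+
    @{ Id='notListedIsapisAllowed';       PSPath=$AppHost; Filter='system.webServer/security/isapiCgiRestriction';             Name='notListedIsapisAllowed';  Expected=$false },
    @{ Id='notListedCgisAllowed';         PSPath=$AppHost; Filter='system.webServer/security/isapiCgiRestriction';             Name='notListedCgisAllowed';    Expected=$false },
    @{ Id='HSTS enabled (site defaults)'; PSPath=$AppHost; Filter='system.applicationHost/sites/siteDefaults/hsts';            Name='enabled';                 Expected=$true },   # IIS 10 1709+
    @{ Id='Forms auth requires SSL';      PSPath=$site;    Filter='system.web/authentication/forms';                           Name='requireSSL';              Expected=$true },
    @{ Id='Forms auth uses cookies';      PSPath=$site;    Filter='system.web/authentication/forms';                           Name='cookieless';              Expected='UseCookies' },
    @{ Id='Forms auth cookie protection'; PSPath=$site;    Filter='system.web/authentication/forms';                           Name='protection';              Expected='All' },
    @{ Id='Debug off';                    PSPath=$site;    Filter='system.web/compilation';                                    Name='debug';                   Expected=$false },
    @{ Id='Custom errors not off';        PSPath=$site;    Filter='system.web/customErrors';                                   Name='mode';                    Expected='RemoteOnly' },
    @{ Id='Trace disabled';               PSPath=$site;    Filter='system.web/trace';                                          Name='enabled';                 Expected=$false },
    @{ Id='Session state uses cookies';   PSPath=$site;    Filter='system.web/sessionState';                                   Name='cookieless';              Expected='UseCookies' },
    @{ Id='HttpOnly cookies';             PSPath=$site;    Filter='system.web/httpCookies';                                    Name='httpOnlyCookies';         Expected=$true }
  )
}

function Get-ConfigValue([hashtable]$c) {
  $v = Get-WebConfigurationProperty -PSPath $c.PSPath -Filter $c.Filter -Name $c.Name -ErrorAction Stop
  if ($null -ne $v.Value) { $v = $v.Value }   # unwrap ConfigurationAttribute wrappers
  return $v
}

function Test-IisHardening {
  [CmdletBinding()] param([string]$SiteName = 'Default Web Site', [switch]$Remediate)
  foreach ($c in (Get-HardeningChecks $SiteName)) {
    try { $actual = Get-ConfigValue $c } catch { $actual = "ERROR: $($_.Exception.Message)" }
    $pass = ("$actual" -eq "$($c.Expected)")   # string compare covers bool, uint and enum attributes
    if (-not $pass -and $Remediate) {
      try {
        Set-WebConfigurationProperty -PSPath $c.PSPath -Filter $c.Filter -Name $c.Name -Value $c.Expected -ErrorAction Stop
        $actual = Get-ConfigValue $c; $pass = ("$actual" -eq "$($c.Expected)")
      } catch { $actual = "ERROR: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Check=$c.Id; Expected=$c.Expected; Actual=$actual; Pass=$pass }
  }

  # Collection entries are not single attributes: the TRACE verb deny rule and the default
  # X-Powered-By custom header are handled explicitly.
  $traceFilter = "system.webServer/security/requestFiltering/verbs/add[@verb='TRACE']"
  $trace = Get-WebConfiguration -PSPath $AppHost -Filter $traceFilter
  $pass = ($null -ne $trace -and -not $trace.allowed)
  if (-not $pass -and $Remediate) {
    if ($trace) { Set-WebConfigurationProperty -PSPath $AppHost -Filter $traceFilter -Name 'allowed' -Value $false }
    else { Add-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering/verbs' -Name '.' -Value @{ verb='TRACE'; allowed=$false } }
    $pass = $true
  }
  [pscustomobject]@{ Check='HTTP TRACE denied'; Expected='allowed=False'; Actual=$(if ($trace) { "allowed=$($trace.allowed)" } else { 'no TRACE rule' }); Pass=$pass }

  $xpb = Get-WebConfiguration -PSPath $AppHost -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"
  $pass = ($null -eq $xpb)
  if (-not $pass -and $Remediate) {
    Remove-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' -AtElement @{ name='X-Powered-By' }
    $pass = $true
  }
  [pscustomobject]@{ Check='X-Powered-By removed'; Expected='absent'; Actual=$(if ($xpb) { "present ($($xpb.value))" } else { 'absent' }); Pass=$pass }
}

# Usage: report first; only then apply, after taking a configuration backup.
Backup-WebConfiguration -Name 'PreHardening' | Out-Null
Test-IisHardening -SiteName 'Default Web Site' | Format-Table -AutoSize
# Test-IisHardening -SiteName 'Default Web Site' -Remediate | Format-Table -AutoSize
```

The report-only pass is the point of the design: every row in the table is a production dependency risk, so the script separates finding a drift from fixing it, and the backup lets `Restore-WebConfiguration` undo a change that breaks an application.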


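The Transport Encryption rows marked OS/App are not IIS settings at all; IIS inherits them from the Windows Schannel provider, which reads its configuration from the registry at boot. The PowerShell below is an added example written for this page, not code from the original guide or from CalCom. It audits the protocol and cipher rows (SSLv2, SSLv3, TLS 1.0 and TLS 1.1 disabled, TLS 1.2 enabled, NULL, DES, RC4 and AES 128/128 disabled, AES 256/256 enabled, cipher suite order configured) and, with -Remediate, writes the hardened values. The cipher suite list in `$SuiteOrder` is an illustrative ECDHE-first ordering chosen for the example, not the benchmark's exact list.

```powershell
# Added example (not from the original guide): audits and optionally applies the OS-level
# Transport Encryption items through the Schannel registry keys. The .NET registry API is used
# because cipher key names such as "AES 128/128" contain a slash that the HKLM: provider would
# treat as a path separator. Run elevated; a reboot is needed before Schannel picks up changes.
$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols: Enabled=0 plus DisabledByDefault=1 disables, Enabled=1 plus 0 enables.
$Protocols = [ordered]@{ 'SSL 2.0'=$false; 'SSL 3.0'=$false; 'TLS 1.0'=$false; 'TLS 1.1'=$false; 'TLS 1.2'=$true }
# Ciphers: Enabled=0 disables, 0xffffffff (written as the Int32 -1) enables.
$Ciphers = [ordered]@{ 'NULL'=$false; 'DES 56/56'=$false; 'RC4 40/128'=$false; 'RC4 56/128'=$false
                       'RC4 64/128'=$false; 'RC4 128/128'=$false; 'AES 128/128'=$false; 'AES 256/256'=$true }
# Cipher suite order lives under the policy key that Group Policy's "SSL Cipher Suite Order" writes.
# Illustrative ECDHE-first list (an assumption, not the benchmark's list); Windows limits the
# Functions value to 1023 characters, so keep the list short.
$OrderKey   = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$SuiteOrder = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,' +
              'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'

function Get-RegValue([string]$SubKey, [string]$Name) {
  $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
  if ($null -eq $k) { return $null }          # key absent: OS default, not an explicit setting
  try { return $k.GetValue($Name, $null) } finally { $k.Close() }
}
function Set-RegValue([string]$SubKey, [string]$Name, $Value, [Microsoft.Win32.RegistryValueKind]$Kind) {
  $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
  try { $k.SetValue($Name, $Value, $Kind) } finally { $k.Close() }
}

function Test-SchannelHardening {
  [CmdletBinding()] param([switch]$Remediate)
  $dword = [Microsoft.Win32.RegistryValueKind]::DWord
  foreach ($p in $Protocols.Keys) {
    $sub = "$Schannel\Protocols\$p\Server"; $want = $Protocols[$p]
    $enabled = Get-RegValue $sub 'Enabled'; $dbd = Get-RegValue $sub 'DisabledByDefault'
    # Pass only when Enabled is explicitly set and both values agree with the wanted state.
    $pass = ($null -ne $enabled) -and (($enabled -ne 0) -eq $want) -and (($dbd -eq 1) -ne $want)
    if (-not $pass -and $Remediate) {
      Set-RegValue $sub 'Enabled' ([int]$want) $dword                # $true -> 1, $false -> 0
      Set-RegValue $sub 'DisabledByDefault' ([int](-not $want)) $dword
      $pass = $true
    }
    [pscustomobject]@{ Item="Protocol $p (server)"; Expected=$(if ($want) {'enabled'} else {'disabled'})
                       Actual="Enabled=$enabled DisabledByDefault=$dbd"; Pass=$pass }
  }
  foreach ($c in $Ciphers.Keys) {
    $sub = "$Schannel\Ciphers\$c"; $want = $Ciphers[$c]
    $enabled = Get-RegValue $sub 'Enabled'
    $pass = ($null -ne $enabled) -and (($enabled -ne 0) -eq $want)
    if (-not $pass -and $Remediate) {
      Set-RegValue $sub 'Enabled' $(if ($want) { -1 } else { 0 }) $dword   # -1 stores 0xffffffff
      $pass = $true
    }
    [pscustomobject]@{ Item="Cipher $c"; Expected=$(if ($want) {'enabled'} else {'disabled'})
                       Actual="Enabled=$enabled"; Pass=$pass }
  }
  $order = Get-RegValue $OrderKey 'Functions'
  $pass = ($order -eq $SuiteOrder)
  if (-not $pass -and $Remediate) {
    Set-RegValue $OrderKey 'Functions' $SuiteOrder ([Microsoft.Win32.RegistryValueKind]::String)
    $pass = $true
  }
  [pscustomobject]@{ Item='Cipher suite order'; Expected='explicit list'
                     Actual=$(if ($order) { $order } else { 'not set (system default order)' }); Pass=$pass }
}

# Usage: report first, then apply and reboot. Verify afterwards from another host with a TLS
# scanner, since the registry only records intent until Schannel reloads it.
Test-SchannelHardening | Format-Table -AutoSize
# Test-SchannelHardening -Remediate | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: these keys also govern every other Schannel consumer on the box (RDP, LDAPS, SQL Server), not just IIS, so disabling TLS 1.0 here can break clients that never touch the web site; and an absent key is reported as a failure on purpose, because "operating system default" changes between Windows releases and is not an auditable state.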

Using this table as a checklist will ensure your IIS server is hardened, but that is easier said than done. The complexity of dependencies is every IT operations team’s nightmare. Achieving server compliance requires a deep understanding of the dependencies in the system: changing any one of the values in the table may cause outages in your production environment, so lab testing is required for every small change made to the system. CHS by CalCom offers a way to save you the trouble. Our automated server hardening tool learns the dependencies and gives you a full report on the consequences of every configuration change. After you decide on your best course of action, CHS enforces your policy across the entire production environment without causing outages.