By Keren Pollack, on June 11th, 2020

The IIS web server is the front line of your web site: it provides the authentication options and the web permissions.

IIS integrates into the server's security model and operating-system services such as the file system and the directory. Because IIS uses the server's user database and the same Access Control Lists as every other Windows service, it is important to make sure it is properly configured. Otherwise it can be leveraged as the gate to the server's OS and your network.

Hardening IIS server guide

IIS 10 ships with some out-of-the-box configurations that can be used as attack vectors and require hardening. This list contains the most common hardening actions required to pass an audit and secure your IIS server, and explains how to perform them.

1. Secure your cookies:

Cookies are a common tool, especially for authentication. When the application running on the site does not need to access them from client-side JavaScript, you should protect them by setting them as httpOnly.

If your application does need access to the cookie, you should set the secure flag. The secure flag means the cookie is only sent over SSL.

How?

Add the following to the system.web element of your site's web.config file (domain="String" is a placeholder for your site's domain):

<httpCookies domain="String" httpOnlyCookies="true" requireSSL="true" />

See the last section of this guide for how to know what impact this change will have on your server's functionality.

2. Prevent non-HTTPS connections:

Every site should use SSL. Most sites also listen on port 80 for users who don't type https in the URL. Those users need to be redirected to the SSL version of the site, and you must make sure they can't reach any non-SSL resource on your site.

How?

Use the IIS URL Rewrite module and add a rule. In the 'Conditions' section, set Input to {HTTPS}, Type to 'Matches the Pattern', and Pattern to off.

In the 'Action' section, set 'Action Type' to Redirect and 'Redirect URL' to https://{HTTP_HOST}/{R:1}. Tick 'Append query string' and choose 'Permanent (301)' under 'Redirect type'.

3. Remove IIS's branded response headers:

One of the most valuable steps of network reconnaissance is discovering the software and version you are running. Different versions suffer from specific vulnerabilities. Once an attacker has these details, they can search for attacks against that exact version, or use the information in social-engineering attacks. Your branded response headers are easy to find with the browser's developer tools, under the 'Server' and 'X-Powered-By' headers. Remove them so this information isn't disclosed.

How?

To get rid of the 'X-Powered-By' header, add the following lines to each site's web.config file (inside the system.webServer section):

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

To get rid of the 'Server' header you'll need PowerShell. Run the following as a single line from an elevated prompt (the cmdlet comes from the WebAdministration module):

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

4. Use a referrer policy:

When a web browser follows a link from one site to another, it sends a 'Referer' header that the next website can read. Attackers can leverage this and use it to hijack your website. If the URL of one of your pages contains sensitive information, it shouldn't be sent to an external site. A referrer policy is the way to prevent that.

How?

Using the 'origin-when-cross-origin' value ensures that whenever referrer information is sent outside your site, it only contains your site's origin (the domain name) and not the specific page URL. To do this, add the following to the site's web.config file (the X-Powered-By line is the one from step 3):

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Referrer-Policy" value="origin-when-cross-origin" />
  </customHeaders>
</httpProtocol>

5. Use HSTS:

HSTS stands for HTTP Strict Transport Security. Enforcing SSL with rewrite rules is not enough: an attacker who can intercept traffic (for example with a packet sniffer) can redirect traffic that relies on 301 redirects alone to enforce SSL. When your web server insists that browsers connect only via SSL, attempts to intercept traffic between users and your site will fail.

How?

Add the following to the system.webServer section of your web.config file (the header lines from steps 3 and 4 are kept; note that the HSTS value is written max-age=31536000, with an equals sign):

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Referrer-Policy" value="origin-when-cross-origin" />
    <add name="Strict-Transport-Security" value="max-age=31536000" />
  </customHeaders>
</httpProtocol>
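Steps 1 to 5 all land in the same web.config, but they appear above as separate fragments, and the redirect rule of step 2 is described only as URL Rewrite UI fields. The file below assembles them into one site-level web.config. It is an added example written for this article, not the author's own file: the httpCookies element sits under system.web while the rewrite rule and headers sit under system.webServer; the rewrite rule is the XML form of the fields described in step 2; and the requestFiltering element is the web.config equivalent of the Set-WebConfigurationProperty command in step 3 (assumed here to be unlocked for site-level override, which is the IIS default for that section). The domain attribute of httpCookies is left out so cookies keep the host's default scope.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Step 1: cookies are not readable from client-side script and are
         only sent over SSL. Add domain="..." here if you need to scope them. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <!-- Step 2: 301-redirect every plain-HTTP request to the same path over
         HTTPS. Requires the URL Rewrite module. {R:1} is the (.*) capture
         of the requested path; the query string is appended as well. -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- Step 3 (Server header): web.config form of the PowerShell command
         above. Assumption: the requestFiltering section is not locked in
         applicationHost.config; if it is, keep using the machine-level command. -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>

    <!-- Steps 3, 4 and 5: drop the X-Powered-By header, limit referrer
         information to the origin on cross-site navigation, and tell browsers
         to use HTTPS only for the next 31536000 seconds (one year). -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="Referrer-Policy" value="origin-when-cross-origin" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Browsers only act on Strict-Transport-Security when they receive it over HTTPS, so the redirect rule and the HSTS header complement each other rather than overlap. A quick check after deployment: request the site over plain HTTP and confirm a 301 to the https URL, then inspect the HTTPS response for the absence of Server and X-Powered-By and the presence of the two added headers.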

6. Fix IIS cryptography settings:

Using legacy protocols and cipher suites, such as TLS 1.0, exposes your web site to serious risk. Some sites require stricter cryptography than others, but the default IIS cryptography settings are vulnerable in all cases. Take into consideration that changing these values may affect the functionality of your site.

How?

One useful free tool for this is 'IIS Crypto'. Make sure its 'best practices' preset really suits your needs.

How can you make sure nothing will break when hardening?

Hardening your IIS server may have disastrous results on your web site. Securing configurations may cause other services and functions to break. To prevent outages, you have two options:

  1. Manually check the impact before implementing: establish a test environment where you can accurately measure the impact of every change on the rest of the IIS server's functionality. The test environment should be an exact copy of your production IIS, and each change must be tested before it is implemented.
  2. Use CalCom Security Solution for IIS: this tool does the entire testing process for you, directly on your production environment. CalCom Security Solution for IIS (CSS for IIS) produces an impact report for your policy, so you can decide your course of action. Once you make a decision, CalCom IIS Hardening Solution implements the configuration change across your entire production environment from a centralized point of control. Once you have hardened your IIS, CSS for IIS monitors your IIS server and remediates any configuration drift.
  2. Use CalCom Security Solution for IIS- this tool will do the entire testing process for you directly on your production environment. CalCom Security Solution for IIS (CSS for IIS) will produce an impact report for your policy, so you can decide your decide course of action. Once you’ll make a decision, CalCom IIS Hardening Solution will implement the configuration change on your entire production from a centralized point of control. Once you hardened your IIS, CSS for IIS will monitor your IIS server and remediate any configuration drifts.