IIS Server Hardening
A checklist you can use to make your IIS environment more secure. Inspired by Michael Cobb and Orin Thomas.
Preparation
Do not connect an IIS Server to the Internet until it is fully hardened: Ensures that the server is protected from external threats during setup.
Implementation: Set up and configure IIS on a private network before exposing it to the internet.
Place the server in a physically secure location: Prevents unauthorized physical access to the server.
Implementation: Use locked server rooms with restricted access.
Do not install the IIS server on a domain controller: Reduces the risk of an IIS breach compromising the domain controller.
Implementation: Install IIS on a separate server.
Do not install a printer: Minimizes unnecessary services that could be exploited.
Implementation: Ensure no printer drivers or services are installed.
Network Configuration
Use two network interfaces in the server — one for admin and one for the network: Separates management traffic from general network traffic.
Implementation: Configure two NICs in the server, assigning different roles.
Harden TCP/IP stack: Improves network stack security by disabling unnecessary features.
Implementation: Edit registry settings to disable features like source routing and ICMP redirects.
Disable NetBIOS and SMB (closing ports 137, 138, 139, and 445): Prevents common attack vectors for network-based attacks.
Implementation: Use firewall rules or disable these services via server settings.
Security Tools
Run IISLockdown on the server: Applies a range of security settings to lock down IIS.
Implementation: Download and run the IISLockdown tool from Microsoft.
Install and configure URLScan: Filters incoming requests to block potentially harmful ones.
Implementation: Install URLScan and configure its .ini file to suit your security needs.
Secure remote administration of the server and configure for encryption, low session time-outs, and account lockouts: Protects administrative access from being hijacked.
Implementation: Configure Remote Desktop and other admin tools to use encryption, set session time-outs, and enable account lockouts.
Services and Components
Disable unnecessary Windows services: Reduces attack surface by limiting services that can be exploited.
Implementation: Use the Services management console to disable unneeded services.
Ensure services are running with least-privileged accounts: Limits the impact of a service being compromised.
Implementation: Configure service accounts to use the minimum privileges necessary.
Disable FTP, SMTP, NNTP, Telnet, and ASP.NET state services if not required: Minimizes attack vectors.
Implementation: Disable these services in the Services management console.
Disable WebDAV if not used by the application, or secure it if required: Prevents exploitation of WebDAV vulnerabilities.
Implementation: Remove WebDAV through the Server Manager or configure it for security.
File System
Reconfigure Recycle Bin and Page file system data policies: Prevents sensitive data from being easily recovered.
Implementation: Use Group Policy or system settings to adjust these policies.
Contain files and directories on NTFS volumes: Ensures file system security features are utilized.
Implementation: Convert any FAT volumes to NTFS using the convert command.
Physical Security
Secure CMOS settings: Prevents unauthorized changes to system settings.
Implementation: Set a BIOS/UEFI password.
Secure physical media (floppy drive, CD-ROM drive, etc.): Prevents booting from unauthorized media.
Implementation: Disable boot options for these devices in the BIOS/UEFI settings.
Accounts
Account Management
Remove unused accounts from the server: Reduces the number of potential targets for attackers.
Implementation: Use the Local Users and Groups management console to remove accounts.
Disable Windows Guest account: Prevents its use as an entry point.
Implementation: Disable the Guest account via the Local Users and Groups management console.
Rename Administrator account and set a strong password: Makes it harder for attackers to guess credentials.
Implementation: Use the Local Users and Groups management console to rename the account and set a strong password.
Disable IUSR_MACHINE account if it is not used by the application: Limits unnecessary accounts.
Implementation: Use the Local Users and Groups management console to disable the account.
Privilege Management
Configure ASP.NET process account for least privilege: Limits the impact of a process being compromised.
Implementation: Use the aspnet_regiis tool to configure the ASP.NET account.
Enforce strong account and password policies for the server: Ensures accounts are protected with strong credentials.
Implementation: Configure password policies via Group Policy.
Restrict remote logons: Limits the potential for remote attacks.
Implementation: Use Group Policy to restrict remote logon permissions.
Files and Directories
Volume Management
Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders: Prevents a compromised web server from affecting the OS.
Implementation: Use Disk Management to partition disks and configure IIS directories.
Put Web site content on a non-system NTFS volume: Utilizes NTFS security features.
Implementation: Move web content directories to an NTFS volume.
Access Control
Restrict the Everyone group (no access to \WINNT\system32 or Web directories): Prevents unauthorized access.
Implementation: Adjust NTFS permissions on these directories.
Ensure Web site root directory has deny write ACE for anonymous Internet accounts: Protects web content from being modified.
Implementation: Set NTFS permissions to deny write access for anonymous users.
Shares and Ports
Shares
Remove all unnecessary shares (including default administration shares): Reduces the number of potential entry points.
Implementation: Use the Shared Folders management console to remove shares.
Restrict access to required shares (the Everyone group does not have access): Limits share access to authorized users.
Implementation: Adjust share permissions via the Shared Folders management console.
Ports
Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used): Limits exposed services.
Implementation: Use firewall rules to restrict port access.
Registry and Logging
Registry
Restrict remote registry access: Prevents unauthorized registry modifications.
Implementation: Disable the Remote Registry service.
Secure SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash): Protects password hashes.
Implementation: Set the NoLMHash registry key to 1.
Auditing and Logging
Audit failed logon attempts: Tracks potential unauthorized access attempts.
Implementation: Configure audit policies via Group Policy.
Relocate and secure IIS log files: Ensures logs are protected and not easily tampered with.
Implementation: Move log file locations in IIS Manager.
Sites and Virtual Directories
Site Management
Put Web sites on a non-system partition: Isolates web content from the OS.
Implementation: Configure site directories in IIS Manager.
Disable "Parent paths" setting: Prevents directory traversal attacks.
Implementation: Disable Parent Paths in the ASP settings of IIS Manager.
Access Control
Do not grant included directories Read Web permission: Limits exposure of sensitive files.
Implementation: Adjust directory permissions in IIS Manager.
Restrict Write and Execute Web permissions for anonymous accounts in virtual directories: Prevents unauthorized modifications and script execution.
Implementation: Set appropriate permissions in IIS Manager.
Script Mappings and ISAPI Filters
Script Mappings
Map extensions not used by the application to 404.dll: Prevents execution of unnecessary scripts.
Implementation: Configure script mappings in IIS Manager.
Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config: Blocks execution of potentially harmful scripts.
Implementation: Edit the Machine.config file.
ISAPI Filters
Remove from the server unnecessary or unused ISAPI filters: Reduces attack surface.
Implementation: Remove ISAPI filters via IIS Manager.
IIS Metabase and Server Certificates
IIS Metabase
Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin): Protects configuration settings.
Implementation: Set NTFS permissions on the metabase.bin file.
Restrict IIS banner information (Disable IP address in content location): Hides server information from attackers.
Implementation: Edit the Metabase.xml file.
Server Certificates
Ensure certificate date ranges are valid: Prevents the use of expired certificates.
Implementation: Check certificate properties in the Certificates management console.
Only use certificates for their intended purpose: Ensures correct usage of certificates.
Implementation: Configure certificate purposes in the Certificates management console.
Ensure the certificate's public key is valid, all the way to a trusted root authority: Verifies the trust chain.
Implementation: Check the certificate chain in the Certificates management console.
Machine.config and ASP.NET Configuration
Machine.config
Map protected resources to HttpForbiddenHandler: Blocks access to sensitive resources.
Implementation: Edit the Machine.config file.
Remove unused HttpModules: Reduces the attack surface.
Implementation: Edit the Machine.config file.
Disable tracing: Prevents the exposure of detailed application information.
Implementation: Edit the Web.config file.
ASP.NET Configuration
Ensure 'deployment method retail' is set: Disables features useful for development but risky in production.
Implementation: Set deployment mode to retail in the Web.config file.
Ensure 'debug' is turned off: Prevents detailed error messages from being shown to users.
Implementation: Set debug to false in the Web.config file.
Ensure custom error messages are not off: Provides user-friendly error messages.
Implementation: Configure custom errors in the Web.config file.
Ensure IIS HTTP detailed errors are hidden from displaying remotely: Prevents the exposure of detailed server information.
Implementation: Set custom error pages in IIS Manager.
Request Filtering and Other Restriction Modules
Request Filtering
Configure 'maxAllowedContentLength': Limits the size of requests to prevent DoS attacks.
Implementation: Set maxAllowedContentLength in the Request Filtering settings.
Configure 'maxURL request filter': Limits the length of URLs to prevent buffer overflow attacks.
Implementation: Set maxUrl in the Request Filtering settings.
Configure 'MaxQueryString request filter': Limits the length of query strings to prevent buffer overflow attacks.
Implementation: Set maxQueryString in the Request Filtering settings.
Reject non-ASCII characters in URLs: Prevents attacks using non-standard characters.
Implementation: Enable non-ASCII character rejection in the Request Filtering settings.
Reject double-encoded requests: Prevents bypassing of security filters.
Implementation: Enable double-encoded request rejection in the Request Filtering settings.
Disable HTTP Trace Method: Prevents trace method attacks.
Implementation: Disable TRACE method in the IIS Manager.
Disallow unlisted file extensions: Limits file types that can be executed.
Implementation: Configure file extension restrictions in the Request Filtering settings.
Ensure Handler is not granted Write and Script/Execute: Prevents unauthorized code execution.
Implementation: Configure handler mappings in IIS Manager.
Set ‘notListedIsapisAllowed’ to false: Prevents execution of unlisted ISAPI extensions.
Implementation: Configure ISAPI restrictions in IIS Manager.
Set ‘notListedCgisAllowed’ to false: Prevents execution of unlisted CGI scripts.
Implementation: Configure CGI restrictions in IIS Manager.
Enable ‘Dynamic IP Address Restrictions’: Mitigates DoS attacks by blocking IPs with suspicious activity.
Implementation: Configure Dynamic IP Restrictions in the IIS Manager.
IIS Logging Recommendations
Logging
Ensure Default IIS web log location is moved: Protects logs from being easily accessed or tampered with.
Implementation: Change the log file directory in the IIS Manager.
Enable Advanced IIS logging: Provides detailed logging for better analysis.
Implementation: Configure Advanced Logging in IIS Manager.
Enable ‘ETW Logging’: Enables real-time event tracing.
Implementation: Enable ETW Logging in the IIS Manager.
FTP Requests
FTP Configuration
Ensure FTP requests are encrypted: Protects data transmitted via FTP.
Implementation: Configure FTP over SSL in the IIS Manager.
Enable FTP Logon attempt restrictions: Limits the number of login attempts to prevent brute force attacks.
Implementation: Configure FTP login restrictions in the IIS Manager.
Transport Encryption
SSL/TLS
Set HSTS Header: Enforces HTTPS usage.
Implementation: Add HSTS headers in the HTTP Response Headers settings in IIS Manager.
Disable SSLv2, SSLv3, TLS 1.0, and TLS 1.1: Disables outdated and insecure protocols.
Implementation: Edit the registry or use Group Policy to disable these protocols.
Enable TLS 1.2: Ensures the use of a secure protocol.
Implementation: Edit the registry or use Group Policy to enable TLS 1.2.
Disable weak cipher suites (NULL, DES, RC4, Triple DES, etc): Prevents the use of insecure encryption algorithms.
Implementation: Edit the registry to disable weak cipher suites.
Ensure TLS cipher suites are correctly ordered: Ensures the strongest ciphers are used first.
Implementation: Configure cipher suite order in the registry.
Each of these steps enhances the security of your IIS server by reducing its attack surface, enforcing strong authentication and authorization policies, and ensuring secure communication. Implementing these practices helps protect the server from a variety of potential threats and vulnerabilities.
Last updated
