Hardening IIS

Best practices and references used for hardening IIS.

CIS Benchmarks

IIS 8.x CIS version 1.5 Recommendations (columns: Setting, Scored, Level)
1 Basic Configurations
1.1 Ensure web content is on non-system partition (Scored) Y 1
1.2 Ensure ‘host headers’ are on all sites (Scored) Y 1
1.3 Ensure ‘directory browsing’ is set to disabled (Scored) Y 1
1.4 Ensure ‘application pool identity’ is configured for all application pools (Scored) Y 1
1.5 Ensure ‘unique application pools’ is set for sites (Scored) Y 1
1.6 Ensure ‘application pool identity’ is configured for anonymous user identity (Scored) Y 1
2 Configure Authentication and Authorization
2.1 Ensure ‘global authorization rule’ is set to restrict access (Not Scored) N 1
2.2 Ensure access to sensitive site features is restricted to authenticated principals only (Not Scored) N 1
2.3 Ensure ‘forms authentication’ require SSL (Scored) Y 1
2.4 Ensure ‘forms authentication’ is set to use cookies (Scored) Y 2
2.5 Ensure ‘cookie protection mode’ is configured for forms authentication (Scored) Y 1
2.6 Ensure transport layer security for ‘basic authentication’ is configured (Scored) Y 1
2.7 Ensure ‘passwordFormat’ is not set to clear (Scored) Y 1
2.8 Ensure ‘credentials’ are not stored in configuration files (Scored) Y 2
3 ASP.NET Configuration Recommendations
3.1 Ensure ‘deployment method retail’ is set (Scored) Y 1
3.2 Ensure ‘debug’ is turned off (Scored) Y 2
3.3 Ensure custom error messages are not off (Scored) Y 2
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely (Scored) Y 1
3.5 Ensure ASP.NET stack tracing is not enabled (Scored) Y 2
3.6 Ensure ‘httpcookie’ mode is configured for session state (Scored) Y 2
3.7 Ensure ‘cookies’ are set with HttpOnly attribute (Scored) Y 1
3.8 Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Scored) Y 2
3.9 Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Scored) Y 1
3.10 Ensure global .NET trust level is configured (Scored) Y 1
3.11 Ensure ‘encryption providers’ are locked down (Scored) Y 2
4 Request Filtering and Other Restriction Modules
4.1 Ensure ‘maxAllowedContentLength’ is configured (Not Scored) N 2
4.2 Ensure ‘maxURL request filter’ is configured (Scored) Y 2
4.3 Ensure ‘MaxQueryString request filter’ is configured (Scored) Y 2
4.4 Ensure non-ASCII characters in URLs are not allowed (Scored) Y 2
4.5 Ensure Double-Encoded requests will be rejected (Scored) Y 1
4.6 Ensure ‘HTTP Trace Method’ is disabled (Scored) Y 1
4.7 Ensure Unlisted File Extensions are not allowed (Scored) Y 1
4.8 Ensure Handler is not granted Write and Script/Execute (Scored) Y 1
4.9 Ensure ‘notListedIsapisAllowed’ is set to false (Scored) Y 1
4.10 Ensure ‘notListedCgisAllowed’ is set to false (Scored) Y 1
4.11 Ensure ‘Dynamic IP Address Restrictions’ is enabled (Not Scored) N 1
5 IIS Logging Recommendations
5.1 Ensure Default IIS web log location is moved (Scored) Y 1
5.2 Ensure Advanced IIS logging is enabled (Scored) Y 1
5.3 Ensure ‘ETW Logging’ is enabled (Not Scored) N 1
6 FTP Requests
6.1 Ensure FTP requests are encrypted (Scored) Y 1
6.2 Ensure FTP Logon attempt restrictions is enabled (Not Scored) N 1
7 Transport Encryption
7.1 Ensure HSTS Header is set (Not Scored) N 2
7.2 Ensure SSLv2 is disabled (Scored) Y 1
7.3 Ensure SSLv3 is disabled (Scored) Y 1
7.4 Ensure TLS 1.0 is disabled (Not Scored) N 2
7.5 Ensure TLS 1.1 is enabled (Not Scored) N 1
7.6 Ensure TLS 1.2 is enabled (Scored) Y 1
7.7 Ensure NULL Cipher Suites is disabled (Scored) Y 1
7.8 Ensure DES Cipher Suites is disabled (Scored) Y 1
7.9 Ensure RC2 Cipher Suites is disabled (Scored) Y 1
7.10 Ensure RC4 Cipher Suites is disabled (Scored) Y 1
7.11 Ensure Triple DES Cipher Suite is configured (Not Scored) N 1
7.12 Ensure AES 128/128 Cipher Suite is configured (Not Scored) N 1
7.13 Ensure AES 256/256 Cipher Suite is enabled (Scored) Y 1
7.14 Ensure TLS Cipher Suite ordering is configured (Scored) Y 2
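An added audit script, not part of the original page, that reads the section 4 request-filtering and ISAPI/CGI settings listed above from the server-level IIS configuration and reports pass/fail per benchmark item. It assumes the IIS WebAdministration PowerShell module and an elevated session; the upper bounds used for 4.1 to 4.3 are assumed values, since the page states none.

```powershell
# Added audit example (not from the page): checks the CIS section 4 items
# against applicationHost.config. Assumes the WebAdministration module
# (IIS 7.x/8.x) and an elevated PowerShell session.
Import-Module WebAdministration

$Root = 'MACHINE/WEBROOT/APPHOST'
$RF   = 'system.webServer/security/requestFiltering'

function Get-IisSetting {
    # Get-WebConfigurationProperty returns either the raw value or a
    # ConfigurationAttribute wrapper; normalise to the raw value.
    param([string]$Filter, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath $Root -Filter $Filter -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function Test-IisRequestFiltering {
    # Upper bounds for 4.1-4.3 are assumed (30 MB, 4096, 2048); adjust them to
    # the benchmark edition you are auditing against.
    $checks = @(
        @{ Item='4.1'; Name='maxAllowedContentLength'; Filter="$RF/requestLimits"
           Test={ param($v) $v -le 30000000 } }
        @{ Item='4.2'; Name='maxUrl';         Filter="$RF/requestLimits"; Test={ param($v) $v -le 4096 } }
        @{ Item='4.3'; Name='maxQueryString'; Filter="$RF/requestLimits"; Test={ param($v) $v -le 2048 } }
        @{ Item='4.4'; Name='allowHighBitCharacters'; Filter=$RF; Test={ param($v) -not $v } }
        @{ Item='4.5'; Name='allowDoubleEscaping';    Filter=$RF; Test={ param($v) -not $v } }
        @{ Item='4.7'; Name='allowUnlisted'; Filter="$RF/fileExtensions"; Test={ param($v) -not $v } }
        @{ Item='4.9';  Name='notListedIsapisAllowed'; Filter='system.webServer/security/isapiCgiRestriction'; Test={ param($v) -not $v } }
        @{ Item='4.10'; Name='notListedCgisAllowed';   Filter='system.webServer/security/isapiCgiRestriction'; Test={ param($v) -not $v } }
    )
    foreach ($c in $checks) {
        $v = Get-IisSetting -Filter $c.Filter -Name $c.Name
        [pscustomobject]@{ Item=$c.Item; Setting=$c.Name; Actual=$v; Pass=[bool](& $c.Test $v) }
    }
    # 4.6: TRACE must be explicitly listed under <verbs> with allowed="false";
    # an absent entry means the verb is still permitted by default.
    $trace = Get-WebConfiguration -PSPath $Root -Filter "$RF/verbs/add[@verb='TRACE']"
    [pscustomobject]@{ Item='4.6'; Setting='verbs/TRACE'; Actual=$trace.allowed
                       Pass=($null -ne $trace -and -not $trace.allowed) }
}

Test-IisRequestFiltering | Format-Table -AutoSize
```

Items 4.8 and 4.11 are not covered here because they depend on per-handler access policies and the Dynamic IP Restrictions module rather than a single attribute.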


IIS 7.x CIS version 1.8 Recommendations (columns: Setting, Scored, Level)
1 Basic Configurations
1.1 Ensure web content is on non-system partition (Scored) Y 1
1.2 Ensure ‘host headers’ are on all sites (Scored) Y 1
1.3 Ensure ‘directory browsing’ is set to disabled (Scored) Y 1
1.4 Ensure ‘application pool identity’ is configured for all application pools (Scored) Y 1
1.5 Ensure ‘unique application pools’ is set for sites (Scored) Y 1
1.6 Ensure ‘application pool identity’ is configured for anonymous user identity (Scored) Y 1
2 Configure Authentication and Authorization
2.1 Ensure ‘global authorization rule’ is set to restrict access (Not Scored) N 1
2.2 Ensure access to sensitive site features is restricted to authenticated principals only (Not Scored) N 1
2.3 Ensure ‘forms authentication’ require SSL (Scored) Y 1
2.4 Ensure ‘forms authentication’ is set to use cookies (Scored) Y 2
2.5 Ensure ‘cookie protection mode’ is configured for forms authentication (Scored) Y 1
2.6 Ensure transport layer security for ‘basic authentication’ is configured (Scored) Y 1
2.7 Ensure ‘passwordFormat’ is not set to clear (Scored) Y 1
2.8 Ensure ‘credentials’ are not stored in configuration files (Scored) Y 2
3 ASP.NET Configuration Recommendations
3.1 Ensure ‘deployment method retail’ is set (Scored) Y 1
3.2 Ensure ‘debug’ is turned off (Scored) Y 2
3.3 Ensure custom error messages are not off (Scored) Y 2
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely (Scored) Y 1
3.5 Ensure ASP.NET stack tracing is not enabled (Scored) Y 2
3.6 Ensure ‘httpcookie’ mode is configured for session state (Scored) Y 2
3.7 Ensure ‘cookies’ are set with HttpOnly attribute (Scored) Y 1
3.8 Ensure ‘MachineKey validation method – .Net 3.5’ is configured (Scored) Y 2
3.9 Ensure ‘MachineKey validation method – .Net 4.5’ is configured (Scored) Y 1
3.10 Ensure global .NET trust level is configured (Scored) Y 1
3.11 Ensure ‘encryption providers’ are locked down (Scored) Y 2
4 Request Filtering and Other Restriction Modules
4.1 Ensure ‘maxAllowedContentLength’ is configured (Not Scored) N 2
4.2 Ensure ‘maxURL request filter’ is configured (Scored) Y 2
4.3 Ensure ‘MaxQueryString request filter’ is configured (Scored) Y 2
4.4 Ensure non-ASCII characters in URLs are not allowed (Scored) Y 2
4.5 Ensure Double-Encoded requests will be rejected (Scored) Y 1
4.6 Ensure ‘HTTP Trace Method’ is disabled (Scored) Y 1
4.7 Ensure Unlisted File Extensions are not allowed (Scored) Y 1
4.8 Ensure Handler is not granted Write and Script/Execute (Scored) Y 1
4.9 Ensure ‘notListedIsapisAllowed’ is set to false (Scored) Y 1
4.10 Ensure ‘notListedCgisAllowed’ is set to false (Scored) Y 1
4.11 Ensure ‘Dynamic IP Address Restrictions’ is enabled (Not Scored) N 1
5 IIS Logging Recommendations
5.1 Ensure Default IIS web log location is moved (Scored) Y 1
5.2 Ensure Advanced IIS logging is enabled (Scored) Y 1
6 FTP Requests
6.1 Ensure FTP requests are encrypted (Scored) Y 1
7 Transport Encryption
7.1 Ensure HSTS Header is set (Not Scored) N 1
7.2 Ensure SSLv2 is disabled (Scored) Y 1
7.3 Ensure SSLv3 is disabled (Scored) Y 1
7.4 Ensure TLS 1.0 is enabled (Not Scored) N 1
7.5 Ensure TLS 1.0 is disabled (Not Scored) N 2
7.6 Ensure TLS 1.1 is enabled (Not Scored) N 1
7.7 Ensure NULL Cipher Suites is disabled (Scored) Y 1
7.8 Ensure DES Cipher Suites is disabled (Scored) Y 1
7.9 Ensure RC2 Cipher Suites is disabled (Scored) Y 1
7.10 Ensure RC4 Cipher Suites is disabled (Scored) Y 1
7.11 Ensure Triple DES Cipher Suite is configured (Not Scored) N 1
7.12 Ensure AES 128/128 Cipher Suite is configured (Not Scored) N 1
7.13 Ensure AES 256/256 Cipher Suite is enabled (Scored) Y 1
7.14 Ensure TLS Cipher Suite ordering is configured (IIS7.0 only) (Scored) Y 1
7.15 Ensure TLS Cipher Suite ordering is configured (IIS7.5 only) (Scored) Y 1
