Hardening IIS

= Draft - Work In Progress =

Ensure TLS cipher suites are correctly ordered
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

IIS recently (as of Windows Server, version 1709) added turnkey support for HSTS (HTTP Strict Transport Security)
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts
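
The following PowerShell is an added example, not part of the original page: it reports the native HSTS state of every site and then enables HSTS with an HTTP-to-HTTPS redirect on one site, using the IISAdministration module. The site name `Contoso` and the one-year `max-age` are placeholder values, and it assumes an elevated session on a host running IIS 10.0 version 1709 or later.

```powershell
# Added example: audit and enable native HSTS per site.
# Assumptions: 'Contoso' is a placeholder site name; 31536000 s (one year)
# is an example max-age; run from an elevated PowerShell session.
Import-Module IISAdministration

$siteName = 'Contoso'      # placeholder, replace with the real site name
$maxAge   = 31536000       # example value, in seconds

Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay       # batch the changes into a single commit

# <sites> collection from applicationHost.config
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' |
    Get-IISConfigCollection

# Audit: show which sites already send HSTS and with what settings.
foreach ($site in $sites) {
    $hsts = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
    [pscustomobject]@{
        Site              = Get-IISConfigAttributeValue -ConfigElement $site -AttributeName 'name'
        Enabled           = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'
        MaxAge            = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'
        IncludeSubDomains = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'
        RedirectToHttps   = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps'
    }
}

# Enable HSTS on the chosen site.
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sites `
    -ConfigAttribute @{ name = $siteName }
if ($null -eq $siteElement) {
    Stop-IISCommitDelay -Commit $false
    throw "Site '$siteName' not found"
}
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName 'hsts'
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName 'enabled' -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName 'max-age' -AttributeValue $maxAge
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName 'redirectHttpToHttps' -AttributeValue $true
# includeSubDomains is left unchanged: turn it on only once every subdomain
# of the site's host name is reachable over HTTPS.

Stop-IISCommitDelay        # commits the batched changes
```

Browsers cache the policy for `max-age` seconds, so confirm the HTTPS binding and certificate are working before enabling it with a long value.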

If you choose not to handle CORS in your application, we ship an IIS module to help configure CORS
https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

Authors
Sourabh Shirhatti (Microsoft)

Bill Sempf (bill.sempf@owasp.org)