Hardening IIS

draft
1. Basic configuration

· Disable directoryBrowsing

· Avoid wildcard host headers

· Ensure applicationPoolIdentity is configured for all application pools

· Use a unique applicationPool per site

· Disable the IIS detailed error page from displaying remotely

2. Request filtering

· Configure maxAllowedContentLength

· Configure the maxUrl request filter

· Configure the maxQueryString request filter

· Reject non-ASCII characters in URLs

· Reject double-encoded requests

· Disable HTTP TRACE requests

· Disallow unlisted file extensions

· Enable Dynamic IP Address Restrictions
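A site-level web.config that applies the items from sections 1 and 2 that live in site configuration (the application pool items are set in applicationHost.config instead). This is an added example, not part of the original draft; the byte limits, the allowed extension list and the dynamic IP thresholds are assumed values to tune per application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- 1. Basic configuration: no directory listings; detailed errors only for local requests -->
    <directoryBrowse enabled="false" />
    <httpErrors errorMode="DetailedLocalOnly" />

    <security>
      <!-- 2. Request filtering: reject double-encoded URLs and non-ASCII (high-bit) characters -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- Limits are in bytes; assumed values (10 MB body, 2 KB URL, 1 KB query string) -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024" />

        <!-- Disable HTTP TRACE while leaving the verbs the application needs untouched -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>

        <!-- Disallow unlisted file extensions: list only what the application serves.
             The "." entry stands for extensionless requests (e.g. routed URLs). -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
        </fileExtensions>
      </requestFiltering>

      <!-- Dynamic IP Address Restrictions (needs the Dynamic IP Restrictions feature installed);
           thresholds are assumed values. Set enableLoggingOnlyMode="true" first to observe
           what would be blocked before enforcing. -->
      <dynamicIpSecurity denyAction="Forbidden" enableLoggingOnlyMode="false">
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
        <denyByRequestRate enabled="true" maxRequests="50" requestIntervalInMilliseconds="1000" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

Some of these sections (dynamicIpSecurity in particular) are typically locked at the server level in applicationHost.config and must be unlocked, or configured there, before a site-level web.config can set them.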

3. Transport encryption

· SSL/TLS settings are controlled at the SChannel level. They are set machine-wide, and IIS respects these values.

· A list of recommendations for IIS:

i. Disable SSL v2/v3

ii. Disable TLS 1.0

iii. Disable TLS 1.1

iv. Ensure TLS 1.2 is enabled

v. Disable weak cipher suites (NULL, DES, RC4, Triple DES, etc.)

vi. Ensure TLS cipher suites are correctly ordered

· https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

4. HSTS support

· IIS recently (Windows Server, version 1709) added turnkey support for HSTS.

· https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts

5. CORS support

· If you choose not to handle CORS in your application, we ship an IIS module to help configure CORS.

· https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

Authors

Sourabh Shirhatti (Microsoft), Bill Sempf (bill.lsempf@owasp.org)