Difference between revisions of "Hardening IIS"

From OWASP
(Created page with "== draft == 1. Basic configuration · Disable directoryBrowsing · Avoid wildcard host headers · Ensure applicationPoolIdentity is configure...")
 
m (Formatted the layout of the headers.)
Revision as of 15:53, 12 July 2018

= Draft - Work In Progress =

=== Basic configuration ===

==== Disable directoryBrowsing ====

==== Avoid wildcard host headers ====

==== Ensure applicationPoolIdentity is configured for all application pools ====

==== Use a unique applicationPool per site ====

==== Disable IIS detailed error page from displaying remotely ====
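The five items above as one PowerShell pass, added here as an example rather than the page's own material; it assumes the WebAdministration module on the IIS host and an elevated session, switches application pool identity outright, and only reports wildcard bindings and shared pools because those need a human decision.

```powershell
# Added example, not from the OWASP page: apply the "Basic configuration" items
# server-wide with the WebAdministration module. Run in an elevated PowerShell on the IIS host.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, inherited by every site

# Disable directory browsing for all sites (check that site web.config files do not re-enable it).
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false

# Detailed error pages only for requests from the server itself; remote clients get the generic page.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/httpErrors' -Name 'errorMode' -Value 'DetailedLocalOnly'

# Wildcard host headers: a binding whose host part is empty answers for any Host: value,
# so a request with an unexpected Host header still reaches the application.
foreach ($site in Get-Website) {
    foreach ($binding in Get-WebBinding -Name $site.Name) {
        $hostHeader = ($binding.bindingInformation -split ':')[-1]   # "ip:port:host"
        if ([string]::IsNullOrEmpty($hostHeader)) {
            Write-Warning "$($site.Name): wildcard host header on $($binding.protocol) $($binding.bindingInformation)"
        }
    }
}

# Every application pool runs as its own virtual ApplicationPoolIdentity account
# instead of LocalSystem, NetworkService or a shared service account.
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    if ("$($pool.processModel.identityType)" -ne 'ApplicationPoolIdentity') {
        Write-Warning "$($pool.Name) runs as $($pool.processModel.identityType); switching to ApplicationPoolIdentity"
        Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name 'processModel.identityType' -Value 'ApplicationPoolIdentity'
    }
}

# One application pool per site: a pool shared by two sites means one worker process,
# and therefore one identity, serves both of them.
$sitesByPool = @{}
foreach ($site in Get-Website) {
    if (-not $sitesByPool.ContainsKey($site.applicationPool)) { $sitesByPool[$site.applicationPool] = @() }
    $sitesByPool[$site.applicationPool] += $site.Name
}
foreach ($entry in $sitesByPool.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning "Application pool '$($entry.Key)' is shared by: $($entry.Value -join ', ')"
    }
}
```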

=== Request filtering ===

==== Configure maxAllowedContentLength ====

==== Configure maxUrl request filter ====

==== Configure maxQueryString request filter ====

==== Reject non-ASCII characters in URLs ====

==== Reject double-encoded requests ====

==== Disable HTTP trace requests ====

==== Disallow unlisted file extensions ====

==== Enable Dynamic IP Address Restrictions ====
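An added example (not the page's own) that writes the eight request filtering settings above to applicationHost.config with the WebAdministration module; the size limits, the file-extension allow-list and the dynamic IP thresholds are placeholder values to be sized to the application.

```powershell
# Added example, not from the OWASP page: server-wide request filtering from the
# "Request filtering" checklist. Numeric limits are example values; size them to the
# application (largest upload, longest legitimate URL and query string).
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$rf      = 'system.webServer/security/requestFiltering'

# Request size limits (IIS answers 404.13 / 404.14 / 404.15 when they are exceeded).
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name 'maxAllowedContentLength' -Value 30000000  # bytes
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name 'maxUrl'                 -Value 4096
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name 'maxQueryString'         -Value 2048

# Reject URLs containing non-ASCII bytes (404.12) and double-encoded requests such as %252e (404.11).
Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name 'allowHighBitCharacters' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name 'allowDoubleEscaping'    -Value $false

# Deny the TRACE verb (404.6); other verbs stay allowed because verbs/allowUnlisted is left at true.
if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$rf/verbs/add[@verb='TRACE']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'TRACE'; allowed = $false }
}

# Allow only listed file extensions (404.7). The '.' entry stands for extension-less URLs
# (site root, MVC/Web API routes); without it those requests are denied as well.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/fileExtensions" -Name 'allowUnlisted' -Value $false
foreach ($ext in '.', '.aspx', '.css', '.js', '.png', '.html') {   # example allow-list
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$rf/fileExtensions/add[@fileExtension='$ext']")) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = $ext; allowed = $true }
    }
}

# Dynamic IP restrictions (needs the "IP and Domain Restrictions" role service, Web-IP-Security).
# Start in logging-only mode, review the 403.5xx entries in the IIS log, then turn logging-only off.
$dip = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Filter $dip -Name 'enableLoggingOnlyMode' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByConcurrentRequests" -Name 'enabled'               -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value 20
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name 'enabled'                       -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name 'maxRequests'                   -Value 50
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 1000
```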

=== Transport Encryption ===

SSL/TLS settings are controlled at the SChannel level. They are set machine-wide and IIS respects these values.

==== A list of recommendations for IIS ====

* Disable SSL v2/v3
* Disable TLS 1.0
* Disable TLS 1.1
* Ensure TLS 1.2 is enabled
* Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc.)
* Ensure TLS cipher suites are correctly ordered

https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/
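The six protocol and cipher suite recommendations above applied at the SChannel level, added here as an example and not taken from the page; it assumes the registry layout SChannel uses for server-side protocol policy and the Windows TLS module cmdlets (Windows Server 2012 R2 and later). Find clients still negotiating TLS 1.0/1.1 (the linked IIS logging functionality) before switching those protocols off.

```powershell
# Added example, not from the OWASP page: SChannel protocol policy (registry, server side)
# and cipher-suite clean-up. Settings are machine-wide; HTTP.sys/IIS applies protocol changes
# after a reboot. Enable-/Disable-TlsCipherSuite come from the Windows TLS module.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-ServerProtocol {
    param([string]$Name, [bool]$Enabled)
    $key = Join-Path $protocols "$Name\Server"
    New-Item -Path $key -Force | Out-Null
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for callers
    # that do not ask for a specific protocol version.
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-ServerProtocol -Name $p -Enabled $false }
Set-ServerProtocol -Name 'TLS 1.2' -Enabled $true

# Weak suites named in the checklist: NULL (no encryption), DES and Triple DES, RC4.
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match 'NULL|DES|RC4' }
foreach ($suite in $weak) { Disable-TlsCipherSuite -Name $suite.Name }

# Ordering: forward-secret AEAD suites first; Position 0 is the most preferred.
# ECDSA suites are only negotiable when the site certificate has an EC key.
$preferred = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
for ($i = 0; $i -lt $preferred.Count; $i++) { Enable-TlsCipherSuite -Name $preferred[$i] -Position $i }

# Review the result before rebooting.
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
Get-ChildItem $protocols -Recurse | Get-ItemProperty | Select-Object PSPath, Enabled, DisabledByDefault
```

A cipher suite order pushed by Group Policy overrides the local list written here, so check both when the negotiated suite is not the expected one.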

=== HSTS support ===

IIS recently (Windows Server 1709) added turnkey support for HSTS.

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts

=== CORS support ===

If you choose not to handle CORS in your application, we ship an IIS module to help configure CORS.

https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
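Both the HSTS and the CORS item as one added example that is not part of the page: it assumes IIS 10 version 1709 or later for the site-level hsts element, the IIS CORS module for the cors configuration section, and uses a placeholder site name and origin.

```powershell
# Added example, not from the OWASP page: native HSTS on IIS 10 (Windows Server 1709+)
# for one site, plus the IIS CORS module restricted to one trusted origin. The site name and
# the origin are placeholders; the CORS module must be installed for the cors section to exist.
$siteName = 'Default Web Site'

# HSTS is an attribute set on the <site> element in applicationHost.config (IISAdministration module).
Import-Module IISAdministration
Start-IISCommitDelay
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $siteName }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue 31536000  # one year, in seconds
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
Stop-IISCommitDelay
# The site now sends "Strict-Transport-Security: max-age=31536000; includeSubDomains" on HTTPS
# responses and redirects plain-HTTP requests to HTTPS. Browsers cache the policy for max-age
# seconds, so only set includeSubDomains when every subdomain already serves HTTPS.

# CORS: allow one listed origin and reject every other one (site-level web.config, WebAdministration module).
# Attribute names follow the IIS CORS module schema as documented; verify against the installed module.
Import-Module WebAdministration
$sitePath = "IIS:\Sites\$siteName"
$origin   = 'https://app.example.com'   # placeholder trusted origin
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/cors' -Name 'enabled'             -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/cors' -Name 'failUnlistedOrigins' -Value $true
if (-not (Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/cors/add[@origin='$origin']")) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/cors' -Name '.' -Value @{ origin = $origin }
}
```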

== Authors ==

Sourabh Shirhatti (Microsoft)

Bill Sempf (bill.sempf@owasp.org)