Michel Baker (Copper Contributor)
Feb 09, 2017
IIS hardening and SharePoint
When using SharePoint 2016, should we leave IIS untouched? Is it OK to harden IIS? Will it create any issues for SharePoint? Are there any components of IIS that should be left untouched? Any reference to Microsoft's recommendation with regard to IIS hardening when used for SharePoint?
Many thanks
- What hardening do you plan on performing? From a permissions/authentication standpoint, you should never change anything on an IIS Site that SharePoint has deployed. But other items may be modifiable; it just depends on the specifics that you normally employ as to whether you can do them on an IIS Site provisioned by SharePoint.
- Michel Baker (Copper Contributor)
I agree that IIS site components should probably not be touched. However, just a few examples... should we change things like setting the file extension allowunlisted to True in web.config, setting the deployment retail switch to true, disabling the HTTP TRACE method, enabling dynamic IP address restrictions, ensuring cookies are set with the HttpOnly attribute, disallowing non-ASCII characters in URLs...
- The retail switch only needs to be set if you're going to attempt to deploy debug code. Microsoft doesn't ship debug code. As for allowed, you can control the file types uploaded to SharePoint via the Web Application config (and you would be the one adding files outside of that method, if you chose to do so for some reason). You shouldn't be adjusting allowed verbs in SharePoint. That said, any change you do make to the web.config should go through the WebConfigModification class rather than going through IIS Manager and/or direct web.config edits.
I found this, but it relates to SharePoint Server 2013; however, you might be able to find some useful and still relevant pointers: https://technet.microsoft.com/en-us/library/cc262849.aspx
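
The WebConfigModification route recommended in the reply above, shown as an added example (not code from the thread or from Microsoft): it registers the HttpOnly cookie setting from the question's list as a farm-tracked modification that can be rolled back by owner tag. The URL, owner tag and function names are hypothetical, and the sketch assumes `system.web` in the web application's web.config has no `httpCookies` element yet; validate the setting itself in a test farm first.

```powershell
# Added example. Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = 'https://sharepoint.example.test'   # placeholder URL (assumption)
$Owner     = 'Example.IisHardening'              # hypothetical owner tag

function Remove-HardeningModifications {
    param($WebApp, [string]$OwnerTag)
    # Copy to an array first: the collection cannot change while it is enumerated.
    $mine = @($WebApp.WebConfigModifications | Where-Object { $_.Owner -eq $OwnerTag })
    foreach ($m in $mine) { [void]$WebApp.WebConfigModifications.Remove($m) }
    return $mine.Count
}

function Set-HttpOnlyCookies {
    param([string]$Url, [string]$OwnerTag)
    $webApp = Get-SPWebApplication -Identity $Url
    # Drop earlier entries with the same owner so reruns do not stack duplicates.
    [void](Remove-HardeningModifications -WebApp $webApp -OwnerTag $OwnerTag)

    $mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
    $mod.Path     = 'configuration/system.web'
    $mod.Name     = 'httpCookies'    # XPath of the child node, relative to Path
    $mod.Sequence = 0
    $mod.Owner    = $OwnerTag
    $mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
    $mod.Value    = '<httpCookies httpOnlyCookies="true" />'

    $webApp.WebConfigModifications.Add($mod)
    $webApp.Update()
    # Pushes the registered changes to every server hosting the web application.
    $webApp.Parent.ApplyWebConfigModifications()
}

function Undo-HttpOnlyCookies {
    param([string]$Url, [string]$OwnerTag)
    $webApp  = Get-SPWebApplication -Identity $Url
    $removed = Remove-HardeningModifications -WebApp $webApp -OwnerTag $OwnerTag
    if ($removed -gt 0) {
        $webApp.Update()
        $webApp.Parent.ApplyWebConfigModifications()
    }
    return $removed
}

Set-HttpOnlyCookies -Url $WebAppUrl -OwnerTag $Owner
# Roll back with: Undo-HttpOnlyCookies -Url $WebAppUrl -OwnerTag $Owner
```

Because the change lives in the web application's modification collection rather than in a hand-edited file, SharePoint reapplies it when web.config is regenerated, for example when a server is added to the farm.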