Forum Discussion

olkipolki
Oct 18, 2023

IIS Hardening issues

Hello,

We need to fix these IIS hardening issues. Is it allowed to set these without breaking SharePoint functionality? And how should I set/fix these?

1. Ensure 'host headers' are on all sites
   You need to define a host on your binding: *:32843: *:32844: 32845:* * on site SharePoint Web Services. You need to define a host on your binding: :2016: on site SharePoint Central Administration v4.
2. Ensure Unlisted File Extensions are not allowed
   SharePoint Central Administration v4: In web config filter 'system.webServer/security/requestFiltering/fileExtensions' the property 'allowUnlisted' is set to 'True' but expected is: 'False'.
3. Ensure HSTS Header is set
   Server Default Setting: OK. In web config filter '/system.webServer/httpProtocol/customHeaders' of site 'Server Default Setting' a customHeader 'Strict-Transport-Security' should be defined.

Thanks a lot 

Kind regards

  • LuigiBruno

    Hello olkipolki.


    I would avoid touching those IIS settings: as an example, you can control the file types uploaded to SharePoint via the web application configuration in Central Administration; on the other hand, you shouldn't adjust allowed verbs in IIS unless strictly necessary for some specific reason (e.g. custom code).
    You can perform some tests after taking a backup of the sites that would be affected by the changes in IIS settings, for you to be able to restore the previous configuration in case of any error.


    Bye.

    • olkipolki

      LuigiBruno Thanks for your reply. What do you think about the other two settings, 1. host headers and 3. HSTS header? For the HSTS header setting I've found this PowerShell script. Is it viable/recommended to set it this way for SharePoint 2016?

      # Run in the SharePoint 2016 Management Shell, or load the snap-in first
      Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
      # Enable HSTS on the web application; SharePoint then emits the Strict-Transport-Security header itself
      $wa = Get-SPWebApplication https://sharepoint.example.com
      $wa.HttpStrictTransportSecuritySettings.IsEnabled = $true
      $wa.Update()

      thanks

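The following script is an added example, not code posted in the thread and not part of any Microsoft or SharePoint tooling. It audits the three scanner findings on one IIS server with the WebAdministration module (bindings without a host header, the allowUnlisted property per site, and whether a server-level Strict-Transport-Security custom header exists), and then shows the SharePoint-side alternatives the reply points to: blocked file types and HSTS as web application settings rather than IIS edits. The URL https://sharepoint.example.com is the placeholder from the thread, the -Fix switch is this example's own, and it assumes it runs on a SharePoint 2016 farm server that has both the IIS module and the Microsoft.SharePoint.PowerShell snap-in.

```powershell
# Added example (not from the thread): audit the three findings on this IIS server,
# then show the SharePoint-level equivalents. Read-only unless -Fix is given.
param(
    [string]$WebAppUrl = 'https://sharepoint.example.com',   # placeholder URL from the thread
    [switch]$Fix                                             # example's own switch, assumed
)

Import-Module WebAdministration

# Finding 1: bindings without a host header. bindingInformation is "ip:port:host";
# an empty last field means the site answers for any host name on that port.
function Get-BindingsWithoutHostHeader {
    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name) {
            $hostHeader = ($b.bindingInformation -split ':')[-1]
            if ($b.protocol -match '^https?$' -and [string]::IsNullOrEmpty($hostHeader)) {
                [pscustomobject]@{ Site = $site.Name; Protocol = $b.protocol; Binding = $b.bindingInformation }
            }
        }
    }
}

# Finding 2: requestFiltering/fileExtensions allowUnlisted, read per site.
function Get-AllowUnlistedState {
    foreach ($site in Get-Website) {
        $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                -Filter 'system.webServer/security/requestFiltering/fileExtensions' -Name allowUnlisted
        [pscustomobject]@{ Site = $site.Name; AllowUnlisted = [bool]$v.Value }
    }
}

# Finding 3: is a Strict-Transport-Security custom header defined at the server
# (applicationHost.config) level?
function Test-ServerHstsHeader {
    $h = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter "system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']"
    return [bool]$h
}

Get-BindingsWithoutHostHeader | Format-Table -AutoSize
Get-AllowUnlistedState        | Format-Table -AutoSize
"Server-level HSTS custom header present: $(Test-ServerHstsHeader)"

# SharePoint-side handling instead of editing IIS directly, as the reply suggests.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication $WebAppUrl
if (-not $wa) { throw "No web application found for $WebAppUrl" }

# Blocked file types are a web application setting (also editable in Central
# Administration); this is the list the reply refers to.
"Blocked file extensions on $($wa.Url): $($wa.BlockedFileExtensions -join ', ')"

# HSTS is likewise a web application setting in SharePoint 2016; when enabled,
# SharePoint emits the header itself, so no IIS customHeaders entry is required.
"HSTS enabled on $($wa.Url): $($wa.HttpStrictTransportSecuritySettings.IsEnabled)"

if ($Fix) {
    $wa.HttpStrictTransportSecuritySettings.IsEnabled = $true
    $wa.Update()
    # Verify on an HTTPS response; browsers ignore the header over plain HTTP.
    (Invoke-WebRequest -Uri $WebAppUrl -UseDefaultCredentials -UseBasicParsing).Headers['Strict-Transport-Security']
}
```

Run it once without -Fix to see which sites the scanner is complaining about, and compare the IIS-level output with the SharePoint settings before deciding which layer to change; the only write the script performs is the HSTS toggle on the web application, which is the same operation as the three-line snippet in the thread.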
