SOLVED

IIS hardening and Sharepoint

Copper Contributor

When using Sharepoint 2016, should we leave IIS untouched? Is it ok to harden IIS? Will it create any issues for Sharepoint? Are there any components of IIS that should be left untouched? Any reference to Microsoft's recommendation with regards to IIS hardening when used for Sharepoint?


Many thanks

4 Replies

I found this but it relates to SharePoint Server 2013, however you might be able to find some useful and still relevant pointers: https://technet.microsoft.com/en-us/library/cc262849.aspx

What hardening do you plan on performing? From a permissions/authentication standpoint, you should never change anything on an IIS Site that SharePoint has deployed. But other items may be modifiable, it just depends on the specifics that you normally employ as to whether you can do them on an IIS Site provisioned by SharePoint.

I agree that IIS site components should probably not be touched. However, just a few examples... should we change things like setting the fileExtensions allowUnlisted to true in web.config, setting the deployment retail switch to true, disabling the HTTP TRACE method, enabling dynamic IP address restrictions, ensuring cookies are set with the HttpOnly attribute, disallowing non-ASCII characters in URLs...

best response confirmed by Michel Baker (Copper Contributor)
Solution
The retail switch only needs to be set if you're going to attempt to deploy debug code. Microsoft doesn't ship debug code. As for allowed, you can control the file types uploaded to SharePoint via the Web Application config (and you would be the one adding files outside of that method, if you chose to do so for some reason). You shouldn't be adjusting allowed verbs in SharePoint. That said, any change you do make to the web.config should go through the WebConfigModification class rather than going through IIS Manager and/or direct web.config edits.
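As an added illustration of the SPWebConfigModification approach the accepted answer recommends (example code, not from the original thread or from Microsoft): this registers the HttpOnly cookie setting from the question as owned, sequenced modifications so SharePoint re-applies them to every server in the farm, and shows how to roll them back by owner. The web application URL and the owner string are assumed values.

```powershell
# Assumed values: replace with the target web application and a unique owner tag
$WebAppUrl = "http://sharepoint.example.com"
$Owner     = "IisHardening-HttpOnlyCookies"

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-WebConfigMod {
    param([string]$Path, [string]$Name, [string]$Value, [string]$Type, [int]$Sequence, [string]$Owner)
    $mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
    $mod.Path     = $Path      # XPath of the parent node
    $mod.Name     = $Name      # XPath (child) or attribute name (attribute)
    $mod.Value    = $Value
    $mod.Owner    = $Owner     # lets us find and remove our changes later
    $mod.Sequence = $Sequence  # lower sequence is applied first
    $mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::$Type
    return $mod
}

function Add-HttpOnlyCookieMod {
    param([string]$WebAppUrl, [string]$Owner)
    $webApp = Get-SPWebApplication $WebAppUrl
    # Skip if a modification with this owner is already registered (keeps the script re-runnable)
    if (@($webApp.WebConfigModifications | Where-Object { $_.Owner -eq $Owner }).Count -gt 0) {
        Write-Host "Modifications for '$Owner' already registered; nothing to do."
        return
    }
    # 1) make sure <httpCookies/> exists under <system.web>, 2) set its httpOnlyCookies attribute
    $mods = @(
        (New-WebConfigMod -Path "configuration/system.web" -Name "httpCookies" `
            -Value "<httpCookies />" -Type EnsureChildNode -Sequence 0 -Owner $Owner),
        (New-WebConfigMod -Path "configuration/system.web/httpCookies" -Name "httpOnlyCookies" `
            -Value "true" -Type EnsureAttribute -Sequence 1 -Owner $Owner)
    )
    foreach ($m in $mods) { $webApp.WebConfigModifications.Add($m) }
    $webApp.Update()
    # Pushes the registered modifications to web.config on every web front end
    $webApp.WebService.ApplyWebConfigModifications()
}

function Remove-WebConfigModsByOwner {
    param([string]$WebAppUrl, [string]$Owner)
    $webApp = Get-SPWebApplication $WebAppUrl
    $mine = @($webApp.WebConfigModifications | Where-Object { $_.Owner -eq $Owner })
    foreach ($m in $mine) { [void]$webApp.WebConfigModifications.Remove($m) }
    $webApp.Update()
    $webApp.WebService.ApplyWebConfigModifications()
    Write-Host "Removed $($mine.Count) modification(s) owned by '$Owner'."
}

Add-HttpOnlyCookieMod -WebAppUrl $WebAppUrl -Owner $Owner
# Roll back with: Remove-WebConfigModsByOwner -WebAppUrl $WebAppUrl -Owner $Owner
```

Run from the SharePoint Management Shell on a farm server with a farm-admin account, and check the resulting web.config on each front end rather than assuming the push succeeded.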
