Blog Post

ITOps Talk Blog
5 MIN READ

Windows Server 101: Hardening IIS via Security Control Configuration

OrinThomas's avatar
OrinThomas
Icon for Microsoft rankMicrosoft
Feb 05, 2019

IIS, the web server that’s available as a role in Windows Server, is also one of the most used web server platforms on the internet. Hardening IIS involves applying a certain configuration steps above and beyond the default settings. The default settings on IIS provide a mix of functionality and security. As with any hardening operation, the harder you make a configuration, the more you reduce functionality and compatibility.

 

The two important third party guides for hardening IIS are the OWASP guide and the Center for Internet Security guide. You can access these guides here:

 

The CIS IIS 10 benchmark is more fleshed out at the time of writing and is an approximately 140 page PDF with 55 separate security recommendations. The OWASP guide is shorter and provides approximately 23 separate security recommendations.

 

Table 1.1 provides a high level list of the CIS IIS 10 benchmarks. For more detail on how to implement and check each security control, download the CIS IIS 10 benchmark file from the above website.

 

Table 1.1: High Level Center for Internet Security IIS 10 Security Controls

1.       Basic Configurations

   1.1.    Ensure web content is on non-system partition

   1.2.    Ensure 'host headers' are on all sites

   1.3.    Ensure 'directory browsing' is set to disabled

   1.4.    Ensure 'Application pool identity' is configured for all application pools

   1.5.    Ensure 'unique application pools' is set for sites

   1.6.    Ensure 'application pool identity' is configured for anonymous user  identity

   1.7.    Ensure WebDav feature is disabled

2.       Configure Authentication and Authorization

   2.1.    Ensure 'global authorization rule' is set to restrict access

   2.2.    Ensure access to sensitive site features is restricted to authenticated principals only

   2.3.    Ensure 'forms authentication' requires SSL

   2.4.    Ensure 'forms authentication' is set to use cookies

   2.5.    Ensure 'cookie protection mode' is configured for forms authentication

   2.6.    Ensure transport layer security for 'basic authentication' is configured

   2.7.    Ensure 'passwordFormat' is not set to clear

   2.8.    Ensure 'credentials' are not stored in configuration files

3.       ASP.NET Configuration Recommendations

   3.1.    Ensure 'deployment method retail' is set

   3.2.    Ensure 'debug' is turned off

   3.3.    Ensure custom error messages are not off

   3.4.    Ensure IIS HTTP detailed errors are hidden from displaying remotely

   3.5.    Ensure ASP.NET stack tracing is not enabled

   3.6.    Ensure 'httpcookie' mode is configured for session state

   3.7.    Ensure 'cookies' are set with HttpOnly attribute

   3.8.    Ensure 'MachineKey validation method - .Net 3.5' is configured

   3.9.    Ensure 'MachineKey validation method - .Net 4.5' is configured

   3.10.  Ensure global .NET trust level is configured

   3.11.  Ensure X-Powered-By Header is removed

   3.12.  Ensure Server Header is removed

4.       Request Filtering and other Restriction Modules

   4.1.    Ensure 'maxAllowedContentLength' is configured

   4.2.    Ensure 'maxURL request filter' is configured

   4.3.    Ensure 'MaxQueryString request filter' is configured

   4.4.    Ensure non-ASCII characters in URLs are not allowed

   4.5.    Ensure Double-Encoded requests will be rejected

   4.6.    Ensure 'HTTP Trace Method' is disabled

   4.7.    Ensure Unlisted File Extensions are not allowed

   4.8.    Ensure Handler is not granted Write and Script/Execute

   4.9.    Ensure ‘notListedIsapisAllowed’ is set to false

   4.10.  Ensure ‘notListedCgisAllowed’ is set to false

   4.11.  Ensure ‘Dynamic IP Address Restrictions’ is enabled

5.       IIS Logging Recommendations

   5.1.    Ensure Default IIS web log location is moved

   5.2.    Ensure Advanced IIS logging is enabled

   5.3.    Ensure ‘ETW Logging’ is enabled

6.       FTP Requests

   6.1.    Ensure FTP requests are encrypted

   6.2.    Ensure FTP Logon attempt restrictions is enabled

7.       Transport Encryption

   7.1.    Ensure HSTS Header is set

   7.2.    Ensure SSLv2 is Disabled

   7.3.    Ensure SSLv3 is Disabled

   7.4.    Ensure TLS 1.0 is Disabled

   7.5.    Ensure TLS 1.1 is Disabled

   7.6.    Ensure TLS 1.2 is Enabled

   7.7.    Ensure NULL Cipher Suites is Disabled

   7.8.    Ensure DES Cipher Suites is Disabled

   7.9.    Ensure RC4 Cipher Suites is Disabled

   7.10.  Ensure AES 128/128 Cipher Suite is Disabled

   7.11.  Ensure AES 256/256 Cipher Suite is Enabled

   7.12.  Ensure TLS Cipher Suite Ordering is Configured

 

Table 1.2 provides a high level overview of the OWASP benchmarks

 

Table 1.2: OWASP IIS 10 Security Configuration Controls

1.1   Basic Configuration

   1.1.1         Disable directoryBrowsing

   1.1.2         Avoid wildcard host headers

   1.1.3         Ensure applicationPoolIdentity is configured for all application ppols

   1.1.4         Use an unique applicationPool per site

   1.1.5         Disable IIS detailed error page from displaying remotely

1.2   Request Filtering

   1.2.1         Configure maxAllowedContentLength

   1.2.2         Configure maxURL request filter

   1.2.3         Configure maxQueryString request filter

   1.2.4         Reject non-ASCII characters in URLs

   1.2.5         Reject double-encoded requests

   1.2.6         Disable HTTP trace requests

   1.2.7         Disallow unlisted file extensions

   1.2.8         Enable Dynamic IP Address Restrictions

1.3   Transport Encryption

   1.3.1         SSL/TLS settings are controlled at the SChannel level. They are set machine wide and IIS respects these values

   1.3.2         A list of recommendations for IIS

      1.3.2.1    Disable SSL v2/v3

      1.3.2.2    Disable TLS 1.0

      1.3.2.3    Disable TLS 1.1

      1.3.2.4    Ensure TLS 1.2 is enabled

      1.3.2.5    Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc)

      1.3.2.6    Ensure TLS cipher suites are correctly ordered

1.4   HSTS support

   1.4.1         IIS recently (Windows Server 1709+) added turnkey support for HSTS

1.5   CORS support

   1.5.1         Implement OWASP IIS CORS configuration module if your application does not natively handle CORS.

 

When hardening IIS, review each control and determine its appropriateness to your existing deployment. With any hardening strategy, you need to be incremental in your approach, applying and testing each new security control in a development or test environment before deploying it into a production environment. As wonderful as it is to have a secure deployment, it’s not so wonderful if the web application your IIS server is hosting no longer works because you made everything a little too secure.

Updated Feb 07, 2019
Version 3.0
  • gplasch's avatar
    gplasch
    Copper Contributor

    CIS Security Control 7.6. should be "Ensure TLS 1.2 is Enabled"

    (quote: 7.6 (L1) Ensure TLS 1.2 is Enabled (Scored))

  • When it comes to Exchange, I'd be careful and ensure that I implemented each security control one at a time, as I'm not sure that there is any official guidance on using the 3rd party hardening guidelines with OWA.

  • Renan_Galang's avatar
    Renan_Galang
    Copper Contributor

    We're currently evaluating hardening procedures, and are having trouble with" Ensure Unlisted File Extensions are not allowed". When we turn it on, all of our servlet URLs are being blocked by IIS (we are running IIS8.5 connected to WebSphere 8.5). We've already added the period "." in the whitelist, as in the other suggestions we've seen in the net, but still no luck. Any advice here?

  • Renan_Galang 

    If an extensionless-URL request arrives and you're getting the 404.7 (File extension denied) status, even when you've added the '.', then it most likely means under-the-hood that request was transferred to a file with an extension. This could happen with the DefaultDocument, for example. Your best bet to find the extension you need to allow is to enable Failed Request Tracing for the 404 status code, then inspect the traces to see the appropriate extension.

  • TheOtherJosh's avatar
    TheOtherJosh
    Brass Contributor

    OrinThomas Would one use the CIS or OWASP guidance to harden IIS as installed by an Exchange Server?

     

    For example, turning off Trace/Track by disabling this verbs?

     

    Or would any side changes like that merely get reset on a CU upgrade as Exchange manages IIS from top to bottom?

     

    Do the newer exchange versions (2016/2019) align closer to the CIS recommendations in their IIS implementation?

  • JefByls's avatar
    JefByls
    Copper Contributor

    The issue that I am having is with Request Filtering, and 'Disallow unlisted file extensions'. I am trying to harden an instance of Certificate Enrollment Web Services on a subordinate CA. I can't find anything on what file extensions need to be allowed and the list I am creating seems to be getting pretty long. Can't find any documentation from Microsoft on what file extensions the Certificate Enrollment Web Services need.