1 of 16

IIS Hardening

SEC 260

Adding IIS Role Services

  • For hardening, you may need to add “Role Services” in Server Manager.

IIS Hardening - Basics

  • Security Parameter Configuration

IIS 10 with Security Features

Authentication

  • IIS supports multiple authentication methods…

Authorization

IP Restrictions

  • IP restrictions let an administrator selectively allow or deny access to files, folders, a website, or the whole web server.
  • They determine which remote computers can connect to IIS.
  • Custom rules can be built on IP addresses or on DNS lookups (domain names) to enforce the restriction.

  • Using a firewall is always preferred, but IIS provides these restrictions for cases where the firewall is not configurable, or as defense in depth.

IP Restrictions - Features

  • Set general feature settings
  • Domain restrictions can be enabled (not enabled by default because the DNS lookups carry a performance penalty).

IP Restriction Rule

MIME-Type Configuration

  • Can prevent file types without a defined MIME type from being served by IIS.
  • Protects the web server by preventing attackers from downloading sensitive files, although configuration files and data files would not typically be stored within the web root folder in the first place.

IIS MIME Types

Directory Browsing in IIS

  • Disabled by default.

Request Filtering

  • Request filtering provides a configurable set of rules that let you determine which types of request are allowed or denied for the website and web server.
  • Includes filtering based on:
    • URLs
    • HTTP methods (verbs)
    • Headers
    • Custom rules (strings, files…)

Request Filtering

Logging

  • IIS can be configured not to return detailed error pages to remote clients.

Simple DoS Protection

  • It is not as comprehensive as mod_evasive, but the “IP Restrictions” feature in IIS provides some basic DoS protection.
  • Configured under Dynamic Restriction Settings.
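As an added example that is not part of the original slides, the following PowerShell applies the IP restriction, request filtering, directory browsing, error page and dynamic IP restriction settings covered above to one site using the WebAdministration module (IIS 8 or later on Windows Server). The site name 'Default Web Site', the admin-only subnet 10.0.0.0/24, the blocked extensions and the numeric limits are assumptions chosen for illustration.

```powershell
# Added example, not from the slide deck: hardens one IIS site with the settings
# the slides describe. Assumptions: site 'Default Web Site' is admin-only and
# reachable from 10.0.0.0/24; limits below are illustrative, tune per application.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config; ipSecurity/httpErrors are locked there
$common  = @{ PSPath = $appHost; Location = $site }   # write a <location> entry for the site

# Role services behind these features (Server Manager equivalent)
Install-WindowsFeature Web-Filtering, Web-IP-Security | Out-Null

# IP Restrictions: allow only the assumed admin subnet, deny every unlisted client
$ip = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty @common -Filter $ip -Name allowUnlisted -Value $false
Add-WebConfigurationProperty @common -Filter $ip -Name '.' `
    -Value @{ ipAddress = '10.0.0.0'; subnetMask = '255.255.255.0'; allowed = $true }

# Request Filtering: deny the TRACE verb, refuse backup/log extensions, cap request sizes
$rf = 'system.webServer/security/requestFiltering'
Add-WebConfigurationProperty @common -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'TRACE'; allowed = $false }
foreach ($ext in '.bak', '.old', '.log') {          # .config is already denied by default
    Add-WebConfigurationProperty @common -Filter "$rf/fileExtensions" -Name '.' `
        -Value @{ fileExtension = $ext; allowed = $false }
}
Set-WebConfigurationProperty @common -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 10485760
Set-WebConfigurationProperty @common -Filter "$rf/requestLimits" -Name maxUrl -Value 2048
Set-WebConfigurationProperty @common -Filter "$rf/requestLimits" -Name maxQueryString -Value 1024

# Directory browsing off; detailed error pages only for requests from the server itself
Set-WebConfigurationProperty @common -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter 'system.webServer/httpErrors' -Name errorMode -Value 'DetailedLocalOnly'

# Dynamic IP Restrictions: basic per-client DoS throttling (concurrency and request rate)
$dyn = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty @common -Filter $dyn -Name denyAction -Value 'Forbidden'
Set-WebConfigurationProperty @common -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
Set-WebConfigurationProperty @common -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value 50
Set-WebConfigurationProperty @common -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000

# Read back the effective configuration to confirm the changes took effect
Get-WebConfiguration @common -Filter $dyn | Format-List denyAction, enableLoggingOnlyMode
Get-WebConfiguration @common -Filter $ip  | Format-List allowUnlisted, enableReverseDns
```

Run from an elevated PowerShell session on the web server; setting `enableLoggingOnlyMode` to `$true` on the dynamic restrictions first lets you watch the IIS logs for would-be blocks before enforcing the thresholds.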