IIS Security Assessment - ConnorEast/Tech-Journal GitHub Wiki

SIS-260 IIS Security Assignment

Link 1: https://www.upguard.com/blog/10-steps-for-improving-iis-security

Link 2: https://techcommunity.microsoft.com/t5/itops-talk-blog/windows-server-101-hardening-iis-via-security-control/ba-p/329979

Link 3: https://support.hedgehogsecurity.com/index.php/knowledge-base/article/iis-server-hardening-guide-secure-configuration-and-best-practices

Link 4: https://www.acunetix.com/websitesecurity/iis-security/

Security Controls

**1. Enable Logging**

Logging is essentially a record of all of the actions that occur on a device or on a service run by that system. It is typically saved in a readable file so that actions performed on a machine can easily be found. For IIS, the logs can be found under the %SystemDrive%\inetpub\logs\LogFiles directory. To set it up, go to this link here

2. Ensure 'directory browsing' is set to disabled

Directory browsing is essentially where any individual can gain access to the list of all of the sites held under a specific address. This lets attackers gain information about your server, which opens the door to multiple different forms of attack. To disable it, follow the steps here

3. Ensure TLS Cipher Suite Ordering is Configured

Essentially, this confirms that the server's encryption has been properly configured. To do this, follow the steps here

4. Issue and Install an SSL Certificate

This allows HTTPS communication, which is more secure than HTTP. Follow the steps located here when you are ready to do this.
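
To check the four controls above on a running server, a read-only audit along these lines can be used. This is an added example, not part of the original assignment or the linked guides; it assumes the WebAdministration module is installed, an elevated session, certificates stored in the local machine store, and that any cipher suite order was set through the Group Policy registry key shown in the code.

```powershell
# Added example: read-only audit of the four controls listed on this page.
Import-Module WebAdministration

$results = foreach ($site in Get-Website) {
    $path = "IIS:\Sites\$($site.Name)"

    # 1. Logging: per-site logFile element (IIS default: %SystemDrive%\inetpub\logs\LogFiles)
    $log = Get-ItemProperty -Path $path -Name logFile

    # 2. Directory browsing: effective system.webServer/directoryBrowse value for the site
    $browse = (Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/directoryBrowse' -Name enabled).Value

    # 4. HTTPS: look for https bindings and the expiry date of each bound certificate
    $expiry = foreach ($b in @(Get-WebBinding -Name $site.Name -Protocol https)) {
        if ($b.certificateHash) {
            # Assumption: the certificate lives in the LocalMachine store named by the binding
            $cert = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
            if ($cert) { $cert.NotAfter } else { 'certificate not found' }
        } else {
            'https binding without certificate hash'
        }
    }

    [pscustomobject]@{
        Site           = $site.Name
        LoggingEnabled = [bool]$log.enabled
        LogDirectory   = [Environment]::ExpandEnvironmentVariables($log.directory)
        DirBrowsingOff = -not $browse
        HttpsCertExpiry = if ($expiry) { $expiry -join '; ' } else { 'no https binding' }
    }
}
$results | Format-Table -AutoSize

# 3. TLS cipher suite ordering: Group Policy "SSL Cipher Suite Order" writes a
#    comma-separated list to the Functions value under this key (assumed source of the setting).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$order = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($order) {
    'Cipher suite order set by policy:'
    $order -split ','
} else {
    'No cipher suite order policy found; the OS default order is in use.'
}
```

Any site reporting `LoggingEnabled` or `DirBrowsingOff` as False, or showing no HTTPS binding, needs the corresponding control above applied.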