IIS Security Assignment - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Assignment Detail

  • Locate 4 URLs on the Internet that discuss how to secure the IIS web server
  • Select 4 security controls that you will implement into your IIS web server

Security Controls:

Configuring authentication to an IIS website

This security control restricts access to the website to a specific user or group, which helps keep unauthorized users out.

  • Add role via Windows Server Manager:
    • Web Server (IIS)
    • Security
    • URL Authorization
  • Open IIS Manager; you should now see Authorization Rules under the site's features
  • In the Actions panel on the right side, click
    • Add Allow Rule
  • Under Specified roles or user groups type the name of the AD group you need
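The same steps as a PowerShell script, added here as an example and not taken from the wiki or from Microsoft's page. It assumes an elevated session on the IIS server, the site "Default Web Site", and an AD group called CONTOSO\WebAppUsers (placeholder; substitute your own). It also removes the inherited "All Users" allow rule, because leaving that in place makes the new group rule redundant.

```powershell
# Added example: URL Authorization for one IIS site (assumptions: elevated session,
# site "Default Web Site", placeholder AD group CONTOSO\WebAppUsers).
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'   # write into <location> tags so locked sections can be set
$siteName = 'Default Web Site'
$group    = 'CONTOSO\WebAppUsers'      # placeholder AD group

# 1. Install the role services the Server Manager steps select.
Install-WindowsFeature -Name Web-Url-Auth, Web-Windows-Auth | Out-Null

# 2. Require Windows authentication: anonymous off, Windows auth on.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true

# 3. Drop the inherited "Allow All Users" rule, then add the Allow rule for the group.
Remove-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authorization' -Name '.' -AtElement @{ users = '*' }
Add-WebConfiguration -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authorization' -Value @{ accessType = 'Allow'; roles = $group }

# 4. Verify the effective rules for the site; only the group rule should remain.
Get-WebConfiguration -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authorization/add' |
    Select-Object accessType, users, roles
```

Writing through MACHINE/WEBROOT/APPHOST with -Location puts the settings in applicationHost.config under a <location> tag for the site, which is necessary because the authentication sections are locked at the server level by default. After running it, a request from an account outside the group should get 401.2.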

Link: https://learn.microsoft.com/en-us/answers/questions/1373544/configuring-authentication-to-an-iis-website

Additional link: https://blog.netwrix.com/2022/10/21/enable-windows-authentication-iis/

Disable unnecessary services

  • Unnecessary Windows services are disabled
  • FTP, SMTP, and NNTP services are disabled if they are not required
  • Telnet service is disabled
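An added example (not from the wiki) that audits and disables the services listed above. It assumes the usual Windows service names for Telnet (TlntSvr), IIS FTP (ftpsvc), IIS SMTP (SMTPSVC) and NNTP (NntpSvc) and an elevated session; services that are not installed are reported rather than treated as errors.

```powershell
# Added example: stop and disable services the checklist calls unnecessary.
# Assumptions: elevated session; standard service names (adjust to your server).
$unneeded = @(
    @{ Name = 'TlntSvr'; Why = 'Telnet server (clear-text remote shell)' },
    @{ Name = 'ftpsvc';  Why = 'IIS FTP service' },
    @{ Name = 'SMTPSVC'; Why = 'IIS SMTP service' },
    @{ Name = 'NntpSvc'; Why = 'NNTP service' }
)

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Why
    )

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Status = 'not installed'; StartType = '-' }
    }

    # -WhatIf on the caller flows through ShouldProcess, so a dry run changes nothing.
    if ($PSCmdlet.ShouldProcess($Name, "Stop and disable ($Why)")) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
    }

    $svc = Get-Service -Name $Name
    [pscustomobject]@{ Service = $Name; Status = $svc.Status; StartType = $svc.StartType }
}

# Dry run first, then apply and show the resulting state.
$unneeded | ForEach-Object { $p = $_; Disable-UnneededService @p -WhatIf }
$unneeded | ForEach-Object { $p = $_; Disable-UnneededService @p } | Format-Table -AutoSize
```

Run the dry-run line alone on a new server to see what would change before committing; the final table should show Stopped / Disabled for every service that was present.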

Link: https://docs.delinea.com/online-help/privilege-manager/how-to/best-practices/securing-iis.htm

Secure your cookies

Cookies are small pieces of information from a website that are stored in the web browser so the website can retrieve them later. Cookies can be used for authentication, but they can also be exploited if a malicious actor gets hold of cookies that carry session or credential data. It's best to secure your cookies whenever you can.

  • Add to your site's system.web element of the web.config file (domain is a placeholder for your site's domain):
    <httpCookies domain="String"
                 httpOnlyCookies="true"
                 requireSSL="true"/>
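An added example, not from the wiki or the linked article, that applies the same two settings through the IIS configuration API and then checks what a browser would actually receive. It assumes an elevated session, the site "Default Web Site", and an HTTPS binding answering at https://web.example.test/ (placeholder URL). The httpCookies element governs cookies issued by ASP.NET, so the check is only meaningful against a page that sets one.

```powershell
# Added example: set httpOnlyCookies/requireSSL for a site, then verify the Set-Cookie flags.
# Assumptions: elevated session, site "Default Web Site", placeholder URL https://web.example.test/.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'

# Same values as the web.config snippet above, written into system.web/httpCookies.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpCookies' -Name httpOnlyCookies -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpCookies' -Name requireSSL -Value $true

# Verify from the client side: every cookie the site sets must carry both HttpOnly and Secure.
function Test-CookieFlags {
    param([Parameter(Mandatory)][string]$Url)

    # -SessionVariable captures the cookies the response set into a CookieContainer.
    $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -SessionVariable sess
    foreach ($c in $sess.Cookies.GetCookies([uri]$Url)) {
        [pscustomobject]@{
            Name     = $c.Name
            HttpOnly = $c.HttpOnly
            Secure   = $c.Secure
            Ok       = ($c.HttpOnly -and $c.Secure)
        }
    }
}

Test-CookieFlags -Url 'https://web.example.test/' | Format-Table -AutoSize
```

Any row with Ok = False means a cookie reached the client without one of the flags; a cookie set by application code with its own options, rather than by ASP.NET's defaults, is the usual cause.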

Link: https://www.calcomsoftware.com/iis-10-hardening-6-configurations-changes-to-harden-iis-10-web-server/

Request Filtering

Request Filtering allows you to configure which types of request are allowed or denied for the web site and web server. There are a few types of filtering you can implement, such as filtering by HTTP verb, file extension, request limits and URL sequences.

Example: Maximum allowed content length

  • appcmd set config /section:requestfiltering /requestlimits.maxallowedcontentlength:unit
    • requestlimits.maxallowedcontentlength specifies the maximum length, in bytes, of the request content (body) the server will accept; unit is the byte count
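The same request limit set with PowerShell instead of appcmd, followed by a probe that confirms the limit is enforced. This is an added example, not from the wiki or the linked articles; it assumes an elevated session, the site "Default Web Site" reachable at http://localhost/ (placeholder), and a 10 MB limit, and it also sets the URL and query-string limits from the same requestLimits element.

```powershell
# Added example: set requestFiltering limits and probe the content-length one.
# Assumptions: elevated session, site "Default Web Site", placeholder URL http://localhost/.
Import-Module WebAdministration
$site   = 'IIS:\Sites\Default Web Site'
$limits = 'system.webServer/security/requestFiltering/requestLimits'

# maxAllowedContentLength is in bytes, so 10MB (a PowerShell numeric literal) is 10485760.
$maxBytes = 10MB
Set-WebConfigurationProperty -PSPath $site -Filter $limits -Name maxAllowedContentLength -Value $maxBytes
Set-WebConfigurationProperty -PSPath $site -Filter $limits -Name maxUrl          -Value 2048
Set-WebConfigurationProperty -PSPath $site -Filter $limits -Name maxQueryString  -Value 1024

# Read back the effective values for the site.
Get-WebConfiguration -PSPath $site -Filter $limits |
    Select-Object maxAllowedContentLength, maxUrl, maxQueryString

# Probe: a POST body one byte over the limit must be rejected. IIS answers 404 with
# sub-status 404.13 (Content length too large), which the client sees as HTTP 404.
function Test-ContentLengthLimit {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][long]$LimitBytes
    )
    $body = 'A' * ($LimitBytes + 1)
    try {
        Invoke-WebRequest -Uri $Url -Method Post -Body $body -UseBasicParsing | Out-Null
        return 'NOT enforced: oversized request was accepted'
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        if ($code -eq 404) { return "enforced: HTTP $code (check the IIS log for sub-status 13)" }
        return "unexpected result: HTTP $code"
    }
}

Test-ContentLengthLimit -Url 'http://localhost/' -LimitBytes $maxBytes
```

Point the probe at a URL that exists and accepts POST, otherwise a 404 from the missing resource is indistinguishable from the filter; the sub-status column in the site's W3C log (404 13) tells the two apart.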

Link: https://www.infosecinstitute.com/resources/application-security/hardening-iis-security/

Additional Link: https://learn.microsoft.com/en-us/iis/manage/configuring-security/configure-request-filtering-in-iis