IIS Security Research and Implementation - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki

Introduction

These two labs required research into four security controls that could be implemented in IIS, and then actually implementing them on our systems.


Original Research

Four URLs that discuss how to secure the IIS web server:

  1. https://docs.delinea.com/online-help/secret-server/security-hardening/securing-iis-server/index.htm
  2. https://www.upguard.com/blog/10-steps-for-improving-iis-security
  3. https://blog.netwrix.com/2022/10/21/enable-windows-authentication-iis/
  4. https://www.calcomsoftware.com/iis-10-hardening-6-configurations-changes-to-harden-iis-10-web-server
  5. https://www.xsofthost.com/help/setup-dynamic-ip-address-restrictions-anti-ddos-attack-iis8/

Original Ideas

Four security controls that I will implement into my IIS web server in the next class lab:

  1. Prevent non-HTTPS connections: HTTPS uses SSL, which is much more secure than unencrypted HTTP. Users need to be redirected to HTTPS if they attempt to access any non-SSL resource.
  2. Restrict user access: make sure users only have read access (perhaps even disabling anonymous authentication; I will check with the professor about this).
  3. Dynamic IP Restrictions module: enable and configure this module so that IP addresses are temporarily blocked if they make a high number of concurrent requests, or a large number of requests over a short, pre-defined period of time.
  4. Relocate and secure IIS log files: attackers may attempt to locate the default IIS log file location and scrub evidence of their activity, so the log files should be stored away from the directory where the web applications are kept.
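As an added example (not part of the journal), here is how ideas 1 and 4 could be scripted with the WebAdministration PowerShell module instead of being clicked through in IIS Manager. The site name 'Default Web Site', the rule name, and the log folder D:\IISLogs are placeholders chosen for this example; the redirect rule assumes the URL Rewrite module is installed, and the verification function assumes the site is listening on http://localhost/.

```powershell
# Added example: scripting the HTTPS redirect (idea 1) and log relocation (idea 4).
# All names and paths below are assumptions chosen for the example.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, scoped to $site via -Location

# --- Idea 1: redirect every plain-HTTP request to HTTPS (requires URL Rewrite) ---
$ruleName = 'Redirect to HTTPS'
$rulePath = "system.webServer/rewrite/rules/rule[@name='$ruleName']"

Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/rewrite/rules' -Name '.' `
    -Value @{ name = $ruleName; stopProcessing = 'True' }
# Match any URL and capture it as {R:1}
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$rulePath/match" -Name 'url' -Value '(.*)'
# Condition: only fire when the request did not arrive over TLS
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$rulePath/conditions" -Name '.' `
    -Value @{ input = '{HTTPS}'; pattern = 'off' }
# Action: permanent (301) redirect to the same host and path over https
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$rulePath/action" -Name 'type' -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$rulePath/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$rulePath/action" -Name 'redirectType' -Value 'Permanent'

# --- Idea 4: move the W3C logs out of inetpub and lock the folder down ---
$logDir = 'D:\IISLogs'                 # assumed location, outside the web root
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Set-ItemProperty "IIS:\Sites\$site" -Name logFile.directory -Value $logDir
# Moving the files only hides them; the ACL is what stops a compromised app-pool
# identity from editing them. Drop inherited ACEs, keep SYSTEM (the HTTP service
# writes the logs) and Administrators. 'Administrators' assumes an English locale.
icacls $logDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# Check: a plain-HTTP request should now answer 301 with an https:// Location header
function Test-HttpsRedirect {
    param([string]$Url = 'http://localhost/')
    try {
        $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return "$($r.StatusCode)"
    } catch {
        # Windows PowerShell throws when the redirect limit is hit; the response is still attached
        $resp = $_.Exception.Response
        return "$([int]$resp.StatusCode) -> $($resp.Headers['Location'])"
    }
}
Test-HttpsRedirect
```

The redirect rule only covers requests that reach the site; a client that never upgrades (or an attacker sitting before the redirect) still sees one plaintext round trip, which is why the redirect is usually paired with an HSTS header on the HTTPS side.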

Implementation

Some of the controls I decided to implement differ from the original four I picked out, because of ease of implementation and further reading I did into the resources I found.


Request Filtering: HTTP Verbs

image

  • Open up the webpage to edit and select the "Request Filtering" option. This is being done in IIS Manager

In the request filtering page, there are many options: File Name Extensions, Rules, Hidden Segments, URLs, HTTP Verbs, Headers, and Query Strings. All can provide different hardening settings.

image

  • In the "HTTP Verbs" section, select "Deny Verb" in the right Actions panel.
  • Now, I can select certain verbs to be denied
    • HTTP Verbs aka Methods

image

  • Exit and restart the website
  • According to TechTarget, the above methods are unsafe and should be blocked.

image

  • To test this, I temporarily blocked "GET" requests. Then, I re-enabled them. As you can see, this was successful.
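The same "Deny Verb" change, expressed as an added PowerShell example rather than the journal's IIS Manager steps, so that the setting can be repeated and verified from a script. The site name is assumed to be 'Default Web Site', the set of verbs to deny (TRACE and TRACK) is chosen for this example and need not match the screenshot, and the probe assumes the site answers on http://localhost/.

```powershell
# Added example: deny unsafe HTTP verbs with Request Filtering and verify the result.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'
$verbs   = 'system.webServer/security/requestFiltering/verbs'

# Verbs chosen for this example. TRACE/TRACK echo the request back and are the
# classic candidates; do not blindly add OPTIONS if the site needs CORS or WebDAV.
$denied = 'TRACE', 'TRACK'

foreach ($verb in $denied) {
    # Adding the same <add verb="..."/> twice fails, so check first.
    $exists = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$verbs/add[@verb='$verb']"
    if (-not $exists) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $verbs -Name '.' `
            -Value @{ verb = $verb; allowed = 'False' }
    }
}

# Show the resulting <verbs> collection for the site
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$verbs/add" |
    Select-Object verb, allowed

# Probe: a denied verb is answered with HTTP 404 (substatus 404.6 "Verb denied" in the IIS log)
function Get-VerbStatus {
    param([string]$Method, [string]$Url = 'http://localhost/')
    try   { (Invoke-WebRequest -Uri $Url -Method $Method -UseBasicParsing -ErrorAction Stop).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }
}
Get-VerbStatus -Method Get     # normal page, expected 200
Get-VerbStatus -Method Trace   # expected 404 once TRACE is denied
```

Checking the substatus (404.6) in the W3C log is the reliable way to confirm that Request Filtering, and not a missing page, produced the 404.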

Resources:


IIS Dynamic IP Restrictions

Server Manager > Install Roles and Features > Server Roles > Web Server (IIS) > Web Server > Security > IP and Domain Restrictions. After installation:

  • Select your website within IIS Manager and click IP address and Domain Restrictions Icon.
  • Select "Edit Dynamic Restriction Settings..." in the Actions panel on the right

image

  • Select these options and save
  • Restart the web page

Set the Behavior for IIS when Denying IP Addresses

  • Select your website within IIS Manager and click IP address and Domain Restrictions Icon.
  • Select "Edit Features Settings..."
  • Deny Action Type drop-down menu options:
    • Unauthorized: IIS will return an HTTP 401 response error code.
    • Forbidden: IIS returns an HTTP 403 response error code.
    • Not Found: IIS returns an HTTP 404 response error code.
    • Abort: IIS will terminate the current HTTP connection.
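The dynamic restriction settings and the deny action from the two procedures above, as an added PowerShell example (not from the journal) against the dynamicIpSecurity section that the IIS Manager dialogs write to. The thresholds, the site name 'Default Web Site' and the choice of "Forbidden" are assumptions for the example; the burst test assumes the site answers on http://localhost/ and that the loop runs fast enough to cross the rate threshold.

```powershell
# Added example: configure Dynamic IP Restrictions and its deny action, then observe it.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'
$dyn     = 'system.webServer/security/dynamicIpSecurity'

# Block a client that holds more than 10 requests in flight at once (example value)
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name 'enabled' -Value 'True'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value 10

# Block a client that sends more than 50 requests within any 1000 ms window (example values)
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'enabled' -Value 'True'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'maxRequests' -Value 50
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 1000

# Deny Action Type: AbortRequest | Unauthorized | Forbidden | NotFound
# Both the static <ipSecurity> element and <dynamicIpSecurity> carry denyAction; set both so static
# and dynamic blocks answer the same way.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $dyn -Name 'denyAction' -Value 'Forbidden'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/security/ipSecurity' -Name 'denyAction' -Value 'Forbidden'

# Safer rollout: log what would be blocked without blocking, then size the thresholds from the log.
# Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $dyn -Name 'enableLoggingOnlyMode' -Value 'True'

# Observe: fire a burst of requests from one client and tally the status codes.
function Measure-BurstResponses {
    param([int]$Count = 100, [string]$Url = 'http://localhost/')
    $tally = @{}
    for ($i = 0; $i -lt $Count; $i++) {
        try   { $code = (Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).StatusCode }
        catch { $code = [int]$_.Exception.Response.StatusCode }   # 403 once the rate limit trips
        $tally[$code] = 1 + $tally[$code]
    }
    return $tally
}
Measure-BurstResponses
```

Two caveats when reading the tally: the limits are keyed on the client IP, so clients behind a shared proxy are counted together unless enableProxyMode is turned on (which trusts X-Forwarded-For), and "Abort" leaves nothing in the access log for the blocked request, which makes Forbidden or NotFound easier to work with in detection.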

image

Resources:


Removing Server Version Header

image

  • Current Server header

image

image

  • Select "Add Rule(s)..." > Outbound Rules > Blank rule

Select the below values for the new outbound rule, then click "Apply" on the right panel:

  • Precondition:
  • Matching scope: Server Variable
  • Variable name: RESPONSE_Server
  • Variable value: Matches the Pattern
  • Using: Regular Expressions
  • Pattern: .*
  • Action type: Rewrite
  • Value: whatever you want the Server header to be.

image

  • URL Rewrite page after the outbound rule is made
  • Restart the page

image

  • When I implement this rule, the server no longer wants to connect to IIS. It seems that this may be a compatibility issue with the very old IIS version we are running. On newer versions, this rule would work better.
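The outbound rule from the list above, written as an added PowerShell example (not the journal's own steps) so it can be applied and checked from a script. It uses the same values the journal gives (server variable RESPONSE_Server, pattern .*, action Rewrite); the site name, the rule name and the replacement text "Web" are assumptions, and the check assumes the site answers on http://localhost/.

```powershell
# Added example: rewrite the Server response header with a URL Rewrite outbound rule.
Import-Module WebAdministration

$site     = 'Default Web Site'         # assumed site name
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$ruleName = 'Rewrite Server header'    # assumed rule name
$rulePath = "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']"

Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/rewrite/outboundRules' -Name '.' -Value @{ name = $ruleName }
# Matching scope "Server Variable", variable RESPONSE_Server, regular expression .*
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rulePath/match" -Name 'serverVariable' -Value 'RESPONSE_Server'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rulePath/match" -Name 'pattern' -Value '.*'
# Action "Rewrite" with an arbitrary replacement value
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rulePath/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$rulePath/action" -Name 'value' -Value 'Web'

# On IIS 10 (Windows Server 2016 and later) Request Filtering can drop the header outright,
# with no URL Rewrite dependency; this attribute does not exist on older versions:
# Set-WebConfigurationProperty -PSPath $appHost -Location $site `
#     -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value 'True'

# Check what the server now sends. Errors still carry a response, so inspect it too.
function Get-ServerHeader {
    param([string]$Url = 'http://localhost/')
    try   { $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop }
    catch { $r = $_.Exception.Response }
    return $r.Headers['Server']
}
Get-ServerHeader
```

One known limitation worth checking in a failed-request trace when an outbound rule breaks a site: outbound rules cannot run on responses that have already been compressed, and IIS answers those with HTTP 500.52 unless compression is disabled or the rule is given a precondition that excludes them. Hiding the header is also only a speed bump; fingerprinting tools identify IIS from other response details, so this is defence in depth rather than a control to rely on.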

Resources:


Request Filtering: Query Strings

image

  • XSS attacks can be conducted through URLs. However, using the Request Filtering "Query Strings" feature, I can block strings commonly used in a scripting attack.

image

image

  • Now the test attack is blocked
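An added PowerShell example (not from the journal) of the same Query Strings filter, with a probe that sends a harmless marker string through the query string to confirm the rule fires. The site name and the denied sequences are assumptions for the example; the probe assumes the site answers on http://localhost/.

```powershell
# Added example: deny query-string sequences with Request Filtering and verify the block.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'
$deny    = 'system.webServer/security/requestFiltering/denyQueryStringSequences'

# Sequences chosen for the example. These are literal substrings, not regular expressions,
# and Request Filtering applies them to the decoded query string.
$sequences = '<script', 'javascript:'

foreach ($seq in $sequences) {
    $exists = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$deny/add[@sequence='$seq']"
    if (-not $exists) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $deny -Name '.' -Value @{ sequence = $seq }
    }
}

# Show the resulting list for the site
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$deny/add" | Select-Object sequence

# Probe: a denied sequence is answered with HTTP 404 (substatus 404.18 "Query string sequence denied")
function Get-QueryStatus {
    param([string]$Value, [string]$Base = 'http://localhost/')
    $url = $Base + '?q=' + [uri]::EscapeDataString($Value)   # encoded on the wire, decoded by IIS
    try   { (Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }
}
Get-QueryStatus 'hello world'          # ordinary value, expected 200
Get-QueryStatus '<script>test</script>' # contains a denied sequence, expected 404
```

A denylist of sequences only catches the exact substrings listed, so it stops the obvious test payloads and little else; the application's own output encoding remains the actual XSS fix, and the 404.18 entries in the log are mainly useful as an early signal that someone is probing the site.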