Hardening a Microsoft IIS Web Server

Here are some quick tips on how to harden a Microsoft IIS web server for production use:

1. Enable SSL

When possible, configure your web server and sites to use an SSL certificate; SSL protects client-server communication. Instructions on how to configure SSL in IIS can be found at: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

2. Disable Weak SSL and TLS Ciphers

Paste the following registry configuration into a text file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Save the file as “Disable_Weak_Ciphers.reg” and double-click it to import the configuration into the web server’s registry.

Note: These settings will not take effect until the server is rebooted.
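The same change can be applied and, more usefully, audited from PowerShell. The script below is an added example, not part of the original post: it disables exactly the cipher and protocol entries listed in the .reg file above and then reports the state of each one, which is handy for confirming the setting on a server after the reboot or across a fleet. Note the use of the .NET registry API rather than New-Item: key names such as "RC4 40/128" contain a forward slash, which the PowerShell registry provider would interpret as a path separator.

```powershell
# Added example (not from the original post): apply and audit the SCHANNEL
# "Enabled"=0 entries from the .reg file using PowerShell. Run from an
# elevated prompt; a reboot is still required for SCHANNEL to pick them up.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Same targets as the .reg file. Protocol entries live under a \Server subkey.
$targets = @(
    'Ciphers\DES 56/56',
    'Ciphers\NULL',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128',
    'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Server'
)

function Disable-SchannelEntry {
    param([Parameter(Mandatory)][string]$RelativePath)
    # Cipher key names such as "RC4 40/128" contain a forward slash. The
    # PowerShell registry provider treats "/" as a path separator and would
    # create "RC4 40" with a child key "128"; the .NET API uses only "\" as
    # the separator, so the name is created literally, as the .reg file does.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$RelativePath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelEntryState {
    param([Parameter(Mandatory)][string]$RelativePath)
    # Returns 'disabled', 'enabled' or 'absent'. 'absent' means no explicit
    # setting exists, so SCHANNEL falls back to its default for that entry.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$RelativePath")
    if ($null -eq $key) { return 'absent' }
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return 'absent' }
        if ([int]$value -eq 0) { return 'disabled' } else { return 'enabled' }
    } finally {
        $key.Close()
    }
}

foreach ($t in $targets) { Disable-SchannelEntry -RelativePath $t }

# Audit: every target should now report "disabled".
foreach ($t in $targets) {
    '{0,-28} {1}' -f $t, (Get-SchannelEntryState -RelativePath $t)
}
```

Run Get-SchannelEntryState on its own (without the disable loop) to audit a server you have not yet changed; it reads the registry only and does not modify anything.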

3. Install & Configure URLScan

Download URLScan from http://www.iis.net/download/UrlScan (x86 version: http://go.microsoft.com/?linkid=9655677, x64 version: http://go.microsoft.com/?linkid=9655678). Run the installer and accept the installation defaults.

Once URLScan is installed, open UrlScan.ini, located at %windir%\system32\inetsrv\urlscan\UrlScan.ini, and make the following changes.

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]
aspxerrorpath=

This entry disallows URLs whose query string contains an “aspxerrorpath=” parameter from reaching ASP.NET applications; the web server returns an HTTP error instead. The rule prevents attackers from distinguishing between the different types of errors occurring on the server, which helps block attacks that rely on this vulnerability.

In addition, a tilde character can be added to [DenyUrlSequences] so that URLScan rejects any URL containing one:

[DenyUrlSequences]
~

Lastly, set the AlternateServerName= variable to:

AlternateServerName=Apache

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. Alternatively, reboot your server.

Note: For more information about URLScan please visit: http://www.iis.net/learn/extensions/working-with-urlscan
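Because UrlScan.ini is edited by hand, it is easy to lose one of the three changes above during a later upgrade or copy. The script below is an added example, not part of the original post or of URLScan itself: Read-IniSections and Test-UrlScanHardening are my own helpers that parse the file and report which of the three settings (aspxerrorpath= in [DenyQueryStringSequences], ~ in [DenyUrlSequences], AlternateServerName=Apache in [Options]) are missing. A constructed sample file is used first so the script runs without URLScan installed; the real file is audited only if it exists at the path from the post.

```powershell
# Added example (not from the original post): audit UrlScan.ini for the three
# hardening changes described above. Parser and checks are my own code.

function Read-IniSections {
    param([string[]]$Lines)
    # Minimal INI reader: section name -> array of raw entry lines. UrlScan's
    # deny sections are lists of bare sequences, so entries are not split on '='.
    $sections = @{}
    $current = $null
    foreach ($raw in @($Lines)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }     # blank / comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
            continue
        }
        if ($null -ne $current) { $sections[$current] += $line }
    }
    return $sections
}

function Get-IniEntries {
    param([hashtable]$Sections, [string]$Name)
    if ($Sections.ContainsKey($Name)) { return @($Sections[$Name]) } else { return @() }
}

function Test-UrlScanHardening {
    param([Parameter(Mandatory)][string]$Path)
    # Returns one finding per missing setting; an empty result means all three are present.
    $ini = Read-IniSections -Lines (Get-Content -Path $Path)
    $findings = @()

    if ((Get-IniEntries $ini 'DenyQueryStringSequences') -notcontains 'aspxerrorpath=') {
        $findings += '[DenyQueryStringSequences] lacks aspxerrorpath='
    }
    if ((Get-IniEntries $ini 'DenyUrlSequences') -notcontains '~') {
        $findings += '[DenyUrlSequences] lacks ~'
    }
    $alt = $null
    foreach ($entry in (Get-IniEntries $ini 'Options')) {
        if ($entry -match '^AlternateServerName\s*=\s*(.*)$') { $alt = $Matches[1].Trim() }
    }
    if ($alt -ne 'Apache') {
        $findings += "AlternateServerName is '$alt' (expected Apache)"
    }
    return $findings
}

# Constructed sample: a trimmed UrlScan.ini as it looks before the edits.
$sample = @'
[Options]
UseAllowVerbs=1
AlternateServerName=
[DenyUrlSequences]
..
./
[DenyQueryStringSequences]
<script
'@
$tmp = Join-Path $env:TEMP 'UrlScan-sample.ini'
Set-Content -Path $tmp -Value $sample
'Sample : ' + ((Test-UrlScanHardening -Path $tmp) -join '; ')

# Real file (path from the post); only audited if URLScan is installed.
$real = Join-Path $env:windir 'system32\inetsrv\urlscan\UrlScan.ini'
if (Test-Path -Path $real) {
    $result = Test-UrlScanHardening -Path $real
    if ($result.Count -eq 0) { 'Server : all three settings present' }
    else { 'Server : ' + ($result -join '; ') }
}
```

The sample run reports all three findings; after the edits described above the same check on the server's UrlScan.ini should report none. Remember that URLScan only reads the file at startup, so an iisreset is still required after changing it.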

4. Log Configuration

I recommend storing your IIS logs on a drive separate from your IIS installation. This protects log file integrity in the event your server is compromised or a rogue script attempts to remove the logs.

To change the log file location, open Internet Information Services (IIS) Manager and, under the ‘IIS’ section, select ‘Logging’. Under ‘Directory’, click ‘Browse’ and select a log file location on another drive, for example E:\Logs\IIS.

Lastly, click ‘Select Fields’ and select all available fields so that every field is logged. To save the change, click ‘Apply’ on the right side of the screen.
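The same two changes can be scripted with the WebAdministration module, which also makes it easy to verify that no individual site has been left logging to the system drive. The script below is an added example, not part of the original post; E:\Logs\IIS is the post's example location, and the field list is the full set of W3C fields IIS offers, matching "select all available fields".

```powershell
# Added example (not from the original post): set the site-default log
# directory and field list with the WebAdministration module, then audit.
Import-Module WebAdministration

$logDir = 'E:\Logs\IIS'                                   # post's example path
$filter = 'system.applicationHost/sites/siteDefaults/logFile'
$appHost = 'MACHINE/WEBROOT/APPHOST'

# Every W3C field IIS can log, equivalent to "select all available fields".
$allFields = 'Date,Time,ClientIP,UserName,SiteName,ComputerName,ServerIP,Method,' +
             'UriStem,UriQuery,HttpStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,' +
             'ServerPort,UserAgent,Cookie,Referer,ProtocolVersion,Host,HttpSubStatus'

function Set-IisLogging {
    param([string]$Directory = $logDir, [string]$Fields = $allFields)
    if (-not (Test-Path -Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name logFormat -Value 'W3C'
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name directory -Value $Directory
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name logExtFileFlags -Value $Fields
}

function Get-IisLoggingAudit {
    param([string]$ExpectedDirectory = $logDir)
    # Site defaults only apply to sites that do not override them, so check
    # each site's effective directory as well as the default.
    $defaultDir = (Get-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name directory).Value
    $flags = (Get-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name logExtFileFlags).ToString()
    [pscustomobject]@{ Scope = 'siteDefaults'; Directory = $defaultDir; Fields = $flags }
    foreach ($site in Get-Website) {
        $dir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        if ($dir -ne $ExpectedDirectory) {
            [pscustomobject]@{ Scope = $site.Name; Directory = $dir; Fields = 'overrides default' }
        }
    }
}

Set-IisLogging
Get-IisLoggingAudit | Format-Table -AutoSize
```

Any site listed by Get-IisLoggingAudit besides siteDefaults is still writing logs somewhere other than the separate drive and needs its own logFile directory corrected (in IIS Manager, select the site rather than the server node before opening ‘Logging’).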

5. Authentication

If possible, use Integrated Windows authentication, which performs a cryptographic exchange of login credentials between the visitor’s web browser and the web server. Digest authentication is an alternative, but it requires Active Directory.

6. Unbind Network Services

Open your network adapter configuration and unbind ‘File and Printer Sharing’, ‘Client for Microsoft Networks’ and any other unnecessary services.

7. Windows Updates

Configure your server to automatically check for Windows Updates. Be sure to apply updates on a weekly basis.

8. Firewall

Install and configure a firewall (e.g. Symantec Network Threat Protection) or use the built-in Windows Internet Connection Firewall. Configure rules so that public access is permitted only to HTTP (TCP/80) and HTTPS (TCP/443).
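For the built-in Windows Firewall, the rule set described above can be created and then audited with the NetSecurity cmdlets, which are available on Windows Server 2012 and later (older servers use netsh advfirewall). The script below is an added example, not part of the original post; the rule names IIS-HTTP-In and IIS-HTTPS-In are my own. It sets the Public profile to block inbound traffic by default, allows only TCP/80 and TCP/443, and then lists every remaining inbound allow rule on that profile so that anything else exposed to the public network stands out.

```powershell
# Added example (not from the original post): expose only HTTP and HTTPS on
# the Public firewall profile, then audit what else is allowed inbound.
# Run from an elevated prompt. Rule names are assumptions.

function Set-WebServerFirewall {
    param([string]$Profile = 'Public')

    # Default-deny inbound on the profile; the rules below are the only openings.
    Set-NetFirewallProfile -Profile $Profile -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    $allow = @(
        @{ Name = 'IIS-HTTP-In';  Port = 80  },
        @{ Name = 'IIS-HTTPS-In'; Port = 443 }
    )
    foreach ($r in $allow) {
        # Idempotent: skip rules that already exist so re-runs do not duplicate them.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -Action Allow -Profile $Profile | Out-Null
        }
    }
}

function Get-PublicInboundAllowRules {
    # Audit: every enabled inbound allow rule that applies to the Public profile
    # (rules with profile "Any" apply there too), with its protocol and ports.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -match 'Public|Any' } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $pf.Protocol
                LocalPort = (@($pf.LocalPort) -join ',')
            }
        }
}

Set-WebServerFirewall
Get-PublicInboundAllowRules | Sort-Object Rule | Format-Table -AutoSize
```

Windows ships with a number of inbound allow rules enabled by default (remote administration, discovery and similar), so expect the audit to list more than the two IIS rules on a fresh install; each extra entry is a candidate for disabling or for restricting to the Domain or Private profile only.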