
Windows IIS server hardening checklist

General
- Never connect an IIS server to the internet until it is fully hardened.
- Place the server in a physically secure location.
- Do not install the IIS server on a domain controller.
- Do not install a printer.
- Use two network interfaces in the server: one for admin and one for the network.
- Install service packs, patches and hot fixes.
- Run Microsoft Security Compliance Toolkit.
- Run IIS Lockdown on the server.
- Install and configure URLScan.
- Secure remote administration of the server, and configure it for encryption, low session timeouts and account lockouts.
- Disable unnecessary Windows services.
- Ensure services are running with least-privileged accounts.
- Disable FTP, Simple Mail Transfer Protocol and Network News Transfer Protocol services if they are not required.
- Disable the Telnet service.
- Disable the ASP.NET state service if it is not used by your applications.
- Disable Web Distributed Authoring and Versioning if it is not used by the application, or secure it if it is required.
- Do not install Microsoft Data Access Components (MDAC) unless specifically needed.
- Do not install the HTML version of Internet Services Manager.
- Do not install Microsoft Index Server unless required.
- Do not install Microsoft FrontPage Server Extensions (FPSE) unless required.
- Harden the TCP/IP stack.
- Disable NetBIOS and Server Message Block, closing ports 137, 138, 139 and 445.
- Reconfigure recycle bin and page file system data policies.
- Secure CMOS (complementary metal-oxide semiconductor) settings.
- Secure physical media (CD-ROM drive and so on).

Accounts
- Remove unused accounts from the server.
- Disable the Windows Guest account.
- Rename the Administrator account, and set a strong password.
- Disable the IUSR_Machine account if it is not used by the application.
- Create a custom least-privileged anonymous account if applications require anonymous access.
- Do not give the anonymous account write access to web content directories or allow it to execute command-line tools.
- If you host multiple web applications, configure a separate anonymous user account for each one.

©2020 TECHTARGET. ALL RIGHTS RESERVED


- Configure the ASP.NET process account for least privilege. This only applies if you are not using the default ASP.NET account, which is a least-privileged account.
- Enforce strong account and password policies for the server.
- Enforce two-factor authentication where possible.
- Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
- Do not share accounts among administrators.
- Disable null sessions (anonymous logons).
- Require approval for account delegation.
- Do not allow users and administrators to share accounts.
- Do not create more than two accounts in the administrator group.
- Require administrators to log on locally, or secure the remote administration system.

Files and directories
- Use multiple disks or partition volumes, and do not install the web server home directory on the same volume as the OS folders.
- Contain files and directories on NT file system (NTFS) volumes.
- Put website content on a nonsystem NTFS volume.
- Create a new site, and disable the default site.
- Run the IIS Lockdown Wizard on the server.
- Put log files on a nonsystem NTFS volume, but not on the same volume where the website content resides.
- Restrict the Everyone group: no access to \WINNT\system32 or web directories.
- Ensure the website root directory has a deny-write access control entry (ACE) for anonymous internet accounts.
- Ensure content directories have a deny-write ACE for anonymous internet accounts.
- Remove resource kit tools, utilities and SDKs.
- Remove any sample applications or code.
- Remove the IP address in the Content-Location header.

Shares
- Remove all unnecessary shares, including default administration shares.
- Restrict access to required shares; the Everyone group does not have access.
- Remove administrative shares (C$ and Admin$) if they are not required. (Microsoft System Center Operations Manager, formerly Microsoft Systems Management Server and Microsoft Operations Manager, requires these shares.)

Ports
- Restrict internet-facing interfaces to port 443 (SSL).

Registry
- Restrict remote registry access.
- Secure the local Security Account Manager (SAM) database by implementing the NoLMHash policy.

Auditing and logging
- Audit failed logon attempts.
- Relocate and secure IIS log files.
- Configure log files with an appropriate file size depending on the application security requirement.
- Regularly archive and analyze log files.
- Audit access to the MetaBase.xml and MBSchema.xml files.
- Configure IIS for World Wide Web Consortium extended log file format auditing.
- Read how to use SQL Server to analyze web logs.

Sites and virtual directories
- Put websites on a nonsystem partition.
- Disable the Parent Paths setting.
- Remove any unnecessary virtual directories.
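The following script is an added example, not part of the TechTarget checklist: a read-only audit that reports which of the General (services, NetBIOS/SMB ports), Accounts, Registry and Ports items above are not met on the host it runs on. It assumes Windows Server 2016 or later (Get-LocalUser, Get-Service StartType, Get-NetTCPConnection) and an elevated PowerShell session; the service names and registry values are the standard Windows ones for the items named in the checklist.

```powershell
# Added example, not from the checklist: read-only audit of selected checklist items.
# Assumes Windows Server 2016+ and an elevated session. Nothing is changed on the host.
$findings = @()

# General: services the checklist says to disable unless required
# (FTP, SMTP, NNTP, Telnet, ASP.NET state service) plus Remote Registry (Registry section).
foreach ($svc in 'ftpsvc','SMTPSVC','NntpSvc','TlntSvr','aspnet_state','RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and ($s.Status -eq 'Running' -or $s.StartType -ne 'Disabled')) {
        $findings += "service $svc is $($s.Status)/$($s.StartType); disable it if not required"
    }
}

# Accounts: Guest disabled (RID 501), built-in Administrator renamed (RID 500),
# no more than two members in the Administrators group.
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings += "Guest account '$($guest.Name)' is enabled" }
$admin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Name -eq 'Administrator') { $findings += 'built-in Administrator account has not been renamed' }
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) { $findings += "Administrators group has $($admins.Count) members (checklist: at most two)" }

# Registry: NoLMHash (SAM protection) and RestrictAnonymous (null sessions) under the LSA key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1)         { $findings += 'NoLMHash is not 1; LM hashes may be stored in the SAM' }
if ($lsa.RestrictAnonymous -ne 1) { $findings += 'RestrictAnonymous is not 1; null sessions may be allowed' }

# Ports: report every TCP listener on a non-loopback address other than 443.
# 139 and 445 (NetBIOS session / SMB) are called out; 137 and 138 are UDP and not covered here.
$listen = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalAddress -notin '127.0.0.1','::1' }
foreach ($p in ($listen.LocalPort | Sort-Object -Unique)) {
    if ($p -eq 443) { continue }
    $note = if ($p -in 139,445) { ' (NetBIOS/SMB; checklist says close it)' } else { '' }
    $findings += "TCP port $p is listening on a non-loopback interface$note"
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' } else { $findings }
```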



- Remove or secure the MDAC Remote Data Services virtual directory.
- Do not grant included directories read web permission.
- Restrict write and execute web permissions for anonymous accounts in virtual directories.
- Ensure there is script source access only on folders that support content authoring.
- Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication and SSL encryption.
- Remove FPSE if not used. If FPSE are used, update them and restrict access to them.
- Remove the IIS Internet Printing virtual directory.
- Restrict IIS banner information (disable the IP address in Content-Location).

Script mappings
- Map extensions not used by the application to 404.dll: .idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer.
- Map unnecessary ASP.NET file type extensions to HttpForbiddenHandler in Machine.config.

ISAPI filters
- Remove unnecessary or unused Internet Server Application Programming Interface (ISAPI) filters from the server.

IIS Metabase
- Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).

Server certificates
- Ensure certificate date ranges are valid.
- Only use certificates for their intended purpose. For example, the server certificate is not used for email.
- Ensure the certificate's public key is valid, all the way to a trusted root authority.
- Confirm that the certificate has not been revoked.

Machine.config
- Map protected resources to HttpForbiddenHandler.
- Remove unused HttpModules.
- Disable tracing: <trace enabled="false"/>.
- Turn off debug compiles: <compilation debug="false" explicit="true" defaultLanguage="vb">.
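As an added example (not the checklist's own tooling), this script checks a Machine.config or a site's web.config against the Machine.config and script-mapping items above: tracing off, debug compiles off, unused ASP.NET extensions mapped to HttpForbiddenHandler, and a listing of the registered HttpModules for manual review. The default config path and the extension list (.rem, .soap, .asmx) are assumptions; pass your own values as parameters.

```powershell
# Added example, not from the checklist: read-only audit of <system.web> settings.
param(
    # Assumed default: the 64-bit .NET 4 Machine.config. A site's web.config works too.
    [string]$ConfigPath = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config",
    # Assumed list of ASP.NET extensions to forbid when the application does not use them.
    [string[]]$ForbiddenExtensions = @('*.rem', '*.soap', '*.asmx')
)

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$sw = $cfg.configuration.'system.web'
if (-not $sw) { throw "no <system.web> section in $ConfigPath" }
$findings = @()

# <trace enabled="false"/>; when the element is absent the default (off) applies.
if ($sw.trace -and $sw.trace.enabled -eq 'true') {
    $findings += 'tracing is enabled (<trace enabled="true">); set enabled="false"'
}

# <compilation debug="false" .../>
if ($sw.compilation -and $sw.compilation.debug -eq 'true') {
    $findings += 'debug compiles are on (<compilation debug="true">); set debug="false"'
}

# Unused ASP.NET extensions must be mapped to HttpForbiddenHandler in <httpHandlers>.
$handlers = @()
if ($sw.httpHandlers) { $handlers = @($sw.httpHandlers.add) }
foreach ($ext in $ForbiddenExtensions) {
    $matches = @($handlers | Where-Object { $_.path -eq $ext })
    if ($matches.Count -eq 0) {
        $findings += "no <httpHandlers> entry for $ext; add <add verb=`"*`" path=`"$ext`" type=`"System.Web.HttpForbiddenHandler`"/> if unused"
    } elseif ($matches | Where-Object { $_.type -notlike 'System.Web.HttpForbiddenHandler*' }) {
        $findings += "$ext is served by a handler other than HttpForbiddenHandler"
    }
}

# The script cannot know which HttpModules the application needs, so it lists
# them for the reviewer to compare against the application's requirements.
$modules = @()
if ($sw.httpModules) { $modules = @($sw.httpModules.add | ForEach-Object { $_.name }) }

[pscustomobject]@{
    Config      = $ConfigPath
    Findings    = $findings
    HttpModules = $modules
}
```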
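The following is an added example, not part of the checklist, covering the four Server certificates items above for every HTTPS binding on the host: validity dates, intended purpose (the Server Authentication EKU), chain to a trusted root, and revocation. It assumes IIS 7 or later with the WebAdministration module and the PKI module's Test-Certificate cmdlet, and that the machine can reach the CRL or OCSP endpoints for the revocation check.

```powershell
# Added example, not from the checklist: audit the certificates bound to IIS HTTPS sites.
# Assumes IIS 7+ (WebAdministration module) and the PKI module (Test-Certificate). Read-only.
Import-Module WebAdministration
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: the "intended purpose" of a web server certificate
$now = Get-Date

$results = foreach ($b in Get-WebBinding -Protocol https) {
    if (-not $b.certificateHash) { continue }   # binding with no certificate attached
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        [pscustomobject]@{ Binding = $b.bindingInformation; Subject = ''; Expires = $null; Issues = 'bound certificate not found in store' }
        continue
    }
    $issues = @()

    # Date range.
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $issues += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Intended purpose: the EKU extension (OID 2.5.29.37), if present, must include Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $serverAuthEku)) {
        $issues += 'EKU does not include Server Authentication (certificate not meant for a web server)'
    }

    # Chain to a trusted root plus revocation checking, using the SSL policy.
    # Any reason Test-Certificate reports is captured from the error stream.
    $err = $null
    $ok = Test-Certificate -Cert $cert -EKU $serverAuthEku -Policy SSL -ErrorAction SilentlyContinue -ErrorVariable err
    if (-not $ok) { $issues += "chain/revocation check failed: $($err | Select-Object -First 1)" }

    [pscustomobject]@{
        Binding = $b.bindingInformation
        Subject = $cert.Subject
        Expires = $cert.NotAfter
        Issues  = ($issues -join '; ')
    }
}

$results | Format-Table -AutoSize
```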

