Webserver Hardening

To achieve the required level of security, implementing the following configurations is recommended.

Basic Configurations

  • Ensure web content is on non-system partition
  • Ensure 'host headers' are on all sites
  • Ensure 'directory browsing' is set to disabled
  • Ensure 'Application pool identity' is configured for all application pools
  • Ensure 'unique application pools' is set for sites
  • Ensure 'application pool identity' is configured for anonymous user identity
  • Ensure WebDAV feature is disabled

Configure Authentication and Authorization

  • Ensure 'global authorization rule' is set to restrict access
  • Ensure access to sensitive site features is restricted to authenticated principals only
  • Ensure 'forms authentication' requires SSL
  • Ensure 'forms authentication' is set to use cookies
  • Ensure 'cookie protection mode' is configured for forms authentication
  • Ensure transport layer security for 'basic authentication' is configured
  • Ensure 'passwordFormat' is not set to clear
  • Ensure 'credentials' are not stored in configuration files

ASP.NET Configuration Recommendations

  • Ensure 'deployment method retail' is set
  • Ensure 'debug' is turned off
  • Ensure custom error messages are not off
  • Ensure IIS HTTP detailed errors are hidden from displaying remotely
  • Ensure ASP.NET stack tracing is not enabled
  • Ensure 'httpcookie' mode is configured for session state
  • Ensure 'cookies' are set with HttpOnly attribute
  • Ensure 'MachineKey validation method - .Net 3.5' is configured
  • Ensure 'MachineKey validation method - .Net 4.5' is configured
  • Ensure global .NET trust level is configured
  • Ensure X-Powered-By Header is removed
  • Ensure Server Header is removed

Request Filtering and other Restriction Modules

  • Ensure 'maxAllowedContentLength' is configured
  • Ensure 'maxURL request filter' is configured
  • Ensure 'MaxQueryString request filter' is configured
  • Ensure non-ASCII characters in URLs are not allowed
  • Ensure Double-Encoded requests will be rejected
  • Ensure 'HTTP Trace Method' is disabled
  • Ensure Unlisted File Extensions are not allowed
  • Ensure Handler is not granted Write and Script/Execute
  • Ensure 'notListedIsapisAllowed' is set to false
  • Ensure 'notListedCgisAllowed' is set to false
  • Ensure 'Dynamic IP Address Restrictions' is enabled

IIS Logging Recommendations

  • Ensure Default IIS web log location is moved
  • Ensure Advanced IIS logging is enabled
  • Ensure 'ETW Logging' is enabled

Transport Encryption

  • Ensure HSTS Header is set
  • Ensure SSLv2 is disabled
  • Ensure SSLv3 is Disabled
  • Ensure TLS 1.0 is Disabled
  • Ensure TLS 1.1 is Disabled
  • Ensure TLS 1.2 is Enabled
  • Ensure NULL Cipher Suites are Disabled
  • Ensure DES Cipher Suites are Disabled
  • Ensure RC4 Cipher Suites are Disabled
  • Ensure AES 128/128 Cipher Suite is Disabled
  • Ensure AES 256/256 Cipher Suite is Enabled
  • Ensure TLS Cipher Suite Ordering is Configured
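
As an added example (not part of the original checklist), the following PowerShell script performs a read-only audit of a subset of the items above on an IIS host using the WebAdministration module and the SCHANNEL registry keys. The Get-Prop and Add-Result helper names are my own; the expected values are those the list implies (directory browsing and debug off, HttpOnly on, double-encoded and non-ASCII requests rejected, unlisted extensions denied, SSL 2.0/3.0 and TLS 1.0/1.1 disabled), and system.web values are read at the machine root, so an individual site's web.config may still override them.

```powershell
# Added example: read-only audit of selected hardening items. Run from an elevated
# PowerShell session on the IIS host; it reports findings and changes nothing.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config
$webRoot = 'MACHINE/WEBROOT'           # machine-level root web.config (system.web)
$results = New-Object System.Collections.Generic.List[object]

function Get-Prop($PSPath, $Filter, $Name) {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for some
    # attribute types and a plain value for others; normalize to the plain value.
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $null -ne $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Add-Result($Item, $Actual, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Item = $Item; Actual = "$Actual"; Pass = $Pass })
}

# Basic configuration
$v = Get-Prop $appHost 'system.webServer/directoryBrowse' 'enabled'
Add-Result 'Directory browsing disabled' $v ("$v" -eq 'False')

# ASP.NET configuration (machine root; sites may override in their own web.config)
$v = Get-Prop $webRoot 'system.web/compilation' 'debug'
Add-Result 'debug turned off' $v ("$v" -eq 'False')
$v = Get-Prop $webRoot 'system.web/httpCookies' 'httpOnlyCookies'
Add-Result 'Cookies set HttpOnly' $v ("$v" -eq 'True')
$v = Get-Prop $webRoot 'system.web/customErrors' 'mode'
Add-Result 'Custom errors not Off' $v ("$v" -ne 'Off')

# Request filtering
$rf = 'system.webServer/security/requestFiltering'
$v = Get-Prop $appHost $rf 'allowDoubleEscaping'
Add-Result 'Double-encoded requests rejected' $v ("$v" -eq 'False')
$v = Get-Prop $appHost $rf 'allowHighBitCharacters'
Add-Result 'Non-ASCII URLs rejected' $v ("$v" -eq 'False')
$v = Get-Prop $appHost "$rf/fileExtensions" 'allowUnlisted'
Add-Result 'Unlisted file extensions denied' $v ("$v" -eq 'False')

# Transport encryption: legacy protocols must be explicitly disabled server-side.
# A missing key means the OS default applies, which is reported as a finding.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Get-ItemProperty -Path "$schannel\$proto\Server" -ErrorAction SilentlyContinue
    $enabled = if ($null -eq $key) { 'not set (OS default)' } else { $key.Enabled }
    Add-Result "$proto disabled (Server)" $enabled ("$enabled" -eq '0')
}

$results | Format-Table Item, Actual, Pass -AutoSize
```

Items that only say "is configured" (for example maxAllowedContentLength or cipher suite ordering) have no single correct value and are left for a site-specific check.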