Webserver Hardening
To achieve the required level of security, implementing the following configurations is recommended.
Basic Configurations
- Ensure web content is on non-system partition
- Ensure 'host headers' are on all sites
- Ensure 'directory browsing' is set to disabled
- Ensure 'Application pool identity' is configured for all application pools
- Ensure 'unique application pools' is set for sites
- Ensure 'application pool identity' is configured for anonymous user identity
- Ensure WebDav feature is disabled
Configure Authentication and Authorization
- Ensure 'global authorization rule' is set to restrict access
- Ensure access to sensitive site features is restricted to authenticated principals only
- Ensure 'forms authentication' requires SSL
- Ensure 'forms authentication' is set to use cookies
- Ensure 'cookie protection mode' is configured for forms authentication
- Ensure transport layer security for 'basic authentication' is configured
- Ensure 'passwordFormat' is not set to clear
- Ensure 'credentials' are not stored in configuration files
ASP.NET Configuration Recommendations
- Ensure 'deployment method retail' is set
- Ensure 'debug' is turned off
- Ensure custom error messages are not off
- Ensure IIS HTTP detailed errors are hidden from displaying remotely
- Ensure ASP.NET stack tracing is not enabled
- Ensure 'httpcookie' mode is configured for session state
- Ensure 'cookies' are set with HttpOnly attribute
- Ensure 'MachineKey validation method - .Net 3.5' is configured
- Ensure 'MachineKey validation method - .Net 4.5' is configured
- Ensure global .NET trust level is configured
- Ensure X-Powered-By Header is removed
- Ensure Server Header is removed
Request Filtering and other Restriction Modules
- Ensure 'maxAllowedContentLength' is configured
- Ensure 'maxURL request filter' is configured
- Ensure 'MaxQueryString request filter' is configured
- Ensure non-ASCII characters in URLs are not allowed
- Ensure Double-Encoded requests will be rejected
- Ensure 'HTTP Trace Method' is disabled
- Ensure Unlisted File Extensions are not allowed
- Ensure Handler is not granted Write and Script/Execute
- Ensure 'notListedIsapisAllowed' is set to false
- Ensure 'notListedCgisAllowed' is set to false
- Ensure 'Dynamic IP Address Restrictions' is enabled
IIS Logging Recommendations
- Ensure Default IIS web log location is moved
- Ensure Advanced IIS logging is enabled
- Ensure 'ETW Logging' is enabled
Transport Encryption
- Ensure HSTS Header is set
- Ensure SSLv2 is disabled
- Ensure SSLv3 is Disabled
- Ensure TLS 1.0 is Disabled
- Ensure TLS 1.1 is Disabled
- Ensure TLS 1.2 is Enabled
- Ensure NULL Cipher Suites are Disabled
- Ensure DES Cipher Suites are Disabled
- Ensure RC4 Cipher Suites are Disabled
- Ensure AES 128/128 Cipher Suite is Disabled
- Ensure AES 256/256 Cipher Suite is Enabled
- Ensure TLS Cipher Suite Ordering is Configured
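As an added example that is not part of the original checklist, the Transport Encryption items above applied on Windows Server through the SChannel registry keys that HTTP.sys/IIS honours. It assumes an elevated PowerShell session, the WebAdministration module and a site named 'Default Web Site' for the HSTS item, and a cipher suite list (the two AES-256 GCM suites shown are a placeholder) that you adjust to your own requirements.

```powershell
# Added example: apply the Transport Encryption checklist via SChannel registry settings.
# Assumes an elevated session; SChannel changes take effect only after a reboot.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey is used instead of New-Item because cipher key names contain '/'
    # (e.g. 'AES 128/128'), which the HKLM: PSDrive would treat as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Protocols: disable SSL 2.0/3.0 and TLS 1.0/1.1 for Server and Client; enable TLS 1.2.
# Both values matter: Enabled=0 blocks the protocol, DisabledByDefault=1 stops
# applications from opting back in to it.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        Set-SchannelValue "Protocols\$proto\$side" 'Enabled' 0
        Set-SchannelValue "Protocols\$proto\$side" 'DisabledByDefault' 1
    }
}
foreach ($side in 'Server', 'Client') {
    Set-SchannelValue "Protocols\TLS 1.2\$side" 'Enabled' 1
    Set-SchannelValue "Protocols\TLS 1.2\$side" 'DisabledByDefault' 0
}

# Ciphers: disable NULL, DES, every RC4 key length and AES 128/128; enable AES 256/256.
foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'AES 128/128') {
    Set-SchannelValue "Ciphers\$cipher" 'Enabled' 0
}
Set-SchannelValue 'Ciphers\AES 256/256' 'Enabled' -1   # -1 is stored as DWORD 0xffffffff

# Cipher suite ordering: the policy key's 'Functions' value is a comma-separated,
# priority-ordered list. The two suites below are a placeholder list to adjust.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
$suites = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
Set-ItemProperty -Path $policy -Name 'Functions' -Value $suites -Type String

# HSTS header on the site (assumed name 'Default Web Site'); browsers only honour it
# on HTTPS responses, so the site must already serve HTTPS.
Import-Module WebAdministration
Add-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000' }

Write-Host 'SChannel settings written; reboot the server for them to take effect.'
```

Before rebooting a production host, confirm that clients and any upstream load balancer or monitoring tooling can negotiate TLS 1.2 with the remaining suites, since TLS 1.0/1.1 and AES-128 are removed for client connections as well.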