This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Hardening IIS"
From OWASP
Bill Sempf (talk | contribs) m (Formatted the layout of the headers.) (Tag: Visual edit) |
Bill Sempf (talk | contribs) (Reformatted headers.) |
||
Line 1: | Line 1: | ||
= Draft - Work In Progress = | = Draft - Work In Progress = | ||
− | + | == Basic configuration == | |
− | + | === Disable directoryBrowsing === | |
− | + | === Avoid wildcard host headers === | |
− | + | === Ensure applicationPoolIdentity is configured for all application pools === | |
− | + | === Use an unique applicationPool per site === | |
− | + | === Disable IIS detailed error page from displaying remotely === | |
− | + | == Request filtering == | |
− | + | === Configure maxAllowedContentLength === | |
− | + | === Configure maxURL request filter === | |
− | + | === Configure MaxQueryString request filter === | |
− | + | === Reject non-ASCII characters in URLs === | |
− | + | === Reject double-encoded requests === | |
− | + | === Disable HTTP trace requests === | |
− | + | === Disallow unlisted file extensions === | |
− | + | === Enable Dynamic IP Address Restrictions === | |
− | + | == Transport Encryption == | |
− | + | === SSL/TLS settings are controlled at the SChannel level. They are set machine wide and IIS respects these values. === | |
− | + | === A list of recommendations for IIS === | |
− | + | ==== Disable SSL v2/v3 ==== | |
− | + | ==== Disable TLS 1.0 ==== | |
− | + | ==== Disable TLS 1.1 ==== | |
− | + | ==== Ensure TLS 1.2 is enabled ==== | |
− | + | ==== Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc) ==== | |
− | + | ==== Ensure TLS cipher suites are correctly ordered ==== | |
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/ | https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/ | ||
− | + | == HSTS support == | |
− | + | === IIS recently (Windows Server 1709) added turnkey support for HSTS === | |
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts | https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts | ||
− | + | == CORS support == | |
− | + | === If you choose not to handle CORS in your application, we ship an IIS an IIS module to help configure CORS === | |
https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module | https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module | ||
Revision as of 21:52, 16 August 2018
- 1 Draft - Work In Progress
- 1.1 Basic configuration
- 1.2 Request filtering
- 1.2.1 Configure maxAllowedContentLength
- 1.2.2 Configure maxURL request filter
- 1.2.3 Configure MaxQueryString request filter
- 1.2.4 Reject non-ASCII characters in URLs
- 1.2.5 Reject double-encoded requests
- 1.2.6 Disable HTTP trace requests
- 1.2.7 Disallow unlisted file extensions
- 1.2.8 Enable Dynamic IP Address Restrictions
- 1.3 Transport Encryption
- 1.4 HSTS support
- 1.5 CORS support
- 1.6 Authors
Draft - Work In Progress
Basic configuration
Disable directoryBrowsing
Avoid wildcard host headers
Ensure applicationPoolIdentity is configured for all application pools
Use an unique applicationPool per site
Disable IIS detailed error page from displaying remotely
Request filtering
Configure maxAllowedContentLength
Configure maxURL request filter
Configure MaxQueryString request filter
Reject non-ASCII characters in URLs
Reject double-encoded requests
Disable HTTP trace requests
Disallow unlisted file extensions
Enable Dynamic IP Address Restrictions
Transport Encryption
SSL/TLS settings are controlled at the SChannel level. They are set machine wide and IIS respects these values.
A list of recommendations for IIS
Disable SSL v2/v3
Disable TLS 1.0
Disable TLS 1.1
Ensure TLS 1.2 is enabled
Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc)
Ensure TLS cipher suites are correctly ordered
HSTS support
IIS recently (Windows Server 1709) added turnkey support for HSTS
CORS support
If you choose not to handle CORS in your application, we ship an IIS an IIS module to help configure CORS
https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
Authors
Sourabh Shirhatti (Microsoft)
Bill Sempf ([email protected])