nomadbites.blogg.se

Windows IIS web server Windows 10

IIS, the web server that's available as a role in Windows Server, is also one of the most used web server platforms on the internet. Hardening IIS involves applying certain configuration steps above and beyond the default settings. The default settings on IIS provide a mix of functionality and security. As with any hardening operation, the harder you make a configuration, the more you reduce functionality and compatibility.

The two important third-party guides for hardening IIS are the OWASP guide and the Center for Internet Security guide, the Center for Internet Security IIS 10 Benchmark. The CIS IIS 10 benchmark is more fleshed out at the time of writing and is an approximately 140 page PDF with 55 separate security recommendations. The OWASP guide is shorter and provides approximately 23 separate security recommendations.

Table 1.1 provides a high-level list of the CIS IIS 10 benchmarks. For more detail on how to implement and check each security control, download the CIS IIS 10 benchmark file from the above website.

Table 1.1: High Level Center for Internet Security IIS 10 Security Controls

| Control | Recommendation |
|---|---|
| 1.1 | Ensure web content is on non-system partition |
| 1.2 | Ensure 'host headers' are on all sites |
| 1.3 | Ensure 'directory browsing' is set to disabled |
| 1.4 | Ensure 'Application pool identity' is configured for all application pools |
| 1.5 | Ensure 'unique application pools' is set for sites |
| 1.6 | Ensure 'application pool identity' is configured for anonymous user identity |
| 2 | Configure Authentication and Authorization |
| 2.1 | Ensure 'global authorization rule' is set to restrict access |
| 2.2 | Ensure access to sensitive site features is restricted to authenticated principals only |
| 2.3 | Ensure 'forms authentication' requires SSL |
| 2.4 | Ensure 'forms authentication' is set to use cookies |
| 2.5 | Ensure 'cookie protection mode' is configured for forms authentication |
| 2.6 | Ensure transport layer security for 'basic authentication' is configured |
| 2.7 | Ensure 'passwordFormat' is not set to clear |
| 2.8 | Ensure 'credentials' are not stored in configuration files |
| 3.1 | Ensure 'deployment method retail' is set |
| 3.3 | Ensure custom error messages are not off |
| 3.4 | Ensure IIS HTTP detailed errors are hidden from displaying remotely |
| 3.5 | Ensure ASP.NET stack tracing is not enabled |
| 3.6 | Ensure 'httpcookie' mode is configured for session state |
| 3.7 | Ensure 'cookies' are set with HttpOnly attribute |
| 3.8 | |
| | Request Filtering and other Restriction Modules |
| 4.1 | Ensure 'maxAllowedContentLength' is configured |
| 4.2 | Ensure 'maxURL request filter' is configured |
| 4.3 | Ensure 'MaxQueryString request filter' is configured |
| 4.4 | Ensure non-ASCII characters in URLs are not allowed |
| 4.5 | Ensure Double-Encoded requests will be rejected |
| 4.6 | Ensure 'HTTP Trace Method' is disabled |
| 4.7 | Ensure Unlisted File Extensions are not allowed |
| 4.8 | Ensure Handler is not granted Write and Script/Execute |
| 4.9 | Ensure 'notListedIsapisAllowed' is set to false |
| 4.10 | Ensure 'notListedCgisAllowed' is set to false |
| 4.11 | Ensure 'Dynamic IP Address Restrictions' is enabled |
| 5.1 | Ensure Default IIS web log location is moved |
| 5.2 | Ensure Advanced IIS logging is enabled |
| 6.2 | Ensure FTP Logon attempt restrictions is enabled |
| 7.7 | Ensure NULL Cipher Suites is Disabled |
| 7.8 | |
| | Ensure RC4 Cipher Suites is Disabled |
| 7.10 | Ensure AES 128/128 Cipher Suite is Disabled |
| 7.11 | Ensure AES 256/256 Cipher Suite is Enabled |
| 7.12 | Ensure TLS Cipher Suite Ordering is Configured |
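Several of the controls listed in Table 1.1 (1.3, 4.4 to 4.7, 4.9 and 4.10) correspond to attributes in IIS's `applicationHost.config`, so they can be checked offline against a copy of that file. The Python audit below is an added example, not code from the CIS benchmark or the original article; the sample configuration is constructed, and treating a value left unset inside a `<location>` block as inherited and compliant is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# (control as numbered in Table 1.1, element, attribute, compliant value, IIS schema default)
CHECKS = [
    ("1.3 directory browsing disabled", "directoryBrowse", "enabled", "false", "false"),
    ("4.4 non-ASCII characters in URLs not allowed", "requestFiltering", "allowHighBitCharacters", "false", "true"),
    ("4.5 double-encoded requests rejected", "requestFiltering", "allowDoubleEscaping", "false", "false"),
    ("4.7 unlisted file extensions not allowed", "fileExtensions", "allowUnlisted", "false", "true"),
    ("4.9 notListedIsapisAllowed is false", "isapiCgiRestriction", "notListedIsapisAllowed", "false", "false"),
    ("4.10 notListedCgisAllowed is false", "isapiCgiRestriction", "notListedCgisAllowed", "false", "false"),
]

def audit(config_xml):
    """Return sorted (scope, control) failures; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    # Server-wide settings sit under <configuration>, per-site overrides under <location>.
    scopes = [("server", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = set()
    for scope, node in scopes:
        web = node.find("system.webServer")
        if web is None:
            web = ET.Element("system.webServer")  # nothing set in this scope
        for control, tag, attr, good, default in CHECKS:
            elem = web.find(f".//{tag}")
            value = elem.get(attr) if elem is not None else None
            if value is None:
                # Unset: schema default at server level; inherited (assumed compliant) in <location>.
                value = default if scope == "server" else good
            if value.lower() != good:
                findings.add((scope, control))
        # TRACE is only blocked when the server-level verb list denies it explicitly.
        verbs = web.findall(".//requestFiltering/verbs/add")
        denied = any(v.get("verb", "").upper() == "TRACE" and v.get("allowed") == "false" for v in verbs)
        if scope == "server" and not denied:
            findings.add((scope, "4.6 HTTP Trace Method disabled"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real server.
SAMPLE = """<configuration><system.webServer>
  <directoryBrowse enabled="false" />
  <security>
    <isapiCgiRestriction notListedIsapisAllowed="false" notListedCgisAllowed="true" />
    <requestFiltering allowDoubleEscaping="false">
      <fileExtensions allowUnlisted="false" /><verbs><add verb="TRACE" allowed="false" /></verbs>
    </requestFiltering>
  </security></system.webServer>
  <location path="Default Web Site/files">
    <system.webServer><directoryBrowse enabled="true" /></system.webServer>
  </location></configuration>"""
```

Calling `audit(SAMPLE)` reports the per-site directory browsing override, the unset `allowHighBitCharacters` (which defaults to allowing non-ASCII characters), and the permissive CGI restriction.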










