Article Goal: IIS Server Security / Configuration Hardening Example
Every organization's security posture and requirements are different, and often vary significantly from one organization to the next. We provide this article as an example of what we do internally at BridgeWorks to secure our environments according to our own security policies. BridgeWorks does not provide support or assistance with securing your IIS environment. Restrictions on protocols, ciphers/cipher suites, hashes and key exchanges, at both the IIS and the operating system level, as well as firewall configuration, should be implemented. Please consult with your security and compliance team to ensure your environment is compliant with your organization's policies.
What are IIS Best Practices?
Let's start with, "what is IIS?" Simply put, IIS is a Microsoft hosting platform for web-based applications. The more difficult question is, "what are IIS best practices?" You'll find hundreds of articles online, including on Microsoft's websites, referencing IIS best practices, and in almost every article you'll see that there isn't one universal best practice. Below you'll find some of the scripts, tools and sites that we leverage at BridgeWorks. Please consult with your security and compliance team for your own best practices.
IIS Hardening Scripts
The script below was created by Alexander Hass, and more information is available here: Setup Microsoft Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2 | Hass - IT Consulting
"This PowerShell script sets up your Windows computer to support the TLS 1.1 and TLS 1.2 protocols with forward secrecy. Additionally, it increases the security of your SSL connections by disabling insecure SSL2 and SSL3 and all insecure and weak ciphers that a browser may fall back to. This script implements the current best practice rules. It was originally written for Microsoft Internet Information Server 7.5/8.0/8.5/10 (IIS) on Windows 2008R2/2012/2012R2/2016/2019..." ~ Alex Hass
- Launch PowerShell as administrator on the IIS server.
- Download IISHardening_RunInPowerShell.txt and open the file using a text editor.
- Copy and paste the script from the text editor into the PowerShell window.
- Reboot the server.
HTTPS/TLS and Certificates
It is strongly recommended that your IIS environment has a valid certificate from a trusted Certificate Authority (CA), and that the certificate is bound to your site.
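The following script is an added example, not BridgeWorks' own tooling and not part of the original article. It walks every HTTPS binding on the local IIS server, loads the bound certificate from the machine store, and flags the conditions that make a certificate "not valid" in practice: expired or about to expire, a chain that does not terminate at a trusted CA, a missing Server Authentication usage, a SAN that does not cover the binding's host header, or a SHA-1/MD5 signature. It assumes the WebAdministration module that ships with IIS and an elevated PowerShell session on the IIS host; the 30-day renewal threshold is an assumed value.

```powershell
# Added example (not from the article): audit the certificate on each HTTPS binding.
# Assumes the WebAdministration module (installed with IIS) and an elevated session.
Import-Module WebAdministration

function Test-IISSiteCertificate {
    param(
        # Remaining validity (days) below which a certificate is flagged for renewal (assumed value)
        [int]$MinDaysRemaining = 30
    )

    # Collect the HTTPS bindings of every site on this server.
    $bindings = Get-Website | ForEach-Object { Get-WebBinding -Name $_.Name -Protocol https }

    foreach ($binding in $bindings) {
        # bindingInformation looks like "*:443:www.example.com"; the host header is the last field
        # and is empty for bindings that are IP-only.
        $hostHeader = ($binding.bindingInformation -split ':')[-1]
        $storePath  = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
        $cert = Get-Item -Path $storePath -ErrorAction SilentlyContinue

        if (-not $cert) {
            [pscustomobject]@{
                Binding = $binding.bindingInformation; Subject = ''; Expires = ''
                Status  = 'FAIL'; Detail = "no certificate found at $storePath"
            }
            continue
        }

        $issues = @()

        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt 0) { $issues += 'expired' }
        elseif ($daysLeft -lt $MinDaysRemaining) { $issues += "expires in $daysLeft days" }

        # Verify() builds and validates the chain against the machine's trusted roots, so a
        # self-signed certificate or one from an untrusted CA fails here.
        if (-not $cert.Verify()) { $issues += 'chain does not end at a trusted CA' }

        # A web server certificate needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
            $issues += 'missing Server Authentication EKU'
        }

        # The host header must be covered by a SAN entry. PowerShell exposes SANs as DnsNameList;
        # -like lets a wildcard SAN such as *.example.com match (leniently, any depth of subdomain).
        if ($hostHeader) {
            $covered = $cert.DnsNameList.Unicode | Where-Object { $hostHeader -like $_ }
            if (-not $covered) { $issues += "SAN does not cover $hostHeader" }
        }

        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
            $issues += "weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
        }

        [pscustomobject]@{
            Binding = $binding.bindingInformation
            Subject = $cert.Subject
            Expires = $cert.NotAfter
            Status  = if ($issues) { 'FAIL' } else { 'OK' }
            Detail  = ($issues -join '; ')
        }
    }
}

Test-IISSiteCertificate | Format-Table -AutoSize
```

Any row with Status FAIL is a binding that an external scanner (such as the SSL Labs check recommended later in this article) would also mark down; running this before the external scan catches the common causes without exposing anything outside the server.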
Protocols, Ciphers, Hashes and Key Exchanges
It is strongly recommended that you verify your operating system's protocols, ciphers, hashes and key exchanges meet your organization's policies. There are a number of ways to configure this in your Windows environment, and we recommend talking to your security and compliance team for guidance.
A free tool from Nartac is available that simplifies the configuration process. While it offers a "Best Practices" button that automatically adjusts the operating system's configuration, we find that option not quite good enough. The screenshot below shows the Schannel and cipher suite configuration used on our public IIS servers:
It is strongly recommended that you perform an independent scan against your environment using a service such as SSLLabs. The goal is the highest possible score while still meeting your organization's security and compliance policies.
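The following script is an added example that serves both the hardening-script procedure above and this section on protocols and cipher suites. It is not the Hass script and not BridgeWorks' configuration; it shows the mechanism such scripts use (the Schannel protocol keys and the .NET SchUseStrongCrypto value in the registry, plus the TLS cipher suite cmdlets) together with a report of the effective state, so that you can compare the server against your own policy before and after a change. The protocol table and the weak-suite pattern are assumptions for illustration; Get-TlsCipherSuite and Disable-TlsCipherSuite exist on Windows Server 2016 and later. Run in an elevated PowerShell; Schannel reads these keys at boot, so reboot after applying.

```powershell
# Added example (not the Hass script, not BridgeWorks' configuration): apply a Schannel
# protocol policy through the registry and report protocol state and weak cipher suites.
# Default is report-only; pass -Apply to write the registry. Reboot afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state per protocol (assumed example policy, adjust to your own).
$ProtocolPolicy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

# Cipher suite name fragments that no current policy should still allow (assumed pattern).
$WeakSuitePattern = 'NULL|RC4|3DES|DES_|MD5|EXPORT'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 together with DisabledByDefault=1 turns a protocol off;
        # Enabled=1 with DisabledByDefault=0 turns it on explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

function Set-DotNetStrongCrypto {
    # .NET Framework applications hosted in IIS only follow the OS protocol list when
    # SchUseStrongCrypto is set; both the 64-bit and the 32-bit (Wow6432Node) hives matter.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Report the server-side registry state of each protocol in the policy table.
    foreach ($name in $ProtocolPolicy.Keys) {
        $key   = Join-Path $SchannelProtocols "$name\Server"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # No value means Schannel falls back to the OS default for that Windows version.
        $enabled = if ($null -ne $props.Enabled) { [bool]$props.Enabled } else { 'OS default' }
        [pscustomobject]@{
            Protocol  = $name
            Enabled   = $enabled
            Wanted    = $ProtocolPolicy[$name]
            Compliant = ($enabled -is [bool]) -and ($enabled -eq $ProtocolPolicy[$name])
        }
    }
}

function Get-WeakCipherSuite {
    # Suites still negotiable by Schannel whose name matches the weak pattern.
    Get-TlsCipherSuite | Where-Object { $_.Name -match $WeakSuitePattern } | Select-Object Name, Cipher, Hash
}

function Invoke-SchannelHardening {
    param([switch]$Apply)   # without -Apply nothing is changed
    if ($Apply) {
        foreach ($entry in $ProtocolPolicy.GetEnumerator()) {
            Set-SchannelProtocol -Name $entry.Key -Enabled $entry.Value
        }
        Set-DotNetStrongCrypto
        # Remove the weak suites from the negotiable list.
        Get-WeakCipherSuite | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
    }
    Get-SchannelProtocolState | Format-Table -AutoSize
    Get-WeakCipherSuite | Format-Table -AutoSize
}

Invoke-SchannelHardening          # report only; use "Invoke-SchannelHardening -Apply" to change the registry
```

The report-only default is deliberate: run it first to record the current state, apply, reboot, run it again, and only then submit the server to the external scan. Whatever GUI tool or script you use to make the change, these are the registry values it ends up writing, so the report is a useful independent check of the result.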
Firewall
It is strongly recommended that your firewall restricts traffic to your IIS environment to the minimum required. This includes restricting traffic to the IIS website's IP address and port binding, as well as to a set of whitelisted IP addresses or domains that are permitted to access your site. There are hundreds of firewalls on the market, and each has different capabilities and configuration methods. Please check with your firewall administrator for additional information.
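The following script is an added example, not BridgeWorks' firewall configuration and not part of the original article. It applies the restriction described above on the Windows host firewall of the IIS server (the network firewall in front of it would carry the same rule in its own syntax): inbound HTTPS is allowed only to the bound address and port and only from a list of permitted client addresses, the default inbound action is set to block, and a review function lists every other enabled allow rule that still exposes the web ports (such as the broad rules the IIS installer adds). The site address, port and client list are constructed placeholders from the documentation ranges; the NetSecurity module is built into Windows Server 2012 and later, and the script must run elevated.

```powershell
# Added example (not from the article): host-firewall allowlist for an IIS HTTPS binding.
# All addresses below are constructed placeholders; replace them with your own values.

$SiteAddress    = '192.0.2.10'                            # IP the HTTPS binding listens on (placeholder)
$SitePort       = 443
$AllowedClients = @('198.51.100.0/24', '203.0.113.25')    # permitted client ranges/hosts (placeholders)
$RuleGroup      = 'IIS Hardening Example'                 # groups our rules so they can be replaced as a set

function Set-IISInboundAllowlist {
    # Idempotent: remove any earlier rules from this group, then recreate them.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Allow HTTPS only to the bound address/port and only from the allowlist.
    New-NetFirewallRule -DisplayName 'IIS HTTPS from allowlisted clients' -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalAddress $SiteAddress -LocalPort $SitePort `
        -RemoteAddress $AllowedClients -Profile Any | Out-Null

    # Anything not matched by an allow rule must be dropped. Windows Firewall evaluates
    # block rules before allow rules, so the restriction is done with the default action
    # rather than with an explicit block rule that would also defeat our allow rule.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

function Get-IISInboundExposure {
    param([int[]]$Ports = @(80, 443))
    # Every enabled inbound allow rule whose port filter covers a web port or "Any" port.
    # Exact ports only: a port range appears in the Ports column and needs a manual look.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $localPorts = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $matched    = $Ports | Where-Object { $localPorts -contains "$_" }
        if (($localPorts -contains 'Any') -or $matched) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Group  = $rule.Group
                Ports  = ($localPorts -join ',')
                Remote = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

Set-IISInboundAllowlist
# Review what else still reaches the web ports; rules outside our group with Remote = Any
# are candidates for Disable-NetFirewallRule after checking what depends on them.
Get-IISInboundExposure | Format-Table -AutoSize
```

Rules reported by Get-IISInboundExposure with Remote = Any and a group other than ours widen the exposure again regardless of the allow rule created here, which is why the review step follows the apply step rather than being skipped.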