Securing IIS

Configuration changes that can be made to increase the security of IIS.

Default Web Site

Default Document

Disable the default document.

IIS Manager → server → Sites → Default Web Site

  1. Default Document

  2. Actions → Disable

Header Changes

Remove the X-Powered-By header and add a Content Security Policy (CSP) header.

IIS Manager → server → Sites → Default Web Site

  1. HTTP Response Headers

  2. Select the X-Powered-By header

  3. Click Remove

  4. Yes

  5. Add…

  6. Name: Content-Security-Policy

  7. Value: default-src 'self'; script-src 'none'; frame-ancestors 'none'; form-action 'none';

  8. OK

Configuration

Prevent the “Server” header from being included in responses.

IIS Manager → server → Sites → Default Web Site

  1. Configuration Editor

  2. Section: system.webServer/security/requestFiltering

  3. removeServerHeader: True

  4. Apply

Microsoft IIS Tilde Character Short File/Folder Name Disclosure

Test

Check the setting for the volume on which IIS and/or the web applications are installed.

From a command prompt with administrative privileges, run the following (change “C:” to the drive letter you want to test):

fsutil 8dot3name query C:

You should see output like the following:

The volume state is: 1 (8dot3 name creation is disabled).
The registry state is: 2 (Per volume setting - the default).
Based on the above settings, 8dot3 name creation is disabled on C:

If it is not disabled, do the following.

Configure

From a command prompt with administrative privileges, run:

fsutil behavior set disable8dot3 1

Note that this change will only affect new files. To remove existing 8.3 names, you can use:

fsutil 8dot3name strip /l C:
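The same changes as a script, added here as an example rather than taken from the page above, using the WebAdministration module that ships with IIS. It assumes the site is "Default Web Site", the IIS volume is C:, and the shell is elevated; the site name, CSP value and volume are variables at the top.

```powershell
# Added example, not from the original page: the IIS Manager steps above as a
# script using the WebAdministration module that ships with IIS.
# Assumptions: site "Default Web Site", IIS volume C:, elevated PowerShell.
# removeServerHeader is only honoured by IIS 10 build 1709 or later.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$SitePath = "IIS:\Sites\$SiteName"
$Csp      = "default-src 'self'; script-src 'none'; frame-ancestors 'none'; form-action 'none';"
$Volume   = 'C:'

# Default Document -> Disable
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/defaultDocument' `
    -Name 'enabled' -Value $false

# HTTP Response Headers -> X-Powered-By -> Remove. The header is inherited from
# applicationHost.config, so this writes a <remove> element into the site's web.config.
Remove-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' }

# HTTP Response Headers -> Add... Content-Security-Policy (skipped if it already exists)
$CspFilter = "system.webServer/httpProtocol/customHeaders/add[@name='Content-Security-Policy']"
if (-not (Get-WebConfiguration -PSPath $SitePath -Filter $CspFilter)) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/httpProtocol/customHeaders' `
        -Name '.' -Value @{ name = 'Content-Security-Policy'; value = $Csp }
}

# Configuration Editor -> system.webServer/security/requestFiltering -> removeServerHeader: True
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# Tilde short-name disclosure: test the volume first and only change the setting if
# 8.3 names are still being created. "disable8dot3 1" is a system-wide setting (all
# volumes); stripping names already on disk (fsutil 8dot3name strip) is a separate,
# one-way step and is left to the operator.
$Query = fsutil 8dot3name query $Volume
if (-not ($Query | Select-String -SimpleMatch -Quiet "8dot3 name creation is disabled on $Volume")) {
    fsutil behavior set disable8dot3 1
}

# Read the effective configuration back so the result can be checked in one place
[pscustomobject]@{
    DefaultDocumentEnabled = (Get-WebConfiguration -PSPath $SitePath -Filter 'system.webServer/defaultDocument').enabled
    XPoweredByPresent      = [bool](Get-WebConfiguration -PSPath $SitePath -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']")
    ContentSecurityPolicy  = (Get-WebConfiguration -PSPath $SitePath -Filter $CspFilter).value
    RemoveServerHeader     = (Get-WebConfiguration -PSPath $SitePath -Filter 'system.webServer/security/requestFiltering').removeServerHeader
    ShortNamesDisabled     = [bool]($Query | Select-String -SimpleMatch -Quiet 'creation is disabled')
}
```

The object printed at the end is the check: XPoweredByPresent should be False, RemoveServerHeader True, and ShortNamesDisabled True once the volume has been reconfigured.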


© 2023 Foray, LLC - All Rights Reserved