Securing IIS
Configuration changes that can be made to increase the security of IIS.
Default Web Site
Header Changes
Remove the X-Powered-By header and add a Content-Security-Policy (CSP) header.
IIS Manager → server → Sites → Default Web Site
HTTP Response Headers
Select the X-Powered-By header, click Remove, then Yes.
Add…
Name:
Content-Security-Policy
Value:
default-src 'self'; script-src 'none'; frame-ancestors 'none'; form-action 'none';
OK
Configuration
Prevent the "Server" header from being included in responses.
IIS Manager → server → Sites → Default Web Site
Configuration Editor
Section:
system.webServer/security/requestFiltering
removeServerHeader: True
Apply
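The three changes above (remove X-Powered-By, add the CSP header, set removeServerHeader) can be applied and checked from an elevated Windows PowerShell session instead of clicking through IIS Manager. The script below is an added example, not part of the original page; it assumes the WebAdministration module that ships with the IIS management tools, that the site is still named "Default Web Site", and that http://localhost/ returns a page for the verification request at the end.

```powershell
# Added example: apply the header hardening above to the Default Web Site and verify it.
# Assumes an elevated Windows PowerShell session with the IIS management tools installed.
Import-Module WebAdministration

$siteName = 'Default Web Site'                      # site name from the page; change as needed
$sitePath = "IIS:\Sites\$siteName"
$headers  = 'system.webServer/httpProtocol/customHeaders'
$csp      = "default-src 'self'; script-src 'none'; frame-ancestors 'none'; form-action 'none';"

# 1. Remove X-Powered-By at the site level. The header is defined in applicationHost.config,
#    so this writes a <remove name="X-Powered-By" /> element into the site's web.config.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter $headers -Name '.' `
    -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# 2. Add Content-Security-Policy. Any existing entry is removed first so the script can be
#    re-run without creating a duplicate <add> element.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter $headers -Name '.' `
    -AtElement @{ name = 'Content-Security-Policy' } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $sitePath -Filter $headers -Name '.' `
    -Value @{ name = 'Content-Security-Policy'; value = $csp }

# 3. Suppress the Server header. The removeServerHeader attribute exists only on
#    IIS 10 version 1709 and later; on older versions this call fails.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# 4. Verify with a local request: X-Powered-By and Server must be absent, CSP must match.
$response = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing -ErrorAction Stop
$problems = @()
if ($response.Headers.ContainsKey('X-Powered-By'))          { $problems += 'X-Powered-By is still sent' }
if ($response.Headers.ContainsKey('Server'))                { $problems += 'Server is still sent' }
if ($response.Headers['Content-Security-Policy'] -ne $csp)  { $problems += 'Content-Security-Policy missing or different' }

if ($problems) { Write-Warning ($problems -join '; ') }
else           { Write-Host 'Header hardening verified on' $siteName }
```

The verification step is the part worth keeping around: run it after any IIS update or configuration import, since a web.config replaced by a deployment silently reintroduces the headers.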
Microsoft IIS Tilde Character Short File/Folder Name Disclosure
Primarily for OS/IIS versions prior to Windows Server 2012 R2/IIS 8.5, when the default setting for short file name creation changed to disabled. You can skip this unless your OS/IIS version is earlier or a scanning tool has reported an issue.
Test
Check the setting for the volume on which IIS and/or the web applications are installed.
From a command prompt with administrative privileges; change "C:" to the drive letter you want to test.
fsutil 8dot3name query C:
You should see output like the following:
The volume state is: 1 (8dot3 name creation is disabled).
The registry state is: 2 (Per volume setting - the default).
Based on the above settings, 8dot3 name creation is disabled on C:
If not, do the following.
Configure
From a command prompt with administrative privileges.
fsutil behavior set disable8dot3 1
Note that this change will only affect new files. To remove existing 8.3 names, you can use:
fsutil 8dot3name strip /l C:
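Checking one drive by hand is fine, but IIS content often lives on a second volume, so an audit that parses the same fsutil output shown above for every fixed volume is more reliable. The script below is an added example, not part of the original page; it assumes an elevated Windows PowerShell session and the built-in fsutil.exe, and applies only the `fsutil behavior set disable8dot3 1` change from the page when run with `-Fix`. Stripping existing short names is left to the separate `fsutil 8dot3name strip` command above, because it rewrites existing files and deserves its own review.

```powershell
# Added example: audit 8.3 short-name creation on every fixed volume and optionally disable it.
# Assumes an elevated Windows PowerShell session; fsutil.exe is part of Windows.
function Get-ShortNameState {
    param([Parameter(Mandatory)][string]$Drive)    # e.g. 'C:'
    $output = & fsutil.exe 8dot3name query $Drive 2>&1
    foreach ($line in $output) {
        # Matches the page's output: "The volume state is: 1 (8dot3 name creation is disabled)."
        if ($line -match 'The volume state is:\s*(\d)') {
            return [pscustomobject]@{
                Drive    = $Drive
                State    = [int]$Matches[1]
                Disabled = ([int]$Matches[1] -eq 1)
            }
        }
    }
    # Non-NTFS volumes, empty optical drives etc. produce no volume state line; skip them.
    Write-Warning "No 8dot3 volume state reported for $Drive ($($output -join ' '))"
}

function Test-ShortNameCreation {
    param([switch]$Fix)

    # Global setting: 0 = enabled, 1 = disabled, 2 = per volume (default), 3 = disabled except system volume.
    $registry = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem').NtfsDisable8dot3NameCreation
    Write-Host "Registry NtfsDisable8dot3NameCreation = $registry"

    # Local drive letters only; mapped network drives carry a DisplayRoot and are excluded.
    $drives  = Get-PSDrive -PSProvider FileSystem |
               Where-Object { $_.Root -match '^[A-Z]:\\$' -and -not $_.DisplayRoot }
    $results = foreach ($d in $drives) { Get-ShortNameState -Drive ($d.Name + ':') }
    $results | Format-Table -AutoSize | Out-String | Write-Host

    $stillEnabled = @($results | Where-Object { -not $_.Disabled })
    if ($stillEnabled.Count -eq 0) {
        Write-Host 'Short (8.3) name creation is disabled on all local volumes.'
        return
    }

    if ($Fix) {
        # Same command as the page. Only newly created files are affected; existing short
        # names remain until removed with "fsutil 8dot3name strip".
        & fsutil.exe behavior set disable8dot3 1
        Write-Host 'disable8dot3 set to 1. Existing short names are unchanged; re-run to confirm.'
    } else {
        Write-Warning ('Short-name creation still enabled on: ' + ($stillEnabled.Drive -join ', ') +
                       '. Re-run with -Fix to disable it.')
    }
}

Test-ShortNameCreation          # audit only
# Test-ShortNameCreation -Fix   # audit, then disable creation globally
```

Run the audit first without `-Fix` and keep its output with the change record; the registry value tells you whether a reported "enabled" state comes from the global default (2) or from someone having explicitly turned creation back on (0).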
© 2023 Foray, LLC - All Rights Reserved