Microsoft Internet Information Services is regarded as a robust product from Microsoft but its default installation and configuration are far from secure. After installing an IIS server on your Windows server, you should review its configuration very carefully. This is not a unique problem of IIS – nginx and Apache must also be hardened after installation.
In this article, we would like to offer you important tips for securing your IIS installations.
1. Move the Inetpub Folder to a Different Drive
The Inetpub folder is the default location for your web content, IIS logs, and so on. By default, IIS 7 and newer versions install the Inetpub folder in the system drive. It’s good practice to move the Inetpub folder to a different partition of the file system so that the web content is separate from the operating system.
This folder can be moved after IIS installation is completed. Thomas Deml, IIS Lead Program Manager provided this batch file to help with the move.
2. Install Appropriate IIS Modules
IIS includes more than 30 modules – you should only install the ones that are needed by your web applications. Disable any modules that are not required to reduce the potential attack surface. Periodically review the modules that are installed and enabled and remove any that are no longer required. You can use IIS Manager to list all the modules that are enabled.
- Open the IIS Manager
- Select the name of the machine to view the modules for the whole machine or change to the specific web site to view the modules enabled for the selected site
- Double click on Modules
- To disable a module, click on the module from the list and select Remove from the Actions pane
- Confirm the removal by pressing Yes
3. Disable the OPTIONS Method
The OPTIONS method provides a list of methods that are supported by the web server. Although this might seem beneficial, it also provides useful information to the attacker at the reconnaissance stage. Therefore, we recommend that you disable the OPTIONS method completely. This can be done by denying the OPTIONS verb in HTTP verb request filtering rules in IIS.
- Open the IIS Manager
- Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
- Double click on Request Filtering
- Change to the HTTP Verbs tab
- From the Actions pane, select Deny Verb
- Insert OPTIONS in the Verb field and click on OK to save changes
4. Enable Dynamic IP Address Restrictions
The Dynamic IP Restrictions module helps to block access to IP addresses that exceed a specified number of requests and thus helps prevent denial-of-service (DoS) attacks. This module will inspect the IP address of each request sent to the web server and will filter these requests in order to temporarily deny IP addresses that follow a particular attack pattern.
The Dynamic IP Restrictions module can be configured to block IP addresses after a number of concurrent requests or to block IP addresses that perform a number of requests over a period of time. Depending on your IIS version you will need to enable either the IP Security feature or the IP and Domain Restrictions as explained in this Microsoft article.
To set or modify dynamic IP restrictions:
- Open the IIS Manager
- Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
- Double click on IP Address and Domain Restrictions
- From the Actions pane, select Edit Dynamic Restriction Settings
- Modify and set the dynamic IP restriction settings as needed and click on OK to save changes
5. Enable and Configure Request Filtering Rules
It is also a good idea to restrict the types of HTTP requests that are processed by IIS. Setting up exclusions and rules can prevent potentially harmful requests from passing through to the server since IIS can block these requests on the basis of the request filtering rules defined.
For example, you can set a rule to filter traffic for SQL injection attempts. Whilst SQL Injection vulnerabilities should be fixed at source, filtering for SQL injection attacks is useful as initial mitigation. This can be set from the Rules tab found on the Request Filtering page in the IIS Manager.
- Open the IIS Manager
- Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
- Double click on Request Filtering
- Change to the Rules tab
- From the Actions pane, select Add Filtering Rule
- Set the required rules and click on OK to save changes
The rule set in the below screenshot would instruct IIS to check for the provided strings in requests for .asp and .aspx pages. IIS will then block the request if any of these strings are found.
You can also filter requests that contain elements like high-bit characters or double escape characters. This and other similar filtering options are explained in this Microsoft article.
6. Enable Logging
After you configure IIS logging, you will be able to log various information from HTTP requests received by the server. This will come in handy and can give a better understanding of issues that might have occurred on your website when things go wrong. It’s the place where you will start the troubleshooting process in such situations.
Server logs can also be continuously or periodically monitored in order to review server performance and provide optimizations if needed. This can be automated using various server monitoring tools. Make sure to keep a backup of the logs. Microsoft also provides the Log Parser, which is a tool that can be used to query and retrieve specific data from IIS logs. Additionally, log consolidation tools prove useful for consolidating and archiving data from logs in a more meaningful way.
IIS logging can be enabled and configured from the IIS Manager: select the machine name or the specific site that you want to configure and click on Logging. Since these log files might grow quite large, it would be a good idea to start a new file periodically.
7. Use the Security Configuration Wizard (SCW) and the Security Compliance Manager (SCM)
Both of these Microsoft tools can be used to test your IIS security. The Security Configuration Wizard (SCW) runs different checks and provides advice and recommendations on how to boost your server security. The Security Compliance Manager (SCM) tool performs security tests on your server and compares server configurations to predefined templates as per industry best practices and security guide recommendations.
8. Remember to Install IIS and Windows Updates
Finally, ensure that you keep up to date with the latest updates and security patches. The majority of hacks affecting the web server occur on unpatched servers. This just demonstrates how important it is to always keep your Microsoft Windows and your IIS web server up to date.
Get the latest content on web security
in your inbox each week.