Five IIS 8 Settings You Need to Check Today

Posted by Jon Hendren


If you’re working with IIS 8 then you know that preventing configuration drift is as important as it is time consuming. In the best case scenario you’re monitoring configs daily to keep development, testing, and deployment running smoothly. In the worst case—well, all-nighters make good war stories but aren’t much fun.

To help, we've prepared an automated test of forty-three must-have settings for IIS servers. It's free and takes less than a minute to run. (Yes, it is faster to use UpGuard than to finish reading this article.) If you want to learn more about how to run this scan, you can read or watch the video in our documentation section.

Let's do this 

Here are the top five critical configuration problems we see on IIS servers:

1. IIS should be moved from its default location.

IIS should be moved from its default location, preferably off the system drive to prevent system collapse due to the application exhausting disk capacity.

2. Web applications should not be stored on the system drive.

Isolating web content from system files reduces the probability of file IO vulnerability in the web site/application from affecting the confidentiality and/or integrity of system files.

3. Application pools should run as application pool identity.

Configuring the anonymous user identity to use the application pool identity will help ensure site isolation.

4. SSL 3.0 security should be enabled.

SSL-based services should not offer the possibility to utilize weak encryption protocols or ciphers. Weak encryption protocols SSL 2.0 and PCT 1.0 should be disabled and SSL 3.0 and TLS 1.x should be enabled. 

5. Directory browsing should be disabled.

Directory browsing allows the contents of a directory to be displayed upon request from a web client. You don't want that.

Along with the five critical tests listed above, UpGuard's IIS checklist includes forty-three more for an all-points inspection. Try it now to see how your configurations measure up to our Gold Standard checklist of best practices.

  I think my configs are fine...but I want to be sure.

See your website's flaws and vulnerabilities

Topics: configuration testing, IIS

UpGuard Customers