If you’re working with IIS 8 then you know that preventing configuration drift is as important as it is time consuming. In the best case scenario you’re monitoring configs daily to keep development, testing, and deployment running smoothly. In the worst case—well, all-nighters make good war stories but aren’t much fun.
To help, we've prepared an automated test of forty-three must-have settings for IIS servers. It's free and takes less than a minute to run. (Yes, it is faster to use UpGuard than to finish reading this article.) If you want to learn more about how to run this scan, you can read or watch the video in our documentation section.
Here are the top five critical configuration problems we see on IIS servers:
1. IIS should be moved from its default location.
IIS should be moved from its default location, preferably oﬀ the system drive to prevent system collapse due to the application exhausting disk capacity.
2. Web applications should not be stored on the system drive.
Isolating web content from system ﬁles reduces the probability of file IO vulnerability in the web site/application from aﬀecting the conﬁdentiality and/or integrity of system files.
3. Application pools should run as application pool identity.
Conﬁguring the anonymous user identity to use the application pool identity will help ensure site isolation.
4. SSL 3.0 security should be enabled.
SSL-based services should not offer the possibility to utilize weak encryption protocols or ciphers. Weak encryption protocols SSL 2.0 and PCT 1.0 should be disabled and SSL 3.0 and TLS 1.x should be enabled.
5. Directory browsing should be disabled.
Directory browsing allows the contents of a directory to be displayed upon request from a web client. You don't want that.
Along with the five critical tests listed above, UpGuard's IIS checklist includes forty-three more for an all-points inspection. Try it now to see how your configurations measure up to our Gold Standard checklist of best practices.