Updated on May 1, 2017 by Jon Hendren
IIS should be moved from its default location, preferably off the system drive, to prevent system collapse due to the application exhausting disk capacity.
With UpGuard, you can track file location and other information easily, and only for the files you care about. For example, we can track the web.config file in the web root to determine if it's on the E: drive, like we expect, or if the default C: drive configuration was left on it. Here we can see an example of it still being on the system disk, causing our policy to fail:
Isolating web content from system files reduces the probability of a file I/O vulnerability in the website or application affecting the confidentiality and/or integrity of system files.
UpGuard can also monitor your web content files and check that they are in the right location, with the right permissions. This helps prevent resource contention and also improves security for web applications. Here we can see that our Contoso test application is living on C, the system disk:
Configuring the anonymous user identity to use the application pool identity will help ensure site isolation. Failing to do this can greatly extend the damage if a web app is compromised, and it violates the principle of least privilege, which you should be following in all cases.
UpGuard tracks IIS configurations and how services are authenticating to minimize the risk your web servers face on the internet. Tracking and standardizing IIS configs with UpGuard makes your environment more reliable and your web applications more resilient.
SSL-based services should not offer the possibility to utilize weak encryption protocols or ciphers. Weak encryption protocols SSL 2.0 and PCT 1.0 should be disabled, as well as the POODLE-sensitive SSL 3.0. TLS 1.0 and 1.2 have no discovered flaws, but only 1.2 supports modern encryption ciphers. Therefore, all websites should be encrypted using the TLS 1.2 protocol with strong, 2048-bit cipher suites and other SSL best practices.
UpGuard monitors your IIS servers from the inside, as we've seen, and from the outside. An external view of a website in UpGuard will analyze and track encryption details, and policies can be created to ensure all websites follow best practices and are using secure protocols.
Directory browsing allows the contents of a directory to be displayed upon request from a web client. You don't want that. This seems simple, but many production websites accidentally leave this on from a bad default config, or accidentally turn it on without realizing the implications.
UpGuard can tell you which of your IIS servers have directory browsing disabled in seconds, and should any of them be enabled at a later date, you'll know right away, because UpGuard will notify you of the unauthorized change.
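As an added example (not from the original article and not UpGuard's own code), the content location, anonymous identity and directory browsing checks described above can be run offline against a copy of IIS's applicationHost.config. The sample configuration is constructed, the function names are hypothetical, and the sketch reads server-level settings only: it assumes there are no per-site overrides in `<location>` elements or in individual web.config files. The protocol settings are not stored in this file, so they are out of scope here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS's applicationHost.config (not from the article).
SAMPLE = r"""<configuration>
  <system.applicationHost><sites>
    <site name="Contoso" id="1">
      <application path="/" applicationPool="Contoso">
        <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot\contoso" />
      </application>
    </site>
    <site name="Intranet" id="2">
      <application path="/" applicationPool="Intranet">
        <virtualDirectory path="/" physicalPath="E:\sites\intranet" />
      </application>
    </site>
  </sites></system.applicationHost>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security>
  </system.webServer>
</configuration>"""

def on_system_drive(path, system_drive="C:"):
    """True if path is on the system drive, including the %SystemDrive% variable form."""
    p = path.strip().lower()
    return p.startswith("%systemdrive%") or p.startswith(system_drive.lower())

def audit(config_xml, system_drive="C:"):
    """Return a sorted list of (check, detail) findings for three of the article's checks."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        for vdir in site.iter("virtualDirectory"):
            if on_system_drive(vdir.get("physicalPath", ""), system_drive):
                findings.append(("content-on-system-drive", site.get("name")))
    for node in root.iter("directoryBrowse"):
        if node.get("enabled", "false").lower() == "true":
            findings.append(("directory-browsing-enabled", "server default"))
    for node in root.iter("anonymousAuthentication"):
        # An empty userName makes IIS run anonymous requests as the application pool identity.
        if node.get("enabled", "true").lower() == "true" and node.get("userName", "IUSR") != "":
            findings.append(("anonymous-user-not-app-pool-identity", node.get("userName", "IUSR")))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"FAIL {check}: {detail}")
```

The `%SystemDrive%` case matters because the default IIS web root is written with that variable rather than a literal drive letter, so a plain `C:` prefix match would miss it.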
Along with the five critical tests listed above, UpGuard can track and compare any IIS or Windows settings. We also include built-in policies from the Center for Internet Security (CIS) to harden servers even further. Try UpGuard now to see how we can help your organization trust its technology.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.