IIS 7 and Above
IIS 7.0 Hardening Recomendations
Last post Jul 02, 2012 09:01 AM by jekram
Jun 28, 2007 07:57 PM|BCurry|LINK
I'm working on a paper about this and thought, I'd ping those in the know. Other than the standard "don't install a module that you don't need" advice, are there any more in-depth recomendations? I'm looking at 2 scenarios, an Internet facing static Web
server, and a Intranet Web server that serves dynamic content (ASP.NET, ISAPI, CGI, etc) What ACLs do I need to set for each scenario? Group policy recomendations?
I'm basing this on the recommendations for IIS 6--found at
Any pointers to good info is greatly appreciated.
Jul 02, 2007 06:27 PM|willsad|LINK
Jul 04, 2007 09:23 AM|steve schofield|LINK
For your static internet facing server. You could look at server core / web edition that does not serve .NET applications, but support classic ASP and HTML pages. This would be a perfect situation for this version of Windows Server 2008 / IIS7. I'm not
quite sure when this version is available, but it will be in the near future.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Dec 30, 2009 11:30 AM|grayboy|LINK
as i found this post i realized its for about 2 years ago that IIS 7.0 has released in that time
these days im looking for hardening recomendations and vulnerabilites IIS7.0 in order to document them
please give me some info or resource
thank you very much
Dec 30, 2009 11:58 AM|Rovastar|LINK
There is not much more hardening recommendation for IIS7.
In fact IIS6 WIndows 2003 is pretty solid out the box and more so with best practices. In fact we had the penetration testers in for 3 days last week just to look at my IIS config. And we really tried to break stuff. And the conclusions were that only minor
problem occur. Irrelevant things like showing banners and low chipers that always appear on pen tests and are only in there to bulk it out.
In fact you will have more problems with teh technologies employed on top .net, php, etc.
IIS7 is more robust still and I not expecting any problems there. For crazy security follow the guidelines in this post but sensible app pool identity with the minimum privileges for separate sites is more then enough.
Dec 31, 2009 02:24 AM|steve schofield|LINK
Rovastar is correct, unlike w2k and iis 5, w2k3 was pretty locked down and doesn't need much additional out of the box. Here is a few things I've done to lockdown IIS 7 and w2k8. It some IIS and OS specific items I've done.
1) Run as applicationpoolidentity
2) Uninstall any modules that aren't used, especially authentication modules. Not having modules reduces the surface attack. If you install additional modules, run at website level, don't load at server level, use the web.config to load the modules in
the <system.Webserver> section.
3) Look at using Request Filtering or urlscan to block sql injections
4) You can use host-headers to help reduce automated ip-based bot attacks.
5) Do not enable remote management, it's disabled by default
6) Don't install FTP, SMTP services.
7) Run each website in their own application pool
8) Lockdown any delegated permissions or remove them all together.
OS, App suggestions
9) Run Security Config wizard this does OS level changes. Definitely spin up a test VM or box to test SCW before applying at GPO level
10) Run Windows firewall, block all but 3389, 80, 443, echo reply (for monitoring and pings).
11) Place Data on a separate drive, remove default NTFS permissions,
12) Keep up on security patches, service packs.
13) Run asp.net apps in medium or partial trust if possible. Don't install DLL's in the GAC (global assembly cache)
14) Enable auditing in the local security policy (or GPO).
15) Run Anti-virus software.
16) Enable custom errors errors so unhandled errors aren't displayed remotely
17) Most web applications need to be properly tested for hacking, unhandled exceptions, etc.. IIS 7 itself is solid, the applications need to be both load tested and how they handle such situations.
18) Run 64 bit version of w2k8 or R2.
Jan 03, 2010 08:56 AM|grayboy|LINK
Jan 03, 2010 05:59 PM|steve schofield|LINK
I personally haven't done anything locking down the registry and IIS 7. The security configuration wizard could have some recommendations, but if you use the principal of having the account have little or no permissions except what it needs on the box,
the registry would be offlimits for the most part. Run SCW and see if there is any recommendations is all i can suggest. I like SCW since it'll show you want it wants to lockdown, you can see the results in your environment, investigate any settings you
are not sure about then, test on a non-production box or TEST VM. MS has done a great job since windows 2003 locking things down by default. Hope there is an answer in there. :)
Jan 04, 2010 07:32 AM|petsch|LINK
Jan 05, 2010 03:43 AM|steve schofield|LINK
I can only speak from my experience. 1) if you install Sharepoint or other software, there are specific recommendations by MS. General rules I've done is be as aggressive as possible, have exclusions for file types, log files, temporary internet files,
paging files, MDF, LDF, NDF. Most software allows for file exclusions by file extension such as aspx, ascx and other normal web type files. I've also not had AV installed on windows servers although for pci compliance, AV is almost required. Hope this
Jan 05, 2010 06:50 PM|ma_khan|LINK
Just to add to what Steve has mentioned... Some AV have policy of scanning files "on Access" ... that's not such a useful thing and sometimes even troublesome... Rather change the AV Policy to scan "on Modify"... this will give you great performance benefits...
Jun 02, 2010 09:32 PM|EyalEstrin|LINK
Check out the step-by-step guide bellow:
Jul 02, 2012 09:01 AM|jekram|LINK
The above link is broken. Try the link below: