Application security

Securing IIS Server Checklists

Ajay Yadav
April 28, 2014 by
Ajay Yadav


This paper is designed to demonstrate the common IIS web server security specifications in the form of a checklist that aids web masters or penetration testers to implement a secure web server infrastructure swiftly. It is mandatory for a web application to be duly full proof from vicious attacks and for stopping damage which could be in any form. Security professionals and penetration testers are typically part of a web project to ensure the website is protected from various attacks by detecting loopholes which might be exploited later. But such a critical task is typically not followed in a proper manner, and web applications go live into the production environment with inherent vulnerabilities, or even without complying to security guidelines. It is so because developers and organizations are often in a hurry to launch the software into the production environment due to various unnamed pressures.

Unfortunately, there is no single tool available which can claim comprehensive security of an application, because attacks can come in any form, in fact the horizon is so extensive that it is beyond assumption. So such summarized checklist snapshots have proven to be truly a savior for hardening or to improve our deployment workstation security precipitously.

Virtual Directory

Security Specifications


Ensure restriction is enabled to those directories that allow anonymous access

Ensure IISAdmin, IISHelp, IISamples directory are removed

Confirm PARENT PATH configuration is disabled

Ensure unused Front pages extension is removed

Ensure website directories are dislocated from the system partition drive

Ensure directory traversing is disabled (uncheck write permission)

Ensure other unused utilities such resource kit, SDK are detached

Machine Configuration File

Security Specifications


Ensure DEBUG is turned off in WEB.CONFIG file

Ensure TRACE is set to false or disabled

Ensure unnecessary HTTP Modules are removed

Secure Communication

Security Specifications


Ensure HTTP requests are filtered or categorized

Ensure HTTPS is enabled, in case your website deals with sensitive data

Ensure Server Certificates are updated and issued by a trusted organization

Ensure Certificates have not withdrawn

In case of remote administration, ensure proper time-outs and encryption are configured

Ensure communication happens through only port 80 or 443

Ensure that IPSec is formed in the network for secure communication

Logging and Audit

Security Specifications


Ensure Failed Logon Attempts are regularly inspected

Ensure Log files are properly maintained and audited

Confirm W3C extended format is enabled for auditing

IIS Metabase and Filters

Security Specifications


Ensure Banner grabbing is disabled

Ensure File (%systemroot%system32inetsrvmetabase.bin)

access is restricted

Ensure unused extensions (.shtml, .hta, .htw, .stm) are removed

Ensure unemployed ISAPI filters are disabled or removed.

Ensure 'Forbidden Handler' is mapped to unemployed ASP.NET files extension

Server Accounts

Security Specifications


Ensure anonymous logon is disabled

Ensure unused IUSR_MACHINE account is disabled

Ensure a solitary administrator account only

Ensure administrator account is properly hardened by strong password scheme

Ensure GUEST account is disabled

Ensure remote logon is disabled

Ensure ASP.NET process account is configured to least access

Ensure anyone couldn't login locally except administrator

Code Access Security

Security Specifications


Confirm CAS is enabled

Confirm source code is obfuscated

Confirm custom error page is installed on server

Confirm permissions removed from Internet and Intranet zone

System Configuration

Security Specifications


Confirm ASP .NET state service is disabled

Confirm Remote Registry Administration is disabled

Confirm WebDAW service is disabled

Confirm FTP and SMTP services are disabled

Confirm SMB service is disabled

Confirm All Redundant share's (C$, D$,..) is removed

Confirm Remote Administration by TELNET is disabled

Confirm only essential System Services are given least privileges

Confirm redundant system services are stopped

Ensure IIS is not installed on domain controller

Ensure IDS is installed in the network perimeter

Ensure that IIS server is configured inside DMZ

Server Updates

Security Specifications


Ensure Windows Operating System is updated

Ensure .NET Framework is Updated

Ensure IIS web server is duly patched

Ensure MBSA is configured and running regularly

Ensure EMET is installed on server and enabled

Ensure Microsoft Notification Service is Enabled

Ensure effective Anti-virus is installed and running

Final Note

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

In this article, we have seen how to harden the IIS web server to protect ASP.NET websites. This article in fact didn't explain various attacks and their countermeasure. Instead, it is pinpointing major security guidelines in the form of checklists which can be applied swiftly over a web server, so that a developer can ensure himself that a particular security mechanism is applied and it is enabled. Because some critical bugs go unnoticed and remain in the final version of the software, which could get the application into trouble. Hence, such a synopsis reference eases the undertaking of developers or security professionals in terms of not overlooking or forgetting critical security configurations on the web server.

Ajay Yadav
Ajay Yadav

Ajay Yadav is an author, Cyber Security Specialist, SME, Software Engineer, and System Programmer with more than eight years of work experience. He earned a Master and Bachelor Degree in Computer Science, along with abundant premier professional certifications. For several years, he has been researching Reverse Engineering, Secure Source Coding, Advance Software Debugging, Vulnerability Assessment, System Programming and Exploit Development.

He is a regular contributor to programming journal and assistance developer community with blogs, research articles, tutorials, training material and books on sophisticated technology. His spare time activity includes tourism, movies and meditation. He can be reached at om.ajay007[at]gmail[dot]com