IIS Best Practices


For a very long time, I have been asked for a document on IIS best practices. There are some blogs/articles on the Internet but I could not find a complete one. Actually, the main problem here is that there can not be “best practices” for a web server. A web server is just a hosting platform for applications, and, each and every application has its own needs. Therefore, in many cases, you will not have one universal best practice.

Having these said, I tried to gather a list of things one should check while configuring an IIS server (and an application on IIS). I should say that these are my own thoughts based on my own experience. It is very likely that you will find some resources mentioning just the opposite of what I say.

NOTE: Some of the links I provided below refer to content in Turkish because I usually blog in Turkish.

Application pool configuration

Logging

Content

Security

  • Configure "Request Filtering":
    • "Allow unlisted file name extensions": Uncheck (add only the extensions you will use)
    • "Allow unlisted verbs": Uncheck (add only the verbs you will use)
    • Lower "request limits" if possible
  • Remove HTTP headers which identify the server and application. These headers are believed to be a security risk because they disclose the platform in use:
       Server and ASP.NET headers
       http://blogs.msdn.com/b/cenkiscan/archive/2012/01/30/server-ve-asp-net-ba-l-klar.aspx
  • Set NTLM permissions on the content folders as needed; do not give unnecessary permissions to unnecessary users. You should consider authentication and impersonation configurations to do this.
  • Remove any unused modules to reduce attack surface. For example, if you do not specifically need WebDAV, do not install it.
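The request filtering, header removal and module removal items above, written out as a site-level web.config. This is an added example, not configuration from the original post; the extension list and request limits are constructed for a hypothetical ASP.NET site, and the removeServerHeader attribute assumes IIS 10 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- IIS defaults to allowUnlisted="true" for both lists: any extension and
           any verb reaches the application unless it is explicitly denied. -->
      <!-- removeServerHeader exists on IIS 10+; drop the attribute on older versions. -->
      <requestFiltering removeServerHeader="true">
        <fileExtensions allowUnlisted="false">
          <!-- Allow only what this hypothetical site actually serves (constructed list). -->
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css"  allowed="true" />
          <add fileExtension=".js"   allowed="true" />
          <add fileExtension=".png"  allowed="true" />
          <!-- Extensionless URLs (e.g. routed requests) are rejected once unlisted
               extensions are denied; this entry allows them back. -->
          <add fileExtension="."     allowed="true" />
        </fileExtensions>
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>
        <!-- Lowered request limits: 1 MB body, 2 KB URL, 1 KB query string (constructed values). -->
        <requestLimits maxAllowedContentLength="1048576" maxUrl="2048" maxQueryString="1024" />
      </requestFiltering>
    </security>
    <!-- X-Powered-By is inherited from the server level; remove it for this site. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Detach the WebDAV module and handler if they were installed but are not needed. -->
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="WebDAV" />
    </handlers>
  </system.webServer>
  <system.web>
    <!-- Stops ASP.NET from emitting the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

Removing the module in web.config only detaches it from this site; to follow the "do not install it" advice, uninstall the WebDAV Publishing role service instead.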

Other


CENK ISCAN

Comments (5)

  1. Anonymous says:

    Nice job

  2. Anonymous says:

    Good Article.

    I would like some guidelines on how to manage security if multiple IIS servers are in a workgroup and need to communicate with each other.

  3. Anonymous says:

    Nice list. I would add to keep your logs on a disk other than the system volume (typically C:). If the logs fill up your system volume, it will crash the entire server and you won't even be able to log into the server to clear them. Hopefully you can browse to the server remotely to delete some stuff but that is often restricted in the DMZ. Plus, many servers are now virtualized and it's more difficult (depending on OS at least) to expand the system volume if you're running out of space. Adding space to a non-system volume can be done "hot" while the VM is running with no outage.

  4. Anonymous says:

    This is great! For some reason there are few books on IIS and what's out there sucks. Thank you for this.

    Nima Zahadat

  5. Anonymous says:

    All in one place, and well organized.

    Thank you very much.