Skip to main content Link Menu Expand (external link) Document Search Copy Copied
DevSecOps Guides

IIS Hardening for DevSecOps

Table of contents

  1. Disable directory browsing
  2. Remove unneeded HTTP headers
  3. Set secure HTTP response headers
  4. Enable HTTPS and configure SSL/TLS settings
  5. Restrict access to files and directories
  6. Enable logging and configure log settings

List of some best practices to harden IIS for DevSecOps

Disable directory browsing

Set-WebConfigurationProperty -filter /system.webServer/directoryBrowse -PSPath "IIS:\Sites\Default Web Site" -name enabled -value $false

Remove unneeded HTTP headers

Remove-WebConfigurationProperty -filter "system.webServer/httpProtocol/customHeaders" -name ."X-Powered-By"

Set secure HTTP response headers

Add-WebConfigurationProperty -filter "system.webServer/staticContent" -name "clientCache.cacheControlMode" -value "UseMaxAge"<br>Set-WebConfigurationProperty -filter "system.webServer/staticContent/clientCache" -name "cacheControlMaxAge" -value "365.00:00:00"<br>Add-WebConfigurationProperty -filter "system.webServer/httpProtocol/customHeaders" -name "X-Content-Type-Options" -value "nosniff"<br>Add-WebConfigurationProperty -filter "system.webServer/httpProtocol/customHeaders" -name "X-Frame-Options" -value "SAMEORIGIN"<br>Add-WebConfigurationProperty -filter "system.webServer/httpProtocol/customHeaders" -name "X-XSS-Protection" -value "1; mode=block"

Enable HTTPS and configure SSL/TLS settings

New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -IPAddress "*" -SslFlags 1<br>Set-ItemProperty -Path IIS:\SslBindings\0.0.0.0!443 -Name "SslFlags" -Value "1"<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" -name enabled -value $false<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/anonymousAuthentication" -name enabled -value $false<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/basicAuthentication" -name enabled -value $false<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/digestAuthentication" -name enabled -value $false<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/windowsAuthentication" -name enabled -value $true<br>Set-WebConfigurationProperty -filter "system.webServer/security/authentication/windowsAuthentication" -name useKernelMode -value $true

Restrict access to files and directories

Set-WebConfigurationProperty -filter "/system.webServer/security/requestFiltering/fileExtensions" -name "." -value @{allowed="$false"}<br>Set-WebConfigurationProperty -filter "/system.webServer/security/requestFiltering/hiddenSegments" -name "." -value @{allowed="$false"}<br>Set-WebConfigurationProperty -filter "/system.webServer/security/requestFiltering/denyUrlSequences" -name "." -value @{add="$false"}

Enable logging and configure log settings

Set-WebConfigurationProperty -filter "/system.webServer/httpLogging" -name dontLog -value $false

or

Set-WebConfigurationProperty -filter "/system.webServer/httpLogging" -name logExtFileFlags -value "Date, Time, ClientIP, UserName, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, BytesRecv, TimeTaken