IIS, the web server that’s available as a role in Windows Server, is also one of the most used web server platforms on the internet. Hardening IIS involves applying certain configuration steps above and beyond the default settings. The default settings on IIS provide a mix of functionality and security. As with any hardening operation, the harder you make a configuration, the more you reduce functionality and compatibility.
The two important third-party guides for hardening IIS are the OWASP guide and the Center for Internet Security guide. You can access these guides here:
- OWASP guide to hardening IIS. https://www.owasp.org/index.php/Hardening_IIS
- Center for Internet Security IIS 10 Benchmark. https://www.cisecurity.org/cis-benchmarks/ (the CIS Microsoft IIS 10 Benchmark PDF is available for download from that site)
The CIS IIS 10 Benchmark is the more detailed of the two at the time of writing: an approximately 140-page PDF with 55 separate security recommendations. The OWASP guide is shorter, with approximately 23 separate security recommendations.
Originally published in Microsoft TechCommunity
Orin Thomas, Microsoft