Internet Information Services (IIS) contains several components that perform important functions for the application and Web server roles in Windows Server. As it is designed to be used in an enterprise environment, the security of this system must be kept at a high level.
By default IIS implements a lot of basic security measures, but are these the relevant ones to protect your business?
In order to answer this question for one of our customers, we have compiled the most relevant security settings in an IIS 7.5 Hardening Guide for you. In this guide we define a baseline security level, which is to be used for so-called “crash and burn systems” (systems with non-critical data, systems whose availability has no business-relevant impact), and a security level high, which includes all other systems. The mitigations in the baseline section are non-critical, and therefore no further tests are necessary. The mitigations in the section high are critical in terms of availability and need to be tested extensively. The system owner must decide which security level is the right one for their system, and which mitigations from the section high are mandatory for their system.
The IIS 7.5 Hardening Guide includes configuration examples and all necessary commands for each mitigation.
You may download our Hardening Guide for IIS 7.5 at: ERNW_Checklist_Hardening_Microsoft_IIS_7_5
Have a good one,
Dominik