Wesbytes Knowledge Base


Tips: IIS 6.0 – Security Best Practices

Last modified: July 2, 2022

1. Use end-to-end encryption

  • If you have a reverse proxy and/or load balancer in front of your web servers, prefer SSL bridging (the proxy decrypts, inspects, and re-encrypts to the backend) over SSL offloading (traffic between the proxy and the web server travels in plaintext).
  • Disable SSL/TLS versions older than TLS 1.2 (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1).
  • Disable weak cipher suites (for example RC4, 3DES, and export-grade suites).
  • SSL/TLS protocol and cipher suite settings are server-wide (Schannel) settings, and IIS supports whatever the operating system supports. .NET Framework applications, however, can select their own protocol versions for outbound connections, so also check the article below:

    Transport Layer Security (TLS) best practices with the .NET Framework
    https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
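The following PowerShell script is an added example, not code from the Wesbytes article or from Microsoft: it applies the three bullets above on a Windows Server by editing the Schannel registry keys, removing weak cipher suites from the Schannel priority list, and pointing .NET Framework 4.x at the OS defaults. The list of "weak" suites is an assumption for illustration; review the output of Get-TlsCipherSuite on your own server before disabling anything.

```powershell
# Added example (not from the original article): disable SSL 2.0/3.0 and TLS 1.0/1.1,
# drop weak cipher suites, and make .NET Framework 4.x follow the OS TLS settings.
# Run as Administrator; Schannel protocol changes need a reboot to take effect.
#Requires -RunAsAdministrator

$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = "$protocolRoot\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off unless an
        # application requests it explicitly. Inverse values switch it on.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Legacy protocols off, TLS 1.2 explicitly on.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Name $p -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Weak cipher suites (assumed list for illustration): remove them from the Schannel
# priority list. Get-/Disable-TlsCipherSuite exist on Windows Server 2012 R2 and later.
$weakSuites = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5'
foreach ($suite in $weakSuites) {
    if (Get-TlsCipherSuite -Name $suite) { Disable-TlsCipherSuite -Name $suite }
}

# .NET Framework 4.x: SystemDefaultTlsVersions=1 lets the OS choose the protocol (so the
# Schannel settings above also govern the application's own outbound HTTPS calls) and
# SchUseStrongCrypto=1 removes the legacy cipher/protocol defaults. Both 64- and 32-bit keys.
foreach ($netKey in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $netKey) {
        New-ItemProperty -Path $netKey -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $netKey -Name 'SchUseStrongCrypto'      -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Read back the configured state: one row per protocol (server side) plus the remaining suites.
Get-ChildItem $protocolRoot | ForEach-Object {
    $server = "$protocolRoot\$($_.PSChildName)\Server"
    if (Test-Path $server) {
        [pscustomobject]@{ Protocol = $_.PSChildName; Enabled = (Get-ItemProperty $server).Enabled }
    }
}
Get-TlsCipherSuite | Select-Object Name
```

The registry-based protocol switches are what the linked Microsoft article describes for the .NET side; the SystemDefaultTlsVersions setting is the part most often forgotten, because without it an ASP.NET application compiled against an older target framework may still negotiate TLS 1.0 for its own outbound calls even though IIS no longer accepts it inbound.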

3. Configure "Request Filtering"

4. Remove HTTP headers

Remove the HTTP response headers that identify the server and the application framework (Server, X-Powered-By, X-AspNet-Version). These headers do not create a vulnerability by themselves, but they tell an attacker exactly which server and framework versions are in use and make targeted scanning easier:

    removeServerHeader
    https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#new-i…

    Remove Unwanted HTTP Response Headers
    https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/3…
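As an added example (not code from the article or from the linked Microsoft pages), the script below removes the three identifying headers with the WebAdministration module and then checks a URL for any that are still present. It assumes a site named MySite and IIS 10.0 version 1709 or later, which is where the removeServerHeader attribute was introduced; on older IIS versions that line fails and the Server header cannot be removed by configuration alone.

```powershell
# Added example (not from the original article): strip identifying response headers.
# Assumptions: site 'MySite', IIS 10.0 version 1709+ for removeServerHeader. Run as Administrator.
Import-Module WebAdministration

$site = 'IIS:\Sites\MySite'           # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'  # server-wide applicationHost.config

# 1. "Server: Microsoft-IIS/10.0": removed for every site by Request Filtering.
Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# 2. "X-Powered-By: ASP.NET" is a custom header defined in applicationHost.config; delete it there.
Remove-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' }

# 3. "X-AspNet-Version: 4.0.30319" is emitted by ASP.NET; switch it off in the site's web.config.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# 4. Check: list any identifying header the server still sends for the given URL.
function Get-IdentifyingHeader {
    param([Parameter(Mandatory)][uri]$Url)
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction SilentlyContinue
    if (-not $resp) { return }   # non-2xx responses are reported as errors in Windows PowerShell
    foreach ($h in 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version') {
        if ($resp.Headers.ContainsKey($h)) {
            [pscustomobject]@{ Header = $h; Value = ($resp.Headers[$h] -join ',') }
        }
    }
}

Get-IdentifyingHeader -Url 'https://localhost/'   # assumed URL; run after an iisreset
```

The check function returns one object per header that is still present and nothing when all are gone. X-AspNetMvc-Version is included in the check because it is not covered by any of the settings above: an ASP.NET MVC application has to disable it in code (MvcHandler.DisableMvcResponseHeader = true in Application_Start).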

5. Set NTFS permissions

Set NTFS permissions on the content folders as needed:

  • Grant permissions only to the accounts that actually need them. Remove the inherited permissions for Users and other broad groups. Which account needs access depends on your authentication and impersonation configuration (anonymous user, application pool identity, or the impersonated Windows user), so settle that first.
  • The content folder should only need "Read" and "Read & execute" permissions. If your application needs to write something (such as logs or temporary files), write it to a separate folder (one per application on the server) and grant "Write" or "Modify" only on that specific folder.
  • Make sure that folders with write permissions cannot be reached over HTTP, i.e. that requests for that path are denied by the Request Filtering module (for example with a hidden segment); otherwise an attacker who gets a file written there can fetch or execute it.
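The script below is an added example, not the article's own code: it implements sections 3 and 5 together for one site, since the account that the NTFS ACL must grant is the one anonymous requests run under. It assumes a site and application pool both named MySite, content under C:\inetpub\sites\MySite, and a writable folder App_Logs inside that content root; all of these names are assumptions.

```powershell
# Added example (not from the original article): per-site NTFS permissions plus a Request
# Filtering hidden segment for the writable folder. Assumed names: site/pool 'MySite',
# content C:\inetpub\sites\MySite, writable folder App_Logs. Run as Administrator.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName  = 'MySite'
$content   = 'C:\inetpub\sites\MySite'
$writeDir  = Join-Path $content 'App_Logs'
$poolIdent = "IIS AppPool\$siteName"   # virtual account of the application pool

# 1. Anonymous requests run as the application pool identity (empty userName), so the ACLs
#    below have to grant exactly one account per site. This section is locked at server level,
#    which is why it is written to applicationHost.config with a <location> for the site.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'userName' -Value ''

# 2. Content folder: drop inherited ACEs (these carry the BUILTIN\Users read access), then grant
#    Read & execute to the pool identity only, plus Full control for Administrators and SYSTEM.
New-Item -ItemType Directory -Path $writeDir -Force | Out-Null
icacls $content /inheritance:r /grant:r "${poolIdent}:(OI)(CI)RX" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 3. Writable folder only: Modify for the pool identity (it already inherits RX from above).
icacls $writeDir /grant "${poolIdent}:(OI)(CI)M"

# 4. Request Filtering: a hidden segment makes any URL containing /App_Logs/ return 404,
#    regardless of what was written there.
$filter  = 'system.webServer/security/requestFiltering/hiddenSegments'
$sitePath = "IIS:\Sites\$siteName"
$existing = Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name 'Collection'
if (-not (($existing | ForEach-Object segment) -contains 'App_Logs')) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' -Value @{ segment = 'App_Logs' }
}

# 5. Verify: effective ACEs on the content root, and the HTTP status the writable folder gets.
(Get-Acl $content).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

function Get-HttpStatus {
    param([Parameter(Mandatory)][uri]$Url)
    # Windows PowerShell raises an exception for 4xx/5xx; read the status from it.
    try { (Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }
}
Get-HttpStatus -Url "http://localhost/App_Logs/"   # assumed URL; should be answered by Request Filtering
```

With the hidden segment in place the request for /App_Logs/ is rejected with a 404 by Request Filtering before any handler runs, whereas a request for a normal page still returns 200. Note that the hidden segment matches the segment name anywhere in the URL, so pick a folder name that is not used elsewhere in the site.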

Other Security Practices

  • If using anonymous authentication, set the anonymous user to "Application pool identity" so that each site or application runs, and is authorized on the file system, under its own account.
  • Do not store sensitive information (connection strings, passwords, API keys) in plaintext in configuration files. Encrypt such sections if you need to keep them there:

      Protecting Connection Strings and Other Configuration Information (C#)
      https://docs.microsoft.com/en-us/aspnet/web-forms/overview/data-access/advanced-data-access-scenario…

  • Remove any unused modules and features to reduce the attack surface. For example, if you do not specifically need WebDAV, do not install it (or uninstall it).
  • Consider adding the host names of your web sites to the Hosts file, pointing them to 127.0.0.1, so that you can test each application locally on each server of a web farm. This is the first and easiest test to rule out network and load balancer issues.
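The following script is an added example for the second and third bullets above (encrypting a configuration section and removing WebDAV); it is not code from the article or from the linked Microsoft page. It assumes the site root C:\inetpub\sites\MySite and a 64-bit .NET Framework 4.x installation.

```powershell
# Added example (not from the original article): encrypt <connectionStrings> in a site's
# web.config with aspnet_regiis, verify the result, and uninstall WebDAV if present.
# Assumed paths: site root C:\inetpub\sites\MySite, 64-bit .NET Framework 4.x. Run as Administrator.
#Requires -RunAsAdministrator

$siteRoot = 'C:\inetpub\sites\MySite'
$regiis   = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# -pef encrypts one section of the web.config found at the given physical path.
# DataProtectionConfigurationProvider uses the machine's DPAPI key, so the encrypted file can
# only be decrypted on this server. For a web farm use RsaProtectedConfigurationProvider
# (the default when -prov is omitted) and export/import the RSA key container on each node.
& $regiis -pef 'connectionStrings' $siteRoot -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify: the section now carries configProtectionProvider and holds <EncryptedData>
# instead of <add name="..." connectionString="..."/> entries.
function Test-EncryptedSection {
    param([Parameter(Mandatory)][string]$WebConfigPath, [string]$Section = 'connectionStrings')
    [xml]$cfg = Get-Content -Path $WebConfigPath
    $node = $cfg.configuration.$Section
    [pscustomobject]@{
        Section   = $Section
        Provider  = $node.configProtectionProvider
        Encrypted = [bool]$node.configProtectionProvider -and ($null -eq $node.add) -and ($null -ne $node.EncryptedData)
    }
}
Test-EncryptedSection -WebConfigPath (Join-Path $siteRoot 'web.config')

# To edit the values again in plaintext, decrypt with -pdf:
#   & $regiis -pdf 'connectionStrings' $siteRoot

# Attack surface: WebDAV off unless a specific application needs it (ServerManager module).
if ((Get-WindowsFeature -Name Web-DAV-Publishing).Installed) {
    Uninstall-WindowsFeature -Name Web-DAV-Publishing
}
```

ASP.NET decrypts the section transparently at runtime, so application code that reads ConfigurationManager.ConnectionStrings needs no change. Keep in mind that with DPAPI machine-level protection every process on the server can decrypt the section; the control this gives you is that a copied web.config is useless elsewhere, not that other local accounts are kept out.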