1. Use end-to-end encryption
- If you have a reverse proxy and/or load balancer in front of your web servers, prefer SSL bridging to SSL offloading, so that the traffic between the proxy and the web servers stays encrypted
- Disable SSL/TLS versions older than TLS 1.2
- Disable weak cipher suites
- SSL/TLS and cipher suite settings are server-wide settings, and IIS supports whatever the OS supports. .NET Framework applications, however, have their own TLS settings; check the article below:
Transport Layer Security (TLS) best practices with the .NET Framework
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
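The three protocol items above as a script, added here as an example and not part of the original checklist. The Schannel and .NET Framework registry locations are the documented ones; the list of protocols to disable, the cipher-suite name pattern and the use of the built-in TLS module cmdlets are this example's choices.

```powershell
# Added example: disable legacy SSL/TLS protocols and weak cipher suites on a Windows/IIS host.
# Schannel settings need a reboot to apply reliably. Run from an elevated session.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolsToDisable = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')   # example's choice

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off; DisabledByDefault=1 also stops applications
        # that do not name a protocol explicitly from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

foreach ($p in $protocolsToDisable) { Set-SchannelProtocol -Name $p -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# .NET Framework 4.x: make the runtime follow the OS protocol defaults instead of its own
# older hard-coded ones, for both 64-bit and 32-bit (Wow6432Node) application pools.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-Item -Path $net -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
}

# Cipher suites: remove anything still offering RC4, 3DES or NULL encryption.
# Get-TlsCipherSuite / Disable-TlsCipherSuite come from the built-in TLS module on current Windows Server.
Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|NULL' } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }

# Read back the server-side protocol switches for review.
foreach ($p in ($protocolsToDisable + 'TLS 1.2')) {
    $v = Get-ItemProperty -Path (Join-Path $schannel "$p\Server")
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $p, $v.Enabled, $v.DisabledByDefault
}
```

Before rolling this out, check what else on the host still negotiates the older protocols (database client libraries, monitoring agents, older browsers in your user base), because Schannel settings apply to every Schannel consumer on the machine, not just IIS.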
2. Add security headers to your applications
Content Security Policy (CSP)
https://docs.microsoft.com/en-us/microsoft-edge/extensions-chromium/store-policies/csp
HSTS Settings for a Web Site
https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts
X-Frame-Options
https://tools.ietf.org/html/rfc7034
OWASP Secure Headers Project
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
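Setting the headers listed above on one site with the WebAdministration module, added here as an example (not code from the original checklist). The site name, the CSP policy string and the other header values are this example's assumptions and need tailoring per application.

```powershell
# Added example: add security response headers and native HSTS to one IIS site.
Import-Module WebAdministration
$site     = 'Default Web Site'          # assumed site name
$sitePath = "IIS:\Sites\$site"
$filter   = 'system.webServer/httpProtocol/customHeaders'

$headers = @{
    # Start restrictive and relax per application; use Content-Security-Policy-Report-Only first if unsure.
    'Content-Security-Policy' = "default-src 'self'; frame-ancestors 'none'; object-src 'none'"
    'X-Frame-Options'         = 'DENY'   # for clients that predate frame-ancestors
    'X-Content-Type-Options'  = 'nosniff'
    'Referrer-Policy'         = 'strict-origin-when-cross-origin'
}

foreach ($name in $headers.Keys) {
    # Remove an existing entry first so the script can be re-run without duplicate-key errors.
    Remove-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
        -AtElement @{ name = $name } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
        -Value @{ name = $name; value = $headers[$name] }
}

# HSTS: the native <hsts> site element (IIS 10.0 version 1709 and later) sends
# Strict-Transport-Security only on HTTPS responses, which a plain custom header would not do.
$hsts = "system.applicationHost/sites/site[@name='$site']/hsts"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hsts -Name 'enabled'             -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hsts -Name 'max-age'             -Value 31536000
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hsts -Name 'includeSubDomains'   -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hsts -Name 'redirectHttpToHttps' -Value $true

# Read back what the site will now emit.
Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name 'Collection' |
    Select-Object name, value
```

A CSP that blocks inline scripts will break applications that rely on them; the report-only variant lets you collect violations before enforcing.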
3. Configure "Request Filtering"
- “Allow unlisted file name extensions”: Uncheck (allow only the extensions you will use; add “.” to allow extensionless requests)
- “Allow unlisted verbs”: Uncheck (allow only the verbs you will use)
- Lower “request limits” if possible
Request Filtering
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
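The three Request Filtering items applied to one site, added here as an example and not part of the original checklist. The site name and the allowed extension, verb and size lists are this example's assumptions for a plain ASP.NET site; every application needs its own list.

```powershell
# Added example: allowlist extensions and verbs and tighten request limits for one site.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Default Web Site'            # assumed site name
$rf      = 'system.webServer/security/requestFiltering'

function Set-RfProp([string]$Filter, [string]$Name, $Value) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $Filter -Name $Name -Value $Value
}

function Add-RfEntry([string]$Filter, [string]$Key, [string]$Value) {
    # Skip entries that already exist (including ones inherited from applicationHost.config).
    $present = Get-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $Filter -Name 'Collection' |
               Where-Object { $_.$Key -eq $Value }
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $Filter -Name '.' `
            -Value @{ $Key = $Value; allowed = $true }
    }
}

# 1. File name extensions: "." is the entry for extensionless requests (MVC / Web API routes);
#    drop it if the site only serves files that have extensions.
Set-RfProp "$rf/fileExtensions" 'allowUnlisted' $false
foreach ($ext in '.', '.aspx', '.ashx', '.css', '.js', '.png', '.jpg', '.svg', '.woff2', '.ico') {
    Add-RfEntry "$rf/fileExtensions" 'fileExtension' $ext
}

# 2. Verbs: add OPTIONS only if the site really answers CORS preflights.
Set-RfProp "$rf/verbs" 'allowUnlisted' $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-RfEntry "$rf/verbs" 'verb' $verb
}

# 3. Request limits: content length in bytes, URL and query string in characters.
#    IIS defaults are 30000000 / 4096 / 2048; tighten to what the application actually needs.
Set-RfProp "$rf/requestLimits" 'maxAllowedContentLength' 4194304
Set-RfProp "$rf/requestLimits" 'maxUrl'                  2048
Set-RfProp "$rf/requestLimits" 'maxQueryString'          1024

# Read back the effective extension list for review.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$rf/fileExtensions" |
    Select-Object allowUnlisted, @{ n = 'allowed'; e = { ($_.Collection | Where-Object allowed | ForEach-Object fileExtension) -join ' ' } }
```

Requests blocked by these rules surface as 404 responses with substatus 404.7 (extension), 404.6 (verb) and 404.13/404.14/404.15 (limits) in the IIS logs, which is where to look when a legitimate client breaks after tightening.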
4. Remove HTTP headers
Remove the HTTP headers that identify the server and application. These headers disclose product and version information and are regarded as a security weakness:
removeServerHeader
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#new-i…
Remove Unwanted HTTP Response Headers
https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/3…
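The headers IIS and ASP.NET add by default (Server, X-Powered-By, X-AspNet-Version), removed with the WebAdministration module and checked afterwards. This is an added example, not code from the original checklist; the site name and the check URL are assumptions.

```powershell
# Added example: remove the version-identifying response headers and verify the result.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Default Web Site'            # assumed site name

# Server header: removeServerHeader (IIS 10.0 and later) drops the header entirely;
# older versions had to rewrite it with URL Rewrite or code.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# X-Powered-By is an <add> in applicationHost.config; delete it there so no site inherits it.
# (Run against a site path instead, the same call emits a <remove> in that site's web.config.)
Remove-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# X-AspNet-Version is controlled by ASP.NET's httpRuntime element in the site's web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# X-AspNetMvc-Version is added by MVC in code and is switched off in Application_Start with
#   MvcHandler.DisableMvcResponseHeader = true;

function Get-IdentifyingHeaders([string]$Url) {
    # Returns the fingerprinting headers still present in a response; empty output means clean.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
    $resp.Headers.GetEnumerator() |
        Where-Object { $_.Key -in 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version' }
}

Get-IdentifyingHeaders -Url 'http://localhost/'    # assumed local binding
```

Check error pages as well as the home page: responses generated by a module before the application runs can still carry headers the application-level settings do not cover.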
5. Set NTFS permissions
Set NTFS permissions on the content folders as needed:
- Do not grant permissions that are not needed, and do not grant them to identities that do not need them. Remove the permissions of Users and other broad groups. Take the authentication and impersonation configuration of the site into account when deciding which identities need access.
- The content folder should only need “read” and “read and execute” permissions. If your application needs to write something (such as logs or temp files), write to a separate folder (one for each application on the server) and grant “write” permission only to that folder.
- Make sure that the folders with write permissions cannot be reached over HTTP, i.e. deny access to them with the Request Filtering module.
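The three NTFS items above as a script, added here as an example and not part of the original checklist. It uses icacls and the WebAdministration module; the pool name, paths and the choice to place the write folder under the site root as a hidden segment are this example's assumptions.

```powershell
# Added example: least-privilege NTFS ACLs for one application plus a Request Filtering
# hidden segment so the write folder is never served over HTTP. Run elevated.
Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$site     = 'Default Web Site'                  # assumed site name
$pool     = 'MyAppPool'                         # assumed application pool of that site
$identity = "IIS AppPool\$pool"                 # virtual account the pool runs as
$content  = 'C:\inetpub\sites\myapp'            # assumed physical path of the site
$writable = Join-Path $content 'App_Logs'       # the only folder the application may write to

New-Item -ItemType Directory -Path $content, $writable -Force | Out-Null

# Content folder: /inheritance:r strips inherited ACEs (this is what removes BUILTIN\Users),
# then grant only administrators, SYSTEM and the pool identity.
# (OI)(CI) = inherit to files and subfolders; F = full, RX = read and execute.
icacls $content /inheritance:r
icacls $content /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${identity}:(OI)(CI)RX"

# Write folder: the pool gets W (create, write, append) and nothing else, so a file
# dropped here cannot be read back or executed by the application identity.
icacls $writable /inheritance:r
icacls $writable /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${identity}:(OI)(CI)W"

# Request Filtering: hide the segment so /App_Logs/... answers 404 regardless of NTFS.
$hidden = 'system.webServer/security/requestFiltering/hiddenSegments'
$segment = Split-Path $writable -Leaf
$present = Get-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $hidden -Name 'Collection' |
           Where-Object { $_.segment -eq $segment }
if (-not $present) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $hidden -Name '.' -Value @{ segment = $segment }
}

# Verify: write a constructed file, then confirm it is not reachable over HTTP (expect NotFound, substatus 404.8).
Set-Content -Path (Join-Path $writable 'probe.log') -Value 'constructed test line'
try {
    Invoke-WebRequest -Uri "http://localhost/$segment/probe.log" -UseBasicParsing | Out-Null
    'EXPOSED: hidden segment not in effect'
} catch {
    $_.Exception.Response.StatusCode
}
icacls $content
```

If the application must also read its own log files back, grant M (modify) instead of W on the write folder; the hidden segment, not the ACL, is what keeps the folder off the web.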
Other Security Practices
- If using anonymous authentication, set the anonymous user to “Application pool identity” so that sites and applications are isolated from each other.
- Do not store sensitive information in configuration files in clear text. Encrypt such fields if you need to have them:
Protecting Connection Strings and Other Configuration Information (C#)
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/data-access/advanced-data-access-scenario…
- Remove any unused modules to reduce attack surface. For example, if you do not specifically need WebDAV, do not install it.
- Consider adding the host names of your web sites to the Hosts file, pointing to 127.0.0.1, so that you can test your applications locally on each server of a web farm. This is the first and easiest test to rule out network issues.
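The remaining items as commands, added here as an example and not part of the original checklist. Site, path and host names are this example's assumptions; aspnet_regiis, Uninstall-WindowsFeature and the hosts file location are the standard Windows Server tooling the items refer to.

```powershell
# Added example: pool-identity anonymous auth, encrypted connection strings, WebDAV removal
# and a local hosts entry for in-farm testing. Run elevated on the web server.
Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$site     = 'Default Web Site'                  # assumed site name
$physical = 'C:\inetpub\sites\myapp'            # assumed physical path of the site
$hostName = 'www.example.com'                   # assumed host-header binding of the site

# Anonymous authentication: an empty userName means "Application pool identity" in the UI,
# so each site's anonymous requests run as that site's own pool account.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'userName' -Value ''

# Encrypt the connectionStrings section of the site's web.config in place with the default
# RSA protected-configuration provider (-pef by physical path; -pdf decrypts again).
# In a web farm the RSA key container must be exported and imported on every node first.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pef 'connectionStrings' $physical

# Remove WebDAV if installed; list other Web-* features the same way and remove what is unused.
Get-WindowsFeature -Name 'Web-DAV-Publishing' | Where-Object Installed | Uninstall-WindowsFeature

# Hosts entry so this server resolves its own site name to itself instead of the load balancer.
$hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'
$pattern   = "^\s*127\.0\.0\.1\s+$([regex]::Escape($hostName))\s*$"
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "127.0.0.1`t$hostName"
}

function Test-LocalSite([string]$Name) {
    # Sends the Host header the binding expects; a 200 here with a failure through the
    # load balancer points at the network, not at IIS or the application.
    (Invoke-WebRequest -Uri "http://$Name/" -UseBasicParsing -Method Head).StatusCode
}

Test-LocalSite -Name $hostName
```

Remember to remove or comment out the hosts entry when the test is done, or the server will keep talking to itself whenever it calls its own public name.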