IIS is a popular web server developed by Microsoft for its Windows Server operating system. While not as popular as Apache or Nginx, it’s still quite used in the Windows hosting environment. That’s one of the reasons on why IIS security is still so important these days.
Currently, IIS has an estimated market share of 7,94% according to 6Sense, and among its versions, the most popular one is IIS 10, which is used by 77,2% of IIS-based servers, as indicated by W3Techs.
ISS is utilized by thousands of servers worldwide, so those looking for an IIS security guide have come to the right place. Our guide covers updates, strong auth, and SSL/TLS. Learn how to lock down your server.
Understanding the IIS Architecture
Internet Information Services (IIS) is a robust web server software developed by Microsoft that plays a crucial role in hosting and managing web applications. Understanding the IIS architecture is essential for effectively configuring and securing your web server. The architecture consists of several key components:
- Application Pools: These are mechanisms for isolating web applications, ensuring each application runs in its process. This isolation improves overall security and stability by preventing one application from affecting others.
- Worker Processes: These processes are responsible for handling HTTP requests and responses. They are the core of the IIS architecture, ensuring that web applications run smoothly and efficiently.
- Request Processing Pipeline: This is a series of events that occur when a request is received, including authentication, authorization, and content processing. Understanding this pipeline helps configure security and performance settings.
- Modules: These are components that extend the functionality of IIS, such as authentication, caching, and compression. Modules can be added or removed based on the specific needs of your web applications.
Understanding these components will help you better configure and harden your IIS security, ensuring optimal performance and protection.
Top 20 IIS Security Tips to Secure Your Web Applications
Now let’s deep dive into the top 20 IIS security tips for developers and sysadmins.
Update IIS and Windows Server
Updating your IIS web server and Windows Server is the foundation of your IIS security. Microsoft releases patches to fix vulnerabilities and improve security regularly. These updates not only harden your defenses but also improve performance and add new features to make your life easier.
Updating IIS and Windows Server protects against new vulnerabilities. Don’t deploy updates blindly; create a test environment similar to your production server to test updates before deploying to production. This way you can find issues without risking your live environment.
Deploy during off-peak hours to minimize downtime. And have a rollback plan in case of update issues. This combination of testing and strategic deployment keeps your IIS server safe and running.
Strong Auth and Authz
Strong authentication and authorization protect your IIS server from unauthorized access. It’s recommended to configure different auth methods based on your app’s needs. For example, enable Windows authentication by going to IIS Manager, selecting your site, and enabling the option.
Disable anonymous authentication to prevent unauthorized users and anonymous users from accessing your web apps. Properly configuring the anonymous user identity in IIS is crucial to ensure that the application pool can appropriately access site files. Windows authentication can be enabled in the same panel.
URL Auth rules add an extra layer of security by granting access based on user roles and names. These can be configured in IIS Manager to have fine-grained control over who can access what resources.
Strong password policies like minimum length and complexity are a must for auth. Regular IIS user account audits will bolster security and find vulnerabilities. These will harden your IIS security.
Enable SSL/TLS
The SSL/TLS protocol encrypts sensitive data, especially for forms-based auth by encrypting data and preventing unauthorized access. Employ TLS when using basic authentication to prevent credentials from being transmitted in clear text. Forms authentication should be implemented with SSL to protect credentials transmitted over the network. Manage SSL in IIS through IIS Manager, AppCmd.exe, or WMI scripts.
To force HTTPS for specific sites, use the sslFlags attribute in IIS. Make sure you have a valid SSL certificate installed and configured correctly to negotiate SSL. Take your time to choose the right SSL certificate issuer.
Enabling SSL/TLS encrypts all data between your server and clients, reducing data breaches by a lot. Also, remember that you must install new certificates before the current ones reach the SSL/TLS certificate expiration date.
Remove Unnecessary Services and Features
A minimalistic server is good for both security and performance. Removing unnecessary services and features reduces the attack surface and makes maintenance easier. Start by finding unused modules in IIS through the ‘Modules’ feature in IIS Manager.
Disable unnecessary components like CGI files and ISAPI extensions to improve security and performance. A lean config means fewer points of failure and easier troubleshooting, which means a more robust and faster IIS server.
We also suggest that you check out our HTTP misconfigurations guide to avoid common mistakes while configuring your server.
HTTP Request Filtering
HTTP request filtering in IIS allows you to define rules to block malicious requests before they hit your app. For example, restrict file extensions to prevent access to sensitive files to mitigate code injection and other common attacks.
Allow or deny specific HTTP verbs to enforce your security policies. And block requests based on URL length to prevent buffer overflow attacks. These will secure and reduce server load by filtering out unnecessary traffic.
Our HTTP header security guide provides further information to bolster your IIS security.
Configure an application pool to use a unique identity
Application pool identities in IIS run your apps under unique accounts. This isolates worker processes and gives you more granular security. Each site in IIS should have its own application pool for better isolation.
To configure an application pool to use a unique identity, you can do it through IIS Manager or the command line. Make sure each application pool identity has the least privileged access to minimize security risks. This reduces your reliance on built-in accounts like Network Service and makes it more secure.
Set Proper Folder Permissions
File system security is important for your web apps and server resources. Secure folder permissions by removing access for non-essential users and only grant permission to ‘SYSTEM’, ‘Administrators’, and ‘ApplicationPoolIdentity’. This will minimize access to sensitive files and folders.
Disable inheritance for folder permissions. Click ‘Advanced’ and then ‘Disable inheritance’ option to do this. Using NTFS permissions correctly will overall secure your files and directories.
Dynamic IP Restrictions
Dynamic IP restrictions will block IP addresses based on certain criteria. The Dynamic IP Restrictions module in IIS will mitigate DDoS and brute force attacks by blocking IP addresses that have too many requests.
Administrators can configure restrictions based on the number of concurrent connections and volume of requests over a time frame. When denying IP addresses, IIS can return different HTTP status codes like 401 (Unauthorized) or 403 (Forbidden) to secure and control.
Disable Directory Browsing
Directory browsing can be pretty dangerous. According to CWE, having it enabled “can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits.”
Disabling directory browsing is a must to prevent unauthorized access to your server’s directory structure. If directory browsing is active, attackers can see the contents of your directories and potentially exploit vulnerabilities.
Disable directory browsing by going to your site in IIS Manager, double click on the Directory Browsing icon and select Disable. Or execute the command ‘appcmd set config /section:directoryBrowse /enabled:false’ in the command line. This will hide your directory contents from prying eyes.
Enable Logging and Monitoring
Logging and monitoring are important to detect and respond to incidents. Specify the log path in IIS to know where the log files are stored and make it easy to manage. Tools like Azure Monitor will collect and analyze IIS logs and will make monitoring your app performance and security easier.
Log Parser will allow you to analyze IIS logs in detail and get better insights into your app’s health and performance. Auditing file and folder access will track attempts to access sensitive data and will reinforce the monitoring process. Monitor your log file size regularly to manage storage and performance.
Custom fields in logs will capture additional data like real client IP in NAT environments to help you analyze traffic in detail. Integrate logging and monitoring with Web Application Firewall (WAF) to get a better understanding of traffic patterns and potential security threats.
Use a Web Application Firewalls (WAF)
A Web Application Firewall (WAF) will act as a barrier between your web servers and the internet, inspect and filter HTTP traffic for security. It will prevent attacks like SQL injection and cross-site scripting (XSS) by monitoring and filtering incoming and outgoing traffic.
Install a WAF with IIS by installing the URL Rewrite module which will allow you to create custom security rules. This will protect your web apps from malicious users and overall internet security.
Perform Security Audits and Penetration Testing
Regular security audits will help you discover system weaknesses before attackers can exploit them. These will build customer trust by showing you are committed to protecting sensitive data.
Frequent audits will ensure compliance with industry regulations and avoid fines and legal issues. Identifying and fixing vulnerabilities through regular audits will minimize the financial impact of data breaches. Define clear objectives for security audits to focus on compliance, vulnerabilities, or overall security posture.
Enable TLS for Basic Authentication
TLS is required for Basic Authentication for any site or app that uses this method. TLS is disabled by default when Basic Authentication is set up.
IIS Manager will allow you to configure HTTPS bindings to enable SSL for sites that require Basic Authentication. Enable SSL in IIS by selecting ‘Require SSL’ in the SSL Settings feature of the site configuration. Enforcing SSL/TLS will make all authenticated traffic secure and prevent credential exposure.
We recommend checking out our SSL/TLS security guide to boost your server security even further.
Set Custom Error Messages
Custom error messages will prevent the exposure of sensitive data. The <httpErrors> element will allow you to define custom error responses for your site, including IIS http detailed errors. Each error is specified in an <error> element inside <httpErrors>
Response Mode will specify whether to serve static or dynamic content or redirect to another URL. Custom error messages will look professional and protect your web server from information leaks.
Disable Debugging and Tracing
Disable debugging in production environments to secure your app as it can expose sensitive application data. In production environments, set debug to false in both machine.config and web.config files.
Disable tracing in web.config to secure and prevent sensitive data exposure. Set the IIS deployment method to retail mode to remove debug and trace outputs before production deployment.
Enable HTTP Strict Transport Security (HSTS)
Enforcing HTTP Strict Transport Security (HSTS) will make your traffic secure by making encryption mandatory. HSTS will send a header from the server to the browser telling the browser how long it should remember to only connect via HTTPS. This will eliminate the need for HTTP to HTTPS redirects and will automatically enforce a secure connection in the browser.
Set max-age in HSTS header to at least 1 year. Preload will include your domain in the browser’s internal list for HSTS enforcement upon the first visit. Make sure your SSL certificate is valid and recognized by the client to fully enable HSTS.
Disable Insecure Cipher Suites
Disabling insecure SSL/TLS cipher suites is required to secure your IIS server. SSL 2 & 3 and TLS 1.0 are no longer enough for security. The NULL cipher suite should also be disabled to prevent exploitation.
To disable insecure cipher suites, modify the registry by opening Regedit and entering the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
To disable SSL 3.0, set ‘Enabled’ to ‘0’ and ‘DisabledByDefault’ to ‘1’ under the SSL 3.0 server and client registry keys.
Follow the same steps to disable TLS 1.0 and TLS 1.1. Enforce TLS 1.2 through registry settings to get robust security.
Enable Secure Cipher Suites
Enable secure cipher suites for HTTP traffic. AES 256/256 is recommended for its strength and is enabled by default on Windows Server 2019 and 2022. Audit and update your cipher suites regularly to ensure only strong ciphers like AES 256/256 are enabled.
Disable insecure cipher suites like RC4, SSLv2, and SSLv3 to secure your cryptography. Tweaking these settings will keep your web server safe.
Control Traffic with Rate Limiting for Better Security
Rate limiting is a smart way to protect your IIS server from abusive traffic, like bots trying to brute-force their way in or unexpected spikes that could slow everything down. By setting boundaries on how many requests each user can make in a given timeframe, you’ll help keep things running smoothly without overloading your server.
How to Set Up Rate Limiting in IIS
- Install the Dynamic IP Restrictions Module: Open IIS Manager, and look for “Dynamic IP Restrictions” on your server or site. If you don’t see it, you can download it from the Microsoft site to get started.
- Set Request Thresholds: Inside the module, set limits for how many requests can come from the same IP within a specific timeframe. For example, after reaching your threshold, the module can automatically block the IP and return an HTTP status code like 429 (Too Many Requests), letting users know they’ve hit the cap.
- Customize to Match Your Traffic Needs: Find a balance that works well with your app’s traffic. For sites with heavier traffic, adding a WAF (Web Application Firewall) can give you even more control over rate limits and help prevent unintentional blocking of legitimate users.
Scan Your Webserver for Misconfigurations
Using our free security scanner you will be able to evaluate the security of your webserver. Doing this is pretty easy and will only take a few seconds.
- Start by accessing our Webserver Security Test.
- Input your site in the box and click the two options below.
- Now just hit the scan button and wait a few seconds for your results.
IIS Security FAQ
Why should I keep IIS and Windows Server up to date?
You should keep IIS and Windows Server up to date because updates fix vulnerabilities, improve security, and boost server performance. This is a proactive measure to protect against new threats.
How do I enable SSL/TLS on my IIS server?
To enable SSL/TLS on your IIS server, you need to manage the SSL settings through IIS Manager and make sure a valid SSL certificate is installed. This will encrypt the data between your server and clients.
What is the benefit of application pool identities in IIS?
Using application pool identities in IIS secures your applications by isolating worker processes, gives you more control, and reduces dependency on built-in accounts. This will improve the overall security of your application pool identities in IIS.
How can dynamic IP restrictions bolster security?
Dynamic IP restrictions harden your server by temporarily blocking IP addresses that exceed specified request thresholds, so DDoS and brute force attacks are mitigated. This is a proactive measure to protect your systems from threats.
Why disable directory browsing in IIS?
Disable directory browsing in IIS to protect your server’s directory structure from unauthorized access and exploitation. This is a must for your web applications’ integrity and confidentiality.
Bottom Line
Securing your IIS web server involves many layers of protection, from keeping your software up to date to strong authentication, enabling SSL/TLS, and request filtering. Each step is essential to protect your server from threats.
By following these tips you can turn your IIS server into a robust and secure platform and your web applications will run smoothly and securely. Implement these and you’ll reduce the risk of security breaches and give your users a safer experience and yourself peace of mind.