Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: ConservativeMind

Interesting.

https://www.acunetix.com/blog/articles/iis-security-best-practices/

Hadn’t delved into that prior. Hmmm...


16 posted on 04/12/2025 2:27:10 PM PDT by logi_cal869 (-cynicus the "concern troll" a/o 10/03/2018 /!i!! &@$%&*(@ -)
[ Post Reply | Private Reply | To 2 | View Replies ]


To: logi_cal869

Thank you for sharing that...

1. Move the Inetpub Folder to a Different Drive

The Inetpub folder is the default location for your web content, IIS logs, and so on. By default, IIS 7 and newer versions install the Inetpub folder on the system drive. It’s good practice to move the Inetpub folder to a different partition of the file system so that the web content is separate from the operating system.

This folder can be moved after IIS installation is completed. Thomas Deml, IIS Lead Program Manager, provided this batch file to help with the move.

3. Disable the OPTIONS Method

The OPTIONS method provides a list of methods that are supported by the web server. Although this might seem beneficial, it also provides useful information to the attacker at the reconnaissance stage. Therefore, we recommend that you disable the OPTIONS method completely. This can be done by denying the OPTIONS verb in HTTP verb request filtering rules in IIS.

4. Enable Dynamic IP Address Restrictions

The Dynamic IP Restrictions module helps to block access to IP addresses that exceed a specified number of requests and thus helps prevent denial-of-service (DoS) attacks. This module will inspect the IP address of each request sent to the web server and will filter these requests in order to temporarily deny IP addresses that follow a particular attack pattern.

The Dynamic IP Restrictions module can be configured to block IP addresses after a number of concurrent requests or to block IP addresses that perform a number of requests over a period of time. Depending on your IIS version you will need to enable either the IP Security feature or the IP and Domain Restrictions as explained in this Microsoft article.

5. Enable and Configure Request Filtering Rules

It is also a good idea to restrict the types of HTTP requests that are processed by IIS. Setting up exclusions and rules can prevent potentially harmful requests from passing through to the server since IIS can block these requests on the basis of the request filtering rules defined.

6. Enable Logging

After you configure IIS logging, you will be able to log various information from HTTP requests received by the server. This will come in handy and can give a better understanding of issues that might have occurred on your website when things go wrong. It’s the place where you will start the troubleshooting process in such situations.

7. Use the Security Configuration Wizard (SCW) and the Security Compliance Manager (SCM)

Both of these Microsoft tools can be used to test your IIS security. The Security Configuration Wizard (SCW) runs different checks and provides advice and recommendations on how to boost your server security. The Security Compliance Manager (SCM) tool performs security tests on your server and compares server configurations to predefined templates as per industry best practices and security guide recommendations. (Still trusting MS)


20 posted on 04/12/2025 2:35:47 PM PDT by Openurmind
[ Post Reply | Private Reply | To 16 | View Replies ]
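The list pasted above is a checklist rather than a set of commands. The block below is an added example, not code from the Acunetix article or from either poster, showing how items 1, 3, 4, 5 and 6 are applied from an elevated PowerShell session with the WebAdministration module that ships with IIS. It assumes IIS 8 or later on Windows Server (Dynamic IP Restrictions is built in from IIS 8; on IIS 7.x it is a separate download); the site name "Default Web Site", the D: data drive, the denied extension list and every numeric threshold are assumptions to adapt. Item 7 (SCW/SCM) is not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Acunetix article or the forum post): applying items 1, 3, 4, 5
# and 6 of the checklist with the WebAdministration module. Assumes IIS 8+ on Windows Server;
# the site name, the D: data drive and every numeric threshold below are assumptions.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                                            # assumption
$DataRoot = 'D:\inetpub'                                                  # assumption: non-system drive
$site     = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName } # applicationHost.config, <location> for this site

# Optional features the settings below depend on (request filtering, IP restrictions, logging).
Install-WindowsFeature Web-Filtering, Web-IP-Security, Web-Http-Logging | Out-Null

# 1. Serve content from the data drive. The article's batch file moves the whole tree; this only
#    repoints the site root, so copy the content and grant IIS_IUSRS read access on it first.
New-Item -ItemType Directory -Path "$DataRoot\wwwroot", "$DataRoot\logs" -Force | Out-Null
Set-ItemProperty "IIS:\Sites\$SiteName" -Name physicalPath -Value "$DataRoot\wwwroot"

# 3. Deny OPTIONS (and TRACE, which leaks the same kind of information) through request filtering.
#    Request filtering answers a denied verb with HTTP 404, sub-status 6 ("Verb denied").
foreach ($verb in 'OPTIONS', 'TRACE') {
    Add-WebConfigurationProperty @site -Filter 'system.webServer/security/requestFiltering/verbs' `
        -Name '.' -Value @{ verb = $verb; allowed = 'False' }
}

# 4. Dynamic IP Restrictions: deny by concurrent requests and by request rate. Set
#    enableLoggingOnlyMode to $true first to tune the thresholds from the logs before enforcing.
$dyn = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty @site -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty @site -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
Set-WebConfigurationProperty @site -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty @site -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value 200
Set-WebConfigurationProperty @site -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000
Set-WebConfigurationProperty @site -Filter $dyn -Name enableLoggingOnlyMode -Value $false
# Behind a reverse proxy or load balancer every client shares the proxy's IP and the module would
# throttle the proxy itself; enableProxyMode makes it read X-Forwarded-For instead. Only trust that
# header when a proxy you control sets it, so it stays off here.
Set-WebConfigurationProperty @site -Filter $dyn -Name enableProxyMode -Value $false

# 5. Request filtering: size limits, no serving of backup/script files, hide a VCS directory.
#    (.config, .cs, bin, web.config and similar are already denied by the IIS defaults.)
$rf = 'system.webServer/security/requestFiltering'
Set-WebConfigurationProperty @site -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 30000000
Set-WebConfigurationProperty @site -Filter "$rf/requestLimits" -Name maxUrl -Value 4096
Set-WebConfigurationProperty @site -Filter "$rf/requestLimits" -Name maxQueryString -Value 2048
foreach ($ext in '.bak', '.old', '.orig', '.sql', '.ps1') {   # assumption: extensions never meant to be served
    Add-WebConfigurationProperty @site -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = $ext; allowed = 'False' }
}
Add-WebConfigurationProperty @site -Filter "$rf/hiddenSegments" -Name '.' -Value @{ segment = '.git' }

# 6. Logging: W3C logs on the data drive, daily rollover, with the fields an incident responder
#    needs. HttpSubStatus is what distinguishes a 404.6 verb denial from a plain 404 in the log.
$log = "system.applicationHost/sites/site[@name='$SiteName']/logFile"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $log -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $log -Name directory -Value "$DataRoot\logs"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $log -Name logFormat -Value W3C
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $log -Name period -Value Daily
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $log -Name logExtFileFlags -Value `
    'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,UserAgent,Referer'

# Check: the denied verb must now come back as 404 (sc-substatus 6 in the new log file), not 200.
$resp = try { Invoke-WebRequest -Uri 'http://localhost/' -Method Options -UseBasicParsing } catch { $_.Exception.Response }
'OPTIONS / -> HTTP {0}' -f [int]$resp.StatusCode
Get-WebConfiguration @site -Filter "$rf/verbs/add" | Select-Object verb, allowed
```

Using `-Location` writes these settings into a `<location path="Default Web Site">` block of applicationHost.config rather than into the site's own web.config, so an application deploy that overwrites web.config cannot quietly undo them. The physicalPath change does not copy anything: move the content (robocopy with `/COPYALL`, or the batch file the article refers to) and confirm the application pool identity and IIS_IUSRS can read the new root before the change, or the site will start serving 500.19 errors.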



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson