Securing default configurations in Internet Information Services

05-08-2022, 03:26 PM
You know how IIS comes out of the box on Windows Server, right? I always think it's wild that Microsoft sets it up with so many doors wide open, like they're inviting trouble. When you install IIS, it runs with a bunch of default settings that scream vulnerability, and if you're not careful, attackers just waltz in. I remember tweaking one for a client last month, and man, it took hours to lock it down properly. You have to start by looking at the app pools and making sure they don't run under high-privilege accounts, because why would you let that happen by default?

And speaking of privileges, I hate how the default worker process identity is ApplicationPoolIdentity, but it still pulls from the network service sometimes if you're not watching. You switch that to a custom low-priv account right away, create one just for IIS, and strip it of any extra rights it doesn't need. Or maybe you use the built-in IIS_IUSRS group, but limit what folders it can touch. I do this every time, assign read-only to static files and execute-only to scripts, nothing more. Then, you check the anonymous authentication-it's on by default, which is fine for public sites, but you disable it if your app needs logins, or pair it with Windows auth to keep things tight.

But wait, let's talk about the request filtering, because defaults there are a joke. IIS lets through massive requests by default, like 30MB uploads without blinking, and that opens you up to denial-of-service junk. I crank down the max allowed content length to something sane, say 4MB unless your app demands more, and block those sneaky double extensions or hidden segments that hackers love. You enable the hidden segments feature and add stuff like .config or .ini to the deny list so no one peeks at your web.config files. Also, turn on the verb filtering-defaults allow everything, so you whitelist only GET, POST, HEAD, whatever your site uses, and reject the rest.

Now, if you're running dynamic content, like ASP.NET, the defaults leave machine keys exposed or session state wide open. I always generate a new machine key in the web.config, make it validation strong, and set decryption to AES. You know, because default keys are predictable, and anyone sniffing can replay sessions. Or for session management, I ditch in-process if possible and go to State Server or SQL, but secure the timeout to 20 minutes max, and cookieless false to avoid URL leaks. Perhaps add output caching with private headers so browsers don't cache sensitive pages.

And don't get me started on the directory browsing-it's off by default, thank goodness, but you double-check because sometimes installs flip it. If it's on, attackers list your files like a catalog, so you kill that in the handler mappings. I also mess with the MIME types, remove the extras that IIS throws in, like allowing .exe downloads, because who needs that on a web server? You restrict to html, css, js, images, and your app's specifics, then set default documents to index.html or whatever, but hide the list from errors.

Then there's the HTTP features, where defaults enable trace and options verbs that probe your server. I disable TRACE entirely in the request filtering, because it echoes back inputs and helps attackers test for XSS. Or OPTIONS, if your CORS isn't set up, it reveals too much about your setup. You configure the HTTP response headers too-add X-Content-Type-Options nosniff to stop MIME sniffing, and X-Frame-Options DENY so no clickjacking. I throw in X-XSS-Protection 1; mode=block for older browsers, even though it's legacy now, just in case.

But security isn't just IIS tweaks; you tie it into Windows Defender on the server. I scan the IIS directories regularly with Defender, set real-time protection to watch %SystemRoot%\System32\inetsrv and your wwwroot. You exclude nothing unless absolutely necessary, because defaults might let malware hide in temp files. Or schedule scans for logs too, since IIS writes errors there, and attackers leave traces. I enable Defender's exploit protection for IIS processes, like w3wp.exe, to block memory corruption attempts that defaults ignore.

Also, firewall comes into play-Windows Firewall defaults block inbound, but when you open port 80 or 443 for IIS, you narrow it to just HTTP and HTTPS. I create rules specific to the site bindings, maybe IP restrict if it's not public-facing. You know, use netsh to advfirewall, but keep it simple, allow only from trusted ranges. And for SSL, defaults use HTTP redirects, but you force HTTPS everywhere with URL rewrite rules, install a proper cert from Let's Encrypt or your CA, not self-signed junk.

Perhaps you're thinking about authentication modules-defaults have anonymous and basic, but basic sends creds in base64, which is crackable. I swap to Windows Integrated or Forms with HTTPS, and if you need basic, wrap it in SSL only. Or for APIs, go with OAuth or whatever your stack uses, but disable unused modules in the features view to slim down the attack surface. You unload handlers for ISAPI if you're not using classic ASP, because those are old and leaky.

Now, logging-defaults log to W3C format in a subfolder, but I up the verbosity to medium or high to catch anomalies, without flooding the drive. You rotate logs daily, secure the folder with NTFS perms so only admins read them. And integrate with Event Viewer, where IIS dumps errors; I filter for 4xx and 5xx to spot probes. But tie that to Defender's threat detection-it flags suspicious IIS activity like rapid failed logins. Or use Advanced Threat Protection if your license allows, to correlate with network logs.

Then, updates-Microsoft patches IIS bugs all the time, and defaults leave auto-updates off. I enable Windows Update for Server, target the IIS role specifically, and test in a staging box first. You reboot quarterly at least, because unpatched IIS falls to zero-days easy. Also, disable SMBv1 if it's lingering, since IIS might interact with file shares, and that's a worm magnet.

And file system perms-defaults give IIS_IUSRS read on wwwroot, but I tighten to execute on bins and read on content, deny write everywhere except uploads folder. You use icacls to set inheritance off on sensitive dirs, like bin or App_Data. Or for shared hosting, isolate sites with app pool identities per site. I create virtual dirs only when needed, and map them to non-root paths to avoid traversal tricks.

Perhaps you're running multiple sites-IIS defaults share the same pool, but I spin up separate pools for each, recycle them on memory thresholds to prevent leaks. You set idle timeout to 20 minutes, so dormant sites don't hog resources. And CPU limits, throttle to 50% per pool if one's chatty. Or rapid-fail protection, shut down a pool after five crashes to stop DoS via errors.

But let's not forget the global config-machine.config and applicationHost.config have defaults that propagate risks. I edit applicationHost.config to disable failed request tracing unless debugging, because it logs payloads that could leak data. You secure the config files themselves, ACL them to admins only. Or use config sections locked at server level to prevent site overrides that weaken security.

Also, for static content, defaults serve from anywhere, but I move it to a dedicated partition, isolate with junctions if needed. You compress gzip by default, but exclude exes or zips to avoid inflating attacks. And caching-set kernel mode for static, but validate directives so no stale sensitive data.

Then, error pages-defaults show 404 with file paths, which reveals structure. I use custom 4xx and 5xx pages, generic ones that don't leak, and redirect 403s carefully. Or for 500s, log details but show nothing to users. You test with tools like curl to ensure no info slips.

And integration with AD-if you're using Windows auth, defaults pass-through, but I enable kernel-mode auth for speed and security. You configure delegation only for needed backends, like SQL, with constrained creds. Or for anonymous, ensure no NTLM fallback that exposes domains.

Now, on the Defender side deeper, I set exclusions sparingly-maybe temp for uploads, but scan on access. You enable ASR rules for Office, but adapt for IIS to block macros in docs if serving them. Or block credential stealing in lsass, since IIS might auth against it. I monitor with Defender for Endpoint if available, get alerts on IIS anomalies like unusual user agents.

Perhaps enable HTTP Strict Transport Security header, set to 31536000 max-age, includeSubDomains. You preload if public, to force HTTPS chain. And Content-Security-Policy, start with default-src self, block inline scripts if your app allows. I test incrementally to avoid breaking things.

Also, remove server header-defaults banner IIS version, easy fingerprint. Use URLScan or rewrite to blank it. Or X-Powered-By, strip that too. You hide ETags if not needed, to obscure file changes.

Then, for uploads, defaults allow any file, so I add virus scanning with Defender API hooks if custom, or reject by extension. You store uploads outside webroot, serve via handler. Or resize images server-side to limit bombs.

And session fixation-defaults don't protect, so I add anti-fixation in code, regenerate IDs on login. You use secure cookies, HttpOnly true, SameSite strict. Or for CSRF, tokens in forms.

But wait, global.asax or startup.cs, secure those pipelines, remove trace.axd. I disable debug in web.config, compilation debug false. You hash errors before logging if sensitive.

Also, connection limits-defaults unlimited, so I set max connections per IP to 10, timeout 120s. Use dynamic IP restrictions, ban after 5 fails. Or integrate with Fail2Ban if scripting.

Then, for SSL ciphers, defaults include weak ones like RC4. I use IISCrypto to enable only TLS 1.2+, strong suites, disable SSLv2/3. You enforce PFS with ECDHE. Or HSTS preload as said.

And backups-before changes, I snapshot the server, test restores. You version configs in git or something simple.

Perhaps audit with tools like IIS Manager's security tab, but manually verify. I script checks with PowerShell, run weekly.

Or for multi-site, use host headers securely, SNI for HTTPS. You use a cert per site if needed.

Then, Defender tamper protection on, prevent malware disabling it. I exclude IIS logs from real-time if performance hits, but scan offline.

Also, enable Windows auth auditing, log successes too for baselines. You correlate with SIEM if big setup.

But for small admins like you, start with basics, build up. I always prioritize HTTPS and perms first.

And speaking of keeping things safe long-term, you gotta back up your IIS configs and the whole server setup regularly, because one slip and you're rebuilding from scratch. That's where BackupChain Server Backup steps in as this top-notch, go-to Windows Server backup tool that's super reliable for SMBs handling self-hosted setups, private clouds, or even internet-based backups, tailored just for Hyper-V environments, Windows 11 machines, and all flavors of Windows Server plus regular PCs. No subscription nonsense either, you buy once and own it forever, and we really appreciate BackupChain sponsoring this forum chat, letting us dish out this free advice without the hassle.

bob
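The request-filtering, verb, error-page and response-header settings the post walks through, applied to one site with the WebAdministration module. This is an added example, not code from the post or from Microsoft; the site name is a constructed placeholder and the script assumes an elevated session on a server where IIS is installed.

```powershell
# Added example (not from the post): harden one IIS site per the post's settings.
# Assumes IIS installed, an elevated session, and the constructed site name below.
Import-Module WebAdministration
$SiteName = 'Default Web Site'                       # assumption: site to harden
$Site     = "IIS:\Sites\$SiteName"
$RF       = 'system.webServer/security/requestFiltering'
# Add a collection entry only when no entry with the same key exists yet; entries
# inherited from applicationHost.config would otherwise raise a duplicate error on re-runs.
function Add-IfMissing([string]$Filter, [string]$Key, [hashtable]$Entry) {
    $current = Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name Collection
    if (-not ($current | Where-Object { $_.$Key -eq $Entry[$Key] })) {
        Add-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name '.' -Value $Entry
    }
}
# Request filtering: 4 MB body cap, no double-escaped URLs, deny stray file types
Set-WebConfigurationProperty -PSPath $Site -Filter "$RF/requestLimits" `
    -Name maxAllowedContentLength -Value 4194304
Set-WebConfigurationProperty -PSPath $Site -Filter $RF -Name allowDoubleEscaping -Value $false
foreach ($ext in '.ini', '.bak', '.old', '.log') {
    Add-IfMissing "$RF/fileExtensions" 'fileExtension' @{ fileExtension = $ext; allowed = $false }
}
# Verb whitelist: anything not listed (TRACE, OPTIONS, ...) is rejected with 404
Set-WebConfigurationProperty -PSPath $Site -Filter "$RF/verbs" -Name allowUnlisted -Value $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-IfMissing "$RF/verbs" 'verb' @{ verb = $verb; allowed = $true }
}
# No directory listings; custom error pages so file paths never reach the client
Set-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/httpErrors' -Name errorMode -Value 'Custom'
# Response headers from the post; HSTS only takes effect once the site has an HTTPS binding
$Headers = [ordered]@{
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'DENY'
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
}
foreach ($h in $Headers.GetEnumerator()) {
    Add-IfMissing 'system.webServer/httpProtocol/customHeaders' 'name' @{ name = $h.Key; value = $h.Value }
}
# X-Powered-By is defined in applicationHost.config, so remove it at server level
$serverHeaders = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpProtocol/customHeaders' -Name Collection
if ($serverHeaders | Where-Object { $_.name -eq 'X-Powered-By' }) {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpProtocol/customHeaders' `
        -Name '.' -AtElement @{ name = 'X-Powered-By' }
}
```

The script is idempotent, so it can be re-run after each deployment; the server header itself (`Server: Microsoft-IIS/x.x`) is not a custom header and still needs URL Rewrite or URLScan, as the post says.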
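For the weekly PowerShell checks the post mentions, here is a read-only audit that reports every site or app pool drifting from the post's baseline. This is an added example, not the post's own script; the thresholds are the post's numbers, not IIS defaults, and it assumes IIS with the WebAdministration module.

```powershell
# Added example (not from the post): read-only baseline check over all sites and pools.
# Assumes IIS with WebAdministration; thresholds are the post's figures, not IIS defaults.
Import-Module WebAdministration
$MaxBodyBytes    = 4MB
$MaxIdle         = [TimeSpan]::FromMinutes(20)
$MaxCrashes      = 5
$RequiredHeaders = 'X-Content-Type-Options', 'X-Frame-Options', 'Strict-Transport-Security'
$RiskyIdentities = 'LocalSystem', 'LocalService'      # high-privilege worker identities

function Get-IisBaselineFindings {
    $findings = @()
    foreach ($site in Get-Website) {
        $path = "IIS:\Sites\$($site.Name)"
        $rf   = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/security/requestFiltering'
        if ($rf.requestLimits.maxAllowedContentLength -gt $MaxBodyBytes) {
            $findings += "$($site.Name): maxAllowedContentLength $($rf.requestLimits.maxAllowedContentLength) exceeds $MaxBodyBytes"
        }
        if ($rf.verbs.allowUnlisted) { $findings += "$($site.Name): unlisted verbs allowed (TRACE/OPTIONS reachable)" }
        if ((Get-WebConfiguration -PSPath $path -Filter 'system.webServer/directoryBrowse').enabled) {
            $findings += "$($site.Name): directory browsing enabled"
        }
        if ((Get-WebConfiguration -PSPath $path -Filter 'system.webServer/httpErrors').errorMode -ne 'Custom') {
            $findings += "$($site.Name): detailed error pages may leak file paths"
        }
        $headers = @((Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/httpProtocol/customHeaders' -Name Collection).name)
        foreach ($h in $RequiredHeaders) { if ($headers -notcontains $h) { $findings += "$($site.Name): missing $h" } }
        if ($headers -contains 'X-Powered-By') { $findings += "$($site.Name): X-Powered-By still advertised" }
        if (@($site.bindings.Collection.protocol) -notcontains 'https') { $findings += "$($site.Name): no HTTPS binding" }
    }
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        if ($RiskyIdentities -contains $pool.processModel.identityType) {
            $findings += "$($pool.Name): runs as $($pool.processModel.identityType)"
        }
        $idle = $pool.processModel.idleTimeout       # zero means the pool never idles out
        if ($idle -eq [TimeSpan]::Zero -or $idle -gt $MaxIdle) { $findings += "$($pool.Name): idle timeout $idle" }
        if (-not $pool.failure.rapidFailProtection -or $pool.failure.rapidFailProtectionMaxCrashes -gt $MaxCrashes) {
            $findings += "$($pool.Name): rapid-fail protection weaker than $MaxCrashes crashes"
        }
    }
    return $findings
}

$findings = Get-IisBaselineFindings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All sites and pools match the baseline.' }
```

Schedule it as a weekly task and pipe the findings to a file or SIEM; it changes nothing, so it is safe to run against production.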