I was recently in need of the ability to harden an IIS server to remove things like the IIS and ASP.NET identifiers as well as enforce HTTPS, when I came across a great Powershell (go Powershell!) script that automates the whole process. You can download the script from https://github.com/drewhjelm/iis-hardening/blob/master/configure%20IIS%20security.ps1
*Test in a non-production environment first!*
There is only one prerequisite to deploy to IIS servers and that is URL Rewrite 2.0. After deploying URL Rewrite, run the Powershell Script (reboot will be required) and it will set the following settings:
- Remove IIS and ASP.NET identification
- Enforce HSTS (HTTP Strict Transport Security)
- Enforce HTTPS (redirects all requests from HTTP to HTTPS)
- Prevent framejacking
- Disables insecure / weak ciphers
- Configures SSL / TLS to meet PCI best practices
Another useful tool is Nartac Software IISCrypto. This tool focuses on crypto management of IIS in an easy to use interface as opposed to making all changes in the registry.
Tom on Tech 