Hardening IIS Servers – some nifty tools

I recently needed to harden an IIS server, removing things like the IIS and ASP.NET identifiers and enforcing HTTPS, when I came across a great PowerShell (go PowerShell!) script that automates the whole process. You can download the script from https://github.com/drewhjelm/iis-hardening/blob/master/configure%20IIS%20security.ps1

*Test in a non-production environment first!*

There is only one prerequisite for deploying to IIS servers: URL Rewrite 2.0. After deploying URL Rewrite, run the PowerShell script (a reboot will be required) and it will apply the following settings:

  • Remove IIS and ASP.NET identification
  • Enforce HSTS (HTTP Strict Transport Security)
  • Enforce HTTPS (redirects all requests from HTTP to HTTPS)
  • Prevent framejacking
  • Disable insecure / weak ciphers
  • Configure SSL / TLS to meet PCI best practices
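
To confirm the first four settings took effect after the reboot, the following audit function checks a response for them. It is an added example, not part of the linked script; the function name, the sample data and the choice of header names (the page does not say which headers the script sets) are assumptions. Cipher and protocol settings are not visible in headers and are not covered here.

```powershell
# Added example: audit response headers against the settings listed above.
# Test-HardenedResponse and both samples are hypothetical/constructed.
function Test-HardenedResponse {
    param(
        [hashtable]$HttpsHeaders,  # headers returned over https://
        [int]$HttpStatus,          # status code of the plain http:// request
        [string]$HttpLocation      # Location header of the plain http:// request
    )
    $findings = @()

    # IIS / ASP.NET identification headers should be absent or blank
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version') {
        if ($HttpsHeaders.ContainsKey($name) -and $HttpsHeaders[$name]) {
            $findings += "Identifier exposed: ${name}: $($HttpsHeaders[$name])"
        }
    }

    # HSTS must be present with a non-zero max-age (max-age=0 switches HSTS off)
    $hsts = $HttpsHeaders['Strict-Transport-Security']
    if (-not $hsts) {
        $findings += 'HSTS header missing'
    } elseif ($hsts -notmatch 'max-age\s*=\s*"?(\d+)' -or [long]$Matches[1] -eq 0) {
        $findings += "HSTS max-age missing or zero: $hsts"
    }

    # Framing must be restricted by X-Frame-Options or CSP frame-ancestors
    $xfo = $HttpsHeaders['X-Frame-Options']
    $csp = $HttpsHeaders['Content-Security-Policy']
    if ($xfo -notmatch '^\s*(DENY|SAMEORIGIN)\s*$' -and $csp -notmatch 'frame-ancestors') {
        $findings += 'No framing restriction (X-Frame-Options or CSP frame-ancestors)'
    }

    # Plain HTTP must answer with a redirect to an https:// URL
    if ($HttpStatus -notin @(301, 302, 307, 308) -or $HttpLocation -notmatch '^https://') {
        $findings += "HTTP not redirected to HTTPS (status $HttpStatus)"
    }
    return $findings
}

# Constructed sample: stock-looking IIS response before hardening
$before = @{ 'Server' = 'Microsoft-IIS/8.5'; 'X-Powered-By' = 'ASP.NET'; 'X-AspNet-Version' = '4.0.30319' }
# Constructed sample: response after hardening (Server header blanked)
$after  = @{ 'Server' = ''; 'Strict-Transport-Security' = 'max-age=31536000'; 'X-Frame-Options' = 'SAMEORIGIN' }

'Before:'; @(Test-HardenedResponse -HttpsHeaders $before -HttpStatus 200 -HttpLocation '')
'After: ' + @(Test-HardenedResponse -HttpsHeaders $after -HttpStatus 301 -HttpLocation 'https://www.example.test/').Count + ' finding(s)'
```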

Another useful tool is Nartac Software IISCrypto. This tool focuses on crypto management for IIS through an easy-to-use interface, as opposed to making all the changes in the registry.

Windows Server “8” Beta released

This morning, Microsoft announced the release of the Windows Server “8” beta. Windows Server “8” is the successor to Windows Server 2008 R2 and is a member of the Windows 8 family.

Microsoft has four pillars around the release of Windows Server “8”:

– Windows Server “8” goes beyond virtualization – With this release, Microsoft is building an infrastructure capable of running much more than a simple virtual machine. Features are being built in that enable new public and private cloud based scenarios.

– Windows Server “8” brings the power of many servers and the simplicity of one – New features are added that enable users to take better advantage of commodity storage, provide simplification to server management, and provide uptime in a better and more cost-effective manner.

– Windows Server “8” is designed for every app and every cloud – Server “8” will enable flexibility in deploying applications on-premise or in the cloud or a combination thereof using similar tools and frameworks. Windows Server “8” will be highly scalable and elastic providing for better density and efficiency, as well as providing a better platform for hosting providers.

– Windows Server “8” enables the modern workstyle – Server “8” enables enterprises to offer access to corporate data and applications on any device while providing a secure and seamless experience no matter where users are in the world.

Microsoft’s Bill Laing has a post for more on Windows Server “8” that I highly suggest reading.

If you want to download and evaluate Windows Server “8”, click here