How To Fix IIS Vulnerabilities

Introduction:

Internet Information Services (IIS) is a robust Microsoft product used as a web server by many well-known enterprises. The IIS web server runs on the Microsoft .NET platform on Windows. It is a versatile and stable application that has been in use for many years. Despite its versatility, IIS is not widely known for its security.

However, in recent years Microsoft has succeeded in releasing a more stable and secure platform. IIS 8.5 for Windows Server 2012 R2 and IIS 10 for Windows Server 2016 have been hardened and no longer ship with the dangerous default configurations of older IIS versions, but they can still be tightened further. Here we present the configurations and additional tips to secure various versions of IIS.

VULNERABILITIES:

  • Directory Listing/Directory Browsing
  • METHODS
  • X-Frame-Options
  • Server version
  • ASP.NET and X-Powered-By version
  • HTTPS implementation
  • Strict-Transport-Security
  • X-XSS-Protection
  • CSP
  • Improper error handling
  • ViewState unencrypted
  • Host Header Injection
  • Weak SSL/TLS ciphers
  • Cookie Attributes

Requirements:

Note: Kindly restart the server after installing the URL Rewrite Module.

1. Directory Listing/Directory Browsing

The screenshot below shows that the directories are listed:

Go to IIS Manager, select your website and then select Directory Browsing as shown below:

On the right side there is a Disable button. Select it.

We can see that directory browsing has now been disabled.

Now select Directory Browsing and click the Restart button on the right side as shown below:

The directories are no longer accessible.

2. METHODS

To disable methods such as OPTIONS, TRACE, DELETE etc.:

Go to IIS Manager, select your website and then select Request Filtering as shown below:

Now click on HTTP Verbs; on the right side we can see Allow Verb and Deny Verb:

Select Deny Verb, type OPTIONS and then click OK.

Similarly, we can add Allow Verbs as shown below:

The screenshot below shows that the OPTIONS method is now disabled (404 NOT FOUND):

Another method is to open the web.config file and write the highlighted rule as shown below:

Note: Restart the Request Filtering module after the change. The web.config file is created when the website is loaded into IIS Manager and is located in the folder from which the application is served.
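Sections 1 and 2 as one web.config fragment, added here as an example (it is not the rule from the page's screenshot): directory browsing off, and request filtering denying the verbs named above, with the allow-list variant kept as a commented alternative. The file goes in the site's root folder, as the note says.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Section 1: never list folder contents when no default document exists -->
    <directoryBrowse enabled="false" />

    <security>
      <requestFiltering>
        <!-- Section 2, deny-list variant ("Deny Verb" in IIS Manager): every verb is
             allowed unless listed here. A denied verb is answered with HTTP 404,
             substatus 404.6 "Verb denied", which is the 404 seen on the page. -->
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
          <add verb="TRACE"   allowed="false" />
          <add verb="DELETE"  allowed="false" />
        </verbs>

        <!-- Allow-list variant ("Allow Verb" in IIS Manager): only the listed verbs
             pass. Use one variant or the other, not both.
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        -->
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Denying OPTIONS also blocks CORS preflight requests, so leave that verb allowed if the site serves cross-origin API clients.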

3. X-Frame-Options:

The screenshot below shows that X-Frame-Options is set to SAMEORIGIN:

Go to IIS Manager, select your website and then select HTTP Response Headers:

Here we can see that X-Frame-Options is set to SAMEORIGIN and we have to change it to DENY.

Select X-Frame-Options and on the right click Edit, then set it to DENY as shown below:

Restart the HTTP Response Headers module so that the changes take effect.

X-Frame-Options is now set to DENY.

Another method is to make the change in the web.config file as shown below:

Locate X-Frame-Options and change the value from SAMEORIGIN to DENY:

After making the change, save the file and restart the server:

X-Frame-Options is now set to DENY:

4. Server version disclosure:

The screenshot below shows that the server version is disclosed.

Select your website and click on URL Rewrite:

In the URL Rewrite module, at the top right there is View Server Variables; click on it.

Then click Add at the top right and add the server variable RESPONSE_SERVER.

Then go back to the URL Rewrite module and click Add Rule(s) in the top right corner; the following window will appear as shown below:

Then click on Blank Rule:

Select the tabs shown in the screenshot below, make sure to select RESPONSE_SERVER (the server variable we created) with the pattern .* and then click OK:

The new rule for hiding the server banner in the response has been created; now restart the server completely so that the changes take effect.

We can see that the server banner is hidden in the response.

5. ASP.NET version disclosure:

The screenshot below shows that the ASP.NET version is disclosed:

Go to IIS Manager, select your website and then select HTTP Response Headers:

Select X-Powered-By and click the Remove button in the top right corner:

Now restart the HTTP Response Headers module so that the changes take effect.

Note: Another method is to set the header to a value that discloses no version number.

The ASP.NET version is no longer disclosed.

6. HTTPS implementation:

The screenshot below shows that the website is running on HTTP:

Go to IIS Manager and select the PC name (in my case it is MARK3-PC) above Application Pools, where all server settings are managed, and then click on Server Certificates.

Now click on Create Self-Signed Certificate in the top right corner:

Give the certificate a name, e.g. www.domain.com, as shown below and click OK:

The server certificate has now been created:

Now select your website and then select Bindings in the top right corner.

Then click Add, fill in the fields as in the following screenshot and select the certificate we created.

We can see that HTTPS has been added; click Close and restart the server.

We can see at the middle right that the HTTPS binding has been created.

We can see that the website runs on HTTPS:

7. Strict-Transport-Security

The screenshot below shows that Strict-Transport-Security has not been set:

Go to IIS Manager, select your website and then select HTTP Response Headers:

Then click Add in the top right corner.

Set the name and value of the header as shown below, click OK and then restart the HTTP Response Headers module:

Now we can see that Strict-Transport-Security has been set:

8. X-XSS-Protection

The screenshot below shows that X-XSS-Protection has not been set:

Go to IIS Manager, select your website and then select HTTP Response Headers:

Set the name and value of the header as shown below, click OK and then restart the HTTP Response Headers module:

Now we can see that X-XSS-Protection has been set:

9. Content-Security-Policy:

The screenshot below shows that the CSP has not been set:

Add this to the web.config file and restart the server, or else add the header from the HTTP Response Headers module.

Note: If the CSP is not configured properly, the website can break or face login issues.

We can see that the CSP has been set:
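Sections 3, 5, 7, 8 and 9 all land in the same place in web.config, the httpProtocol/customHeaders collection, so this added fragment (my example, not the content of the page's screenshots; the header values are assumptions) sets them together. The HSTS header's registered name is Strict-Transport-Security, and it should go live only once the site is served with a certificate that clients trust, because browsers refuse to let users click past certificate warnings on an HSTS host; the self-signed certificate from section 6 is for testing only.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Section 5: X-Powered-By carries no version number; the version itself is in the
         X-AspNet-Version header, which httpRuntime controls -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Section 5: X-Powered-By is inherited from applicationHost.config, so it has
             to be removed explicitly rather than just left out -->
        <remove name="X-Powered-By" />

        <!-- Section 3: DENY also stops the site framing itself; use SAMEORIGIN if it does -->
        <add name="X-Frame-Options" value="DENY" />

        <!-- Section 7: one year, the minimum the HSTS preload list accepts -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

        <!-- Section 8: legacy filter that current browsers ignore; CSP below is the
             mitigation that actually applies -->
        <add name="X-XSS-Protection" value="1; mode=block" />

        <!-- Section 9: start restrictive and loosen per source once the browser console
             shows what the application really loads (see the page's note on breakage) -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Deploy the policy first under the header name Content-Security-Policy-Report-Only; it then logs violations in the browser console without blocking anything, which avoids the login problems the note warns about.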

10. Improper error handling:

The screenshot below shows the error page, which we can customize.

Go to IIS Manager, select your website and then select Error Pages:

We can see that each status code has a path associated with it, which is the server's error page for that code.

For example, status code 404 has its own path, and when a 404 error occurs the information revealed is whatever that path serves.

Here we can set the path of the designed error page or redirect to a new URL by selecting one of the following options:

Note: The customized error page should be kept in the website's folder and a proper path should be given for each status code.

The error page is kept inside the website folder as shown below:

Another method is to open the web.config file, write the code below and restart the server; this redirects the particular status code to the customized error page.

The customized error page for the 404 status code.

11. ViewState unencrypted:

The screenshot below shows that the ViewState is unencrypted:

Go to the website's web.config file and change the code highlighted below:

In the highlighted code above, add viewStateEncryptionMode="Always" and restart the server.
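Sections 10 and 11 as one added web.config example (mine, not the page's screenshot code; the error page paths under /errors/ are assumed). IIS and ASP.NET produce errors independently, so both httpErrors and customErrors have to point at the custom pages or one of them will still leak details.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Section 10, ASP.NET errors (exceptions thrown by the application):
         RemoteOnly keeps the stack trace page for local debugging but never
         sends it to remote clients -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/errors/error.html">
      <error statusCode="404" redirect="~/errors/404.html" />
      <error statusCode="500" redirect="~/errors/error.html" />
    </customErrors>

    <!-- Section 11: encrypt ViewState on every page and keep the MAC check on -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
  </system.web>

  <system.webServer>
    <!-- Section 10, IIS errors (static files, request filtering, missing handlers):
         errorMode="Custom" hides detailed IIS errors from local clients as well;
         existingResponse="Replace" swaps out any body a module already produced -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" />
      <error statusCode="404" path="/errors/404.html" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="/errors/error.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

The pages themselves must live under the site folder (here /errors/), as the note above says, and must not echo request data back into the response.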

12. Host Header Injection

URL Rewrite rules can be used to catch malicious Host headers:

  • Click on the site in IIS Manager
  • Go to “URL Rewrite”
  • Click “Add Rule(s)”
  • Select “Blank rule”
  • In the “Match URL” section, enter (.) into the “Pattern” field
  • In the “Conditions” section, click “Add”
  • Enter {HTTP_HOST} into “Condition input”
  • Select “Does Not Match the Pattern” from the “Check if input string” list
  • Enter ^([a-zA-Z0-9-_]+.)domain.com$ into the “Pattern” field (replace the domain name with yours)
  • In the “Action” section, select “Redirect” from the “Action type” list
  • Enter your domain address (https://domain.com/) in the “Redirect URL” field
  • Select “Permanent (301)” from the “Redirect type” list
  • Click “Apply”

To fix the host header injection:

Click on the site in IIS Manager and then go to URL Rewrite:

Then click Add Rule(s) and then Inbound Blank rule as shown below:

Give the rule the name Host Header Validation and the pattern . (dot)

Then scroll down in the same rule, click on Conditions and add a condition:

The condition is as follows:

After writing the condition, click OK.

Now scroll further down in the same rule and select the options shown below:

Then apply the rule and restart the URL Rewrite module; we can see the rule below:

Alternate method: Select the website, click on Bindings in the top right corner, set the Host name to your website name as shown below and restart the server.

Note: This method does not always work; it varies from server to server.
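Sections 4 and 12 both end up in the URL Rewrite section of web.config, so here is one added example (mine, not the page's screenshot rules) covering both; domain.com stands for your own host name. Compared with the pattern in the steps above, the dots are escaped so they match only a literal dot, the hyphen is placed last in the character class so it is literal, and the underscore is dropped because host names cannot contain one.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Section 4, IIS 10 only: drop the Server header at the source, no rewrite needed -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>

    <rewrite>
      <!-- Section 12: accept only domain.com and its subdomains in the Host header.
           negate="true" is the "Does Not Match the Pattern" choice in IIS Manager;
           anything else is sent to the canonical host, keeping the requested path. -->
      <rules>
        <rule name="Host Header Validation" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^([a-z0-9-]+\.)*domain\.com$" negate="true" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://domain.com/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>

      <!-- Section 4, IIS 8.5 and older: blank the Server banner through the
           RESPONSE_SERVER variable the page registers under View Server Variables
           (it must be in allowedServerVariables or the rule is rejected) -->
      <outboundRules>
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Where the alternate method works, an explicit host name on the site binding is the stronger fix, since requests for unknown hosts then never reach the site at all; the rewrite rule is the fallback for servers where it does not.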

13. Weak SSL/TLS ciphers

  • Click Start, click Run, type regedt32 or regedit, and then click OK.
  • In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
  • On the Edit menu, click Add Value.
  • In the Data Type list, click DWORD.
  • In the Value Name box, type Enabled, and then click OK.
    Note: If this value is present, double-click the value to edit its current value.
  • Type 00000000 in the Binary Editor to set the value of the new key to “0”.
  • Click OK. Restart the computer.

Go to regedit, select the highlighted path shown below and from there enable or disable the weak ciphers.

To enable a particular cipher, double-click on it and set the value to “Enable”.

14. Cookie Attributes

The main attributes are Secure, HttpOnly and Path. Since my application does not have cookies, because it is not an ASP.NET application, the following remediation will work on them.

A. Secure attribute:

Add this to the web.config file and restart the server:

<configuration>
  <system.web>
    <!-- Force secure connections for all cookies -->
    <httpCookies requireSSL="true" />
  </system.web>
</configuration>

B. HttpOnly attribute:

Add this to the web.config file and restart the server:

<configuration>
  <system.web>
    <!-- Prevent client script from reading cookies -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>

C. Path attribute:

Add this to the web.config file and restart the server:

<configuration>
  <appSettings>
    <add key="UserDefiniedCookiePathFilter"
         value="/VirtualDirectoryToFilter" />
  </appSettings>
</configuration>

D. SameSite to avoid cross-site request forgery:
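Parts A, B and D combined into one added web.config example (mine, not the page's own fragments), since httpCookies takes all three settings on one element; the SameSite attributes require .NET Framework 4.7.2 or later. The appSettings key shown under part C does not appear in the ASP.NET configuration schema, so on its own it changes nothing unless the application's own code reads it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- requireSSL marks every cookie Secure (forms authentication then refuses to
         issue its cookie over plain HTTP, so section 6 must be in place first);
         httpOnlyCookies keeps them away from script; sameSite stops the browser
         attaching them to cross-site requests, which is the CSRF mitigation part D asks for -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" sameSite="Lax" />

    <!-- The ASP.NET session cookie has its own SameSite switch (also 4.7.2 and later) -->
    <sessionState cookieSameSite="Lax" />
  </system.web>
</configuration>
```

Use Strict instead of Lax only if the application is never entered from a link on another site, because Strict also drops the cookie on ordinary top-level navigations from elsewhere.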

Conclusion:

Overall, the modular nature of IIS gives enterprises granular control over security and server resources. However, depending on the person configuring the server, this can lead either to a more secure web application or to a very vulnerable one. All the security mechanisms discussed in this blog require careful management; qSEAp offers such services for enterprises and makes the task easy for you. Want to secure your server? Contact us here: https://qseap.com/contact-us/
