Securing your IIS Web Server from Evil


Keeping your web servers secure has become critical. There is evil in the Internets trying to bring you down! If you are running a web application or website on IIS, there are a few tools you may want to have at your disposal.

SSL Labs

Qualys does an excellent job at providing this fantastic tool for observing websites.  You can use this tool to determine a general grade for the web application.

Website SSL Test: https://www.ssllabs.com/ssltest/analyze.html

 

Nartac – IISCrypto

This is a great tool for locking down your server. Do understand that you need to know what you're doing before using it. You can potentially lock yourself out of your own server if you are using an RDP connection. This is typically more of an issue with Windows Server 2008, due to the magic you must perform to get RDP to work with higher TLS protocols such as TLS 1.2.

 

*ABSOLUTELY NO WARRANTIES OR GUARANTEES WHEN UTILIZING THIS TOOL. 

IIS Security Configuration Tool: https://www.nartac.com/Products/IISCrypto

 

Azure Storage Issue

If you are working with Azure Storage, we found as of 2/7/2018 that if you disallow TLS 1.0 and 1.1, your IIS application will not have permission to connect to the storage location for Azure Tables or Blob storage. You will receive an authorization error. This may be corrected in the near future, but I wanted to mention it in case you run into this issue.
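An added example, not from the original post or from Nartac: a read-only PowerShell audit of the Schannel protocol settings, so the state before and after a lockdown can be recorded and the RDP and Azure Storage cases described above can be checked. It assumes the standard Schannel registry layout; the function name `Get-SchannelProtocolState` and the snapshot file name are hypothetical.

```powershell
# Read-only audit of Schannel protocol settings in the registry.
# Assumption: standard Schannel layout; a missing key or value means the
# OS default applies, so it is reported as 'OS default', not as disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {   # hypothetical helper name
    foreach ($proto in $protocols) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $proto) $role
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Enabled = 0 disables the protocol; any non-zero value enables it.
            $state = if ($null -eq $p -or $null -eq $p.Enabled) { 'OS default' } elseif ($p.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                State             = $state
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

$report = Get-SchannelProtocolState
$report | Format-Table -AutoSize

# Keep a dated snapshot so the state before a change can be compared with after.
$snapshot = Join-Path $env:TEMP ("schannel-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$report | Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Snapshot written to $snapshot"

# Flag the two situations the post warns about.
$off = $report | Where-Object { $_.State -eq 'Disabled' }
if ($off | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Role -eq 'Server' }) {
    Write-Warning 'TLS 1.0 is disabled for the Server role; confirm a new RDP session can be opened before closing the current one.'
}
# Assumption: outbound calls from the IIS application use the Client role settings.
$legacyOff = @($off | Where-Object { ($_.Protocol -in 'TLS 1.0', 'TLS 1.1') -and $_.Role -eq 'Client' })
if ($legacyOff.Count -eq 2) {
    Write-Warning 'TLS 1.0 and 1.1 are disabled for the Client role; test Azure Table/Blob access from the application.'
}
```

Run it once before changing protocol settings and once after, then compare the two CSV snapshots.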

These are only some of the tools available if you are new to hosting and securing IIS web applications, or if you have just assumed you were doing everything right. Make sure you understand what you are doing when configuring your server. Servers typically don't come secure out of the box.

 
