IIS Settings for OWASP
This section provides recommendations to address findings that a web application scanner checking for Open Web Application Security Project (OWASP) concerns may report for your IIS web server.
For some of the fixes listed here, you will need to install the IIS URL Rewrite module, available at http://www.iis.net/downloads/microsoft/url-rewrite.
- The tasks performed in the IIS Manager should be done at the default website level (i.e., in the Connections pane, open the Sites node under the server name and click Default Web Site).
- Alternatively, the model web.config code summarizes the changes made in the IIS Manager (see Default web.config Changes).
Note: If you make these changes directly in the web.config file in the root folder of your SEP website, you can skip the IIS Manager steps below that set the same values. The registry change under Microsoft IIS Version Disclosure and the server variables added through View Server Variables are server-level settings and cannot be made in the site web.config.
Web Server Default Welcome Page
From the wwwroot directory, remove iisstart.htm, welcome.png (named iisstart.png on newer IIS versions) and the aspnet_client folder. These default files identify the server as IIS and have no place on a production site.
Clickjacking: X-Frame-Options Header Missing
- In the IIS Manager Home page, double-click HTTP Response Headers.
- In the Actions area, click Add. Enter X-Frame-Options as the name and SAMEORIGIN as the value.
OPTIONS Method Is Enabled
- In the IIS Manager Home page, double-click Request Filtering.
- On the HTTP Verbs tab, click Deny Verb in the Actions area and enter OPTIONS in the Deny Verb window. IIS answers a denied verb with HTTP 404.6 (Verb denied), so an OPTIONS request no longer reveals the allowed methods.
Microsoft IIS Version Disclosure
- In the following Registry key, create a DWORD entry named DisableServerHeader and set its value to 1, then restart the HTTP service (or reboot the server): HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. HTTP.sys honors this value on Windows Server 2016 version 1709 and later; on older versions it is the URL Rewrite rule below that removes the header, and the rule is harmless on newer ones.
- In the IIS Manager Home page, double-click URL Rewrite.
- In the Actions area, click View Server Variables, then click Add and enter RESPONSE_SERVER in the text box.
- Add an outbound rule to rewrite the RESPONSE_SERVER server variable as blank.
- In the Actions area, click Back to Rules and then click Add Rule(s).
- In the Add Rule(s) window, click Blank rule in the Outbound rules category and click OK.
- Create the outbound rule using the following settings:
  - Name: Response Server
  - Precondition: None
  - Matching scope: Server Variable
  - Variable name: RESPONSE_SERVER
  - Variable value: Matches the Pattern
  - Using: Regular Expressions
  - Pattern: .+
  - Action type: Rewrite
  - Action Properties:
    - Value: <leave this field empty>
    - Replace existing server variable value: Selected
ASP .NET Version Disclosure
- In the IIS Manager Home page, double-click URL Rewrite.
- In the Actions area, click View Server Variables, then click Add and enter RESPONSE_X-ASPNET-VERSION in the text box.
- Add an outbound rule to rewrite the RESPONSE_X-ASPNET-VERSION server variable as blank.
- In the Actions area, click Back to Rules and then click Add Rule(s).
- In the Add Rule(s) window, click Blank rule in the Outbound rules category and click OK.
- Create the outbound rule using the following settings:
  - Name: x-ASPNet
  - Precondition: None
  - Matching scope: Server Variable
  - Variable name: RESPONSE_X-ASPNET-VERSION
  - Variable value: Matches the Pattern
  - Using: Regular Expressions
  - Pattern: .+
  - Action type: Rewrite
  - Action Properties:
    - Value: <leave this field empty>
    - Replace existing server variable value: Selected
X-Powered-By Header
- In the IIS Manager Home page, double-click HTTP Response Headers.
- Select the X-Powered-By header (inherited from the server level) and click Remove. This records a remove entry for the site that overrides the server-level header.
- In the IIS Manager Home page, double-click URL Rewrite.
- In the Actions area, click View Server Variables, then click Add and enter RESPONSE_X-POWERED-BY in the text box.
- Add an outbound rule to rewrite the RESPONSE_X-POWERED-BY server variable as blank.
- In the Actions area, click Back to Rules and then click Add Rule(s).
- In the Add Rule(s) window, click Blank rule in the Outbound rules category and click OK.
- Create the outbound rule using the following settings:
  - Name: X-Powered
  - Precondition: None
  - Matching scope: Server Variable
  - Variable name: RESPONSE_X-POWERED-BY
  - Variable value: Matches the Pattern
  - Using: Regular Expressions
  - Pattern: .+
  - Action type: Rewrite
  - Action Properties:
    - Value: <leave this field empty>
    - Replace existing server variable value: Selected
Custom Errors
- In the IIS Manager, open the Configuration Editor.
- In the Section drop-down list, choose system.web/customErrors.
- Set Mode to RemoteOnly. Detailed ASP.NET error pages (stack traces, file paths, framework version) are then shown only to a browser running on the server itself; remote clients receive the generic error page.
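The IIS Manager steps above, consolidated into one site-level web.config for the Default Web Site. This is an added example, not the page's own Default web.config Changes model; it is built from the settings named in the steps. One element is an addition to those steps: the httpRuntime enableVersionHeader="false" setting, which stops ASP.NET from emitting X-AspNet-Version at the source and is included alongside the outbound rule as belt and braces. The outbound rules only work if the three RESPONSE_ server variables have been added through View Server Variables, which writes `<rewrite><allowedServerVariables><add name="RESPONSE_SERVER" /></allowedServerVariables></rewrite>` (and the two other names) into applicationHost.config, since that collection cannot be set in a site web.config. The DisableServerHeader registry value is likewise outside this file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Custom Errors: detailed error pages only for requests from the server itself -->
    <customErrors mode="RemoteOnly" />
    <!-- Added beyond the steps above: suppress X-AspNet-Version at the source
         instead of relying solely on the outbound rewrite rule -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By Header: drop the value inherited from applicationHost.config -->
        <remove name="X-Powered-By" />
        <!-- Clickjacking: X-Frame-Options Header Missing -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <verbs>
          <!-- OPTIONS Method Is Enabled: IIS answers a denied verb with 404.6 -->
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    <rewrite>
      <!-- Each rule blanks a response header after the handler has set it.
           The matched variables must be listed under allowedServerVariables
           in applicationHost.config (View Server Variables > Add in IIS Manager). -->
      <outboundRules>
        <!-- Microsoft IIS Version Disclosure -->
        <rule name="Response Server">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <!-- ASP .NET Version Disclosure -->
        <rule name="x-ASPNet">
          <match serverVariable="RESPONSE_X-ASPNET-VERSION" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <!-- X-Powered-By Header: catches handlers that add it after customHeaders ran -->
        <rule name="X-Powered">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving the file (IIS picks up web.config changes without a restart; the registry change needs the HTTP service restarted), confirm the result from a remote client: a HEAD or GET request should return X-Frame-Options: SAMEORIGIN and no Server, X-Powered-By or X-AspNet-Version headers, and an OPTIONS request should be refused with a 404 rather than answered with an Allow header. Run the scan again afterwards, since a reverse proxy or load balancer in front of IIS can re-add a Server header of its own.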