Latest Discussions
IIS hardening with CIS standards - tools and options
Hello IIS experts. Please suggest the best strategy for hardening an on-prem IIS farm to CIS standards. I'm also interested in a recurring audit of the results. There are a number of commercial products allowing you to scan IIS for CIS Benchmarks. The latest "CIS Benchmark for Microsoft IIS 10" is available to download in PDF format free of charge at https://www.cisecurity.org/cis-benchmarks/. However, in this instance CIS does not offer a "Build kit". Depending on the product to be hardened, a CIS "build kit" can be a set of scripts, a GPO policy or similar to allow rapid hardening deployment. Since there is no official build kit I'm looking for alternatives. Can you please share your experience on this subject? I found a few blogs but those are quite old.
Sergg, Sep 03, 2021, Iron Contributor. 11K Views, 0 likes, 6 Comments.

Disabling Certificate Revocation List (CRL) Caching on IIS 10.0
Background
Hello, community members! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch the updated version of the CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke a client certificate, publish the latest CRL on my CA and want IIS to check the latest information.

Setup
What I completed as a setup step:
1. Exported the root CA certificate and installed it on my computer by following these articles: HTTP Error 403.16 when you access a website - Internet Information Services | Microsoft Learn and Export Root Certification Authority Certificate - Windows Server | Microsoft Learn.
2. Set "Accept" for client certificates on IIS.
3. Checked the following materials about IIS CRL settings: CRL checking by IIS - Microsoft Community Hub, HTTP_SERVICE_CONFIG_SSL_PARAM (http.h) - Win32 apps | Microsoft Learn, Disable Client Certificate Revocation (CRL) Check on IIS | Microsoft Learn.

Actions
What I am trying to do to disable CRL caching on IIS:
1. Delete the existing SSL binding for my website:
   netsh http delete sslcert ipport=0.0.0.0:3010
2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it (see bold text):
   netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000
   The bold parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
3. Verify that the information has been updated. If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have a valid cached CRL on the server. It ignores the cached CRL completely.
4. Restart IIS or reboot the machine: iisreset
5. Clear the CRL cache: certutil -urlcache crl delete
6. Publish a new CRL and verify that it doesn't contain our certificate.
7. Send the not-revoked certificate: a 403 status has been returned by IIS. This means that IIS uses the cached CRL and the above-mentioned settings for IIS don't work. If I disable CRL checking it works: verifyclientcertrevocation=disable. The CRL is reachable.

Question
What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download the CRL each time I make a request to it.
6.7K Views, 0 likes, 2 Comments.

Windows authentication with IIS
Can someone more familiar with IIS provide a link or a technical document that explains how to set up an IIS 10 server to reliably use Windows Authentication? I have two IIS servers, one which was set up by a previous admin, where I can open the site and my Windows credentials are recognized. The second site, where I've tried to duplicate the settings seen on the first, always presents the username/password challenge.
Replicant, Jan 30, 2023, Copper Contributor. 4.9K Views, 0 likes, 1 Comment.

Using IIS URL Rewrite module for HTTP to HTTPS
I have installed the URL Rewrite module in IIS 10 to redirect HTTP calls to HTTPS, and I have attempted to set up the redirect but have not gotten it working on one server. Here is the issue: Server1 with IP 1.1.1.1 is running IIS with an HTTPS-enabled website. An outside DNS has assigned gohere.com to IP 1.1.1.1. When users attempt to get to http://gohere.com the connection times out and it is not redirected to https://gohere.com. Accessing https://gohere.com works without an issue. Here is the rewrite code from the web.config file.

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS" patternSyntax="Wildcard" stopProcessing="true">
      <match url="http://gohere.com*" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://gohere.com" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>

I have also tried using match url=".*". Any ideas on what might be causing the issue? Or something to try to get it working? Thanks! Jim
Jim_P23, Feb 01, 2023, Copper Contributor. 3.3K Views, 0 likes, 2 Comments.

IIS Authentication Error
IIS is displaying the Authentication status as "retrieving status..." for all the groups. When I tried to disable them, a pop-up error (attached below) is displayed. I tried removing the authentication tag in web.config and it's not working. I tried removing the security tag and it's still not working. It was working two days back with the same config file.
nannuriabhi2000, Oct 20, 2021, Copper Contributor. 3K Views, 0 likes, 0 Comments.

How to prevent Malicious HTTP Redirections on an Exchange server
Hello All! I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP addresses redirect any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server does not pass a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation". As a solution, they recommended whitelisting domains, i.e. only allowing permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server whose default website is the Exchange OWA. Every time I try to implement a rule in IIS (see: https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS", presumably because of Exchange's automatic OWA redirection. Is there a way I can prevent malicious HTTP redirections without breaking OWA? To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com and vpn.otherdomain.com; obviously one is meant for mail and the other one is meant for VPN access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.
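An added web.config fragment, written for this thread rather than taken from either post or from Microsoft, that covers the two URL Rewrite questions above: rejecting requests whose Host header is not the expected name (the Exchange post), and redirecting HTTP to HTTPS while keeping the requested path (the gohere.com post). The host name mail.domain.com comes from the post; the rule names, the 400 response text and the optional internal-FQDN placeholder are my assumptions.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: serve only the canonical host name. A request whose Host
             header is an IP address, an unrelated name, or a forged value gets
             a 400 and processing stops, so nothing later in the pipeline can
             build a redirect from it. Answering directly instead of redirecting
             avoids the loop seen when a redirect rule meets Exchange's own
             OWA redirect. -->
        <rule name="Reject unexpected Host header" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- Add the server's internal FQDN as an alternative
                 (^(mail\.domain\.com|INTERNAL-FQDN-PLACEHOLDER)$)
                 if internal clients or Exchange services connect by it. -->
            <add input="{HTTP_HOST}" pattern="^mail\.domain\.com$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="400" subStatusCode="0"
                  statusReason="Bad Request"
                  statusDescription="Host header not recognized" />
        </rule>

        <!-- Rule 2: send plain HTTP to HTTPS. The {URL} that <match> tests
             never contains the scheme or host, so a pattern such as
             "http://gohere.com*" can never match; match the path instead and
             rebuild the target from server variables. {R:1} is the captured
             path; appendQueryString keeps any ?a=b on the redirected URL. -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rule order matters: the Host check runs first so an unrecognized name is rejected before any redirect can be issued. A rewrite rule only sees connections IIS accepts, so a timeout on http://gohere.com rather than a redirect points first at a missing port 80 binding or a firewall rule, not at the rule itself.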
X-Forwarded-For header is being removed somewhere between my IIS reverse-proxy and backend IIS setup
Hi, I've got the following web hosting setup:
1. User-facing Windows Server 2016 server (v1607 - OS Build 1493.2791) with IIS v10.0.14393.0 and Application Request Routing 3.0 acting as an IIS reverse-proxy for the backoffice server.
2. Backoffice Windows Server 2019 server (v1809 - OS Build 17763.1817) with IIS v10.0.17763.1 hosting a mix of Angular and .NET applications.
When ARR on the IIS reverse-proxy is configured to preserve the client IP in the X-Forwarded-For header, it is not added to the incoming requests on the backoffice server. But when I change the header name to something different (like X-Forwarded-For2 for instance) it suddenly is added to the incoming requests and the backoffice server can see it. When I change the name back to the default value it disappears again from the incoming requests on the backoffice server. It seems like there is something that removes the header if it's named X-Forwarded-For. Unfortunately I can't use a different header name because the third party software on the backoffice server is expecting the standard header name, X-Forwarded-For. I have used Postman to simulate the request and manually added X-Forwarded-For and X-Forwarded-For2 headers with mocked IP addresses. I've sent the requests from Postman directly to the backoffice IIS server and only the X-Forwarded-For2 header value is present in the backoffice IIS server logs. The log column for the X-Forwarded-For header value is dashed out. Is there a configuration option controlling this unexpected behavior I can change to my advantage? (Edit) I've checked the IIS reverse-proxy log, also configured to log X-Forwarded-For values, and it is filled with my IP address before reaching the backoffice IIS server. So this is solid proof that "something" is clearing X-Forwarded-For on the backoffice IIS server 😕
Solved. RobertN_42, Jul 28, 2022, Copper Contributor. 2.3K Views, 0 likes, 2 Comments.

IIS : application fails when http redirect to https.
Hi guys, I don't know why but my C# ASP.NET (.NET Framework 4.8) based application does a redirect to https. It calls another https C# ASP.NET (.NET Core 3.1) application inside an IFRAME. It fails because the CSRF token cookies can't be read when an AJAX request is sent from an http page. On the code side no relevant issues were found, but our IT ops says that on our side all is ok. In the card I reported what I found in a wide-ranging search in the literature. The research I did revealed the following: SameSite should as far as possible be set to Lax. The ideal would be to make the site work by setting the authentication cookie to Strict, even if there are cases that are difficult to manage. The ideal would be to run everything on https, but this does not mean solving the current problem we have. We do not recommend the use of iframes, or otherwise doing everything possible so that the site cannot be included in an iframe. Waiting for your reply. Thanks in advance. Simone
Simone_Spagna, Jan 17, 2023, Copper Contributor. 2K Views, 0 likes, 0 Comments.

FTPS (FTP TLS) Using IIS on Windows server 2019 broken - Passive port connection or cert suspected?
Hi all, I hope someone out there can help. I have an FTPS server set up using IIS explicit FTP over TLS. I don't use this a lot; it's mainly for getting files when I am out and about. Last time I tried to access the FTP site it had stopped working (a few months ago). I have had a bit of time to troubleshoot but am drawing a blank as to why it doesn't work. I believe it is something to do with the passive port range, or maybe a certificate issue? Just to be clear, it was working and has now broken. There have been minimal changes on the server but nothing that should affect the FTP site. Updates etc. The FTP ports specified are open in the firewall. These ports are also forwarded in my router. The external IP address is specified for the FTP at site level. The passive port range (5000-5100) is specified at server level. SSL is set to required and a current certificate is selected.

What I have tried:
- Created new firewall rules.
- Turned the firewall off. Made no difference.
- Set the SSL policy to allow SSL connections and I can connect without encryption, so the site still works. Upon setting it back to required I can no longer connect.
- Used a port scanner on a mobile network and scanned the passive ports using both my FTP host name and external IP address with Wireshark running on the server. Traffic is getting through on ports 5000-5100 as expected.
- When I try to connect from an external source I get traffic on port 21 on the server but nothing in the 5000-5100 range. My FTP client software (on my phone) hangs at "234 AUTH command ok. Expecting TLS Negotiation."
- If I test the site using ftptest.net it connects and brings up the directory listing. There are a couple of warnings about IPv6 not implemented and MLSD.
- If I try to connect to the FTP site over the internal network using WinSCP or FileZilla it will connect but only in active mode (so not using passive ports).
- If I use my phone over the internal network it will connect using passive mode, but oddly only brings up the directory listing if I use the external IP address rather than the host name. Connecting using the host name on the phone gets stuck at "LIST, 40 Opening ASCII mode data connection". FileZilla and WinSCP both work with the hostname (active mode).

This has left me scratching my head; any ideas would be appreciated. Thanks
Wookie_73, Apr 17, 2021, Copper Contributor. 1.9K Views, 0 likes, 0 Comments.

IIS | What is APPCMD.exe? (tr-TR)
AppCmd.exe is the command-line application tool used to manage the web sites found on IIS 10.0 and above. AppCmd is a set of commands that makes it easy for you to control and manage your web server without using the GUI. The main capabilities of AppCmd are as follows. You can create and manage sites, applications, application pools and virtual directories. You can start and stop sites and the processes of site pools. You can list active processes and examine the operations currently being executed. You can import or export your IIS configuration settings. To run Appcmd.exe, IIS 10.0 must be installed on your system. As additional information I would like to note: you can use the appcmd.exe command on IIS 7.0 and later web servers. To run the Appcmd.exe command, run your CMD command line as administrator and go to the "%windir%\system32\inetsrv\" directory. Type Appcmd.exe and press Enter.

C:\windows\System32\inetsrv>appcmd.exe
General purpose IIS command line administration tool.

APPCMD (command) (object-type) <identifier> </parameter1:value1 ...>

Supported object types:
  SITE      Administration of virtual sites
  APP       Administration of applications
  VDIR      Administration of virtual directories
  APPPOOL   Administration of application pools
  CONFIG    Administration of general configuration sections
  WP        Administration of worker processes
  REQUEST   Administration of HTTP requests
  MODULE    Administration of server modules
  BACKUP    Administration of server configuration backups
  TRACE     Working with failed request trace logs
  BINDING   Object for working with SSL bindings

(To list commands supported by each object use /?, e.g. 'appcmd.exe site /?')

General parameters:
  /?              Display context-sensitive help message.
  /text<:value>   Generate output in text format (default).
                  /text:* shows all object properties in detail view.
                  /text:<attribute> shows the value of the specified attribute for each object.
  /xml            Generate output in XML format.
                  Use this to produce output that can be sent to another command running in /in mode.
  /in or -        Read and operate on XML input from standard input.
                  Use this to operate on input produced by another command running in /xml mode.
  /config<:*>     Show configuration for displayed objects.
                  /config:* also includes inherited configuration.
  /metadata       Show configuration metadata when displaying configuration.
  /commit         Set config path where configuration changes are saved.
                  Can specify either a specific configuration path, "site", "app", "parent", or "url" to save to the appropriate portion of the path being edited by the command, "apphost", "webroot", or "machine" for the corresponding configuration level.
  /apphostconfig  Specify an alternate applicationHost.config file to edit.
  /debug          Show debugging information for command execution.

Use "!" to escape parameters that have same names as the general parameters, like "/!debug:value" to set a config property named "debug".

C:\windows\System32\inetsrv>

To get help while working with parameters or objects when using the appcmd command, as with all cmd commands, running appcmd.exe /? will be enough. As an example, let's start with the most used command, appcmd site. Let's run appcmd site /? and see what we can do with the site command.

C:\windows\System32\inetsrv>appcmd site /?
Administration of virtual sites

APPCMD (command) SITE <identifier> <-parameter1:value1 ...>

Supported commands:
  list     List virtual sites
  set      Configure virtual site
  add      Add new virtual site
  delete   Delete virtual site
  start    Start virtual site
  stop     Stop virtual site

(To get help for each command use /?, e.g. 'appcmd.exe add site /?'.)

C:\windows\System32\inetsrv>

Let's develop our example a bit further and get the list of our web sites on IIS 10.0. Let's check with the appcmd list site command.

C:\windows\System32\inetsrv>appcmd list site
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "Reporter" (id:2,bindings:https/:1239:,state:Started)
SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown)

C:\windows\System32\inetsrv>

I see that 3 web sites are running on my web server. When we want to add a new site, you can do this with the appcmd add site command. I will also add the bindings and path configuration to my command, and I recommend that you do it this way too. It is important to configure your path and bindings settings so that you don't get errors later in the GUI.

C:\windows\System32\inetsrv>AppCmd add site /name:ozan /id:18 /bindings:http/*:81: /physicalPath:C:\ozan
SITE object "ozan" added
APP object "ozan/" added
VDIR object "ozan/" added

C:\windows\System32\inetsrv>

I check my new web site again with the list command.

C:\windows\System32\inetsrv>appcmd list site
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "VeeamReporter" (id:2,bindings:https/:1239:,state:Started)
SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown)
SITE "ozan" (id:18,bindings:http/*:81:,state:Started)

C:\windows\System32\inetsrv>

You can see the new web site we added on the last line. As part of listing, you can list web applications that are running, stopped or unknown.

C:\windows\System32\inetsrv>appcmd list sites /state:started
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "VeeamReporter" (id:2,bindings:https/:1239:,state:Started)
SITE "ozan" (id:18,bindings:http/*:81:,state:Started)

C:\windows\System32\inetsrv>appcmd list sites /state:stopped

C:\windows\System32\inetsrv>appcmd list sites /state:unknown
SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown)

C:\windows\System32\inetsrv>

To view the config of one of your web sites you can use the /config parameter.

C:\windows\System32\inetsrv>appcmd list sites "Default Web Site" /config
<site name="Default Web Site" id="1">
  <bindings>
    <binding protocol="http" bindingInformation="*:80:" />
  </bindings>
  <limits />
  <logFile>
    <customFields>
    </customFields>
  </logFile>
  <traceFailedRequestsLogging />
  <hsts />
  <applicationDefaults />
  <virtualDirectoryDefaults />
  <ftpServer>
    <connections />
    <security>
      <dataChannelSecurity />
      <commandFiltering>
      </commandFiltering>
      <ssl />
      <sslClientCertificates />
      <authentication>
        <anonymousAuthentication />
        <basicAuthentication />
        <clientCertAuthentication />
        <customAuthentication>
          <providers>
          </providers>
        </customAuthentication>
      </authentication>
      <customAuthorization>
        <provider />
      </customAuthorization>
    </security>
    <customFeatures>
      <providers>
      </providers>
    </customFeatures>
    <messages />
    <fileHandling />
    <firewallSupport />
    <userIsolation>
      <activeDirectory />
    </userIsolation>
    <directoryBrowse />
    <logFile />
  </ftpServer>
  <application path="/">
    <virtualDirectoryDefaults />
    <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
  </application>
</site>

C:\windows\System32\inetsrv>
emreozanmemis, Mar 15, 2022, Steel Contributor. 1.8K Views, 1 like, 0 Comments.