Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

security-24-7.com, 8/13/2019
http://security-24-7.com/hardening-guide-for-iis-7-5-on-windows-2008-r2-server-core-platform/?pfstyle=wp

OS installation phase

1. Boot the server using the Windows 2008 R2 bootable DVD.

2. Specify the product ID -> click Next.

3. From the installation options, choose Windows Server 2008 R2 (Server Core Installation) -> click Next.

4. Accept the license agreement -> click Next.

5. Choose the Custom (Advanced) installation type -> specify the hard drive on which to install the operating system -> click Next.

6. Allow the installation phase to continue and restart the server automatically.

7. To log in to the server for the first time, press CTRL+ALT+DELETE.

8. Choose the Administrator account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.

9. From the command prompt window, run the command below:

sconfig.cmd

10. Press 2 to replace the computer name -> specify the new computer name -> click Yes to restart the server.

11. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.

12. From the command prompt window, run the command below:

sconfig.cmd

13. Press 5 to configure Windows Update Settings -> select A for automatic -> click OK.

14. Press 6 to download and install Windows Updates -> choose A to search for all updates -> choose A to download and install all updates -> click Yes to restart the server.

15. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.

16. From the command prompt window, run the command below:

sconfig.cmd

17. In case you need to use RDP to access and manage the server, press 7 to enable Remote Desktop -> choose E to enable -> choose either 1 or 2 according to your client settings -> press OK.

18. Press 8 to configure Network settings -> select the network adapter by its index number -> press 1 to configure the IP settings -> choose S for a static IP address -> specify the IP address, subnet mask and default gateway -> press 2 to configure the DNS servers -> click OK -> press 4 to return to the main menu.

19. Press 9 to configure Date and Time -> choose the correct date/time and time zone -> click OK.

20. Press 11 to restart the server to make sure all settings take effect -> click Yes to restart the server.

Web server installation phase

1. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.

2. For a minimal installation of IIS 7.5 features, run the command below from the command prompt:

start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

3. For a full installation of IIS 7.5 (not recommended on production environments), run the command below from the command prompt:

start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell

4. For a full installation of IIS 7.5 including the .NET Framework (not recommended on production environments), run the command below from the command prompt:

start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
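The difference between the minimal and full feature lists above is the attack surface you are choosing not to install, so it is worth checking what actually ended up enabled. The batch script below is an added example, not part of the original guide: it runs DISM (which ships with Windows Server 2008 R2, Server Core included) and lists every IIS-* and WAS-* feature in the Enabled state. Note that requesting IIS-WebServerRole on its own pulls in a default set of child features (static content, default document, logging, request filtering and so on), so the script does not expect an exact match with the five names in step 2; instead it flags a watch list of features that appear only in the full installation command. The watch list is this example's selection, not the guide's; adjust it to your own baseline.

```batch
@echo off
rem Added example (not from the security-24-7.com guide): report the IIS/WAS
rem features DISM shows as Enabled and flag the ones worth a second look on a
rem hardened server. Assumes an elevated prompt and that dism.exe is present.
setlocal enabledelayedexpansion

rem Watch list (this example's choice): features the guide's full installation
rem line adds on top of the minimal one. Each entry is wrapped in ';' so the
rem substring match below cannot hit a longer name by accident.
set "WATCH=;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-DirectoryBrowsing;IIS-BasicAuthentication;IIS-DigestAuthentication;IIS-WebDAV;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-ODBCLogging;"

set /a ENABLED=0
set /a FLAGGED=0

rem /format:table prints one "FeatureName | State" row per feature; keep only
rem rows whose name starts with IIS- or WAS-, then split on '|' and spaces.
for /f "tokens=1,2 delims=| " %%A in ('dism /online /get-features /format:table ^| findstr /i /r "^IIS- ^WAS-"') do (
    if /i "%%B"=="Enabled" (
        set /a ENABLED+=1
        echo %WATCH% | findstr /i /c:";%%A;" >nul
        if not errorlevel 1 (
            set /a FLAGGED+=1
            echo [REVIEW] %%A is enabled - confirm the site actually needs it
        ) else (
            echo [ok]     %%A
        )
    )
)

echo.
echo %ENABLED% IIS/WAS features enabled, %FLAGGED% on the watch list.
rem A non-zero exit code lets a build or audit job treat flagged features as a finding.
if %FLAGGED% gtr 0 exit /b 1
exit /b 0
```

Run it once after step 2 to record the baseline, and again after any later feature change; a feature that moves from [ok] to [REVIEW] between runs is a configuration drift worth investigating. Features that are installed but not needed can be removed with the same pkgmgr tool used above, using /uu: in place of /iu:.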

5. Create a new folder for the WWW content, on a different partition than the operating system, for example:

md D:\WWW

6. Copy the content of the web site to the newly created folder.

7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).

8. Run the command below to configure IIS metadata to use the new folder:

%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW

9. Create a new folder for the LogFiles content, on a different partition than the operating system, for example:

md D:\LogFiles

10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).

11. Run the commands below to configure IIS metadata to use the new folder:

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"

12. Run the command below to configure the newly created WWW folder for service packs and other installers:

reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
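Steps 5 to 12 leave the actual permission set to the reader ("according to the principle of least privilege"). The batch script below is an added example, not part of the original guide, that carries the whole procedure through end to end: it creates both folders, applies an explicit ACL to each, runs the guide's appcmd and reg commands, and prints the result so the change can be verified. It uses icacls.exe rather than the guide's Cacls.exe (both ship with 2008 R2; icacls understands the inheritance flags needed here), and it assumes D: exists, IIS 7.5 is already installed (so the BUILTIN\IIS_IUSRS group and the IUSR account exist), and the prompt is elevated. The ACLs chosen are this example's: the content folder is readable by the web identities only, and the log folder is not readable by them at all.

```batch
@echo off
rem Added example (not from the security-24-7.com guide): relocate web content
rem and logs to D:, apply least-privilege NTFS ACLs, point IIS at the new
rem paths and verify. Assumes D: exists, IIS 7.5 is installed, elevated prompt.
setlocal
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"
set "WWW=D:\WWW"
set "LOGS=D:\LogFiles"

if not exist "%APPCMD%" (echo IIS is not installed: %APPCMD% is missing & exit /b 1)

if not exist "%WWW%" md "%WWW%"
if not exist "%LOGS%" md "%LOGS%"

rem Content folder: remove inherited ACEs (which would otherwise carry the
rem volume root's Users/Everyone entries), then grant only what is needed.
rem Worker processes run as members of IIS_IUSRS and anonymous requests run
rem as IUSR; both get read/execute and nothing more.
icacls "%WWW%" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\IIS_IUSRS:(OI)(CI)RX" "IUSR:(OI)(CI)RX"
if errorlevel 1 goto :fail

rem Log folder: SYSTEM writes the logs and administrators read them; the web
rem identities get no entry, so a compromised site cannot read or alter its
rem own audit trail.
icacls "%LOGS%" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
if errorlevel 1 goto :fail

rem Point IIS at the new folders (the guide's appcmd commands from steps 8 and 11).
"%APPCMD%" set vdir "Default Web Site/" -physicalPath:"%WWW%"
if errorlevel 1 goto :fail
"%APPCMD%" set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"%LOGS%"
if errorlevel 1 goto :fail
"%APPCMD%" set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"%LOGS%"
if errorlevel 1 goto :fail
"%APPCMD%" set config -section:system.applicationHost/log -centralW3CLogFile.directory:"%LOGS%"
if errorlevel 1 goto :fail

rem Step 12; /f suppresses the overwrite prompt the guide's command shows on a rerun.
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d "%WWW%" /f
if errorlevel 1 goto :fail

echo.
echo === Effective ACLs ===
icacls "%WWW%"
icacls "%LOGS%"
echo.
echo === IIS configuration ===
"%APPCMD%" list vdir "Default Web Site/"
"%APPCMD%" list config -section:system.applicationHost/log
reg query HKLM\Software\Microsoft\inetstp /v PathWWWRoot
exit /b 0

:fail
echo A step failed with errorlevel %errorlevel%; review the output above before continuing.
exit /b 1
```

Two things to check after running it. First, the icacls output for D:\WWW should list exactly the four entries granted above and nothing inherited; an unexpected BUILTIN\Users or Everyone entry means inheritance was not removed. Second, siteDefaults only applies to sites that do not set their own logFile directory; if a site carries its own entry it overrides the default, and `appcmd list site "Default Web Site" /config` shows whether that is the case.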