8/13/2019 Security-24-7.Com-Hardening Guide for IIS 75 on Windows 2008 R2 Server Core Platform
security-24-7.com
http://security-24-7.com/hardening-guide-for-iis-7-5-on-windows-2008-r2-server-core-platform/?pfstyle=wp
Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform
OS installation phase
1. Boot the server using the Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation options, choose Windows Server 2008 R2 (Server Core Installation) -> click Next.
4. Accept the license agreement -> click Next.
5. Choose the Custom (Advanced) installation type -> specify the hard drive on which to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To log in to the server for the first time, press CTRL+ALT+DELETE.
8. Choose the Administrator account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
9. From the command prompt window, run the command below:
sconfig.cmd
10. Press 2 to replace the computer name -> specify the new computer name -> click Yes to restart the server.
11. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.
12. From the command prompt window, run the command below:
sconfig.cmd
13. Press 5 to configure Windows Update Settings -> select A for automatic -> click OK.
14. Press 6 to download and install Windows Updates -> choose A to search for all updates -> choose A to download and install all updates -> click Yes to restart the server.
15. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.
16. From the command prompt window, run the command below:
sconfig.cmd
17. In case you need to use RDP to access and manage the server, press 7 to enable Remote Desktop -> choose E to enable -> choose either 1 or 2 according to your client settings -> press OK.
18. Press 8 to configure Network settings -> select the network adapter by its Index number -> press 1 to configure the IP settings -> choose S for static IP address -> specify the IP address, subnet mask and default gateway -> press 2 to configure the DNS servers -> click OK -> press 4 to return to the main menu.
19. Press 9 to configure Date and Time -> choose the correct date/time and time zone -> click OK.
20. Press 11 to restart the server to make sure all settings take effect -> click Yes to restart the server.
Web server installation phase
1. To log in to the server, press CTRL+ALT+DELETE -> specify the Administrator account credentials.
2. For a minimal installation of IIS 7.5 features, run the command below from the command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
3. For a full installation of IIS 7.5 (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
4. For a full installation of IIS 7.5, including the .NET Framework (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
5. Create a new folder for the WWW content, on a different partition than the operating system, for example:
md D:\WWW
6. Copy the content of the web site to the newly created folder.
7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
8. Run the command below to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
9. Create a new folder for the LogFiles content, on a different partition than the operating system, for example:
md D:\LogFiles
10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
11. Run the commands below to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
12. Run the command below to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
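One way to carry out steps 7 and 10 and to confirm that steps 8 and 11 took effect, as an added example that is not part of the original guide. It uses icacls.exe (the successor to the deprecated Cacls.exe on this platform) and assumes static content served by the default application pool, anonymous requests running as IUSR, and HTTP.sys writing the log files as SYSTEM:

```batch
@echo off
rem Added example, not from the original guide. Uses icacls.exe, the
rem successor to the deprecated Cacls.exe, shipped with Windows Server 2008 R2.
rem Assumptions: static content served by the default application pool
rem (a member of BUILTIN\IIS_IUSRS), anonymous requests running as IUSR,
rem and HTTP.sys writing the log files as SYSTEM.
setlocal
set "WWW=D:\WWW"
set "LOGS=D:\LogFiles"
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"

rem Content folder: full control for administrators and SYSTEM only;
rem the web identities get read and execute, never write.
icacls "%WWW%" /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" || goto fail
icacls "%WWW%" /grant:r "BUILTIN\IIS_IUSRS:(OI)(CI)RX" "NT AUTHORITY\IUSR:(OI)(CI)RX" || goto fail
rem Drop the ACEs inherited from D:\ (typically Users / Authenticated Users).
icacls "%WWW%" /inheritance:r || goto fail

rem Log folder: no access for the web identities, so a compromised
rem worker process cannot read or alter the logs.
icacls "%LOGS%" /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" || goto fail
icacls "%LOGS%" /inheritance:r || goto fail

rem Check 1: nothing broader than the ACEs above is left on the log folder.
icacls "%LOGS%" | findstr /i /l /c:"Everyone" /c:"Users" /c:"IUSR" >nul && (
    echo WARNING: unexpected ACE on %LOGS%
    goto fail
)

rem Check 2: the site root really points at the new content folder.
set "VDIR="
for /f "delims=" %%P in ('%APPCMD% list vdir "Default Web Site/" /text:physicalPath') do set "VDIR=%%P"
if /i not "%VDIR%"=="%WWW%" (
    echo WARNING: "Default Web Site/" still maps to "%VDIR%"
    goto fail
)

echo ACLs applied and paths verified.
icacls "%WWW%"
icacls "%LOGS%"
exit /b 0

:fail
echo Hardening check failed, review the output above.
exit /b 1
```

If the site needs a writable location (uploads, for example), grant write access on that one subfolder only rather than widening the ACL on D:\WWW.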