1) Don't use default location c: to host application
2) disable default page
3) disable directory browsing
4) Disable the Http OPTIONS Method
5) Enable Dynamic IP Address Restrictions
The Dynamic IP to prevent DoS attacks.
6) Ensure that you keep up to date with the latest updates and security patches. The majority of hacks affecting the web server occur on unpatched servers.
7) Disabling-IIS-Web-Banner-And-Other-IIS-Headers
Please make sure following IIS security settings should be configured at your public hosting customer facing application.
Remove the default page or stop/disable from the IIS server
Open IIS Manager
Click the server name
Double click on Default Document
On the right side, click “Disable”
Or redirect default page to application login page
Using the Web site redirect function build in IIS Manager.
1. Start IIS Manager from Administrator Tools.
2. Expand the ServerName, and then expand the Sites
3. Double Click on the Default Web Site to open up the Default Web Site properties.
4. Under section"IIS", double click on "HTTP Redirect".
5. Check "Redirect requests to this destination", and fill in the Web Application link in the box. For example "Https://abc.com/ldclientlevelH"
6. Check Only redirect requests to content in this directory (not subdirectories)"
7. On the right side pan, click Apply.
8. Since the you Websites are under Default Web Sites, this change will be applied to any websites that's under Default Websites. Please go to each website and do the HTTP Redirect, make sure None of the box is checked.
9. Reset IIS.
Disabling IIS Directory Browsing or Listing
The attacker can display the whole list of files in the directories. These directories include sensitive files such as password files, database files, FTP logs etc. It is obvious that this information was not intended for public view.
1. Go to RUN
2. Type inetmgr and click Enter to open IIS console
3. Select Application Directory under Default website or other Website.
4. In the right hand side panel double click on the "Directory Browsing" option.
5. Click on the Disable button
How do you stop users directly accessing files on a website in IIS in that directory
Directory is not accessible now after disabling directory browsing but if hacker knows the file name then file can be accessed.
URL Rewrite
Or
If anyone directly come to any page it should be redirect to authentication page
Disabling-IIS-Web-Banner-And-Other-IIS-Headers
For security purposes, it may be desirable to disable the X-ASPNET-VERSION and X-Powered-By HTTP Headers.
The HTTP header "X-Powered-By" reveals the version of IIS being used on the server. This can be disabled by:
1. Open the IIS Manager
2. Select the website that website Server is running under.
3. Select "HTTP Response Headers"
4. Select the "X-Powered-By" HTTP Header and select "Remove"
The Http Header "X-ASPNET-VERSION" reveals the version of ASP.NET being used by the website Server application pool. This can be disabled by:
1. Open the web.config file for website Server (located in the root directory for the website).
2. Just after the <system.web> tag add this: <httpRuntime enableVersionHeader="false" />
3. Save the file.
Note: The SERVER header variable should not be removed as it will cause certain functionality within website Server to break.
Disable the OPTIONS Method
The OPTIONS method provides a list of methods that are supported by the web server. Although this might seem beneficial, it also provides useful information to the attacker at the reconnaissance stage. Therefore, we recommend that you disable the OPTIONS method completely. This can be done by denying the OPTIONS verb in HTTP verb request filtering rules in IIS.
Open the IIS Manager
Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
Double click on Request Filtering
Change to the HTTP Verbs tab
From the Actions pane, select Deny Verb
Insert OPTIONS in the Verb field and click on OK to save changes
Enable Dynamic IP Address Restrictions
The Dynamic IP Restrictions module helps to block access to IP addresses that exceed a specified number of requests and thus helps prevent denial-of-service (DoS) attacks. This module will inspect the IP address of each request sent to the web server and will filter these requests in order to temporarily deny IP addresses that follow a particular attack pattern.
The Dynamic IP Restrictions module can be configured to block IP addresses after a number of concurrent requests or to block IP addresses that perform a number of requests over a period of time. Depending on your IIS version you will need to enable either the IP Security feature or the IP and Domain Restrictions
To set or modify dynamic IP restrictions:
Open the IIS Manager
Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
Double click on IP Address and Domain Restrictions
From the Actions pane, select Edit Dynamic Restriction Settings
Modify and set the dynamic IP restriction settings as needed and click on OK to save changes
