Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform
OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command bellow:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command bellow:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command bellow:
sconfig.cmd
- In-case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
Web server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- For minimal installation of IIS7.5 features, run the command bellow from command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
- For full installation of IIS7.5 (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
- For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
- Create a new folder for the WWW content, in a different partition then the operating system, for example:
md D:\WWW
- Copy the content of the web site to the newly created folder.
- Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
- Run the command bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
- Create a new folder for the LogFiles content, in a different partition then the operating system, for example:
md D:\LogFiles
- Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
- Run the commands bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles" - Run the command bellow to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW