    IIS Security setup

    IT Discussion
    iis powershell security ssl
    • AdamF

      Does anyone here use IIS for anything? I have one site, still on an IIS server (and it's not moving any time soon), and I would like to ensure the best SSL/encryption practices are followed. In searching for best practices, I have found a rather thorough PowerShell script that sets up Perfect Forward Secrecy and TLS 1.2 (https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12). It's a long post and script, so I didn't want to post it on here. It's directly on the linked site, however.

      Does anyone have any other security best practices for IIS on Server 2012 R2?

      • travisdh1 @AdamF

        @fuznutz04 said in IIS Security setup:

        Does anyone here use IIS for anything? I have one site, still on an IIS server (and it's not moving any time soon), and I would like to ensure the best SSL/encryption practices are followed. In searching for best practices, I have found a rather thorough PowerShell script that sets up Perfect Forward Secrecy and TLS 1.2 (https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12). It's a long post and script, so I didn't want to post it on here. It's directly on the linked site, however.

        Does anyone have any other security best practices for IIS on Server 2012 R2?

        Other than smart aleck and flippant comments about running on old platforms, nope. I'd look at a report from https://www.ssllabs.com/ssltest/ if it's public facing.

        • AdamF @travisdh1

          @travisdh1 said in IIS Security setup:

          Other than smart aleck and flippant comments about running on old platforms, nope

          I'm assuming you're talking about 2012 R2, and yes, that is on my list to upgrade. 🙂

          • WLS-ITGuy @AdamF

            @fuznutz04 said in IIS Security setup:

            @travisdh1 said in IIS Security setup:

            Other than smart aleck and flippant comments about running on old platforms, nope

            I'm assuming you're talking about 2012 R2, and yes, that is on my list to upgrade. 🙂

            At least it isn't 2003 or 2008 🙂

            • travisdh1 @AdamF

              @fuznutz04 said in IIS Security setup:

              @travisdh1 said in IIS Security setup:

              Other than smart aleck and flippant comments about running on old platforms, nope

              I'm assuming you're talking about 2012 R2, and yes, that is on my list to upgrade. 🙂

              Yep. I have to decide whether to upgrade or jump ship myself soon. Realized the church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

              • AdamF @travisdh1

                @travisdh1 said in IIS Security setup:

                @fuznutz04 said in IIS Security setup:

                @travisdh1 said in IIS Security setup:

                Other than smart aleck and flippant comments about running on old platforms, nope

                I'm assuming you're talking about 2012 R2, and yes, that is on my list to upgrade. 🙂

                Yep. I have to decide whether to upgrade or jump ship myself soon. Realized the church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                Yep. I'll be doing a clean install as well when I'm ready. No way am I upgrading in place. 🙂

                • PSX_Defector

                  https://www.nartac.com/Products/IISCrypto

                  Use IIS Crypto. Set it to the level you are looking for. Has templates for the settings. Just apply and reboot.

                  • PSX_Defector @travisdh1

                    @travisdh1 said in IIS Security setup:

                    Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                    Why?

                    2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                    • travisdh1 @PSX_Defector

                      @psx_defector said in IIS Security setup:

                      @travisdh1 said in IIS Security setup:

                      Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                      Why?

                      2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                      Who said I was going to 2K16? That's a lot of licensing money at a place so small for no benefit, imo. When the time comes for more CALs, I'll probably change it out to a KVM host and just remove the Windows Server entirely.

                      • PSX_Defector @travisdh1

                        @travisdh1 said in IIS Security setup:

                        @psx_defector said in IIS Security setup:

                        @travisdh1 said in IIS Security setup:

                        Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                        Why?

                        2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                        Who said I was going to 2K16? That's a lot of licensing money at a place so small for no benefit, imo. When the time comes for more CALs, I'll probably change it out to a KVM host and just remove the Windows Server entirely.

                        Apples and Chryslers.

                        Removing a Windows server because it's out of date, that's one thing. But switching it to KVM is a completely different beast. One is for compliance issues, the other is to get higher density of compute.

                        You are calling 2K12 old. It's not. The only reason to switch would be because of shiny object syndrome.

                        • scottalanmiller @PSX_Defector

                          @psx_defector said in IIS Security setup:

                          @travisdh1 said in IIS Security setup:

                          Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                          Why?

                          2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                          Fully supported, but not current. It's fine, not a big deal, but some things, like patches, testing, etc. for that system actually show up in 2016, rather than 2012 R2. 2016 is the more mature, more battle tested product, because it is an extension of 2012 R2.

                          • dbeato @scottalanmiller

                            @scottalanmiller said in IIS Security setup:

                            @psx_defector said in IIS Security setup:

                            @travisdh1 said in IIS Security setup:

                            Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                            Why?

                            2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                            Fully supported, but not current. It's fine, not a big deal, but some things, like patches, testing, etc. for that system actually show up in 2016, rather than 2012 R2. 2016 is the more mature, more battle tested product, because it is an extension of 2012 R2.

                            What are you basing that on? Server 2016 getting updates of Server 2012 R2?

                            • scottalanmiller @dbeato

                              @dbeato said in IIS Security setup:

                              @scottalanmiller said in IIS Security setup:

                              @psx_defector said in IIS Security setup:

                              @travisdh1 said in IIS Security setup:

                              Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                              Why?

                              2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                              Fully supported, but not current. It's fine, not a big deal, but some things, like patches, testing, etc. for that system actually show up in 2016, rather than 2012 R2. 2016 is the more mature, more battle tested product, because it is an extension of 2012 R2.

                              What are you basing that on? Server 2016 getting updates of Server 2012 R2?

                              Just basics of software. Server 2016 is the latest release of Windows NT. 2012 R2 is an older branch of the same product. That's what 2016 is. It's not a new product, it's the current version of the same one.

                              Think of one as a 2012 Ford Focus, and the other as a 2016 Ford Focus. Both get repairs, but one has years more research, knowledge, skill, technology, and updates. The other is just "repaired."

                              • dbeato @scottalanmiller

                                @scottalanmiller said in IIS Security setup:

                                @dbeato said in IIS Security setup:

                                @scottalanmiller said in IIS Security setup:

                                @psx_defector said in IIS Security setup:

                                @travisdh1 said in IIS Security setup:

                                Realized the Church I work part time at is still on 2012 R2. It's only being used as a file server right now, so it's probably jump ship.

                                Why?

                                2K12R2 is still fully supported by Microsoft. Has continuous updates, battle tested, and you are talking about a file server. There is little to no reason to change it out except because you want to get some feature in 2K16, which for file services, is nothing.

                                Fully supported, but not current. It's fine, not a big deal, but some things, like patches, testing, etc. for that system actually show up in 2016, rather than 2012 R2. 2016 is the more mature, more battle tested product, because it is an extension of 2012 R2.

                                What are you basing that on? Server 2016 getting updates of Server 2012 R2?

                                Just basics of software. Server 2016 is the latest release of Windows NT. 2012 R2 is an older branch of the same product. That's what 2016 is. It's not a new product, it's the current version of the same one.

                                Think of one as a 2012 Ford Focus, and the other as a 2016 Ford Focus. Both get repairs, but one has years more research, knowledge, skill, technology, and updates. The other is just "repaired."

                                But that is not how I see it; they both have different kernels, so they get different updates. Yes, I understand the difference between maintenance and active development and maintenance. But saying Server 2016 is getting updates from Server 2012 R2 was kind of strange for me, as I took it literally.

                                • AdamF @PSX_Defector

                                  @psx_defector said in IIS Security setup:

                                  https://www.nartac.com/Products/IISCrypto

                                  That software works great. I used the "best practices" template, and re-scanned. Now I get a rating of A. Not A+. I'm assuming it is because of the weak cipher suites below in the results. I'm surprised they were not disabled when using the "best practices" template.

                                  [Image: Ciphers.jpeg, screenshot of the scan results listing the weak cipher suites]

                                  • PSX_Defector @AdamF

                                    Best practice isn't up to date.

                                    Set it to PCI 1.2; that disables TLS 1.0, all the AES stuff, etc. etc. You can also disable them manually in the first screen.

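The hass.de script the opening post links and the IIS Crypto templates discussed above both work by writing the Schannel protocol keys and the cipher-suite order in the registry. The following is an added example, not code from this thread, from the hass.de script or from IIS Crypto: a read-only PowerShell audit of those same settings, written for Server 2012 R2 (which has no Get-TlsCipherSuite cmdlet). Running it before and after applying a template shows exactly what changed, and its "weak" check explains the kind of suite (RC4, 3DES, or RSA key exchange without forward secrecy) that keeps a scan at A rather than A+. The registry paths are the documented Schannel and cipher-suite-order locations; which suites count as weak is this example's own choice.

```powershell
# Added example; not code from this thread, from the hass.de script, or from IIS Crypto.
# Read-only audit of the Schannel settings those tools change, written for
# Server 2012 R2 (which has no Get-TlsCipherSuite cmdlet). Run it before and after
# applying a template to see exactly what changed and what a scanner will still flag.
# The registry paths are the documented Schannel and cipher-suite-order locations;
# which suites count as "weak" is this example's own choice.

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Cipher-suite order: a Group Policy value overrides the local default list.
$PolicySuiteKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalSuiteKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelProtocolState {
    # One object per protocol and side (Server = what IIS offers, Client = outbound).
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $ProtocolRoot "$p\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Schannel turns a protocol off when Enabled=0 or DisabledByDefault=1.
            # With no value set at all the OS default applies; report that rather
            # than assume it is safe.
            if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                $state = 'OS default'
            } elseif ($enabled -eq 0 -or $disabledByDefault -eq 1) {
                $state = 'Off'
            } else {
                $state = 'On'
            }
            # Once hardened, only TLS 1.2 should remain enabled.
            $finding = ''
            if ($p -ne 'TLS 1.2' -and $state -ne 'Off') { $finding = 'should be disabled' }
            [pscustomobject]@{ Protocol = $p; Side = $side; State = $state; Finding = $finding }
        }
    }
}

function Get-ConfiguredCipherSuites {
    # Returns the effective cipher-suite order as a string array (empty if none is set).
    foreach ($key in $PolicySuiteKey, $LocalSuiteKey) {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Functions
            if ($value) {
                # The policy value is a comma-separated REG_SZ; the local one is REG_MULTI_SZ.
                # -split on an array splits each element, so both shapes come out flat.
                return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
    }
    return @()
}

function Test-CipherSuite {
    param([Parameter(Mandatory)][string]$Suite)
    # Flags what keeps a grade below A+: legacy primitives, or RSA key exchange
    # without (EC)DHE, which provides no forward secrecy.
    $reasons = @()
    if ($Suite -match 'RC4|DES|NULL|EXPORT|MD5') { $reasons += 'legacy primitive' }
    if ($Suite -notmatch 'DHE')                  { $reasons += 'no forward secrecy' }
    [pscustomobject]@{ Suite = $Suite; Weak = ($reasons.Count -gt 0); Reason = ($reasons -join '; ') }
}

'== Schannel protocols =='
Get-SchannelProtocolState | Format-Table -AutoSize

'== Configured cipher suite order =='
$suites = Get-ConfiguredCipherSuites
if ($suites.Count -eq 0) {
    'No explicit cipher-suite order set; the OS default order is in effect.'
} else {
    $suites | ForEach-Object { Test-CipherSuite -Suite $_ } | Format-Table -AutoSize
}
```

The script only reads the registry, so it can be run without changing anything; Schannel picks up edits to these keys at the next reboot, which is why both the linked script and IIS Crypto ask for one. It reports configuration, not behaviour: an external scan such as the ssllabs.com test mentioned earlier is still the check that the listening site actually negotiates only what you intended.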
                                    • AdamF @PSX_Defector

                                      @psx_defector said in IIS Security setup:

                                      Best practice isn't up to date.

                                      Set it to PCI 1.2; that disables TLS 1.0, all the AES stuff, etc. etc. You can also disable them manually in the first screen.

                                      Great, thanks.
