Best Practices Analyzer for Internet Information Services: Security
Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. Examples of conditions that can affect whether violations of security rules are found by a Best Practices Analyzer scan include computers on which Windows automatic updating is turned off, or computers that are using nondefault port settings.
For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.
IIS Security Best Practices
- IIS: Grant a handler execute/script or write permissions, but not both
- IIS: Make sure that your certificates are current
- IIS: The configuration attribute notListedIsapisAllowed should be false
- IIS: The configuration attribute notListedCgisAllowed should be false
- IIS: Application pools should be set to run as application pool identities
- IIS: Hide Custom Errors from displaying remotely
- IIS: Use SSL when you use Basic authentication
For more details visit http://technet.microsoft.com/en-us/library/dd391934(WS.10).aspx?WT.mc_id=aff-n-in-loc—aa