Application Server
The application server must be configured. See the relevant topics in this guide:
WhiteHat - Fixing the information leakage vulnerability
WhiteHat - Fixing the information leakage and the Insufficient Transport Layer security (HTSS)
CIS-CAT IIS hardening - Fixing the default allowed web extension-Disable directory browsing
CIS-CAT hardening - ASP.Net configuration recommendations
IIS Hardening - Configuring host headers on all sites
IIS - Setting the default application pool identity to least privilege principal
IIS - Configuring the anonymous user identity to use the Application Pool identity
IIS - Configuring the Require SSL option in the Forms authentication
IIS - Turning the Debug off in the IIS
IIS - Ensuring non-ASCII characters are not allowed in URLs
OS - Setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for consent for non-Windows binaries
OS - Setting the User Account Control: Switch to the secure desktop when prompting for elevation to Enabled
Adding X-Content-Type-Options
Disabling directory browsing feature of Certification Manager Site using IIS
Disabling the RC4 Cipher suites
Disabling the SSLv2 or SSLv3
Enabling Advanced IIS logging
Setting cookies with the HttpOnly attribute
Cookie security: cookie not sent over SSL
Setting forms authentication to use cookies
Double-Encoded requests
Ensure HTTP Trace Method is disabled
Ensure Handler is not granted the write and the script/execute permissions
Ensure notlistedisapisallowed option is set to false
Ensure notListedcgisallowed is set to false
Ensure TLS 1.2 is enabled
Ensure NULL Cipher Suites is disabled
Ensure DES Cipher Suites is disabled
Ensure RC2 Cipher Suites is disabled
Ensure AES 256/256 Cipher suite is enabled
Ensure MachineKey validation method - .Net 4.5 is configured
Ensure custom error messages are not off
Ensure IIS HTTP detailed errors are hidden from displaying remotely
Ensuring the maxURL request filter is configured
Ensuring the MaxQueryString request filter is configured
Ensure TLS 1.0 and TLS 1.1 are disabled