Securing IIS and Web.config Against Improper Error Handling Vulnerabilities

This document outlines steps to secure IIS and the web.config file against improper error handling vulnerabilities: configuring custom error pages, disabling detailed errors and debug compilation, keeping stack traces and exception details out of responses, restricting access to web.config, and setting security response headers. It emphasizes testing settings in a staging environment and regularly reviewing the security configuration.

Uploaded by Tariq Ali

Securing IIS and Web.config Against Improper Error Handling Vulnerabilities

1. Configure Custom Error Pages in web.config


Proper error handling ensures that users never see detailed error messages. An ASP.NET detailed error page (the "yellow screen of death") discloses the exception type and message, a stack trace with source file paths and line numbers, and the exact .NET and ASP.NET versions; the IIS detailed error page discloses the physical path of the site on disk. All of that is reconnaissance material for an attacker. To configure custom pages:

Steps:

1. Open your web.config file.
2. Locate or add the <system.web> and <system.webServer> sections.
3. Add the following configuration. Both sections are needed: <customErrors> covers errors raised inside the ASP.NET pipeline, while <httpErrors> covers errors IIS generates itself, such as a 404 for a missing static file:

<configuration>
  <system.web>
    <!-- Custom pages for errors raised inside ASP.NET.
         mode="On" hides details from every client, including localhost;
         mode="RemoteOnly" would still show them to local requests.
         Caveat: redirect="..." answers with a 302 to the error page, so the
         original 404/500 status code is lost. redirectMode="ResponseRewrite"
         keeps the status code but requires an .aspx page as the target. -->
    <customErrors mode="On" defaultRedirect="~/Error.html">
      <error statusCode="404" redirect="~/Errors/404.html" />
      <error statusCode="500" redirect="~/Errors/500.html" />
    </customErrors>
  </system.web>

  <system.webServer>
    <!-- Custom pages for errors generated by IIS itself (e.g. a missing static file).
         The default 404 and 500 entries are inherited from applicationHost.config, so each
         one is removed before its replacement is added; otherwise IIS rejects the config
         with a duplicate collection entry error. ExecuteURL serves the page through a child
         request and preserves the original status code. -->
    <httpErrors errorMode="Custom">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" prefixLanguageFilePath=""
             path="/Errors/404.html" responseMode="ExecuteURL" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" prefixLanguageFilePath=""
             path="/Errors/500.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>

2. Disable Detailed Errors in IIS


Detailed errors must never be displayed to remote clients. To disable them in IIS Manager:

Steps:

1. Open IIS Manager.
2. Select your website.
3. Double-click Error Pages.
4. Click Edit Feature Settings in the Actions pane on the right.
5. Choose Custom error pages. The default, Detailed errors for local requests and custom error pages for remote requests, still returns details to any request that originates on the server itself (for example through a local proxy or an SSRF bug in another application on the host), so prefer the stricter option on production hosts.
6. Click OK. This writes errorMode="Custom" into <httpErrors> in the site's web.config, the same setting as in section 1.

3. Disable Debug Compilation


Debug compilation (<compilation debug="true" />) builds the application with debug symbols, disables the request execution timeout, and makes ASP.NET error pages include the failing source line. It belongs in development only and must be off in production.

Steps:

1. Open IIS Manager.
2. Select your website.
3. Open Configuration Editor (under the Management section).
4. In the Section drop-down choose system.web/compilation.
5. Set debug to False (the equivalent of <compilation debug="false" /> in web.config).
6. Click Apply to save changes.

For a server-wide guarantee, add <deployment retail="true" /> inside <system.web> in the framework's machine.config: it forces debug="false", customErrors mode="On" and trace off for every application on the host, regardless of what individual web.config files say.

4. Remove Stack Traces & Exception Details


Error messages must not expose stack traces or exception details. The two settings below are the ones sections 1 and 3 already set; verify them explicitly, and check that no web.config lower in the tree (for example in a sub-application) overrides them with mode="Off" or debug="true". Keep ASP.NET tracing off as well (<trace enabled="false" /> in <system.web>), because trace.axd exposes request details, server variables and exception output.

Steps:

1. Open web.config.
2. Ensure the following settings are applied:

<system.web>
  <!-- Hide exception details from all clients -->
  <customErrors mode="On" />
  <!-- No debug symbols, no source lines in error output -->
  <compilation debug="false" />
</system.web>

3. Save the file. ASP.NET recycles the application automatically when web.config changes, so an IIS restart is normally not required.

5. Restrict Access to web.config


The web.config file contains connection strings, machine keys and other sensitive settings and must never be served to a client. IIS request filtering blocks it by default in two independent ways: web.config is a hidden segment, and .config is in the list of denied file extensions (both answer with a 404). The first job is to verify those defaults are still in place; an explicit deny rule is defence in depth, not the primary control.

Steps:

1. Open IIS Manager and select the server or your website.
2. Double-click Request Filtering.
3. On the Hidden Segments tab, ensure web.config is listed.
4. On the File Name Extensions tab, ensure .config is listed as Not Allowed.
5. Optionally, add a deny rule in web.config. The <system.webServer> authorization collection uses <add accessType="Deny" ... /> (the <deny users="?" /> form is <system.web> syntax and would only deny anonymous users), and the rule needs the IIS URL Authorization feature installed; without it IIS returns a 500.19 configuration error:

<location path="web.config">
  <system.webServer>
    <security>
      <authorization>
        <!-- Deny everyone, authenticated or not; requires the URL Authorization module -->
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</location>

6. Set Proper Response Headers


Security headers close off attacks that do not depend on the application's own code: X-Content-Type-Options: nosniff stops browsers from MIME-sniffing a response into a different type (for example executing an uploaded text file as script), and X-Frame-Options: SAMEORIGIN prevents other origins from framing the site (clickjacking). X-XSS-Protection controlled a legacy browser filter that current browsers no longer implement and that could be abused for information leaks in the browsers that did, so the recommended value today is 0 (explicitly off) or omitting the header. Also remove headers that advertise the stack to an attacker: X-Powered-By (a default entry in customHeaders, removed with <remove name="X-Powered-By" />) and X-AspNet-Version (disabled with <httpRuntime enableVersionHeader="false" /> in <system.web>).

Steps:

1. Open web.config.
2. Add the following headers inside <system.webServer>:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Browsers must honour the declared Content-Type instead of sniffing -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <!-- Only same-origin pages may frame this site (clickjacking defence) -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <!-- Legacy XSS auditor: ignored by current browsers, risky in old ones, so disabled -->
      <add name="X-XSS-Protection" value="0" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

3. Save the file; IIS picks up the change without a restart.
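The six sections above can be applied and read back from PowerShell instead of editing web.config by hand, which is easier to repeat across servers and to audit. The script below is an added example and is not part of the original document. It assumes the WebAdministration module (IIS 7.5 and later), an elevated session on the IIS host, a site named Default Web Site and static error pages already deployed under the site's /Errors folder; all of those are placeholders. Beyond the XML shown in the sections it also turns off ASP.NET tracing and the X-AspNet-Version header, removes X-Powered-By, and sends X-XSS-Protection: 0.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original document: apply sections 1-6 to one IIS site and
# read the effective values back. Assumes WebAdministration (IIS 7.5+), a site named
# "Default Web Site" (placeholder) and error pages under <site root>\Errors (placeholder).
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'   # assumption: the site to harden
$rf   = 'system.webServer/security/requestFiltering'

function Set-CollectionEntry {
    # Replace one keyed element of an IIS configuration collection at site scope.
    # The matching entry (local or inherited from applicationHost.config) is removed first;
    # adding while it still exists fails with "Cannot add duplicate collection entry".
    param([string]$Filter, [hashtable]$Key, [hashtable]$Value)
    Remove-WebConfigurationProperty -PSPath $site -Filter $Filter -Name '.' -AtElement $Key -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $site -Filter $Filter -Name '.' -Value $Value
}

# Sections 1, 3, 4: ASP.NET custom errors, no debug compilation, no tracing, no version header
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' -Name 'mode' -Value 'On'
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' -Name 'defaultRedirect' -Value '~/Error.html'
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/compilation'  -Name 'debug' -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/trace'        -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime'  -Name 'enableVersionHeader' -Value $false   # drops X-AspNet-Version

# Sections 1, 2: IIS-generated errors (static 404s etc.) use the same pages and keep their status code
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpErrors' -Name 'errorMode' -Value 'Custom'
foreach ($code in 404, 500) {
    Set-CollectionEntry -Filter 'system.webServer/httpErrors' `
        -Key   @{ statusCode = $code; subStatusCode = -1 } `
        -Value @{ statusCode = $code; subStatusCode = -1; prefixLanguageFilePath = ''; path = "/Errors/$code.html"; responseMode = 'ExecuteURL' }
}

# Section 5: request filtering must still hide web.config and deny the .config extension (both are IIS defaults)
$hidden = (Get-WebConfiguration -PSPath $site -Filter "$rf/hiddenSegments/add").segment
if ($hidden -notcontains 'web.config') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/hiddenSegments" -Name '.' -Value @{ segment = 'web.config' }
}
$cfgExt = Get-WebConfiguration -PSPath $site -Filter "$rf/fileExtensions/add[@fileExtension='.config']"
if (-not $cfgExt -or $cfgExt.allowed) {
    Set-CollectionEntry -Filter "$rf/fileExtensions" -Key @{ fileExtension = '.config' } -Value @{ fileExtension = '.config'; allowed = $false }
}

# Section 6: security headers; X-XSS-Protection is sent as 0 (legacy filter off), X-Powered-By is removed
$headers = [ordered]@{ 'X-Content-Type-Options' = 'nosniff'; 'X-Frame-Options' = 'SAMEORIGIN'; 'X-XSS-Protection' = '0' }
foreach ($h in $headers.GetEnumerator()) {
    Set-CollectionEntry -Filter 'system.webServer/httpProtocol/customHeaders' -Key @{ name = $h.Key } -Value @{ name = $h.Key; value = $h.Value }
}
Remove-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

function Get-ErrorHandlingState {
    # Effective (inherited + local) values, suitable for diffing against the expected state in a review
    [pscustomobject]@{
        CustomErrorsMode = (Get-WebConfiguration -PSPath $site -Filter 'system.web/customErrors').mode
        DebugCompilation = (Get-WebConfiguration -PSPath $site -Filter 'system.web/compilation').debug
        TraceEnabled     = (Get-WebConfiguration -PSPath $site -Filter 'system.web/trace').enabled
        HttpErrorsMode   = (Get-WebConfiguration -PSPath $site -Filter 'system.webServer/httpErrors').errorMode
        HiddenSegments   = ((Get-WebConfiguration -PSPath $site -Filter "$rf/hiddenSegments/add").segment -join ', ')
        CustomHeaders    = ((Get-WebConfiguration -PSPath $site -Filter 'system.webServer/httpProtocol/customHeaders/add' | ForEach-Object { "$($_.name)=$($_.value)" }) -join '; ')
    }
}
Get-ErrorHandlingState | Format-List
```

Run it once in staging, keep the output of Get-ErrorHandlingState as the expected baseline, and re-run the function during periodic reviews: a sub-application that re-enables debug="true" or a hidden segment that someone removed shows up as a diff against that baseline.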

Final Notes:

- These configurations enhance security by preventing detailed error messages and restricting access to sensitive files.
- Always test the settings in a staging environment before applying them to production.
- Regularly review IIS and web.config settings to ensure they still match security best practices.
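Configuration files say what was intended; only a request shows what the server actually sends. The script below is an added example, not part of the original document, for checking a deployed site from a client. It uses System.Net.Http.HttpClient rather than Invoke-WebRequest because HttpClient returns 4xx and 5xx responses instead of throwing (Invoke-WebRequest in Windows PowerShell 5.1 throws and hides the body), and it disables automatic redirects so that a custom error page that loses the original status code shows up as a 302. The base URL and probe paths are placeholders; the marker strings are taken from the default ASP.NET and IIS detailed error templates.

```powershell
# Added example, not from the original document: black-box audit of a deployed site.
# Assumes the base URL and probe paths below (placeholders) and PowerShell 5.1 or 7.
Add-Type -AssemblyName System.Net.Http   # loads HttpClient on Windows PowerShell 5.1; already present on PowerShell 7
$base = 'https://www.example.com'        # assumption: site under test

# Constructed list of strings that occur only in default ASP.NET / IIS detailed error pages
$leakMarkers = @(
    "Server Error in '/' Application",   # ASP.NET "yellow screen of death" title
    'Stack Trace:', 'Exception Details:', 'Source Error:',
    'Version Information:',              # CLR / ASP.NET build numbers
    'Detailed Error Information',        # IIS detailed httpErrors page
    'Physical Path'                      # IIS detailed page reveals the web root on disk
)
$requiredHeaders  = 'X-Content-Type-Options', 'X-Frame-Options'
$forbiddenHeaders = 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'

# No automatic redirects: a 302 to the error page means the original status code was lost
$handler = [System.Net.Http.HttpClientHandler]::new()
$handler.AllowAutoRedirect = $false
$client  = [System.Net.Http.HttpClient]::new($handler)

function Test-Url {
    param([string]$Path, [int[]]$ExpectedStatus)
    # HttpClient hands back 4xx/5xx as ordinary responses, so the body can be inspected
    $resp   = $client.GetAsync($base + $Path).GetAwaiter().GetResult()
    $body   = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    $status = [int]$resp.StatusCode
    $findings = @()
    if ($ExpectedStatus -and $status -notin $ExpectedStatus) { $findings += "status $status, expected $($ExpectedStatus -join '/')" }
    foreach ($m in $leakMarkers)      { if ($body.Contains($m))              { $findings += "body contains '$m'" } }
    foreach ($h in $requiredHeaders)  { if (-not $resp.Headers.Contains($h)) { $findings += "missing header $h" } }
    foreach ($h in $forbiddenHeaders) { if ($resp.Headers.Contains($h))      { $findings += "leaks header $h" } }
    [pscustomobject]@{ Path = $Path; Status = $status; Findings = ($findings -join '; ') }
}

$results = @(
    Test-Url '/'                  200
    Test-Url '/no-such-page'      404   # IIS static 404: custom page, status must stay 404
    Test-Url '/no-such-page.aspx' 404   # ASP.NET 404: a 302 here means the customErrors redirect is losing the status
    Test-Url '/web.config'        404   # request filtering: hidden segment (404.8) / denied extension (404.7)
    Test-Url '/WEB.CONFIG'        404   # filtering is case-insensitive; the file must not be served either way
    Test-Url '/bin/'              404   # bin is a hidden segment as well
    Test-Url '/?q=<script>'       $null # ASP.NET request validation raises an exception; any status, but the body must not leak
)
$results | Format-Table -AutoSize
$client.Dispose()
if ($results | Where-Object Findings) { exit 1 }   # non-zero exit so the audit can gate a deployment pipeline
```

The last probe only exercises the server-side exception path on ASP.NET applications with request validation enabled; for other stacks replace it with a request that is known to fail inside the application. An empty Findings column on every row is the expected result in staging before the same configuration is promoted to production.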
