Tag Archives: config

Cleaning up IIS Express configuration

IIS Express stores its configuration in the %USERPROFILE%\Documents\IIS Express\config\applicationHost.config file, so changing it does not require administrative permissions. As a consequence, when you uninstall Visual Studio the web server configuration remains in the user's profile folder. (Visual Studio 2015 and later instead keep a per-solution copy of this file under the solution's .vs\config folder.)

It may happen that you uninstall VS 2012, install VS 2013, and when you create a new web application it behaves very strangely, for example it prompts for Windows authentication every time. The cause may be that you created a website with the same name earlier in IIS Express, and its settings are preserved in the configuration file.

If you often create new web applications in Visual Studio, it is good practice to clean up the IIS Express configuration once in a while. Because there is no GUI for IIS Express, you can either edit the applicationHost.config file directly or use the command line.

You can find appcmd.exe for IIS Express in the C:\Program Files (x86)\IIS Express folder; this copy of the tool operates on the user's applicationHost.config, not on the full IIS configuration. You can use it to list the websites:

C:\Program Files (x86)\IIS Express>appcmd list site
SITE "WebSite1" (id:1,bindings:http/:8080:localhost,state:Unknown)
SITE "MyProject" (id:2,bindings:http/*:44441:localhost,https/*:44300:localhost,state:Unknown)
SITE "WebSite1(1)" (id:3,bindings:http/*:44468:localhost,state:Unknown)
SITE "WebSite2" (id:4,bindings:http/*:44465:localhost,state:Unknown)

If the site names do not tell you much, list the virtual directories instead, because that listing shows the physical paths as well:

C:\Program Files (x86)\IIS Express>appcmd list vdir
VDIR "WebSite1/" (physicalPath:%IIS_SITES_HOME%\WebSite1)
VDIR "MyProject/" (physicalPath:W:\Projektek\MyProject)
VDIR "WebSite1(1)/" (physicalPath:W:\Temp\WebSite1)
VDIR "WebSite2/" (physicalPath:W:\Desktop\WebSite2)

You can also give them meaningful names by renaming them:

C:\Program Files (x86)\IIS Express>appcmd set site WebSite1(1) -name:Master
SITE object "WebSite1(1)" changed

And you can delete the sites you no longer need:

C:\Program Files (x86)\IIS Express>appcmd delete site WebSite2
SITE object "WebSite2" deleted
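The cleanup above can be scripted. The following PowerShell script is an added example, not part of the original post: it asks appcmd.exe for the virtual directory list in XML form, resolves the physical path of every site's root directory and deletes the sites whose folder no longer exists on disk. The appcmd.exe location is the default IIS Express folder from the post; the mapping of the IIS Express placeholder %IIS_SITES_HOME% to Documents\My Web Sites and the script name Clean-IisExpressSites.ps1 used below are assumptions.

```powershell
# Added example, not from the original post: delete IIS Express sites whose
# physical folder is gone. Run with -WhatIf first to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Default IIS Express location from the post; this appcmd.exe works on the
    # user's applicationHost.config, not on the full IIS configuration.
    [string]$AppCmd = "${env:ProgramFiles(x86)}\IIS Express\appcmd.exe",
    # Assumption: IIS Express resolves %IIS_SITES_HOME% to this folder.
    [string]$SitesHome = "$env:USERPROFILE\Documents\My Web Sites"
)

if (-not (Test-Path -LiteralPath $AppCmd)) {
    throw "appcmd.exe not found at $AppCmd"
}

# /xml gives one <VDIR VDIR.NAME="Site/" physicalPath="..." ...> element per
# virtual directory, which is safer to parse than the text listing.
[xml]$listing = (& $AppCmd list vdir /xml) -join "`n"

foreach ($vdir in $listing.appcmd.VDIR) {
    # Only the root vdir of the root application ("Site/") identifies a site;
    # "Site/app/" and "Site/vdir/" are children and disappear with the site.
    $m = [regex]::Match($vdir.'VDIR.NAME', '^([^/]+)/$')
    if (-not $m.Success) { continue }
    $site = $m.Groups[1].Value

    # Substitute the IIS Express placeholder first, then ordinary %VAR% references.
    $path = $vdir.physicalPath -replace '%IIS_SITES_HOME%', $SitesHome
    $path = [Environment]::ExpandEnvironmentVariables($path)

    if (Test-Path -LiteralPath $path -PathType Container) {
        Write-Verbose "keeping $site ($path)"
        continue
    }

    # ShouldProcess honours -WhatIf and -Confirm, so nothing is deleted by surprise.
    if ($PSCmdlet.ShouldProcess($site, "delete site whose folder $path is missing")) {
        & $AppCmd delete site "$site"
    }
}
```

Save it as Clean-IisExpressSites.ps1 and run `.\Clean-IisExpressSites.ps1 -WhatIf -Verbose` to get the list of orphaned sites without touching anything; drop `-WhatIf` to delete them. Sites whose folder still exists are never removed, so a project you merely moved has to be deleted by hand as shown above.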


Removing chatty HTTP headers

If you look into the traffic of your ASP.NET application, you can notice the following headers in the HTTP response:

Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.0

These headers have no effect on how your application behaves; they only advertise the server platform to whoever is on the other end (the usual justification being that crawlers such as the Bing bot can collect platform statistics from them).

Unfortunately these response headers also make an attacker's job easier: knowing the exact platform and version lets them skip straight to the exploits that work in that environment. For that reason it is good practice to change the defaults and remove these headers. Keep in mind what this buys you: it raises the cost of reconnaissance, it does not hide the platform from anyone willing to fingerprint error pages, cookie names such as ASP.NET_SessionId or URL conventions, so treat it as hygiene rather than protection.


Server

Emitting the Server header is hardwired into IIS; on the IIS versions this post covers there is no configuration switch to remove it. (IIS 10 on Windows Server 2016 version 1709 and later added the removeServerHeader attribute of the requestFiltering element for exactly this purpose.) You can use UrlScan, but that tool was last updated in 2008. If you have an ASP.NET application running in the Integrated pipeline, you can remove the header in global.asax just before the response leaves the server:

protected void Application_PreSendRequestHeaders()
{
    // Needs Integrated pipeline mode; Response.Headers is not available in Classic mode.
    this.Response.Headers.Remove("Server");
}


X-Powered-By

The X-Powered-By header is added by IIS itself as a custom response header, so you can remove it even at server level in IIS Manager (HTTP Response Headers feature):

[Screenshot: header-x-powered-by]


Or of course you can use web.config directly:

<system.webServer>
   <httpProtocol>
     <customHeaders>
       <remove name="X-Powered-By" />
     </customHeaders>
   </httpProtocol>
</system.webServer>


X-AspNet-Version

The ASP.NET runtime provides a configuration option to turn off the X-AspNet-Version header, in the system.web section of web.config:

<httpRuntime enableVersionHeader="false" />


X-AspNetMvc-Version

To remove the X-AspNetMvc-Version header, set a static flag on MvcHandler (System.Web.Mvc namespace) when your application starts:

protected void Application_Start()
{
    // Static flag, so setting it once in Application_Start covers every response.
    MvcHandler.DisableMvcResponseHeader = true;
}
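Once all four changes are in place, verify them from the client side rather than trusting the configuration. The following PowerShell function is an added example, not from the original post: it requests a URL without following redirects, keeps the response even for 4xx/5xx status codes, and reports whether each of the four headers is still present. The base URL http://localhost:8080 and the three sample paths are assumptions; change them to match your binding and content.

```powershell
# Added example, not from the original post: report which fingerprinting headers
# a site still returns. Works in Windows PowerShell and PowerShell 7.
function Get-ChattyHeaders {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [string[]]$Headers = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version')
    )

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false   # a 302 is a response with headers of its own

    try {
        $response = $request.GetResponse()
    }
    catch [System.Net.WebException] {
        # 4xx/5xx throw, but the error response still carries headers, and IIS's own
        # error pages are exactly where the Server header tends to survive.
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }
    }

    try {
        foreach ($name in $Headers) {
            $value = $response.Headers[$name]   # $null when the header is absent
            if ($null -eq $value) { $value = '(absent)' }
            [pscustomobject]@{
                Url    = $Url
                Status = [int]$response.StatusCode
                Header = $name
                Value  = $value
            }
        }
    }
    finally {
        $response.Close()
    }
}

# A normal page, a static file and a missing path: the global.asax and web.config
# changes cover the first, the other two show whether IIS itself still talks.
$base = 'http://localhost:8080'   # assumption: use your own IIS Express binding
'/', '/Content/Site.css', '/this-path-does-not-exist' |
    ForEach-Object { Get-ChattyHeaders -Url ($base + $_) } |
    Format-Table -AutoSize
```

Anything other than "(absent)" in the Value column is a header you still leak on that path; the error and static-file rows are the ones most worth checking, because responses that IIS generates without the managed pipeline are not touched by the global.asax code above.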


If you want to make security easier, you can rely on NWebsec, a free project (originally hosted on CodePlex, now on GitHub). Besides simplifying security-related configuration, it provides additional features for session hardening and specifically for MVC and Azure projects. These features are also available independently as NuGet packages.


IIS configuration auditing

It is not difficult to find an IIS configuration setting that you can flip to make your web server instantly insecure. For this reason it is important to monitor and track changes to the IIS configuration. Fortunately IIS provides this feature, but you cannot turn it on in IIS Manager.

Instead start Event Viewer and navigate to the Applications and Services Logs –> Microsoft –> Windows –> IIS Configuration –> Operational branch. Right click on this log and click Enable Log to turn on auditing:

[Screenshot: iis-config-audit-log]

From now on all IIS configuration changes appear in this log:

[Screenshot: iis-config-audit-general]

The General view doesn't provide much information beyond the modified setting, the modification date and the user, but you can find more in the Details view:

[Screenshot: iis-config-details]

It is important to know that only changes made via IIS Manager, appcmd or the configuration object model show up in the log; if you open applicationHost.config in Notepad and edit it directly, nothing is logged. To cover that gap, audit file-system access to %SystemRoot%\System32\inetsrv\config with a SACL, or keep a hash of the file and compare it periodically.
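Enabling the log and reading it can be scripted as well, and the direct-edit gap can be partly covered by hashing the configuration file. The following PowerShell is an added example, not part of the original post: it enables and enlarges the Microsoft-IIS-Configuration/Operational channel (the channel behind the Event Viewer branch above), dumps recent change events together with the detail fields that the Details view shows, and records a SHA-256 hash of applicationHost.config so that an out-of-band edit can be noticed on the next run. It must run from an elevated prompt; the location of the hash file is an assumption.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$channel = 'Microsoft-IIS-Configuration/Operational'

# Same as "Enable Log" in Event Viewer, plus a bigger ring buffer: the default
# maximum size is small and audit events get overwritten quickly.
wevtutil set-log $channel /enabled:true
wevtutil set-log $channel /maxsize:67108864

function Get-IisConfigChanges {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Get-WinEvent reports "no events found" as a non-terminating error; an empty
    # log is a normal state right after enabling it, so that error is suppressed.
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev  = $_
            $xml = [xml]$ev.ToXml()

            # Resolve the SID to an account name where the account still exists.
            $user = $ev.UserId
            if ($user) {
                try { $user = $user.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            }

            $row = [ordered]@{ Time = $ev.TimeCreated; User = $user; EventId = $ev.Id }
            # Every named <Data> element of EventData is one field of the Details view.
            foreach ($data in $xml.Event.EventData.Data) {
                if ($data.Name) { $row[$data.Name] = $data.'#text' }
            }
            [pscustomobject]$row
        }
}

# Direct edits to the file bypass the log, so also keep a fingerprint of it.
function Get-IisConfigHash {
    param([string]$Path = "$env:windir\System32\inetsrv\config\applicationHost.config")
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

Get-IisConfigChanges | Format-List

$hashFile = "$env:ProgramData\iis-config-sha256.txt"   # assumption: any protected location works
$current  = Get-IisConfigHash
if ((Test-Path -LiteralPath $hashFile) -and ((Get-Content -LiteralPath $hashFile) -ne $current)) {
    Write-Warning "applicationHost.config changed since the last run; every change should match an event above"
}
Set-Content -LiteralPath $hashFile -Value $current
```

A hash change with no matching event in the listing is the signature of a direct file edit (or of someone clearing the log), which is exactly the case the built-in auditing cannot see. Store the hash file, or ship the hash, somewhere the server's administrators cannot quietly rewrite.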
