CIS Microsoft IIS 10 benchmark

The Center for Internet Security (CIS) is a nonprofit entity with a mission to identify and develop best practice solutions for cyber defense. Cybersecurity and IT professionals from government, business, and academia from around the world follow a consensus decision-making model to develop standards and best practices, including CIS benchmarks, controls, and hardened images.

CIS benchmarks are configuration baselines and best practices for securely configuring a system.

The CIS Microsoft IIS 10 benchmark is a set of best practices that apply to the Microsoft Internet Information Services (IIS) version 10 running on Microsoft Windows Server 2016.

Controls that do not impact XProtect VMS functionality

Milestone has identified that only the controls listed under Controls that impact XProtect VMS functionality can affect VMS functionality. The remaining controls do not affect the VMS when they are applied correctly.

Controls that impact XProtect VMS functionality

Some of the controls present on the CIS benchmark will affect the functionality of the XProtect VMS.

Section 4.7 of the benchmark, Ensure Unlisted File Extensions are not allowed (Scored), recommends disallowing all file extensions at the most global level possible and then allowing only those that are necessary.

The IIS applications of the XProtect VMS use the following extensions:

  • htm
  • html
  • svc
  • png
  • css
  • js
  • gif
  • svg
  • ttf
  • jpg
  • xml
  • asmx
  • exe (only the installation application uses .exe files; it can be disabled for all other applications)

The benchmark suggests creating an extension whitelist to reduce the attack surface of the web application. Extension filtering can be applied to all applications except the Identity Provider application.

The Identity Provider application follows the OpenID specification, which defines URLs that do not end in any file extension. If the option Allow unlisted file name extensions is not enabled for this application, it stops working and replies with error code 404.7 to every request. The Identity Provider application is a central piece of the VMS services; it cannot be omitted and must be running for the VMS to work.

The installation application also uses URLs without an extension, for redirection. If the option Allow unlisted file name extensions is not enabled for it, the user must enter the full URL of the page:

  • http://localhost/Installation/default-en-US.htm instead of http://localhost/Installation/

  • http://localhost/Installation/admin/default-en-US.htm instead of http://localhost/Installation/admin/
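The following PowerShell script is an added example of how the extension allowlist described above can be applied per IIS application with the WebAdministration module; it is not a Milestone script. It assumes the VMS applications live under "Default Web Site", and all application names except Installation are placeholders to be replaced with the names shown in IIS Manager. The Identity Provider application is deliberately left with Allow unlisted file name extensions enabled, and .exe is added only for the installation application. IIS stores extensions with a leading dot, so the list from the page is written that way here.

```powershell
# Added example (not Milestone's own code): apply the CIS 4.7 file-extension allowlist
# per IIS application and verify the resulting state.
Import-Module WebAdministration

# Assumptions: site name and application names other than "Installation" are placeholders.
$siteName        = 'Default Web Site'
$identityApp     = 'IdentityProviderApp'          # placeholder for the Identity Provider application
$installationApp = 'Installation'                 # referenced on the page
$otherApps       = @('ExampleApp1', 'ExampleApp2') # placeholders for the remaining VMS applications

$filter = 'system.webServer/security/requestFiltering/fileExtensions'

# Extensions the VMS applications use, with the leading dot IIS expects in configuration.
$baseExtensions = '.htm','.html','.svc','.png','.css','.js','.gif','.svg','.ttf','.jpg','.xml','.asmx'

function Set-ExtensionAllowlist {
    param(
        [string]$AppPath,      # e.g. 'IIS:\Sites\Default Web Site\Installation'
        [string[]]$Extensions
    )
    # Entries already present at this level (inherited entries are also returned).
    $existing = (Get-WebConfigurationProperty -PSPath $AppPath -Filter $filter -Name 'Collection').fileExtension

    foreach ($ext in $Extensions) {
        if ($existing -notcontains $ext) {
            # Explicitly allow the extension for this application only.
            Add-WebConfigurationProperty -PSPath $AppPath -Filter $filter -Name '.' `
                -Value @{ fileExtension = $ext; allowed = $true }
        }
    }
    # Deny every extension that is not explicitly listed (the benchmark's recommended state).
    Set-WebConfigurationProperty -PSPath $AppPath -Filter $filter -Name 'allowUnlisted' -Value $false
}

function Get-AllowUnlistedState {
    param([string]$AppPath)
    # Returns $true when unlisted extensions are still allowed for the application.
    [bool](Get-WebConfigurationProperty -PSPath $AppPath -Filter $filter -Name 'allowUnlisted').Value
}

# Ordinary VMS applications: allowlist without .exe.
foreach ($app in $otherApps) {
    Set-ExtensionAllowlist -AppPath "IIS:\Sites\$siteName\$app" -Extensions $baseExtensions
}

# Installation application: the only one that needs .exe.
Set-ExtensionAllowlist -AppPath "IIS:\Sites\$siteName\$installationApp" -Extensions ($baseExtensions + '.exe')

# Identity Provider: its OpenID endpoints have no extension, so unlisted extensions must stay allowed
# or every request fails with 404.7.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName\$identityApp" -Filter $filter `
    -Name 'allowUnlisted' -Value $true

# Report the resulting state so the deviation for the Identity Provider is visible and documented.
foreach ($app in ($otherApps + $installationApp + $identityApp)) {
    $state = Get-AllowUnlistedState -AppPath "IIS:\Sites\$siteName\$app"
    '{0,-25} allowUnlisted={1}' -f $app, $state
}
```

After running the script, the report should show allowUnlisted=False for every application except the Identity Provider; a quick functional check is that http://localhost/Installation/default-en-US.htm still loads while a request for an unlisted extension under the same application returns 404.7.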

Learn more

The following links provide additional guidance: