Saturday, February 5, 2011

Auditing IIS 7

I want to thank the anonymous commenter on my previous post regarding IIS 7.  I was out testing this past week on a very long engagement when our team came across two IIS 7 servers.  After learning of the servers' existence, I went to the Center for Internet Security's benchmark tools and downloaded their IIS 7 Benchmark, which is at version 1.0.  (I would link directly to it, but you need to fill out a form first, and the link is wonky after filling out the form.)

I used the guide to go through the IIS servers, and I have to say it's pretty easy and straightforward.  Of course, the guide is not as in-depth as a typical DISA STIG/Checklist, but it covered much of the low-hanging fruit.  The guide was easy to read, easy to follow, and even gave remediation advice.  I wholeheartedly recommend the guide for auditing IIS 7 servers until DISA puts out an official checklist.


  1. When you run these tools, are you running them from your hosts, or installing them on the actual target? The reason I ask is, how are you getting around these tools not being DADMS compliant? No, I'm being a smarty, having to do a lot of this myself, I want to know if there is a legitimate way of using those tools. After all, I can't gig someone for using unauthorized tools if I'm using them myself. Oh yeah, I love this site, you can look for a lot more questions and comments from me; thanks!

  2. Frank, thanks for the comment. Bear in mind that this post was written in February of 2011. At that time, there was no guidance on IIS 7. As I check DISA's site, I see that the STIG actually came out at the end of October. The guidance I have always been given is to use "best practice" when there is not a STIG for a given technology. So, for this test, I used the CIS benchmark. (I printed the benchmark out and went through it like a checklist.)