Prevent directory traversal
Make sure that short (8.3) file name creation is disabled on the server. This is done by editing the registry.
Search for regedit on the Windows server.
Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Find the value NtfsDisable8dot3NameCreation.
Double-click it and set the value to 1.
This prevents attackers from performing directory traversal with short file names.
Set IIS URL filtering
Set up IIS to reject URLs that contain forbidden characters.
Open IIS Manager and double-click Request Filtering.
Add a deny sequence (e.g. tilde, backslash) for the URL.
...
Configure IIS error pages not to display error information
Go to Error Pages and double-click it.
For the error code, click Edit Feature Settings, then select Custom error pages instead of Detailed errors and select the custom error page location.
...
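The three settings above can also be applied and verified from an elevated Windows PowerShell session. This is an added example, not part of the original page; it assumes the WebAdministration module is installed, applies the IIS settings server-wide, and uses C:\inetpub\wwwroot as a placeholder content folder.

```powershell
#Requires -RunAsAdministrator
# Added example: applies and reports the three settings described above.
Import-Module WebAdministration

$scope       = 'MACHINE/WEBROOT/APPHOST'   # assumption: server-wide scope
$contentRoot = 'C:\inetpub\wwwroot'        # placeholder: your site's content folder

# 1. Disable creation of short (8.3) file names (1 = disabled on all volumes).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name  = 'NtfsDisable8dot3NameCreation'
if ((Get-ItemProperty -Path $fsKey -Name $name).$name -ne 1) {
    Set-ItemProperty -Path $fsKey -Name $name -Value 1 -Type DWord
}
# The value only stops NEW short names; files created earlier keep theirs.
# This scan counts the short names still present under the content folder.
fsutil 8dot3name scan /s $contentRoot

# 2. Request Filtering: deny URLs containing tilde or backslash.
$deny    = 'system.webServer/security/requestFiltering/denyUrlSequences'
$present = @((Get-WebConfiguration -PSPath $scope -Filter "$deny/add").sequence)
foreach ($seq in '~', '\') {
    if ($present -notcontains $seq) {
        Add-WebConfigurationProperty -PSPath $scope -Filter $deny -Name '.' -Value @{ sequence = $seq }
    }
}

# 3. Error Pages: always serve custom error pages, never detailed errors.
$errors = 'system.webServer/httpErrors'
Set-WebConfigurationProperty -PSPath $scope -Filter $errors -Name errorMode -Value Custom

# Report the resulting state so the change can be verified and recorded.
[pscustomobject]@{
    ShortNameCreation = (Get-ItemProperty -Path $fsKey -Name $name).$name
    DenyUrlSequences  = (Get-WebConfiguration -PSPath $scope -Filter "$deny/add").sequence -join ' '
    ErrorMode         = (Get-WebConfiguration -PSPath $scope -Filter $errors).errorMode
}
```

The script is safe to re-run: it only writes the registry value and deny sequences that are missing.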
Note |
---|
Review Microsoft’s latest policies and recommendations for Windows Servers, IIS, Azure and other components and infrastructure used for an installation. |
Service account
Info |
---|
It is recommended to use a service account for IIS instead of LocalSystem. |
IIS settings
Default passwords
Check and change the default passwords of the web viewer and of the web viewer's webadmin page.
Check and change the default passwords of the API endpoints.