How To Harden a Windows IIS Web Server

This article covers how to improve security in Windows Internet Information Services (IIS) by configuring the authentication process, client certificates, and IP address restrictions. It targets IT professionals who are experienced with Windows Server configuration.

A website cannot be secure unless measures are taken to protect the web server itself from breaches. IIS ships with built-in features that can be enabled to harden it, and hardening is a continuous process.

You can learn more about web hosting security in HostAdvice’s guide to hosting security.

Special Note: If you are concerned about the security of your current IIS-based website, you should consider switching to a more secure and trusted Windows web hosting provider. Visit HostAdvice’s list of the best Windows hosting services of 2018 to learn more.


Securing your IIS server is one of the most important things you can do for your server. With new threats being discovered daily, you cannot afford to be complacent. Securing your web server protects your data and keeps the server from spreading malware or taking part in Denial of Service (DoS) attacks, among other things. So we are going to delve into how you can add security features and how to secure your server if you have not done so already.

Hardening Windows IIS

Windows updates

Make sure that the Windows operating system is up to date with all security patches.

If you are running Microsoft Windows, make sure your system is updated regularly. Microsoft does well at supporting its customers' security and keeps making the Windows Defender service more active and more powerful. Updating your OS is therefore the first step towards a safe server.

Disable unnecessary services

Reduce the attack surface by disabling any IIS features you are not currently using.

For instance, there is no need for the FTP server to be running if you are not using it.
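The audit below is an added example, not from the original article: it lists the installed IIS role services, flags any that are not on an allowlist you maintain, and removes the FTP server the article uses as its example. The allowlist is an assumption for a plain ASP.NET site; adjust it to what your site actually needs.

```powershell
# Added example (not from the article): audit installed IIS role services against an allowlist
# and remove the FTP server. Run in an elevated PowerShell on Windows Server 2012 or later.
Import-Module ServerManager

# Allowlist of role services this server is expected to need (assumption for the example).
$allowed = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-Static-Content', 'Web-Health', 'Web-Http-Logging', 'Web-Security', 'Web-Filtering',
    'Web-IP-Security', 'Web-Url-Auth', 'Web-App-Dev', 'Web-Asp-Net45', 'Web-Net-Ext45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools', 'Web-Mgmt-Console'
)

# Every installed Web-* role service that is not on the allowlist is extra attack surface.
$extra = Get-WindowsFeature -Name 'Web-*' |
    Where-Object { $_.Installed -and $_.Name -notin $allowed }

if ($extra) {
    Write-Host 'Installed IIS role services that are not on the allowlist:'
    $extra | Format-Table Name, DisplayName -AutoSize
} else {
    Write-Host 'No unexpected IIS role services installed.'
}

# Stopping the FTP service (ftpsvc) leaves its code installed; uninstalling the role service
# removes it. -WhatIf previews the change; drop it to apply.
if ($extra.Name -contains 'Web-Ftp-Server') {
    Uninstall-WindowsFeature -Name 'Web-Ftp-Server' -IncludeManagementTools -WhatIf
}
```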

Windows firewall

Using a firewall is another crucial measure that is often underappreciated.

A firewall ensures that your server receives only valid packets. It is the first line of defense whenever an attacker attempts malicious activity. If for any reason you cannot afford a dedicated firewall appliance, you can always use the built-in Windows Firewall available in almost all versions of Windows.

IP address restriction

With IIS 7 and later, you can control which IP addresses and domains can access your web server.

Define an IP address or a range of IP addresses that is allowed to access the web server.
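An added example, not from the original article, of an allowlist-style restriction on a site using the WebAdministration module. The site name, the 10.0.0.0/8 internal range and the single management host are assumptions; note that the allow entries do nothing on their own until unlisted clients are denied.

```powershell
# Added example (not from the article): restrict 'Default Web Site' to an allowlist of addresses.
Import-Module WebAdministration

$site   = 'Default Web Site'                     # assumed site name
$filter = 'system.webServer/security/ipSecurity'
$root   = 'MACHINE/WEBROOT/APPHOST'

# Start from a clean list so re-running the script does not accumulate duplicate entries.
Clear-WebConfiguration -PSPath $root -Location $site -Filter $filter

# Entries to allow: a whole internal range and one specific management host (assumed values).
$allowList = @(
    @{ ipAddress = '10.0.0.0';     subnetMask = '255.0.0.0';       allowed = 'True' },
    @{ ipAddress = '203.0.113.10'; subnetMask = '255.255.255.255'; allowed = 'True' }
)
foreach ($entry in $allowList) {
    Add-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter -Name '.' -Value $entry
}

# Deny everything not listed. Without this line the allow entries change nothing,
# because IIS admits unlisted clients by default. Rejected clients receive 403.6.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter -Name 'allowUnlisted' -Value 'False'

# If the site sits behind a reverse proxy or load balancer, the client IP IIS sees is the proxy's.
# Proxy mode (IIS 8+) makes IIS evaluate X-Forwarded-For instead; enable it only when the proxy
# is trusted to set that header, since clients can otherwise forge it.
# Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter -Name 'enableProxyMode' -Value 'True'

# Verify: print the resulting entries and the unlisted policy.
Get-WebConfiguration -PSPath $root -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
Get-WebConfigurationProperty -PSPath $root -Location $site -Filter $filter -Name 'allowUnlisted'
```

Domain-name entries require reverse DNS lookups on every request, so prefer address ranges where you can.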

Request filtering

This means you can grant access to your internal network and add any other trusted party to your access list. Alongside that, you can use another feature called request filtering, which rejects requests that match rules you define before they reach your application.

URL authorization

The feature allows you to apply rules to specific requests, such as those for particular URLs. URL authorization goes a step further and authorizes individual users: users must authenticate themselves, and based on their identities they are either allowed to view the requested page or denied, according to the access they have been granted.
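The script below is an added example, not from the original article, covering both the request-filtering and URL-authorization sections above for one site. The site name, the /admin path, the WebAdmins group and the blocked extensions are assumptions.

```powershell
# Added example (not from the article): request filtering plus URL authorization for one site.
# Site name, /admin path, 'WebAdmins' group and blocked extensions are assumptions.
Import-Module WebAdministration

$root = 'MACHINE/WEBROOT/APPHOST'
$site = 'Default Web Site'
$rf   = 'system.webServer/security/requestFiltering'

# --- Request filtering: reject unwanted requests before any handler runs ----------------
# Deny extensions that should never be served from a web root (IIS answers 404.7).
foreach ($ext in '.bak', '.old', '.sql', '.log') {
    Add-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/fileExtensions" `
        -Name '.' -Value @{ fileExtension = $ext; allowed = 'False' }
}
# Hide URL segments that must not be reachable over HTTP (IIS answers 404.8).
Add-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/hiddenSegments" `
    -Name '.' -Value @{ segment = 'backup' }
# Limit request size and URL length to blunt oversized or crafted requests (404.13 / 404.14).
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/requestLimits" `
    -Name 'maxAllowedContentLength' -Value 10485760   # 10 MB
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/requestLimits" `
    -Name 'maxUrl' -Value 2048
# Only accept the verbs the application uses; everything else gets 404.6.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/verbs" `
    -Name 'allowUnlisted' -Value 'False'
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-WebConfigurationProperty -PSPath $root -Location $site -Filter "$rf/verbs" `
        -Name '.' -Value @{ verb = $verb; allowed = 'True' }
}

# --- URL authorization: /admin only for members of one group ----------------------------
$adminLoc = "$site/admin"
# URL authorization can only check identities IIS has actually authenticated, so turn
# anonymous access off and Windows authentication on for that path first.
Set-WebConfigurationProperty -PSPath $root -Location $adminLoc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value 'False'
Set-WebConfigurationProperty -PSPath $root -Location $adminLoc `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled' -Value 'True'
# Drop the inherited "Allow everyone" rule for this path; IIS writes a <remove> element.
$auth = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $root -Location $adminLoc -Filter $auth `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
# IIS evaluates Deny rules before Allow rules, so a blanket Deny users='*' would lock out
# WebAdmins too. With no matching Allow rule access is denied anyway, so one Allow suffices.
Add-WebConfigurationProperty -PSPath $root -Location $adminLoc -Filter $auth `
    -Name '.' -Value @{ accessType = 'Allow'; roles = 'WebAdmins' }
```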


Use logging to see who has been accessing the web server.

Turn on logging so you can track activity whenever you suspect someone has been using your server behind your back. Monitor these logs for events that may indicate your server is misbehaving.
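As an added example, not from the original article, the script below scans an IIS W3C log for requests that the hardening features rejected (IP restriction, request filtering, authentication) and summarises them per client address. The log lines are constructed sample data in the default W3C field order; feed it the contents of a real log file to use it.

```powershell
# Added example (not from the article): find rejected requests in IIS W3C logs per client IP.
# $sample is constructed data in the default IIS field order (not a real log).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 12
2024-05-01 10:00:07 10.0.0.5 GET /backup/site.bak - 443 - 198.51.100.7 curl/8.0 - 404 7 0 3
2024-05-01 10:00:08 10.0.0.5 GET /admin/ - 443 - 198.51.100.7 curl/8.0 - 401 2 5 2
2024-05-01 10:00:09 10.0.0.5 TRACE / - 443 - 198.51.100.7 curl/8.0 - 404 6 0 1
2024-05-01 10:00:15 10.0.0.5 GET /index.html - 443 - 203.0.113.99 Mozilla/5.0 - 403 6 0 1
'@

# Documented IIS status.substatus codes produced by the hardening features in this article.
$reasons = @{
    '403.6'   = 'IP address rejected'
    '404.6'   = 'verb denied by request filtering'
    '404.7'   = 'file extension denied by request filtering'
    '404.8'   = 'hidden segment denied by request filtering'
    '401.2'   = 'authentication failed'
    '403.503' = 'dynamic IP restriction (rate limit)'
}

function Get-RejectedRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        # The #Fields: directive tells us the column layout; other # lines are comments.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line.Trim() -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $code = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
        if ($reasons.ContainsKey($code)) {
            [pscustomobject]@{ ClientIP = $row['c-ip']; Code = $code; Reason = $reasons[$code]; Uri = $row['cs-uri-stem'] }
        }
    }
}

$rejected = Get-RejectedRequests -Lines ($sample -split "`n")
$rejected | Format-Table -AutoSize
# Several different rejections from one address in a short window is the pattern worth alerting on.
$rejected | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
```

For real logs replace `$sample -split "`n"` with `Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log`, adjusting the path to your site ID.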

Security Configuration Wizard

Microsoft also provides tools besides Windows Defender and the firewall, including the Security Compliance Manager (SCM) and the Security Configuration Wizard (SCW).

Use these tools to configure the security of your Windows Server according to the applications installed on it. Note that SCW was removed in Windows Server 2016 and SCM has since been retired in favour of the Microsoft Security Compliance Toolkit, so on current releases use the toolkit's baselines instead.


The MIME types list controls which file types IIS will serve: a file whose extension has no registered MIME type is not served at all. This keeps stray or hidden files from being hosted by IIS and protects your data by stopping unauthorized people from downloading your data files.

Application pool

Application pool configuration is advantageous because each web application can run under its own identity. When two web applications run in separate pools, IIS keeps them from interfering with each other. This gives complete isolation, so a compromised or malicious site cannot infect another site hosted in your server environment.
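An added example, not from the original article, of giving one site its own application pool under the built-in virtual account and granting that account only the file permissions it needs. The site name, pool name and content path are assumptions.

```powershell
# Added example (not from the article): one pool per site, virtual identity, least privilege on disk.
Import-Module WebAdministration

$poolName    = 'ShopPool'          # assumed pool name
$siteName    = 'Shop'              # assumed site name (must already exist)
$contentPath = 'C:\inetpub\shop'   # assumed content folder

# One pool per site: a compromised worker process in one pool cannot reach another pool's
# memory, and with a distinct identity it cannot read the other site's files either.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
# ApplicationPoolIdentity is a per-pool virtual account ("IIS AppPool\<name>") with no password to manage.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name 'processModel.identityType' -Value 'ApplicationPoolIdentity'
# Bind the site to its pool.
Set-ItemProperty "IIS:\Sites\$siteName" -Name 'applicationPool' -Value $poolName

# Least privilege on disk: the pool identity gets read/execute on the content only, plus
# modify on the one folder the application needs to write to. Inheritance is cut so the
# broad ACLs of C:\inetpub do not leak in.
$identity = "IIS AppPool\$poolName"
icacls $contentPath /inheritance:r /grant:r "${identity}:(OI)(CI)RX" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
$writable = Join-Path $contentPath 'App_Data'
if (Test-Path $writable) { icacls $writable /grant "${identity}:(OI)(CI)M" }

# Verify: every site should map to a different pool.
Get-Website | Select-Object Name, ApplicationPool
```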


ISAPI extensions provide a fast way to handle requests for files: when a client requests a file, processing is handed over to the ISAPI extension, which may do additional work on the file. The ISAPI and CGI Restrictions feature controls which of these extensions are allowed to run; it logs any request for a disallowed extension and returns HTTP status 404.2.

Error page information

Configure error pages to display only the information relevant to the issue. Software fails, and error pages are unavoidable, but make sure they do not reveal too much: usernames, passwords, the server's IP address or other details that attackers could use to exploit the web server.
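An added example, not from the original article, that keeps detailed errors for local requests only at both the IIS and ASP.NET level, points remote clients at a plain static page, and stops the Server header from advertising the IIS version. The site name and the /errors/500.html page are assumptions.

```powershell
# Added example (not from the article): error pages that leak nothing to remote clients.
Import-Module WebAdministration

$root = 'MACHINE/WEBROOT/APPHOST'
$site = 'Default Web Site'          # assumed site name
$errorPage = '/errors/500.html'     # assumed static page inside the site, with no server details

# IIS-level errors (static files, request filtering, authorization): detailed text only when
# the request comes from the server itself; remote users get the custom page.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter 'system.webServer/httpErrors' `
    -Name 'errorMode' -Value 'DetailedLocalOnly'
# Replace the inherited stock 500 entry with our own page.
Remove-WebConfigurationProperty -PSPath $root -Location $site -Filter 'system.webServer/httpErrors' `
    -Name '.' -AtElement @{ statusCode = 500; subStatusCode = -1 }
Add-WebConfigurationProperty -PSPath $root -Location $site -Filter 'system.webServer/httpErrors' `
    -Name '.' -Value @{ statusCode = 500; subStatusCode = -1; path = $errorPage; responseMode = 'ExecuteURL' }

# ASP.NET-level errors (exceptions in application code) have their own switch in web.config.
# RemoteOnly: stack traces only on localhost; everyone else is sent to defaultRedirect.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/customErrors' `
    -Name 'mode' -Value 'RemoteOnly'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/customErrors' `
    -Name 'defaultRedirect' -Value $errorPage

# IIS 10 and later: stop sending "Server: Microsoft-IIS/10.0" on every response.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value 'True'
```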


Configure Secure Sockets Layer (SSL, today superseded by TLS) between the users and the web server.

If your server is publicly reachable, request a certificate from a trusted certificate authority.
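Once the certificate from the CA is in the machine store, the following added example (not from the original article) creates the HTTPS binding, makes the site refuse plain HTTP, and turns off the obsolete SSL and early TLS protocol versions in SCHANNEL. The site name and the certificate's host name are assumptions.

```powershell
# Added example (not from the article): HTTPS binding, require TLS, disable old protocol versions.
# Run in an elevated PowerShell; the SCHANNEL change takes effect after a reboot.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed site name
$hostName = 'www.example.com'    # assumed DNS name the certificate was issued for

# Pick the newest certificate for that name from the Local Machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in Cert:\LocalMachine\My" }

# Create the 443 binding (SslFlags 1 = SNI) and attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol 'https' -Port 443 -HostHeader $hostName)) {
    New-WebBinding -Name $site -Protocol 'https' -Port 443 -HostHeader $hostName -SslFlags 1
}
$binding = Get-WebBinding -Name $site -Protocol 'https' -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Require TLS: plain HTTP requests to this site now get 403.4 instead of content.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Disable SSL 2.0/3.0, TLS 1.0 and TLS 1.1 on the server side in SCHANNEL.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $base "$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}
```

Check that no client you must support still depends on TLS 1.0 or 1.1 before rebooting, since they will no longer be able to connect.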


With all these security measures available, it is up to you to choose the most appropriate ones for your server. Be proactive in keeping your server secure, and rest assured that your data is kept away from prying eyes.

Securing a system is never a one-time fix but a continuous process, because attackers keep improving their tactics.

