This paper is designed to demonstrate the common IIS web server security specifications in the form of a checklist that aids web masters or penetration testers to implement a secure web server infrastructure swiftly. It is mandatory for a web application to be duly full proof from vicious attacks and for stopping damage which could be in any form. Security professionals and penetration testers are typically part of a web project to ensure the website is protected from various attacks by detecting loopholes which might be exploited later. But such a critical task is typically not followed in a proper manner, and web applications go live into the production environment with inherent vulnerabilities, or even without complying to security guidelines. It is so because developers and organizations are often in a hurry to launch the software into the production environment due to various unnamed pressures. Unfortunately, there is no single tool available which can claim comprehensive security of an application, because attacks can come in any form, in fact the horizon is so extensive that it is beyond assumption. So such summarized checklist snapshots have proven to be truly a savior for hardening or to improve our deployment workstation security precipitously. Virtual Directory Machine Configuration File Secure Communication Logging and Audit IIS Metabase and Filters Server Accounts Code Access Security System Configuration Server Updates Final Note In this article, we have seen how to harden the IIS web server to protect ASP.NET websites. This article in fact didn’t explain various attacks and their countermeasure. Instead, it is pinpointing major security guidelines in the form of checklists which can be applied swiftly over a web server, so that a developer can ensure himself that a particular security mechanism is applied and it is enabled. Because some critical bugs go unnoticed and remain in the final version of the software, which could get the application into trouble. Hence, such a synopsis reference eases the undertaking of developers or security professionals in terms of not overlooking or forgetting critical security configurations on the web server.
