Almost all CIS tests for Microsoft IIS Servers are automated with SmartProfiler for IIS Server.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
Checks that every IIS setting recommended by the CIS benchmark is configured on each assessed Microsoft IIS Server.
SmartProfiler for IIS CIS Assessment supports multiple IIS Servers. The tool connects to all IIS Servers and provides a summary of components that are not configured correctly.
The Microsoft IIS CIS Benchmark is a set of security best practices and configuration guidelines designed to help administrators secure Internet Information Services (IIS), Microsoft's web server platform. The Microsoft IIS CIS Benchmark Assessment tool can be used to perform CIS Benchmark assessment for multiple IIS Servers. The Center for Internet Security (CIS) publishes these benchmarks to provide actionable recommendations for securing IIS environments, reducing vulnerabilities, and ensuring compliance with industry standards.
IIS Server Configuration: The benchmark covers fundamental security settings for IIS, including disabling unnecessary modules, enforcing strong authentication, and ensuring that security features such as SSL/TLS are properly configured.
Access Control: Guidelines include securing access to IIS servers by enforcing least privilege principles, ensuring proper user permissions, and restricting administrative access to trusted personnel.
Logging and Monitoring: The benchmark emphasizes the importance of enabling and configuring IIS logging for auditing and troubleshooting. It also recommends integrating IIS with centralized logging and monitoring solutions to detect suspicious activity.
Patching and Updates: The CIS Benchmark encourages the regular application of security patches and updates to IIS and its underlying components to mitigate known vulnerabilities.
Security Headers and Features: Recommendations include enforcing secure HTTP headers, such as Strict-Transport-Security, and disabling insecure features like Directory Browsing and HTTP TRACE to reduce attack surfaces.
Encryption and Data Protection: The benchmark advises enabling strong SSL/TLS encryption and securing sensitive data through mechanisms such as file encryption and password policies.
By following these guidelines, administrators can harden their IIS servers and reduce the risk of exploitation from cyber threats.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support the CIS benchmarks for Microsoft 365 and Azure assessments.
SmartProfiler for IIS CIS Server Assessment requires network connectivity to each IIS Server and the ability to execute PowerShell commands on it remotely.
SmartProfiler requires a domain user account that can connect to the remote IIS Servers and execute PowerShell scripts to check the status of each test.
SmartProfiler uses the Microsoft PowerShell modules for IIS Server to perform the assessment across multiple IIS Servers.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for IIS Server CIS Assessment is simple to use and runs in four steps.
The assessment time depends on the number of resources in the tenant. It typically takes 1 hour to perform a Windows 10/11 Intune CIS Assessment for a tenant with 30 GPOs.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for IIS CIS Server Assessment:
| Category | CIS Version | Test |
|---|---|---|
| Basic Configurations | CIS v1.2.1 | Ensure Web content is on non-system partition |
| Basic Configurations | CIS v1.2.1 | Ensure Host headers are on all sites |
| Basic Configurations | CIS v1.2.1 | Ensure Directory browsing is set to Disabled |
| Basic Configurations | CIS v1.2.1 | Ensure application pool identity is configured for all application pools |
| Basic Configurations | CIS v1.2.1 | Ensure unique application pools is set for sites |
| Basic Configurations | CIS v1.2.1 | Ensure application pool identity is configured for anonymous user identity |
| Basic Configurations | CIS v1.2.1 | Ensure WebDav feature is disabled |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure global authorization rule is set to restrict access |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure access to sensitive site features is restricted to authenticated principals only |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure forms authentication require SSL |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure forms authentication is set to use cookies |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure cookie protection mode is configured for forms authentication |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure transport layer security for basic authentication is configured |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure passwordFormat is not set to clear |
| Configure Authentication and Authorization | CIS v1.2.1 | Ensure credentials are not stored in configuration files |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure deployment method retail is set |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure debug is turned off |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure custom error messages are not off |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure IIS HTTP detailed errors are hidden from displaying remotely |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure ASPNET stack tracing is not enabled |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure httpcookie mode is configured for session state |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure cookies are set with HttpOnly attribute |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure MachineKey validation method – Net 3.5 is configured |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure MachineKey validation method – Net 4.5 is configured |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure global NET trust level is configured |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure X-Powered-By Header is removed |
| ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure Server Header is removed |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure maxAllowedContentLength is configured |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure maxURL request filter is configured |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure MaxQueryString request filter is configured |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure non-ASCII characters in URLs are not allowed |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Double-Encoded requests will be rejected |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure HTTP Trace Method is disabled |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Unlisted File Extensions are not allowed |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Handler is not granted Write and Script-Execute |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure notListedIsapisAllowed is set to false |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure notListedCgisAllowed is set to false |
| Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Dynamic IP Address Restrictions is enabled |
| IIS Logging Recommendations | CIS v1.2.1 | Ensure Default IIS web log location is moved |
| IIS Logging Recommendations | CIS v1.2.1 | Ensure Advanced IIS logging is enabled |
| IIS Logging Recommendations | CIS v1.2.1 | Ensure ETW Logging is enabled |
| FTP Requests | CIS v1.2.1 | Ensure FTP requests are encrypted |
| FTP Requests | CIS v1.2.1 | Ensure FTP Logon attempt restrictions is enabled |
| Transport Encryption | CIS v1.2.1 | Ensure HSTS Header is set |
| Transport Encryption | CIS v1.2.1 | Ensure SSLv2 is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure SSLv3 is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure TLS 1.0 is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure TLS 1.1 is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure TLS 1.2 is Enabled |
| Transport Encryption | CIS v1.2.1 | Ensure NULL Cipher Suites is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure DES Cipher Suites is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure RC4 Cipher Suites is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure AES 128-128 Cipher Suite is Disabled |
| Transport Encryption | CIS v1.2.1 | Ensure AES 256-256 Cipher Suite is Enabled |
| Transport Encryption | CIS v1.2.1 | Ensure TLS Cipher Suite ordering is Configured |
Instead of manually checking IIS CIS Tests on Microsoft IIS Servers, which could take a significant amount of time, SmartProfiler Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
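As an added example, not SmartProfiler's own code or part of the original page, the following read-only PowerShell script spot-checks a subset of the tests in the table above using the WebAdministration module and the SCHANNEL registry keys; run it on the IIS server or wrap it in Invoke-Command for the remote, read-only model the page describes. The 30,000,000-byte content-length bound and the short test labels are assumptions.

```powershell
# Added example, not SmartProfiler's own code: a read-only spot check of a few
# of the CIS IIS tests listed above. Only Get-* cmdlets are used, so nothing
# on the target is modified.
Import-Module WebAdministration -ErrorAction Stop

$appHost = 'MACHINE/WEBROOT/APPHOST'
$rf      = 'system.webServer/security/requestFiltering'

function Get-AppHostProp([string]$Filter, [string]$Name) {
    # Boolean attributes come back as plain values; numeric/string ones as a
    # ConfigurationAttribute object whose .Value holds the setting.
    $v = Get-WebConfigurationProperty -PSPath $appHost -Filter $Filter -Name $Name
    if ($null -ne $v -and $null -ne $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Get-SchannelEnabled([string]$Protocol) {
    # Server-side protocol switch. A missing key means the OS default applies;
    # it is reported as not passing so that it gets a manual review.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    $p = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotConfigured' }
    return ($p.Enabled -ne 0)
}

$trace = Get-WebConfiguration -PSPath $appHost -Filter "$rf/verbs/add[@verb='TRACE']"
$hsts  = Get-WebConfiguration -PSPath $appHost -Filter "system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']"

# 30,000,000 bytes is the IIS default; it is used here as an assumed upper bound.
$results = @(
    [pscustomobject]@{ Test = 'Directory browsing disabled';           Pass = -not [bool](Get-AppHostProp 'system.webServer/directoryBrowse' 'enabled') }
    [pscustomobject]@{ Test = 'Double-encoded requests rejected';      Pass = -not [bool](Get-AppHostProp $rf 'allowDoubleEscaping') }
    [pscustomobject]@{ Test = 'Non-ASCII characters in URLs rejected'; Pass = -not [bool](Get-AppHostProp $rf 'allowHighBitCharacters') }
    [pscustomobject]@{ Test = 'maxAllowedContentLength <= 30000000';   Pass = [int64](Get-AppHostProp "$rf/requestLimits" 'maxAllowedContentLength') -le 30000000 }
    [pscustomobject]@{ Test = 'HTTP TRACE verb denied';                Pass = ($null -ne $trace -and -not [bool]$trace.allowed) }
    [pscustomobject]@{ Test = 'HSTS header set';                       Pass = ($null -ne $hsts) }
)
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $results += [pscustomobject]@{ Test = "$proto disabled"; Pass = ((Get-SchannelEnabled $proto) -eq $false) }
}
$results += [pscustomobject]@{ Test = 'TLS 1.2 enabled'; Pass = ((Get-SchannelEnabled 'TLS 1.2') -eq $true) }

$results | Format-Table -AutoSize
```

Each row prints Pass = True/False; a False on a protocol row can also mean the key is absent and the OS default is in effect, which is worth confirming before remediating.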
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights about your Active Directory environment and make sure every risk is mitigated.
Copyright © DynamicPacks Technologies