Almost all CIS tests for Microsoft IIS Servers are automated with SmartProfiler for IIS Server.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
It checks that every CIS-recommended setting for Microsoft IIS Server is configured on the assessed IIS servers.
SmartProfiler for IIS CIS Assessment supports multiple IIS Servers. The tool connects to every IIS server in scope and provides a summary of the components that are not configured correctly.
The Microsoft IIS CIS Benchmark is a set of security best practices and configuration guidelines designed to help administrators secure Internet Information Services (IIS), Microsoft's web server platform. The Microsoft IIS CIS Benchmark Assessment tool can be used to perform CIS Benchmark assessment for multiple IIS Servers. The Center for Internet Security (CIS) publishes these benchmarks to provide actionable recommendations for securing IIS environments, reducing vulnerabilities, and ensuring compliance with industry standards.
IIS Server Configuration: The benchmark covers fundamental security settings for IIS, including disabling unnecessary modules, enforcing strong authentication, and ensuring that security features such as SSL/TLS are properly configured.
Access Control: Guidelines include securing access to IIS servers by enforcing least privilege principles, ensuring proper user permissions, and restricting administrative access to trusted personnel.
Logging and Monitoring: The benchmark emphasizes the importance of enabling and configuring IIS logging for auditing and troubleshooting. It also recommends integrating IIS with centralized logging and monitoring solutions to detect suspicious activity.
Patching and Updates: The CIS Benchmark encourages the regular application of security patches and updates to IIS and its underlying components to mitigate known vulnerabilities.
Security Headers and Features: Recommendations include enforcing secure HTTP headers, such as Strict-Transport-Security, and disabling insecure features like Directory Browsing and HTTP TRACE to reduce the attack surface.
Encryption and Data Protection: The benchmark advises enabling strong SSL/TLS encryption and securing sensitive data through mechanisms such as file encryption and password policies.
By following these guidelines, administrators can harden their IIS servers and reduce the risk of exploitation from cyber threats.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support the CIS standards published for Microsoft 365 and Azure assessments.
SmartProfiler for IIS CIS Server Assessment requires connectivity to the IIS servers and the ability to execute PowerShell commands on them remotely.
SmartProfiler requires a domain user account that can connect to the remote IIS servers and execute PowerShell scripts to check the status of each test.
SmartProfiler uses the Microsoft PowerShell modules for IIS Server to assess multiple IIS servers.
SmartProfiler is a read-only product; no write operation is ever made to the target while it is being assessed.
SmartProfiler for IIS Server CIS Assessment is simple to use and runs in four steps.
Assessment time depends on the number of resources in the tenant. It typically takes 1 hour to perform a Windows 10/11 Intune CIS Assessment for a tenant with 30 GPOs.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for IIS CIS Server Assessment:
Category | CIS Version | Test |
--- | --- | --- |
Basic Configurations | CIS v1.2.1 | Ensure Web content is on non-system partition |
Basic Configurations | CIS v1.2.1 | Ensure Host headers are on all sites |
Basic Configurations | CIS v1.2.1 | Ensure Directory browsing is set to Disabled |
Basic Configurations | CIS v1.2.1 | Ensure application pool identity is configured for all application pools |
Basic Configurations | CIS v1.2.1 | Ensure unique application pools is set for sites |
Basic Configurations | CIS v1.2.1 | Ensure application pool identity is configured for anonymous user identity |
Basic Configurations | CIS v1.2.1 | Ensure WebDav feature is disabled |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure global authorization rule is set to restrict access |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure access to sensitive site features is restricted to authenticated principals only |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure forms authentication require SSL |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure forms authentication is set to use cookies |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure cookie protection mode is configured for forms authentication |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure transport layer security for basic authentication is configured |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure passwordFormat is not set to clear |
Configure Authentication and Authorization | CIS v1.2.1 | Ensure credentials are not stored in configuration files |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure deployment method retail is set |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure debug is turned off |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure custom error messages are not off |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure IIS HTTP detailed errors are hidden from displaying remotely |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure ASPNET stack tracing is not enabled |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure httpcookie mode is configured for session state |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure cookies are set with HttpOnly attribute |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure MachineKey validation method – Net 3.5 is configured |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure MachineKey validation method – Net 4.5 is configured |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure global NET trust level is configured |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure X-Powered-By Header is removed |
ASPNET Configuration Recommendations | CIS v1.2.1 | Ensure Server Header is removed |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure maxAllowedContentLength is configured |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure maxURL request filter is configured |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure MaxQueryString request filter is configured |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure non-ASCII characters in URLs are not allowed |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Double-Encoded requests will be rejected |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure HTTP Trace Method is disabled |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Unlisted File Extensions are not allowed |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Handler is not granted Write and Script-Execute |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure notListedIsapisAllowed is set to false |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure notListedCgisAllowed is set to false |
Request Filtering and Other Restriction Modules | CIS v1.2.1 | Ensure Dynamic IP Address Restrictions is enabled |
IIS Logging Recommendations | CIS v1.2.1 | Ensure Default IIS web log location is moved |
IIS Logging Recommendations | CIS v1.2.1 | Ensure Advanced IIS logging is enabled |
IIS Logging Recommendations | CIS v1.2.1 | Ensure ETW Logging is enabled |
FTP Requests | CIS v1.2.1 | Ensure FTP requests are encrypted |
FTP Requests | CIS v1.2.1 | Ensure FTP Logon attempt restrictions is enabled |
Transport Encryption | CIS v1.2.1 | Ensure HSTS Header is set |
Transport Encryption | CIS v1.2.1 | Ensure SSLv2 is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure SSLv3 is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure TLS 1.0 is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure TLS 1.1 is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure TLS 1.2 is Enabled |
Transport Encryption | CIS v1.2.1 | Ensure NULL Cipher Suites is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure DES Cipher Suites is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure RC4 Cipher Suites is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure AES 128-128 Cipher Suite is Disabled |
Transport Encryption | CIS v1.2.1 | Ensure AES 256-256 Cipher Suite is Enabled |
Transport Encryption | CIS v1.2.1 | Ensure TLS Cipher Suite ordering is Configured |
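As an added example (not SmartProfiler's own code), the following read-only PowerShell audit works the way the page describes: it runs over PowerShell remoting with a domain account, uses the WebAdministration module, and evaluates a handful of the IIS tests listed above on each server. The server names are placeholders; it assumes the IIS Management Scripts and Tools feature is installed on the targets, and the configuration paths follow the CIS audit procedures for v1.2.1.

```powershell
# Added example (not SmartProfiler code): read-only audit of a few CIS IIS
# Benchmark v1.2.1 tests over PowerShell remoting. Hostnames are placeholders.
$servers = @('iis01.corp.example', 'iis02.corp.example')   # placeholder names
$cred    = Get-Credential -Message 'Domain account with read access to the IIS servers'

$audit = {
    Import-Module WebAdministration -ErrorAction Stop
    $appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config (IIS level)
    $webRoot = 'MACHINE/WEBROOT'           # machine-level web.config (system.web)

    # Get-WebConfigurationProperty returns a ConfigurationAttribute for simple
    # attributes; unwrap .Value so callers always get the raw setting.
    function Get-IisProp([string]$Filter, [string]$Name, [string]$PSPath) {
        $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction Stop
        if ($raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
    }
    function Get-CustomHeader([string]$HeaderName) {
        Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/httpProtocol/customHeaders/add' |
            Where-Object { $_.name -eq $HeaderName }
    }

    # Each entry: the CIS test name from the list above and a read-only predicate.
    $checks = @(
        @{ Test = 'Ensure Directory browsing is set to Disabled'
           Pass = { -not [bool](Get-IisProp 'system.webServer/directoryBrowse' 'enabled' $appHost) } }
        @{ Test = 'Ensure debug is turned off'
           Pass = { -not [bool](Get-IisProp 'system.web/compilation' 'debug' $webRoot) } }
        @{ Test = 'Ensure cookies are set with HttpOnly attribute'
           Pass = { [bool](Get-IisProp 'system.web/httpCookies' 'httpOnlyCookies' $webRoot) } }
        @{ Test = 'Ensure Double-Encoded requests will be rejected'
           Pass = { -not [bool](Get-IisProp 'system.webServer/security/requestFiltering' 'allowDoubleEscaping' $appHost) } }
        @{ Test = 'Ensure non-ASCII characters in URLs are not allowed'
           Pass = { -not [bool](Get-IisProp 'system.webServer/security/requestFiltering' 'allowHighBitCharacters' $appHost) } }
        @{ Test = 'Ensure HTTP Trace Method is disabled'
           Pass = { $v = Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/security/requestFiltering/verbs/add' |
                        Where-Object { $_.verb -eq 'TRACE' }
                    ($null -ne $v) -and (-not [bool]$v.allowed) } }
        @{ Test = 'Ensure X-Powered-By Header is removed'
           Pass = { $null -eq (Get-CustomHeader 'X-Powered-By') } }
        @{ Test = 'Ensure HSTS Header is set'
           Pass = { $null -ne (Get-CustomHeader 'Strict-Transport-Security') } }
        @{ Test = 'Ensure TLS 1.0 is Disabled'
           Pass = { $k = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
                    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
                    ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1) } }
    )

    # Only Get-* cmdlets are used above, so the target is never modified.
    foreach ($c in $checks) {
        try   { $status = if (& $c.Pass) { 'Pass' } else { 'Fail' } }
        catch { $status = "Error: $($_.Exception.Message)" }
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Test = $c.Test; Status = $status }
    }
}

$results = Invoke-Command -ComputerName $servers -Credential $cred -ScriptBlock $audit
$results | Sort-Object Server, Test | Format-Table Server, Test, Status -AutoSize
```

An "Error" status usually means the WebAdministration module is missing on that server or the account lacks read access to the configuration, which is itself a finding worth recording.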
The tests below, recommended by Microsoft for Azure generally, are not part of the Azure CIS Benchmark v2.1.0 test list. We recommend running them as part of a Microsoft Azure security and compliance assessment.
Category | Version | Test |
--- | --- | --- |
Azure-Infra | SP v1.0 | Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID |
Azure-Infra | SP v1.0 | Ensure Azure Administrative Units are used |
Azure-Infra | SP v1.0 | Ensure Azure Guests cannot invite other Guests |
Azure-Infra | SP v1.0 | Ensure privileged accounts have MFA Configured |
Azure-Infra | SP v1.0 | Ensure non-Admins cannot register custom applications |
Azure-Infra | SP v1.0 | Ensure no Guest Accounts in Azure Privileged groups |
Azure-Infra | SP v1.0 | Ensure Security Defaults is enabled |
Azure-Infra | SP v1.0 | Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent |
Azure-Infra | SP v1.0 | Ensure Conditional Access Policy with signin user-risk location as Factor |
Azure-Infra | SP v1.0 | Ensure no Guest accounts that are inactive for more than 45 days |
Azure-Infra | SP v1.0 | Conditional Access policy with Continuous Access Evaluation disabled |
Azure-Infra | SP v1.0 | AAD Connect sync account password reset |
Azure-Infra | SP v1.0 | Ensure Guest users are restricted |
Azure-Infra | SP v1.0 | Ensure users are configured with MFA |
Azure-Infra | SP v1.0 | Conditional Access Policy that disables admin token persistence |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require a password change from high risk users |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require MFA when sign-in risk has been identified |
Azure-Infra | SP v1.0 | Ensure Guest invites not accepted in last 30 days are identified |
Azure-Infra | SP v1.0 | Ensure Synced AAD Users not privileged Users in Azure |
Azure-Infra | SP v1.0 | Ensure No Private IP Addresses in Conditional Access policies |
Azure-Infra | SP v1.0 | Ensure Number Matching enabled in MFA |
Azure-Infra | SP v1.0 | Ensure AD privileged users are not synced to AAD |
Azure-Infra | SP v1.0 | Ensure no more than 5 Global Administrators |
Azure-Infra | SP v1.0 | Ensure SSO computer account with latest password |
Azure-Infra | SP v1.0 | Ensure RBCD is not applied to AZUREADSSOACC account |
Azure Entra ID | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
Azure Entra ID | SP v1.0 | Ensure Phishing-resistant MFA strength is required for Administrators |
Azure Entra ID | SP v1.0 | Ensure custom banned passwords lists are used |
Azure Entra ID | SP v1.0 | Ensure Restrict non-admin users from creating tenants is set to Yes |
Azure Entra ID | SP v1.0 | Ensure a dynamic group for guest users is created |
Azure Entra ID | SP v1.0 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
Azure Entra ID | SP v1.0 | Ensure that password hash sync is enabled for hybrid deployments |
Azure Entra ID | SP v1.0 | Ensure Privileged Identity Management is used to manage roles |
Azure Entra ID | SP v1.0 | Ensure Security Defaults is disabled on Azure Active Directory |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection user risk policies |
Azure Entra ID | SP v1.0 | Ensure the admin consent workflow is enabled |
Azure Entra ID | SP v1.0 | Ensure Microsoft Azure Management is limited to administrative roles |
Azure Entra ID | SP v1.0 | Ensure LinkedIn account connections is disabled |
Azure Entra ID | SP v1.0 | Ensure password protection is enabled for on-prem Active Directory |
Azure Entra ID | SP v1.0 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
Azure Entra ID | SP v1.0 | Ensure third party integrated applications are not allowed |
Azure Entra ID | SP v1.0 | Ensure user consent to apps accessing company data on their behalf is not allowed |
Azure Entra ID | SP v1.0 | Enable Conditional Access policies to block legacy authentication |
Azure Entra ID | SP v1.0 | Ensure Self service password reset enabled is set to All |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection sign-in risk policies |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users in administrative roles |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users |
Database Services-SQL Server – MySQL Database | SP v1.0 | Ensure to Enable In-Transit Encryption for MySQL Servers |
Virtual Machines | SP v1.0 | Approved Azure Machine Image in Use |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Boot Disk Volumes |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Non-Boot Disk Volumes |
Virtual Machines | SP v1.0 | Ensure Associated Load Balancers are configured |
Virtual Machines | SP v1.0 | Ensure Desired VM SKU Size are configured |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Scale Sets are not empty |
Virtual Machines | SP v1.0 | Ensure Virtual Machines are configured with SSH Authentication Type |
Virtual Machines | SP v1.0 | Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure No Unused Load Balancers are identified to reduce cost |
Virtual Machines | SP v1.0 | Ensure No Zone-Redundant Virtual Machine Scale Sets are present |
Virtual Machines | SP v1.0 | Ensure Premium SSD are disabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Accelerated Networking for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Automatic Instance Repairs is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Automatic OS Upgrades is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Autoscale Notifications are configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Backups for Azure Virtual Machines are configured |
Virtual Machines | SP v1.0 | Ensure Encryption for App-Tier Disk Volumes are configured |
Virtual Machines | SP v1.0 | Ensure Encryption for Web-Tier Disk Volumes are configured |
Virtual Machines | SP v1.0 | Ensure Guest-Level Diagnostics for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured |
Virtual Machines | SP v1.0 | Ensure Just-In-Time Access for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Performance Diagnostics for Azure Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure System-Assigned Managed Identities are enabled |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Boot Diagnostics is enabled |
Virtual Machines | SP v1.0 | Ensure Health Monitoring is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Old Virtual Machine Disk Snapshots are removed |
Virtual Machines | SP v1.0 | Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines |
Virtual Machines | SP v1.0 | Ensure BYOK for Disk Volumes Encryption is used |
Virtual Machines | SP v1.0 | Enable Virtual Machine Access using Microsoft Entra ID Authentication |
Azure Subscription | SP v1.0 | Ensure Basic and Consumption SKUs are not used in Production |
Azure Subscription | SP v1.0 | Ensure Azure Cloud Budget Alerts are configured |
Azure Subscription | SP v1.0 | Ensure more than one Subscription Owner is assigned |
Azure Subscription | SP v1.0 | Ensure Not Allowed Resource Types Policy Assignment is in Use |
Azure Subscription | SP v1.0 | Ensure Tags are configured on the Resources |
Azure Subscription | SP v1.0 | Ensure to remove Custom Owner Roles from Subscriptions |
Azure Subscription | SP v1.0 | Ensure Resource Locking Administrator Role is configured |
Azure Subscription | SP v1.0 | Ensure no Subscription Administrator Custom Roles are configured |
Instead of manually checking the IIS CIS tests on each Microsoft IIS server, which can take a significant amount of time, SmartProfiler Assessment automates all of the tests so that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights into your Active Directory environment and make sure every risk is mitigated.
Copyright © DynamicPacks Technologies