Technical : How to secure the web server

Procedure

First, hide the IIS version. The HTTP header “X-Powered-By” reveals the version of IIS used on the server. To stop this, remove the header:

1. Open the IIS Manager.

2. In the Connections tree, select the website that COACH is running under.

3. Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.

4. Click to select the X-Powered-By HTTP header.

5. Click the Remove button in the Actions panel. The header disappears.

Second, hide the ASP.NET version. The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the application pool. To stop this, remove the header:

1. Open the web.config file for COACH, which is located in the root directory for the website.

2. Inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.

3. Save the file.

Third, hide the server type. The HTTP header line Server: Microsoft-HTTPAPI/2.0 is added to the header by the .NET framework. To remove that information, you must update the Windows registry:

Important: Do not simply remove the Server header variable—it will cause parts of COACH to malfunction.

1. Open the Windows Registry Editor.

2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.

3. Change the DisableServerHeader (REG_DWORD type) registry key from 0 to 1.

Note: There are other ways to hide the server type. We strongly recommend this one.

Forth, change the c:\inetpub\wwwroot\iisstart.htm and iisstart.png and other files to FileName.Ext.bak

Fifth, add web.config configuration to the root IIS and COACH application

<?xml version="1.0" encoding="UTF-8"?>

<configuration>

<system.web>

<httpCookies httpOnlyCookies="true" sameSite="Strict" requireSSL="true" />

<pages viewStateEncryptionMode="Always" >

</pages>

<machineKey validation="SHA1" />

<httpRuntime enableVersionHeader="false" />

</system.web>

<system.webServer>

<httpProtocol>

<customHeaders>

<add name="X-Frame-Options" value="SAMEORIGIN" />

<remove name="Server" />

<remove name="X-Powered-By" />

<remove name="X-AspNet-Version" />

<add name="strict-transport-security" value="max-age=31536000; includeSubdomains" />

</customHeaders>

</httpProtocol>

<urlCompression doDynamicCompression="false" />

<security>

<requestFiltering removeServerHeader="true">

<requestLimits maxUrl="2048" maxQueryString="1024">

<headerLimits>

<add header="content-type" sizeLimit="100" />

</headerLimits>

</requestLimits>

</requestFiltering>

</security>

</system.webServer>

</configuration>

Tips:

Use URL Decoder to review encoding and decoding of URL malformity

https://www.urldecoder.org/

AWS WAF Configuration Guidance

Using AWS#AWSManagedRulesCommonRuleSet, the AWS will block request with AWS#AWSManagedRulesCommonRuleSet#SizeRestrictions_BODY. The size constraints within AWS Managed Rules will block requests that are atypically large. If you find that the rules are matching normal end user requests, or if you prefer not to use this kind of logic, the size rules can be disabled. You then have the option to write your own size constraints that suit your particular use case.

The exact contents of AWS Managed Rules are not public, but are available to AWS engineers. If you need any help with these rules, please open an AWS Support case under the "AWS WAF" service.