Center for Internet Security - Umbraco v8.5.4 would not function after applying recommendations.
I used this CISMicrosoftIIS10Benchmark_v1.1.1.pdf to create a test environment with IIS hardened, based on the recommendations. (Center for Internet Security)
I created a PowerShell script that checks and applies recommendations 1.1, 1.2, 1.3, 1.4, 1.5, 2.1, 3.9, 3.11, 3.12, 4.1 to 4.10, 4.11 (manually), 5.1, 7.2 to 7.12. I also ran a script that disables all protocols except TLS 1.2 on my machine (this may not be relevant, but I mention it anyway).
My machine configuration is as follows:
Windows 10 Pro 64 bit with 16GB RAM
IIS 10
Anonymous Authentication - Enabled
ASP.NET Impersonation - Disabled
Forms Authentication - Disabled
No other auth.
No HTTPS. Site runs as HTTP.
Errors:
I saw errors related to URL length and query string length. This was because I had emptied the Umbraco.Core.ConfigurationStatus and umbracoDbDSN connection string. I relaxed these rules and saw the welcome screen with no images at all.
Request filtering - Allow File Name Extension. I had to allow "." as the browser would not browse to localhost (an ASP.NET MVC issue, not an Umbraco v8 one).
I tried relaxing other rules, but Umbraco v8.5.4 would just not work.
As Umbraco v8 will not function when these CIS recommendations are applied, I would like to know: which rules from the CIS document break Umbraco v8?
I tried applying each recommendation, restarting IIS, and testing the application, and found that the following caused Umbraco to not function:
2.1 - (L1) Ensure 'global authorization rule' is set to restrict access
4.2 - (L2) Ensure 'maxURL request filter' is configured (Setting to 4096 causes issue. Observed when Umbraco starts to install.)
4.3 - (L2) Ensure 'MaxQueryString request filter' is configured (Setting to 2048 causes issue. Observed when Umbraco starts to install.)
4.7 - (L1) Ensure Unlisted File Extensions are not allowed - OK, but typing localhost fails. A locally configured hosts file domain name works.
What should I set for these recommendations?
4.11 (L1) Ensure 'Dynamic IP Address Restrictions' is enabled - Worked.
There are others like:
7.1 (L2) Ensure HSTS Header is set
3.1 (L1) Ensure 'deployment method retail' is set
1.7 (L1) Ensure WebDAV feature is disabled - Get-WindowsFeature does not work on Windows 10 - WebDAV Publishing was not installed on Windows 10.
that I have not tried yet.
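To work out which of the four settings named above (CIS 2.1, 4.2, 4.3 and 4.7) is actually in effect for the Umbraco site, rather than guessing from the server-wide values, the following audit script reads them at site scope and optionally writes site-scoped overrides so the benchmark values stay in place for every other site. This is an added example, not code from the thread or from Umbraco; $SiteName and the override values are assumptions and need to be replaced with your own.

```powershell
# Added example: audit (and optionally relax, per site) the IIS settings this thread found break Umbraco.
# Requires the WebAdministration module (IIS Management Scripts and Tools) in an elevated PowerShell.
Import-Module WebAdministration

$SiteName = 'Default Web Site'           # ASSUMPTION: name of the Umbraco site in IIS Manager
$Site     = "IIS:\Sites\$SiteName"
$Rf       = 'system.webServer/security/requestFiltering'

function Get-UmbracoCisState {
    # Effective values at site scope (site web.config, or inherited from applicationHost.config)
    $maxUrl  = (Get-WebConfigurationProperty -PSPath $Site -Filter "$Rf/requestLimits"  -Name maxUrl).Value          # CIS 4.2
    $maxQs   = (Get-WebConfigurationProperty -PSPath $Site -Filter "$Rf/requestLimits"  -Name maxQueryString).Value  # CIS 4.3
    $unlist  = (Get-WebConfigurationProperty -PSPath $Site -Filter "$Rf/fileExtensions" -Name allowUnlisted).Value   # CIS 4.7
    # CIS 2.1: the URL authorization rules the site inherits; a deny-all rule here blocks anonymous front-end requests
    $rules   = Get-WebConfiguration -PSPath $Site -Filter 'system.webServer/security/authorization/add' |
               ForEach-Object { "$($_.accessType) users='$($_.users)' roles='$($_.roles)'" }

    [pscustomobject]@{
        Site           = $SiteName
        MaxUrl         = $maxUrl
        MaxQueryString = $maxQs
        AllowUnlisted  = $unlist
        AuthRules      = ($rules -join '; ')
    }
}

function Set-UmbracoCisOverride {
    # Writes overrides into the site's own web.config, so the server-wide CIS values remain for other sites.
    # Only works while the requestFiltering and authorization sections are not locked at server level.
    # Values below are PLACEHOLDERS: test each one against your Umbraco install before relying on it.
    param([uint32]$MaxUrl = 8192, [uint32]$MaxQueryString = 4096)
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rf/requestLimits"  -Name maxUrl         -Value $MaxUrl
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rf/requestLimits"  -Name maxQueryString -Value $MaxQueryString
    Set-WebConfigurationProperty -PSPath $Site -Filter "$Rf/fileExtensions" -Name allowUnlisted  -Value $true
    # CIS 2.1: clear inherited rules for this site only and allow anonymous users to reach the front end
    Clear-WebConfiguration -PSPath $Site -Filter 'system.webServer/security/authorization'
    Add-WebConfiguration   -PSPath $Site -Filter 'system.webServer/security/authorization' -Value @{ accessType = 'Allow'; users = '*' }
}

Get-UmbracoCisState | Format-List
# Set-UmbracoCisOverride          # uncomment after reviewing the audit output
```

Run the audit before and after each change and restart IIS (iisreset) between runs, so a difference in the site-scoped output can be tied to one recommendation.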