For a very long time, I have been asked for a document on IIS best practices. There are some blogs/articles on the Internet but I could not find a complete one. Actually, the main problem here is that there can not be “best practices” for a web server. A web server is just a hosting platform for applications, and, each and every application has its own needs. Therefore, in many cases, you will not have one universal best practice.

Having these said, I tried to gather a list of things one should check while configuring an IIS server (and an application on IIS). I should say that these are my own thoughts based on my own experience. It is very likely that you will find some resources mentioning just the opposite of what I say.

NOTE: Some of the links I provided below refer to content in Turkish because I usually blog in Turkish.

Application pool configuration




  • Configure "Request Filtering":
    • “Allow unlisted file name extensions": Uncheck (add only the extensions you will use)
    • “Allow unlisted verbs": Uncheck (add only the verbs you will use) 
    • Lower "request limits" if possible
  • Remove HTTP headers which identifies the server and application. These headers are believed to cause security vulnerability:
       Server ve ASP.NET başlıkları
  • Set NTLM permissions on the content folders as needed; do not give unnecessary permissions to unnecessary users. You should consider authentication and impersonation configurations to do this.
  • Remove any unused modules to reduce attack surface. For example, if you do not  specifically need WebDAV, do not install it.