IIS

Internet Information Services (IIS) for Windows Server is a flexible, secure and manageable web server for hosting anything on the Web. IIS 10 is the current release at the time of this writing.


Installation

Install a Wildcard SSL Certificate

Enable HTTP Strict Transport Security (HSTS)

Server Name Indication (SNI)


Installation

Open Server Manager and click Manage > Add Roles and Features.

Click Next at the Before you begin window.

Select Role-based or feature-based installation and click Next.

Select the server where the IIS role will be installed and click Next.

Check the box next to Web Server (IIS).

Click the Add features button on the pop-up to install the IIS Management Console. Click Next to continue.

No other features are necessary. Click Next to continue.

Click Next.

The role services listed below are suggestions; add or remove them according to your requirements.

Install the features under Common HTTP Features:

Install the features under Health and Diagnostics:

Install Dynamic and Static Content Compression under Performance, then install the features under Security:

Install the features under Application Development:

Install the features under Management Tools. Click Next when finished.

Confirm the installation selections and click Install to commence with installation.
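The same role services can be installed unattended from an elevated PowerShell session with the ServerManager module. This is an added example, not part of the original guide; the feature names are the standard Windows Server names for the groups listed above, and each parent name installs that group's default sub-features only:

```powershell
# Added example: install the IIS role and the role-service groups the guide lists.
# Run in an elevated PowerShell session on the target Windows Server.

$features = @(
    'Web-Server',            # Web Server (IIS) role
    'Web-Common-Http',       # Common HTTP Features
    'Web-Health',            # Health and Diagnostics
    'Web-Stat-Compression',  # Performance: Static Content Compression
    'Web-Dyn-Compression',   # Performance: Dynamic Content Compression
    'Web-Security',          # Security (includes Request Filtering)
    'Web-App-Dev',           # Application Development
    'Web-Mgmt-Tools'         # Management Tools (includes IIS Management Console)
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools

if (-not $result.Success) {
    throw "IIS role installation failed (exit code: $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to complete the installation.'
}

# Review what was actually installed. Anything not needed for the workload
# (for example Directory Browsing) can be removed with Uninstall-WindowsFeature
# to keep the server's exposed surface small.
Get-WindowsFeature -Name 'Web-*' |
    Where-Object Installed |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize
```

Parent names such as `Web-Common-Http` pull in only their default sub-features; use `Get-WindowsFeature -Name 'Web-*'` first if you want to pick individual sub-features rather than whole groups.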



Install a Wildcard SSL Certificate

Visit the SSL Cert Request Form to request a USGS wildcard certificate. Once your request is completed, you will receive an email from NatWeb with a link to download the certificate.

Review the readme file included in the bundle and make note of important details such as the expiration date. Keep the certificate and key safe in properly secured directories.

Log on to the web server as an Administrator and copy the .pfx file from the zip file to a local directory on the web server.

Launch IIS Manager. On the home page, locate the IIS section in the center pane and double-click Server Certificates.

On the Server Certificates pane, click Import under Actions at the far-right side of the window.

Browse to the location of the .pfx file and select Web Hosting from the certificate store drop-down. No password is required. Click OK.

The certificate will be added to the IIS certificate store.

On the left side of IIS Manager, expand the Sites folder and click the web site where you want to install the SSL certificate.

Click Bindings under Actions at the far-right side of the window.

Click Add on the Site Bindings pop-up.

Set the Type to https, enter the IP address to bind to, select the wildcard certificate from the drop-down, and click OK. A host name is not required when binding only a single website.

The binding should now be listed. Click Close to exit.

Open a browser and access the site to test that it is working. Click the certificate to verify that the information is correct.
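The import and binding steps above can be scripted with the WebAdministration module. This is an added example, not part of the original guide; the .pfx path, site name and IP address are placeholders to adjust for your server, and it assumes the bundled .pfx has no password as the guide states:

```powershell
# Added example: import the wildcard .pfx into the Web Hosting store and bind
# it to a site on port 443. Placeholders: $pfxPath, $siteName, $ipAddress.
Import-Module WebAdministration

$pfxPath   = 'C:\certs\wildcard.pfx'   # placeholder: where the .pfx was copied
$siteName  = 'Default Web Site'        # placeholder: the site to bind
$ipAddress = '*'                       # placeholder: a specific IP, or * for all unassigned

# The guide says the bundled .pfx has no password. If yours does, add
#   -Password (Read-Host 'PFX password' -AsSecureString)
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\WebHosting'

# Record the details the readme tells you to note, and stop early if the
# certificate is stale.
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    throw 'Certificate has already expired'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Certificate expires within 30 days; plan the renewal now'
}

# Add the https binding without a host header (single site on this IP).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress $ipAddress
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 | Select-Object -First 1
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

# The .pfx carries the private key. Once it is in the store, remove the
# working copy so it is not left lying in a local directory.
Remove-Item -Path $pfxPath -Force

# Verify: the SSL binding table should now reference this thumbprint.
$bound = Get-ChildItem IIS:\SslBindings | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $bound) { throw 'No SSL binding references the imported certificate' }
$bound | Format-Table IPAddress, Port, Host, Thumbprint, Sites -AutoSize
```

After running it, browse to the site as the guide describes; the thumbprint shown in the browser's certificate view should match the one printed by the script.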



HTTP Strict Transport Security (HSTS)

Enable HSTS on web servers to ensure only HTTPS connections are established. Enabling HSTS will also remediate Nessus Plugin ID 142960.

Launch IIS Manager, click on the website, then click HSTS… under the Configure section on the Actions pane.

Configure the settings as shown below:

  • Enabled: Specifies whether HSTS is enabled (true) or disabled (false) for a site. If HSTS is enabled, the Strict-Transport-Security HTTP response header is added when IIS replies to an HTTPS request to the web site.
  • Max-Age: Specifies the max-age directive in the Strict-Transport-Security HTTP response header field value. Recommend at least 31536000 seconds (one year).
  • IncludeSubDomains: Specifies whether the includeSubDomains directive is included in the Strict-Transport-Security HTTP response header field value. Enable this attribute only if all subdomains indeed offer HTTP-based service over TLS/SSL.
  • Preload: Specifies whether the preload directive is included in the Strict-Transport-Security HTTP response header field value.
  • Redirect Http to Https: Specifies whether HTTP to HTTPS redirection is enabled (true) or disabled (false) for a site. Enabling Redirect Http to Https enforces the site-level HTTP to HTTPS redirection. When IIS redirects an HTTP request, it replaces the URI scheme with "https" and ignores the port component. Make sure that the redirection destination provides HTTP-based service over TLS/SSL on standard port 443.
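The HSTS dialog writes these settings to the site's `<hsts>` element in applicationHost.config, so they can also be set with the IISAdministration module and then verified against a live response. This is an added example, not part of the original guide; the site name and host name are placeholders, and the redirect check assumes Windows PowerShell 5.1, where `Invoke-WebRequest` with `-MaximumRedirection 0` surfaces the redirect as a caught exception:

```powershell
# Added example: configure site-level HSTS (IIS 10 1709+ native support) and
# verify the header and the HTTP-to-HTTPS redirect. Placeholders: $siteName, $hostName.
Import-Module IISAdministration

$siteName = 'Default Web Site'   # placeholder
$hostName = 'www.example.gov'    # placeholder: a name covered by the site's certificate
$minMaxAge = 31536000            # one year, the minimum the guide recommends

Start-IISCommitDelay
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $siteName }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'

Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $minMaxAge
# Only set includeSubDomains when every subdomain really serves TLS; browsers
# will otherwise refuse plain-HTTP subdomains for the whole max-age period.
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
Stop-IISCommitDelay

# Verify 1: the header is present on the HTTPS response and max-age is long enough.
$resp   = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing
$header = $resp.Headers['Strict-Transport-Security']
if (-not $header) { throw 'Strict-Transport-Security header missing on HTTPS response' }
if ($header -notmatch 'max-age=(\d+)' -or [int]$Matches[1] -lt $minMaxAge) {
    throw "HSTS max-age too short: $header"
}
"HSTS header: $header"

# Verify 2: a plain-HTTP request is redirected to https on port 443.
try {
    Invoke-WebRequest -Uri "http://$hostName/" -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    throw 'Plain HTTP request was not redirected'
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    $location = $r.Headers['Location']
    if ($location -notmatch '^https://') { throw "Unexpected redirect target: $location" }
    "HTTP $([int]$r.StatusCode) -> $location"
}
```

Note that the header is only meaningful on the HTTPS response; browsers ignore Strict-Transport-Security received over plain HTTP, which is why the redirect and the header are checked separately.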



Server Name Indication

Sites that have multiple websites hosted on a server may leverage Server Name Indication (SNI) to map multiple certificates to a single IP address. Refer to the instructions on the DigiCert website for configuration information.
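In IIS terms, SNI is a host-header https binding created with the SNI SSL flag, so several such bindings can share one IP address and port while each carries its own certificate. This is an added example of that layout, not part of the original guide or the DigiCert instructions; the IP address, site names, host names and thumbprints are placeholders:

```powershell
# Added example: two sites sharing one IP on port 443, each with its own
# certificate chosen by SNI. -SslFlags 1 marks the binding as SNI.
# Placeholders: $sharedIp and every entry in $sites.
Import-Module WebAdministration

$sharedIp = '10.0.0.10'   # placeholder: the single IP both sites listen on
$sites = @(
    @{ Name = 'SiteA'; Host = 'a.example.gov'; Thumbprint = 'THUMBPRINT-OF-CERT-A' },  # placeholders
    @{ Name = 'SiteB'; Host = 'b.example.gov'; Thumbprint = 'THUMBPRINT-OF-CERT-B' }
)

foreach ($s in $sites) {
    # Each certificate must already be in the Web Hosting store (see the import step).
    if (-not (Get-Item "Cert:\LocalMachine\WebHosting\$($s.Thumbprint)" -ErrorAction SilentlyContinue)) {
        throw "Certificate $($s.Thumbprint) for $($s.Host) is not in the WebHosting store"
    }

    if (-not (Get-WebBinding -Name $s.Name -Protocol https -HostHeader $s.Host)) {
        New-WebBinding -Name $s.Name -Protocol https -Port 443 `
            -IPAddress $sharedIp -HostHeader $s.Host -SslFlags 1
    }
    $binding = Get-WebBinding -Name $s.Name -Protocol https -HostHeader $s.Host | Select-Object -First 1
    $binding.AddSslCertificate($s.Thumbprint, 'WebHosting')
}

# Review: SNI bindings are keyed by host name rather than by IP address.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Host, Thumbprint, Sites -AutoSize
```

Clients that do not send SNI cannot be matched by host name, so if such clients matter, keep one non-SNI binding on the IP as the fallback certificate; otherwise they receive a handshake failure rather than a mismatched certificate.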
