IIS Security and Secure Hardening Training

The Power Behind Industry Leaders

About Training

IIS Security and Secure Hardening Training is a corporate-level, lab-supported course focused on providing fundamental knowledge and skills for configuring and managing IIS environments.

Throughout the training, participants will gain practical skills to support web assets with a flexible, secure, and manageable web server, while also learning how to secure web applications and support other Microsoft services that rely on IIS—such as Exchange and SharePoint.

By the end of the course, participants will have acquired essential knowledge and competencies in identifying common web attack techniques, implementing appropriate countermeasures, applying hardening strategies, and securing IIS environments through comprehensive hardening practices.

The training is conducted online from 10:00 AM to 5:00 PM, scheduled on weekdays or weekends, and is completed over 2 days. Upon completion, participants receive a wet-signed Privia Security Certificate of Participation.

Training Content

1. Day

Fundamentals of Web Hacking Techniques

Web Hacking Techniques
- XSS (Cross-Site Scripting)
- SQL Injection
- CSRF (Cross-Site Request Forgery)
- File Inclusion
- RFI (Remote File Inclusion)
- LFI (Local File Inclusion)
- Command Execution
- Brute Force Attacks
- Web Shell – Backconnect Access
Windows & IIS Server Hardening Checklist
- General Security Practices
- Physical Security
- Basic Operating System Security
- IIS Installation Recommendations
- Configuration Security
- File System Permissions and Structure
- Machine.Config Security
- Debug Settings
- Trace Settings
- ISAPI Filters
- WebDAV Configuration and Security
- Application Pools
- Connections and Connection Restrictions

2. Day

Rights and Permissions

IIS Service Rights and Permissions
- Understanding Service-Level Privileges
- Managing IIS Process Identities and Permissions
Custom Error Pages and Their Importance
- Creating and Configuring Secure Error Pages
- Preventing Information Disclosure Through Error Responses
HTTP Header Information
- Configuring Secure HTTP Headers
  - X-Frame-Options
  - X-Content-Type-Options
  - Strict-Transport-Security
  - Content-Security-Policy
URL Rewrite
- Implementing Rewrite Rules for Security and Functionality
Upload Directory Permissions
- Managing Access Controls for File Upload Paths
Web Requests Management
- Defining Allowed Request Types
- Blocking Malicious or Unnecessary Requests
Directory Browsing
- Disabling Directory Listing to Prevent Reconnaissance
Secure Code Hosting
- Hosting Secure and Trusted Applications
User Accounts and Privileges
- Configuring Least Privilege for Service Accounts
- Managing Administrator Accounts
- Integration in Domain Environments
- Password Policies and Security
Unauthorized Access and Logging
- Monitoring and Logging Access Attempts
- Implementing Robust Access Controls
Directory Security
- Virtual Directories
  - Configuring Access Rights
- Local Directories
  - Managing Permissions
- Administrative Directories
  - Restricting Access and Enhancing Monitoring
Logging Practices
- W3C Extended Logging Configuration
- Log Archiving and Backup Strategies
Security Implementations
- Applying Security Best Practices and Tools Across the IIS Environment
- Regular Reviews, Updates, and Patch Management