
People say that it is good practice to delete the Default Web Site in IIS Manager. I think that is because it listens to any request no matter what host is in the HTTP headers.

I am looking for a more formal answer and to see what kinds of attacks a web server with the Default Web Site might be a victim of.

Jamo
  • My bad, it was a typo "formal". – Jamo Jan 26 '23 at 20:39
  • The sibling site is a more suitable place: https://security.stackexchange.com/ People can say too much about mysterious things without any good reasons, so if you try to confirm everything out there it is just a waste of time. Next time let them give you evidence when claiming something. – Lex Li Jan 26 '23 at 21:59
  • This has nothing to do with the Default Web Site; at least Microsoft has not declared that there is a security hole in the Default Web Site. You can consider strengthening its security through authentication. – samwu Jan 27 '23 at 08:13
  • @samwu, there are some posts where they say don't use the Default Web Site: https://social.msdn.microsoft.com/Forums/en-US/b9cf106e-5b1e-4bd5-803c-d298822abd87/how-to-disable-quot-microsoft-iis-default-installationwelcome-page-installedquot?forum=iis56general https://stackoverflow.com/questions/61791333/is-it-good-practice-to-delete-default-web-site-in-iis – Jamo Jan 27 '23 at 16:58
  • The link to the answer below has expired. In my understanding, the reason the questioner said that the default website is risky is that it has not been configured. If you enable authentication, the security of your website will be guaranteed. – samwu Jan 30 '23 at 09:51

1 Answer


Deleting or disabling the default website is a best practice, keeping your attack surface as small as possible. The benefits are debatable, but having your server respond on port 80 with "Microsoft IIS" tells the attacker what they are dealing with. An attacker could also fill log folders with bogus requests. This is especially problematic if you haven't moved your default log folder path off the C drive. In the end it all depends on your security requirements. In my industry we are required to have it disabled by our clients. And they audit!

Adam J
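The points raised in the question (a site with an empty host header answers any Host: value) and in the answer (remove or disable the site, move logs off C:, stop advertising "Microsoft-IIS") as one worked PowerShell script. This is an added example, not code from the question, the answer or Microsoft; it uses only the WebAdministration cmdlets and assumes Windows Server with IIS 10 or later, an elevated PowerShell session, and that the log path D:\IISLogs and the host name iis-host.example are placeholders you replace. The final verification step assumes PowerShell 7, which lets Invoke-WebRequest override the Host header.

```powershell
# Added example (not from the original question or answer).
# Audit catch-all bindings, remove the Default Web Site, move IIS logs off the
# system drive, and strip the server banner headers. Run elevated on the IIS host.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$logRoot  = 'D:\IISLogs'        # assumption: any non-system drive will do

# 1. List every site whose binding has an empty host header. bindingInformation
#    is "IP:port:hostheader"; an empty third field means the site answers any
#    Host: value (or none at all) that arrives on that IP and port.
Get-Website | ForEach-Object {
    $site = $_
    $site.bindings.Collection |
        Where-Object { ($_.bindingInformation -split ':')[2] -eq '' } |
        ForEach-Object {
            '{0} ({1}) is a catch-all on {2} {3}' -f $site.name, $site.state, $_.protocol, $_.bindingInformation
        }
}

# 2. Remove the default site. If a client or auditor only requires it disabled,
#    keep the Stop-Website and serverAutoStart lines and drop Remove-Website.
if (Get-Website -Name $siteName) {
    Stop-Website -Name $siteName -ErrorAction SilentlyContinue
    Set-ItemProperty "IIS:\Sites\$siteName" -Name serverAutoStart -Value $false
    Remove-Website -Name $siteName
}

# 3. Point the site-default log directory off C:\ so a flood of junk requests
#    fills a data volume rather than the system drive.
New-Item -ItemType Directory -Path $logRoot -Force | Out-Null
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/sites/siteDefaults/logFile' `
    -Name directory -Value $logRoot

# 4. Stop sending "Server: Microsoft-IIS/x.x" (removeServerHeader needs IIS 10)
#    and drop the X-Powered-By custom header if it is present.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name removeServerHeader -Value $true
Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# 5. Verify from another machine (assumes PowerShell 7 for the Host override).
#    Before the change a bogus Host header still gets the IIS welcome page and a
#    Server header; afterwards the request is refused unless some remaining site
#    also has a catch-all binding, which step 1 would have listed.
try {
    $r = Invoke-WebRequest -Uri 'http://iis-host.example/' `
        -Headers @{ Host = 'nosuchsite.invalid' } -UseBasicParsing
    'Status {0}; Server header: "{1}"' -f $r.StatusCode, $r.Headers['Server']
} catch {
    "Request refused or failed: $($_.Exception.Message)"
}
```

Run step 1 on its own first; it tells you whether the Default Web Site is the only catch-all or whether another site would simply inherit the role once it is gone. Step 4 hides the banner but not the behaviour, so treat it as a small gain on top of removing the site, not a substitute for it.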