Simple web.config changes that address the most common IIS penetration test findings — and take less than 30 minutes to implement.
When a security scanner or penetration tester hits a default IIS server, it finds plenty to report. Not because the server is compromised, but because IIS ships with configuration that broadcasts what it is, which version it runs, and which application stack sits behind it. That fingerprint lets an attacker skip straight to the CVEs and default weaknesses that apply to your exact versions.
The changes below remove those signals and add one protective header. The three header removals have no effect on application behaviour; the HSTS rule changes how browsers treat your whole domain, so read its caveats before copying it. All of them improve your security posture and your pentest score.
These rules go in the <outboundRules> element under <system.webServer><rewrite> in your application's web.config.
By default IIS sends a Server response header such as Server: Microsoft-IIS/10.0, naming the web server and its major version, which tells an attacker exactly which CVEs to try. The rule below matches the header on every response and rewrites it to an empty value. On IIS 10.0 and later, <requestFiltering removeServerHeader="true" /> under <security> does the same without URL Rewrite, but that attribute is unrecognised on older versions and breaks the site with a configuration error, so the rewrite rule is the portable choice. Note that error responses generated by HTTP.sys itself, for example to a malformed request that never reaches the IIS pipeline, bypass both methods and still carry a Server header, so a scanner may keep reporting it on those.
<rule name="outbound-rule-1">
  <!-- Blank the Server header on every response -->
  <match serverVariable="RESPONSE_SERVER" pattern=".*" />
  <action type="Rewrite" />
</rule>
The X-Powered-By: ASP.NET header does not come from your application; it is a static custom header that applicationHost.config declares in <httpProtocol><customHeaders>, so IIS adds it to every response whether or not the request touched ASP.NET. Together with the Server header it gives an attacker the full picture of the stack. Strip it (the equivalent without URL Rewrite is <remove name="X-Powered-By" /> inside your web.config's own <customHeaders> element):
<rule name="outbound-rule-2">
  <!-- Blank the X-Powered-By header on every response -->
  <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
  <action type="Rewrite" />
</rule>
The X-AspNet-Version header (typically X-AspNet-Version: 4.0.30319) is added by ASP.NET itself and exposes the exact framework version your application runs on. Remove it the same way; because it originates in ASP.NET rather than IIS, <httpRuntime enableVersionHeader="false" /> in <system.web> also stops it at the source. MVC applications add a further X-AspNetMvc-Version header, which an outbound rule of the same shape, or MvcHandler.DisableMvcResponseHeader = true in Application_Start, removes.
<rule name="outbound-rule-3">
  <!-- Blank the X-AspNet-Version header on every response -->
  <match serverVariable="RESPONSE_X-ASPNET-VERSION" pattern=".*" />
  <action type="Rewrite" />
</rule>
HTTP Strict Transport Security (HSTS) tells a browser that has seen the header to use HTTPS for every later request to the host for max-age seconds, including requests the user types as plain http://. Without it, each visit starts with a plain-HTTP request that a man-in-the-middle can intercept and keep on HTTP before your redirect ever reaches the client; with it, that window exists only on the very first visit, and the preload directive closes even that once the domain is in the browsers' built-in preload list. Two caveats before copying the rule. First, browsers ignore the header on plain-HTTP responses (RFC 6797), which is why the rule sets it only when {HTTPS} is on. Second, includeSubDomains extends the policy to every subdomain, and preload is a request to be hard-coded into browsers that takes effect only after you submit the domain at hstspreload.org and is slow to undo; keep both only if every host under the domain serves HTTPS, and otherwise start with max-age alone. Add the header to HTTPS responses:
<rule name="Add STS header in HTTPS responses">
  <match serverVariable="RESPONSE_Strict-Transport-Security" pattern=".*" />
  <conditions>
    <!-- Only set HSTS on TLS responses; browsers ignore it over plain HTTP -->
    <add input="{HTTPS}" pattern="on" />
  </conditions>
  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
IIS 10.0 version 1709 and later also support HSTS natively through an <hsts> element on the site in applicationHost.config, which can additionally redirect HTTP to HTTPS; the outbound rule works on any IIS version that has URL Rewrite.
All four rules go in one <outboundRules> element inside <rewrite> under <system.webServer>. Outbound rules are a feature of the URL Rewrite module, which is a separate download rather than part of a default IIS install; if it is missing, IIS does not recognise the <rewrite> section and the site fails with a configuration error instead of silently serving the headers. After deploying, verify from outside the server, for example with curl -sI https://your-host/ and curl -sI http://your-host/, that Server, X-Powered-By and X-AspNet-Version are gone and that Strict-Transport-Security appears on the HTTPS response and not on the HTTP one.
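Here is the complete web.config with the four rules assembled in their surrounding elements. This is an added example built from the rules above, not a file from the original article. It also includes the URL-Rewrite-free equivalents for the three fingerprint headers (httpRuntime enableVersionHeader, a customHeaders remove, and IIS 10's removeServerHeader); those are additions here, marked as such in the comments, and you can delete them if you want the rules alone. It assumes an ASP.NET (Framework) application with no existing httpRuntime or rewrite elements to merge with.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Addition: stops ASP.NET emitting X-AspNet-Version at the source.
         Merge with your existing httpRuntime element if you already have one. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Addition: X-Powered-By: ASP.NET is a static header inherited from
             applicationHost.config; removing it here keeps it off every response. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Addition, IIS 10.0 and later only: older versions reject the attribute
           with a 500.19 configuration error, so delete this element on IIS 8.5 or earlier. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <rewrite>
      <outboundRules>
        <!-- The four rules from the article. They need the URL Rewrite module and
             run on every response IIS generates, including error pages. -->
        <rule name="outbound-rule-1">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" />
        </rule>
        <rule name="outbound-rule-2">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
          <action type="Rewrite" />
        </rule>
        <rule name="outbound-rule-3">
          <match serverVariable="RESPONSE_X-ASPNET-VERSION" pattern=".*" />
          <action type="Rewrite" />
        </rule>
        <rule name="Add STS header in HTTPS responses">
          <match serverVariable="RESPONSE_Strict-Transport-Security" pattern=".*" />
          <conditions>
            <!-- Browsers ignore HSTS on plain HTTP, so only set it on TLS responses -->
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <!-- Drop "preload" (and includeSubDomains if needed) until every host under the
               domain serves HTTPS and you intend to submit it to the preload list -->
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The built-in settings and the outbound rules are deliberately redundant: the settings stop the headers being produced, and the rules catch anything that still reaches the response, such as a header added by a module you do not control. If you are on IIS 8.5 or earlier, remove the requestFiltering element and rely on outbound-rule-1 for the Server header.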
These four changes are a minimal baseline for IIS hygiene, not a hardening guide. They will not make the server impenetrable, but three of them remove the cheapest fingerprinting signals a scanner or attacker picks up and the fourth closes the HTTP-to-HTTPS downgrade window, and they come up on nearly every IIS pentest report we have seen.