IRONSMITHINTEL
HIGH
Auth: n/a | Reboot: not required | Est. 30–60 minutes | Manual only

IIS Security Updates Require Both Windows Update and Manual Configuration Review

IIS receives security updates through Windows cumulative updates, but many IIS vulnerabilities are configuration-based and not resolved by patches alone — both patching and configuration hardening are required.

Published May 7, 2026
Why patch: risk explained in plain English
Worst-case scenario if unpatched

Attackers targeting IIS can exploit unpatched vulnerabilities for remote code execution, authentication bypass, or directory traversal, or exploit configuration weaknesses like directory listing, HTTP TRACE, or old TLS versions to gather information and escalate access.

How the attack works

Microsoft IIS is a web server bundled with Windows Server and used by ASP.NET applications, internal web portals, and legacy Line-of-Business applications. IIS security vulnerabilities fall into two categories: those patched by Windows cumulative updates, and configuration weaknesses that must be addressed manually. Servers running IIS that are behind on patches or using default configurations are commonly exploited.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers with IIS installed
Internal web servers
Application servers running ASP.NET
Running IIS on any unpatched or default-configured Windows Server

Affected OS versions

Windows Server 2016
Windows Server 2019
Windows Server 2022
Fixed in: latest Windows cumulative update + IIS hardening
Real-world incidents: what we've seen

Many organisations run IIS for internal intranet sites or legacy applications and apply less scrutiny to these than internet-facing services. Internal IIS servers with default configurations are common lateral movement targets after an attacker gains initial network access.

How to patch

Manual remediation steps

30–60 minutes

Step 1 — Check IIS Installation and Version

# Confirm the Web Server (IIS) role is installed (Get-WindowsFeature comes from the ServerManager module shipped with Windows Server)
Get-WindowsFeature Web-Server | Select-Object Name, InstallState
# Report the installed IIS version string from the InetStp registry key
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').VersionString

Step 2 — Apply Windows Updates (Patches IIS)

Apply the latest Windows cumulative update via Windows Update or WSUS.

Step 3 — IIS Configuration Hardening

# Load the IIS provider (supplies the IIS:\ drive and the *-WebConfigurationProperty cmdlets)
Import-Module WebAdministration

# Check for directory listing at the server level (should be disabled); the boolean is in the .Value property
(Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/directoryBrowse' -Name enabled).Value

# Disable directory browsing server-wide (individual sites can still override this in their own web.config, so check those too)
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# List the custom response headers (IIS sends X-Powered-By: ASP.NET by default)
Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' |
    Select-Object -ExpandProperty Collection
# Remove the X-Powered-By header (information disclosure)
Remove-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' -AtElement @{name='X-Powered-By'}

Step 4 — TLS Configuration

# Check TLS versions: SSLv3 and TLS 1.0 should be disabled. The Protocols key itself holds no values;
# each protocol's state is the Enabled/DisabledByDefault DWORDs in its Server subkey (absent = OS default applies), so enumerate the subkeys.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object @{n='Key';e={$_.PSPath -replace '.*Protocols\\',''}}, Enabled, DisabledByDefault }
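As an added example (not IronsmithIntel's script, and not the automation the page says is coming), a read-only audit that combines the Step 3 and Step 4 checks, covers every site rather than only the server default, adds the HTTP TRACE check from the risk section, and reads the per-protocol SCHANNEL Server subkeys rather than the Protocols key itself. It assumes the WebAdministration module and an elevated local session; the function name Test-IisHardening is made up for this example.

```powershell
# Added example, not IronsmithIntel's script: read-only audit of the weaknesses this entry names.
# Assumes the WebAdministration module (Windows Server 2016+) and an elevated local PowerShell session.
Import-Module WebAdministration -ErrorAction Stop

function Test-IisHardening {   # hypothetical function name
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Directory browsing: server default plus every site, since a site can override the default.
    $root = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/directoryBrowse' -Name enabled
    if ($root.Value) { $findings.Add('Directory browsing enabled at server level') }
    foreach ($site in Get-Website) {
        $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" -Filter 'system.webServer/directoryBrowse' -Name enabled
        if ($v.Value) { $findings.Add("Directory browsing enabled on site '$($site.Name)'") }
    }

    # 2. X-Powered-By is a custom header IIS sends by default (information disclosure).
    $headers = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' |
        Select-Object -ExpandProperty Collection
    if ($headers | Where-Object { $_.name -eq 'X-Powered-By' }) { $findings.Add('X-Powered-By header still sent') }

    # 3. HTTP TRACE: reported as a finding unless request filtering explicitly denies the verb.
    $verbs = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/security/requestFiltering/verbs' -Name '.' |
        Select-Object -ExpandProperty Collection
    if (-not ($verbs | Where-Object { $_.verb -eq 'TRACE' -and -not $_.allowed })) {
        $findings.Add('HTTP TRACE verb not denied in request filtering')
    }

    # 4. Legacy SCHANNEL protocols. The state lives in each protocol's Server subkey, not on the
    #    Protocols key itself; a missing key or value means the OS default applies, so flag it.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        $p = Get-ItemProperty -Path (Join-Path $base "$proto\Server") -ErrorAction SilentlyContinue
        if ($null -eq $p -or $p.Enabled -ne 0) { $findings.Add("$proto not explicitly disabled for the server side") }
    }
    return $findings
}

$result = @(Test-IisHardening)
if ($result.Count -eq 0) { 'No findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

The script changes nothing; apply the Step 3 commands and the SCHANNEL registry changes separately, then re-run it to confirm the findings list is empty.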

Verification

# Confirm the IIS services are running (iisreset /status reports service state only; re-run the Step 3 and Step 4 checks to verify the configuration itself)
iisreset /status
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.