Showing posts with label IIS. Show all posts

Tuesday, February 9, 2021

IIS Logs


To find out the IIS logs location of a site:

1. Open IIS Manager;

2. Click the Web Site;

3. Find the Logging icon and double click it;

4. Find the location of the logs in the Directory text box.

 

If you are using the IIS Express that ships with Visual Studio, its logs are located at %userprofile%\Documents\IISExpress\Logs


In C#, to add information to the IIS logs, use:

    Response.AppendToLog("your debug info");

or

    System.Web.HttpContext.Current.Response.AppendToLog("your debug info");

 


Friday, January 29, 2021

IIS Configuration: To reject an HTTP request with certain headers


For security, we want to reject HTTP requests that carry certain headers, such as X-HTTP-Method, X-HTTP-Method-Override, and X-Method-Override. One trick is to set their size limits to 0 in web.config:

<system.webServer>
   <security>
      <requestFiltering>
         <requestLimits>
            <headerLimits>
               <add header="X-HTTP-Method" sizeLimit="0" />
               <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
               <add header="X-Method-Override" sizeLimit="0" />
            </headerLimits>
         </requestLimits>
      </requestFiltering>
   </security>
</system.webServer>

IIS will return a default 404 page if a request contains any of these headers.

Sometimes you may not want to handle the 404 error in your application. Then you can add the <httpErrors> element:

<system.webServer>
   <security>
      <requestFiltering>
         <requestLimits>
            <headerLimits>
               <add header="X-HTTP-Method" sizeLimit="0" />
               <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
               <add header="X-Method-Override" sizeLimit="0" />
            </headerLimits>
         </requestLimits>
      </requestFiltering>
   </security>
   <httpErrors existingResponse="PassThrough" />
</system.webServer>
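
To confirm from the IIS logs that the filter is firing, look for status 404 with sub-status 10 ("Request header too long"), which is what request filtering records when a headerLimits entry is exceeded. The following Python sketch is an added example, not part of the original post; the log lines are constructed, and it assumes the site logs sc-status and sc-substatus in W3C format:

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-01-29 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2021-01-29 10:00:01 203.0.113.7 POST /api/items 404 10 0
2021-01-29 10:00:02 198.51.100.4 GET /index.html 200 0 0
2021-01-29 10:00:05 203.0.113.7 POST /api/items/5 404 10 0
2021-01-29 10:00:09 198.51.100.4 GET /missing.html 404 0 2
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2021-01-29 11:00:00 POST /api/items 192.0.2.55 404 10
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # columns can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def header_limit_rejections(text):
    """Count requests per client IP that request filtering refused as 404.10."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "404" and row.get("sc-substatus") == "10":
            hits[row.get("c-ip", "-")] += 1
    return hits

if __name__ == "__main__":
    for ip, count in header_limit_rejections(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) rejected with 404.10")
```

The default W3C fields do not record which header triggered the rejection, so the count tells you who is sending oversized or blocked headers, not which one.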


Friday, November 1, 2019

IIS web application to reject HTTP requests without a Host header


Step 1:

Download and install the URL Rewrite module (https://www.iis.net/downloads/microsoft/url-rewrite).

Step 2:

Add the rewrite rule in the web.config for the web application:

<system.webServer>
......
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions>
                    <add input="{HTTP_HOST}" pattern="*.*" negate="true" />
                </conditions>
                <action type="AbortRequest" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

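Now, any HTTP request without a "Host:..." header will get a connection reset. Because the pattern is *.*, a Host value that contains no dot (for example localhost) is aborted as well.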

Wednesday, October 30, 2019

To prevent IIS from showing IP in the Location header of HTTP response


Change web.config of the application to add a hostname to be shown in the Location header:

<system.webServer>
......
    <serverRuntime alternateHostName="myserver" />
......
</system.webServer>

This change may trigger an authentication error complaining about the locked section in the configuration. To fix it, run the command:
> %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/serverRuntime

It unlocks the section system.webServer/serverRuntime at configuration path "MACHINE/WEBROOT/APPHOST". What it actually does is change the following file
        C:\Windows\System32\inetsrv\config\applicationHost.config
by adding
        <serverRuntime />
to the "Allow" sections:
<location path="" overrideMode="Allow">
    <system.webServer>
    ......
        <serverRuntime />
    </system.webServer>
</location>

However, "myserver" is only returned in the Location header when the request does not contain the Host header. If the request headers include the Host, the value of the Host header will be returned in the Location header.

Friday, April 19, 2019

IIS Web Server: where are the IIS logs of the web site


IIS logs the requests to your web site. To find out where those logs are:
  1. Start the IIS Manager.
  2. On the left side of the IIS Manager, under the Connections section, expand the Sites folder.
  3. Find your web site and click on it.
  4. Find the Logging icon in the center panel. Double click on it.
  5. On the Logging page, find the location of the logging directory in the Directory box.

Thursday, March 28, 2019

Encrypt connection string in web.config with aspnet_regiis.exe


In the web.config file of an ASP.NET application, the connection strings may contain a user name and password that you do not want stored in readable form. The ASP.NET IIS Registration Tool (aspnet_regiis.exe) is a simple way of encrypting them, or even the whole <appSettings> section of a web.config.

To encrypt the appSettings section of a web.config file, go to where web.config is located and run the command:
aspnet_regiis -pef "appSettings" . -prov "DataProtectionConfigurationProvider"

To decrypt an encrypted appSettings section of a web.config file, go to where web.config is located and run the command:
aspnet_regiis -pdf "appSettings" .

The encryption should be done on the same machine where the web site is being served. If web.config is encrypted on a development machine and later uploaded to the production machine, the production machine won't be able to decrypt the encrypted section in web.config, because the encryption keys are specific to the development machine.
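
To check before deployment which sections are actually protected, the Python sketch below reports whether appSettings and connectionStrings are encrypted and which connection strings still carry a password in clear text. It is an added example, not part of the original post; the web.config content and its names are constructed, and it assumes an encrypted section carries a configProtectionProvider attribute and an EncryptedData child, which is the form aspnet_regiis writes:

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config: appSettings already encrypted, connectionStrings not.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db1;Database=app;User Id=svc;Password=PLACEHOLDER;" />
    <add name="Reports" connectionString="Server=db1;Database=rpt;Integrated Security=true;" />
  </connectionStrings>
</configuration>
"""

# Matches a "Password=" or "Pwd=" key inside a connection string.
SECRET_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)

def section_state(root, name):
    """Return 'missing', 'encrypted' or 'plaintext' for a top-level section."""
    section = root.find(name)
    if section is None:
        return "missing"
    protected = section.get("configProtectionProvider") is not None
    # Compare local names so a namespaced EncryptedData element also counts.
    has_blob = any(child.tag.split("}")[-1] == "EncryptedData" for child in section)
    return "encrypted" if protected and has_blob else "plaintext"

def audit(config_text):
    """Report section states and the connection strings that embed a password."""
    root = ET.fromstring(config_text)
    report = {name: section_state(root, name)
              for name in ("appSettings", "connectionStrings")}
    report["exposed"] = [
        add.get("name") for add in root.iterfind("connectionStrings/add")
        if SECRET_KEY.search(add.get("connectionString", ""))
    ]
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```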
 