DX Unified Infrastructure Management

  • 1.  IIS hardening Rules for CA NFA Console

    Posted Oct 26, 2017 07:01 AM

    Our security team has flagged non-compliant rules for the NFA Console. The rules flagged are based on CIS IIS hardening principles. Below are the queries for each rule. Any explanation on why these rules don't work on the NFA Console?

    Disallow Unlisted File Extensions

    Which file extensions are required for NFA Console ?

    Configure Global .NET Trust Level

    Harvester & Console Errors seen on System Status Page

    Disallow non-ASCII Characters in URLs  

    Harvester & Console Errors seen on System Status Page

    Disable HTTP Trace Method

    Harvester & Console Errors seen on System Status Page


    Apart from this, I have tested the below CIS IIS hardening rules and they work fine without any errors:


    Configure Anonymous User Identity to Use Application Pool Identity

    Disable the SSL 2.0 protocol on SP2 and R2

    Enable the TLS 1.2 protocol on R2

    Enable AES 256/256

    Configure Forms Authentication to Use Cookies 

    Set Deployment Method to Retail 

    Turn Debug Off 

    Ensure Custom Error Messages are not Off 

    Ensure Cookies Are Set With HttpOnly Attribute

    Enable Advanced IIS Logging

    ETW Logging


    --Orwin



  • 2.  Re: IIS hardening Rules for CA NFA Console

    Broadcom Employee
    Posted Oct 26, 2017 11:47 AM

    To answer one of the questions:

    Disallow Unlisted File Extensions

    Which file extensions are required for NFA Console?


    We require at least the following file extensions to function: asp, aspx, asa, asax, perhaps. Try at least these and see if it helps.




  • 3.  Re: IIS hardening Rules for CA NFA Console

    Posted Oct 27, 2017 10:05 AM

    Didn't help... the page shows only text.



  • 4.  Re: IIS hardening Rules for CA NFA Console

    Broadcom Employee
    Posted Oct 27, 2017 10:16 AM

    Might also need .xml, .config, .txt, .xsl, .csv, .js, .ini, .vbs, .bat. Just looking through the \CA\NFA\Reporter\ subdirectories, there are lots of different file types that IIS may call on.


    Unfortunately we don't document every single file extension that is required by IIS.



  • 5.  Re: IIS hardening Rules for CA NFA Console
    Best Answer

    Posted Oct 30, 2017 03:55 AM

    Below are the extensions added, and the NFA Console seems to work fine.
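    An added example, not from this thread or from CA/Broadcom, showing how to find which extensions IIS request filtering is actually blocking for the console rather than guessing from what is on disk: once "Disallow Unlisted File Extensions" is applied, every blocked request is logged with status 404 and sub-status 7, so the W3C log tells you exactly which extensions the pages request. The log lines and the site name are constructed placeholders.

```powershell
# Parse W3C log lines and count the extensions that request filtering
# rejected (sc-status 404, sc-substatus 7 = "file extension denied").
function Get-BlockedExtensions {
    param([string[]]$LogLines)
    $fields = $null
    $blocked = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Field names follow "#Fields:"; they define the column order.
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '404' -and $row['sc-substatus'] -eq '7') {
            $ext = [System.IO.Path]::GetExtension($row['cs-uri-stem']).ToLower()
            if ($ext) { $blocked[$ext] = $blocked[$ext] + 1 }
        }
    }
    return $blocked
}

# Constructed sample log (not real NFA traffic); in practice read the
# site's log with Get-Content, e.g. C:\inetpub\logs\LogFiles\W3SVC1\*.log.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-27 09:58:01 10.0.0.5 GET /Default.aspx - 80 - 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2017-10-27 09:58:02 10.0.0.5 GET /scripts/report.js - 80 - 10.0.0.20 Mozilla/5.0 - 404 7 0 3
2017-10-27 09:58:02 10.0.0.5 GET /styles/report.xsl - 80 - 10.0.0.20 Mozilla/5.0 - 404 7 0 2
2017-10-27 09:58:03 10.0.0.5 GET /data/export.csv - 80 - 10.0.0.20 Mozilla/5.0 - 404 7 0 2
2017-10-27 09:58:04 10.0.0.5 GET /images/missing.gif - 80 - 10.0.0.20 Mozilla/5.0 - 404 0 2 1
'@ -split "`r?`n"

$blocked = Get-BlockedExtensions -LogLines $sample
$blocked.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0}  blocked {1} time(s)' -f $_.Key, $_.Value
}

# Allow-list one extension found above for the site (placeholder site name):
# Add-WebConfigurationProperty -PSPath 'IIS:\Sites\NFA Console' `
#   -Filter 'system.webServer/security/requestFiltering/fileExtensions' `
#   -Name '.' -Value @{ fileExtension = '.js'; allowed = $true }
```

Only extensions that appear in client request URLs need to be allow-listed; server-side files such as .config and .asax are never fetched by the browser and are denied by IIS request filtering by default, so they can stay denied.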