Windows Server 2025 keeps the same IIS 10.0 core but tightens several default behaviors around TLS and request filtering. Administrators still need explicit configuration to reach a hardened state suitable for hosting ASP.NET Core applications.

The fastest way to achieve consistent results across multiple servers is through PowerShell rather than the IIS Manager GUI. The commands below apply the settings that matter most for security and Active Directory integration.

#Disable Legacy Protocols and Weak Ciphers

Start by removing TLS 1.0 and 1.1 at the server level. The commands below drop two static-RSA CBC suites from the cipher-suite list and set the SCHANNEL protocol keys that disable TLS 1.0 and 1.1 for the server role. Two details matter: the protocol keys do not exist by default and must be created, and SCHANNEL (which terminates TLS for HTTP.sys, and therefore for IIS) reads them at boot, so the protocol change takes effect only after a reboot. Disable-TlsCipherSuite edits the local cipher-suite list; if a Group Policy "SSL Cipher Suite Order" is applied, the policy wins over that list.

```powershell
# Drop two static-RSA CBC suites (no forward secrecy) from the local cipher-suite list
'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA' | ForEach-Object { Disable-TlsCipherSuite -Name $_ }
# Disable TLS 1.0 and 1.1 for the server role; the keys are absent by default, and SCHANNEL reads them at boot
foreach ($key in 'TLS 1.0', 'TLS 1.1' | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$_\Server" }) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord; Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord }
```
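A read-back check, added here as an example and not part of the original page: it reports the SCHANNEL state for every protocol and role and lists the cipher suites still enabled that use static RSA key exchange or CBC mode. It only reads, so a host that still needs a CBC suite for an old client can see what it would lose before disabling it. If the report does not change after Disable-TlsCipherSuite, check for a Group Policy cipher-suite order, which overrides the local list. Function names are the author's own choice.

```powershell
# Added example (not from the original page): audit SCHANNEL protocol keys and the enabled cipher suites.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key or value means "OS default", which differs
    # between Windows builds, so the report says so rather than guessing a value.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $schannel "$proto\$role"
            $enabled = $disabledByDefault = 'default'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled)           { $enabled = [int]$props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = [int]$props.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol = $proto; Role = $role; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
        }
    }
}

function Get-WeakTlsCipherSuite {
    # Suites still offered that use static RSA key exchange (no forward secrecy) or CBC mode.
    # TLS_ECDHE_RSA_* suites do not match the first pattern; TLS 1.3 suites match neither.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -like 'TLS_RSA_*' -or $_.Name -like '*_CBC_*' } |
        Select-Object -ExpandProperty Name
}

Get-SchannelProtocolState | Format-Table -AutoSize
$weak = @(Get-WeakTlsCipherSuite)
if ($weak.Count -gt 0) {
    Write-Warning ("Cipher suites without forward secrecy or using CBC are still enabled:`n  " + ($weak -join "`n  "))
} else {
    'No static-RSA or CBC cipher suites remain enabled.'
}
```

Run it before the change to record the baseline and again after the reboot; the protocol rows should show Enabled 0 and DisabledByDefault 1 for TLS 1.0 and 1.1 under Server, while TLS 1.2 and 1.3 stay at the OS default.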

#Enforce Modern TLS and HSTS

TLS 1.3 is on by default in Windows Server 2025 (as in Server 2022), so nothing has to be enabled; leave TLS 1.2 available for clients that do not speak 1.3. Add HSTS through the site-level hsts element that IIS 10.0 version 1709 and later provide rather than through a customHeaders entry: a custom header is also emitted on plain-HTTP responses, which RFC 6797 forbids (clients ignore it there and scanners flag it), while the native element sends the header only over HTTPS and can redirect HTTP to HTTPS itself. Use the IISAdministration module to apply it to every site.

```powershell
Import-Module IISAdministration
Start-IISCommitDelay   # batch the edits into one applicationHost.config write
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
foreach ($site in $sites) {   # the site-level <hsts> element exists in IIS 10.0 version 1709 and later
    $hsts = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
    @{ enabled = $true; 'max-age' = 31536000; includeSubDomains = $true; redirectHttpToHttps = $true }.GetEnumerator() |
        ForEach-Object { Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName $_.Key -AttributeValue $_.Value } }
Stop-IISCommitDelay
```
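An audit of the result, added here as an example and not code from the original page: for each site it reads the bindings and the hsts element through the IISAdministration object model and reports the cases that matter (an https binding without HSTS, a max-age under one year, or an http binding left without the redirect). It assumes IIS 10.0 version 1709 or later, so that the hsts element exists on every site; the function name is the author's own.

```powershell
# Added example (not from the original page): per-site HSTS and binding audit.
Import-Module IISAdministration

function Get-IISHstsReport {
    foreach ($site in Get-IISSite) {
        $protocols = @($site.Bindings | ForEach-Object { $_.Protocol })
        $hsts = $site.GetChildElement('hsts')   # site-level element, IIS 10.0 1709+
        $report = [pscustomobject]@{
            Site                = $site.Name
            HasHttps            = $protocols -contains 'https'
            HasHttp             = $protocols -contains 'http'
            HstsEnabled         = [bool]$hsts.GetAttributeValue('enabled')
            MaxAge              = [int64]$hsts.GetAttributeValue('max-age')
            IncludeSubDomains   = [bool]$hsts.GetAttributeValue('includeSubDomains')
            RedirectHttpToHttps = [bool]$hsts.GetAttributeValue('redirectHttpToHttps')
            Finding             = $null
        }
        $problems = @()
        # HSTS is only ever sent over HTTPS, so a site with no https binding cannot benefit from it.
        if (-not $report.HasHttps) { $problems += 'no https binding: HSTS cannot take effect' }
        if ($report.HasHttps -and -not $report.HstsEnabled) { $problems += 'hsts disabled' }
        if ($report.HstsEnabled -and $report.MaxAge -lt 31536000) { $problems += 'max-age below one year' }
        if ($report.HasHttp -and -not $report.RedirectHttpToHttps) { $problems += 'http binding without redirectHttpToHttps' }
        $report.Finding = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'ok' }
        $report
    }
}

Get-IISHstsReport | Format-Table -AutoSize
```

A site that reports "no https binding" needs a certificate binding before HSTS is worth configuring; a site that keeps an http binding only for redirection should show RedirectHttpToHttps as True.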

#Integrate with Active Directory Application Pools

Run application pools under domain service accounts instead of the default ApplicationPoolIdentity. ApplicationPoolIdentity is a local virtual account that presents the computer account on the network, so every pool on the host looks the same to domain controllers and file servers, and Kerberos only works against the machine's own SPNs. A dedicated domain account per application gives each pool its own Kerberos identity (register the HTTP/<fqdn> SPN on that account) and its own principal in domain audit logs. Prefer a group managed service account (gMSA): IIS accepts one as a pool identity (user name DOMAIN\name$, empty password) and the domain controllers rotate its password, so no credential has to be stored on the web server. One caveat: with a custom pool identity, kernel-mode Windows authentication must be told to use the pool credentials (useAppPoolCredentials) or it keeps decrypting tickets with the machine account and Kerberos fails.

  • Create a dedicated OU for hosting service accounts
  • Grant the accounts minimal rights on content folders only: read and execute on the site root, write only on the specific folders the application must write to
  • Set the pool identity through the IISAdministration object model (Get-IISAppPool, then ProcessModel.IdentityType = 'SpecificUser' with UserName and Password, and commit); there is no Set-IISAppPool cmdlet, and each application should get its own pool rather than reusing DefaultAppPool
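The three steps above carried through end to end, as an added example that is not from the original page. It uses a gMSA rather than a password-bearing account, registers the HTTP SPNs on it, grants read-and-execute on the content folder, binds the pool identity, and sets useAppPoolCredentials so Kerberos tickets for the site validate. Everything named is an assumption: domain CORP (corp.example), OU "Web Service Accounts", account svc-orders, web server WEB01, site "Orders" with content in D:\Sites\Orders, pool "OrdersPool". Part 1 needs rights to create objects in the domain; Part 2 runs on the web server, which needs the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original page): gMSA-backed application pool, directory side then host side.
Import-Module ActiveDirectory

# ---- Part 1: directory side, run once per application with rights to create objects in the domain ----
$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Web Service Accounts'
$ouDn     = "OU=$ouName,$domainDn"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(name=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
# Prerequisite not repeated here: a KDS root key must already exist in the forest (Add-KdsRootKey, once).
# Only WEB01's computer account may retrieve the managed password. The HTTP SPNs live on the gMSA,
# which is what lets clients obtain Kerberos tickets for the site once the pool runs as this account.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'svc-orders'")) {
    New-ADServiceAccount -Name 'svc-orders' -DNSHostName 'svc-orders.corp.example' -Path $ouDn `
        -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
        -ServicePrincipalNames 'HTTP/orders.corp.example', 'HTTP/orders' `
        -Description 'gMSA for the Orders application pool on WEB01'
}

# ---- Part 2: web server side (WEB01), run as local administrator after AD replication ----
Install-ADServiceAccount -Identity 'svc-orders'
if (-not (Test-ADServiceAccount -Identity 'svc-orders')) {
    throw 'WEB01 cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword and replication'
}

# Least privilege on content: read and execute on the site root, inherited to subfolders and files.
# Write access, where an application needs it, is granted on that specific folder, not here.
& icacls 'D:\Sites\Orders' /grant 'CORP\svc-orders$:(OI)(CI)RX' | Out-Null

Import-Module IISAdministration
$mgr  = Get-IISServerManager
$pool = $mgr.ApplicationPools['OrdersPool']
if (-not $pool) { $pool = $mgr.ApplicationPools.Add('OrdersPool') }
$pool.ProcessModel.IdentityType = 'SpecificUser'
$pool.ProcessModel.UserName     = 'CORP\svc-orders$'   # trailing $ marks the gMSA
$pool.ProcessModel.Password     = ''                   # IIS retrieves the managed password itself

# Point the site's root application at the pool, if the site already exists.
$site = $mgr.Sites['Orders']
if ($site) { $site.Applications['/'].ApplicationPoolName = 'OrdersPool' }

# Kernel-mode Windows authentication decrypts tickets with the machine account by default. The SPN
# is on the gMSA, so the site must validate tickets with the pool credentials or Kerberos fails.
$winAuth = $mgr.GetApplicationHostConfiguration().GetSection(
    'system.webServer/security/authentication/windowsAuthentication', 'Orders')
$winAuth.SetAttributeValue('useAppPoolCredentials', $true)
$mgr.CommitChanges()
```

If PrincipalsAllowedToRetrieveManagedPassword is later changed to a group instead of the computer account, the web server has to be rebooted so its Kerberos ticket carries the new group membership before Test-ADServiceAccount succeeds.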

#Request Filtering and Logging Adjustments

Set maxAllowedContentLength deliberately rather than simply raising it: the server default is already 30,000,000 bytes, so lower it for sites that accept no uploads and raise it only where an application needs larger bodies. Enable failed-request tracing to diagnose 403 and 404 responses; it is a per-site switch plus a trace rule rather than a single cmdlet, and it is separate from the server's W3C request logging.

```powershell
# 30000000 bytes is already the IIS default for maxAllowedContentLength; set it to what the application needs
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxAllowedContentLength -Value 30000000
# Failed-request tracing is a per-site switch (plus trace rules), not a cmdlet; this turns it on for the Default Web Site
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.applicationHost/sites/site[@name='Default Web Site']/traceFailedRequestsLogging" -Name enabled -Value $true
```
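The request-filtering settings that actually harden the server, together with a failed-request trace rule for 403 and 404 and centralized W3C logging, as an added example that is not from the original page. It goes beyond the single limit above: it hides the Server header, rejects double-encoded and raw high-bit URLs, caps body, URL and query-string size, switches verbs to an allow-list and denies backup and source extensions. The verb list, the extension list, the 4 MB cap and the site name "Default Web Site" are assumptions to adjust per application (OPTIONS is needed for CORS preflight, PUT and DELETE for REST APIs). It uses the WebAdministration module and is idempotent, so it can run on every provisioning pass.

```powershell
# Added example (not from the original page): server-wide request filtering, FRT rule and central logging.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'
$rf      = 'system.webServer/security/requestFiltering'

# Hide the Server header (IIS 10.0 1709+), reject double-encoded paths and raw high-bit characters
# (percent-encoded UTF-8 still passes).
Set-WebConfigurationProperty -PSPath $apphost -Filter $rf -Name removeServerHeader     -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Filter $rf -Name allowDoubleEscaping    -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Filter $rf -Name allowHighBitCharacters -Value $false

# Tighten the body cap from the 30 MB default and bound URL and query-string length.
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 4MB
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rf/requestLimits" -Name maxUrl                  -Value 2048
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rf/requestLimits" -Name maxQueryString          -Value 1024

# Verb allow-list: deny everything not listed, then list only what the application needs.
Set-WebConfigurationProperty -PSPath $apphost -Filter "$rf/verbs" -Name allowUnlisted -Value $false
$listed = @((Get-WebConfigurationProperty -PSPath $apphost -Filter "$rf/verbs" -Name Collection).verb)
foreach ($verb in 'GET', 'HEAD', 'POST') {
    if ($listed -notcontains $verb) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter "$rf/verbs" -Name '.' -Value @{ verb = $verb; allowed = $true }
    }
}

# Deny backup and source artefacts that sometimes land in content folders (.config and friends are denied by default).
$denied = @((Get-WebConfigurationProperty -PSPath $apphost -Filter "$rf/fileExtensions" -Name Collection).fileExtension)
foreach ($ext in '.bak', '.old', '.orig', '.sql', '.ps1') {
    if ($denied -notcontains $ext) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# Failed-request tracing: the per-site switch, then a rule capturing 403/404 for every URL of that site.
$site = 'Default Web Site'
Set-WebConfigurationProperty -PSPath $apphost -Filter "system.applicationHost/sites/site[@name='$site']/traceFailedRequestsLogging" -Name enabled -Value $true
$tracing = 'system.webServer/tracing/traceFailedRequests'
$rules = @((Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $tracing -Name Collection).path)
if ($rules -notcontains '*') {
    Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $tracing -Name '.' -Value @{ path = '*' }
    Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$tracing/add[@path='*']/traceAreas" -Name '.' `
        -Value @{ provider = 'WWW Server'; areas = 'Authentication,Security,Filter,StaticFile,Module,Rewrite'; verbosity = 'Verbose' }
    Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$tracing/add[@path='*']/failureDefinitions" -Name statusCodes -Value '403,404'
}

# One W3C log per server instead of one per site, which is easier to ship to a SIEM.
Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.applicationHost/log' -Name centralLogFileMode -Value 'CentralW3C'
```

Trace files land under the site's traceFailedRequestsLogging directory (by default %SystemDrive%\inetpub\logs\FailedReqLogFiles) and can fill a disk on a busy site, so leave the rule enabled only while diagnosing.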

Apply these scripts during server provisioning or from a Group Policy scheduled task, then reboot once so the SCHANNEL protocol changes take effect. The result is a repeatable, auditable IIS configuration that aligns with current Windows Server 2025 security baselines.