Last Updated: February 2025
Overview
Internet Information Services (IIS) is Microsoft’s web server platform that hosts critical web applications, APIs, and services. Endpoint protection that inspects file writes and process activity can slow IIS and cause operational issues when it is not tuned for the workload. Microsoft does not publish a single comprehensive guide to IIS antivirus exclusions; the requirements depend on the applications hosted on the server.
This guide provides recommended exclusion configurations for CrowdStrike Falcon when protecting IIS servers, compiled from Microsoft’s application-specific guidelines and IIS best practices. It is a menu, not a checklist: start from the smallest set that resolves a measured problem.
⚠️ Important Security Notice: Every exclusion below reduces CrowdStrike Falcon’s visibility on the IIS server. An excluded directory is exactly where an attacker will stage a web shell or a malicious module, and an excluded process is one whose behaviour the sensor may no longer record. Treat each entry as an exception that needs a written justification, an owner and compensating controls, and evaluate it against your own applications and threat model before applying it.
Common Issues Without Proper Exclusions
Without appropriate exclusions, you may experience:
- Slow response times and timeouts
- Failed file uploads and downloads
- Application pool crashes and recycling
- Session state corruption
- Temporary file lock conflicts
- Log file access denied errors
- Compilation errors for ASP.NET applications
- SSL certificate loading failures
- Failed health checks and monitoring
- Web deploy and publishing failures
- Configuration file corruption
- Module loading errors
Supported IIS Versions
This guide applies to:
- IIS 10.0 (Windows Server 2022/2019/2016, Windows 10/11)
- IIS 8.5 (Windows Server 2012 R2)
- IIS 8.0 (Windows Server 2012)
- IIS 7.5 (Windows Server 2008 R2)
- IIS 7.0 (Windows Server 2008)
- IIS Express (Development environments)
Prerequisites
- CrowdStrike Falcon administrative access
- Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
- IIS Manager access
- Administrative access to the IIS server
- Understanding of hosted applications and their requirements
- List of all application pools and sites
- PowerShell administrative access
Step 1: Access CrowdStrike Falcon Console
- Open your browser and navigate to your Falcon Console:
- Primary: https://falcon.crowdstrike.com
- US-2: https://falcon.us-2.crowdstrike.com/
- (Contact your CrowdStrike administrator if unsure of your tenant location)
- Sign in using your admin credentials
- Navigate to Endpoint Security > Configure > Exclusions
Falcon has three exclusion types, and picking the wrong one is the most common mistake in these setups. Machine learning exclusions stop the sensor’s ML engine from detecting or quarantining files under a path but leave all other telemetry and behavioural detections intact; IOA exclusions suppress one specific behavioural detection; sensor visibility exclusions stop the sensor from monitoring files and processes under the path altogether, which is what most IIS performance complaints end up asking for and what turns the path into a blind spot. Enter every path below as a machine learning exclusion first, and escalate to a sensor visibility exclusion only for a path where profiling shows the sensor in the request path.
Step 2: Identify IIS Installation and Application Paths
Before configuring exclusions, identify all IIS-related paths:
# Get IIS installation directory
$iisPath = Join-Path $env:windir 'System32\inetsrv'
Write-Host "IIS Path: $iisPath"
# List all IIS sites and their physical paths (WebAdministration ships with IIS 7.5+;
# Get-IISSite and Get-IISAppPool belong to the separate IISAdministration module)
Import-Module WebAdministration
Get-Website | Select-Object Name, State, PhysicalPath
# Applications and virtual directories can live outside the site root, so list them too
Get-Website | ForEach-Object {
    $site = $_.Name
    Get-WebApplication -Site $site | Select-Object @{N='Site';E={$site}}, Path, PhysicalPath, ApplicationPool
    Get-WebVirtualDirectory -Site $site | Select-Object @{N='Site';E={$site}}, Path, PhysicalPath
}
# Get application pool information, including the identity each worker process runs as
Get-ChildItem IIS:\AppPools | Select-Object Name, State, ManagedRuntimeVersion, @{N='Identity';E={$_.processModel.identityType}}
# Get the default IIS log file directory (individual sites may override it)
(Get-WebConfigurationProperty -Filter system.applicationHost/sites/siteDefaults/logFile -Name directory).Value
# Get temporary ASP.NET files locations (one per framework version and bitness)
Get-ChildItem "$env:windir\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" -Directory -ErrorAction SilentlyContinue | Select-Object FullName
Step 3: Configure Core IIS Exclusions
Microsoft Defender Automatic Exclusions
Note: On Windows Server 2016 and later, Microsoft Defender automatically excludes a fixed set of Web Server role paths and processes when the role is installed. CrowdStrike does not inherit these exclusions, and nothing says it should: Microsoft’s list was written for a signature scanner, and two of its entries (the site root and the worker process) are precisely where web shells are planted and run.
The first five folder entries below are Microsoft’s automatic Web Server exclusions; the remaining three are additions found in many IIS hardening guides and carry more risk than the Microsoft set:
IIS System Directories
Add these folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files\*
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files\*
%SystemDrive%\inetpub\temp\ASP Compiled Templates\*
%SystemDrive%\inetpub\logs\*
%SystemDrive%\inetpub\wwwroot\*
%SystemRoot%\System32\inetsrv\*
%SystemRoot%\SysWOW64\inetsrv\*
%SystemDrive%\inetpub\history\*
Excluding %SystemRoot%\System32\inetsrv\* removes inspection of every IIS binary and native module on the server; a malicious native module dropped there loads into every worker process on the box, so if you take this exclusion, baseline the folder’s contents with file integrity monitoring. Falcon exclusions are entered as path globs rather than %VAR% strings, so resolve each variable to the path it takes on your servers (C:\Windows\..., C:\inetpub\...) before entering it.
Default Website Locations
%SystemDrive%\inetpub\wwwroot\*
%SystemDrive%\inetpub\ftproot\*
%SystemDrive%\inetpub\mailroot\*
IIS Configuration
%SystemRoot%\System32\inetsrv\config\*
%SystemRoot%\System32\inetsrv\MetaBack\*
%SystemRoot%\System32\inetsrv\History\*
PHP Support (if applicable)
For PHP installations, Microsoft’s automatic exclusion list names the CGI executable by its default install path. Substitute the path of the php-cgi.exe your FastCGI handler mapping actually points to (IIS Manager > Handler Mappings), and note that this is a process entry belonging with Step 6, not a folder exclusion:
%SystemDrive%\PHP5433\php-cgi.exe
Step 4: Configure ASP.NET Specific Exclusions
Temporary ASP.NET Files
These directories contain compiled assemblies and must be excluded:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\*
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\*
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\*
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*
ASP.NET Core Directories
For ASP.NET Core applications hosted behind the ASP.NET Core Module. Two of these entries are far broader than they look: %LOCALAPPDATA%\Temp\* cannot be expanded by a policy and, written out per user, covers every interactive user’s temp folder; %ProgramFiles%\dotnet\* is the shared runtime, so a DLL dropped there loads into every .NET process on the host. Scope the temp entry to the worker identity’s profile (Step 9) and, for the runtime, prefer leaving it scanned and excluding only the application’s own publish folder:
%TEMP%\ASP.NET\*
%LOCALAPPDATA%\Temp\*
%ProgramFiles%\dotnet\*
%ProgramFiles(x86)%\dotnet\*
Compilation Directories
The wildcard form covers every installed framework version in one pattern where the console accepts a wildcard mid-path. %SystemRoot%\Temp\* is shared with every service on the server and should be excluded only when a specific application is shown to depend on it:
%SystemDrive%\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\*
%SystemDrive%\Windows\Temp\*
Step 5: Configure Application-Specific Exclusions
SharePoint Applications
If hosting SharePoint sites:
%SystemDrive%\inetpub\wwwroot\wss\VirtualDirectories\*
%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\*
Exchange Web Services
For Exchange OWA and web services, follow Microsoft’s current Exchange Server antivirus exclusion list rather than this section alone. Microsoft has since removed several IIS-related items from that list, specifically the Temporary ASP.NET Files and System32\inetsrv folders and the w3wp.exe and PowerShell.exe processes, because web-shell attacks on Exchange used exactly those locations; do not carry the Step 3, Step 4 and Step 6 exclusions onto an Exchange server. The Exchange-specific folders (%ExchangeInstallPath% already ends in a backslash):
%ExchangeInstallPath%FrontEnd\HttpProxy\*
%ExchangeInstallPath%ClientAccess\*
%ExchangeInstallPath%FIP-FS\*
Custom Application Directories
Add exclusions for your specific applications:
[CustomPath]\YourApplication\*
[CustomPath]\App_Data\*
[CustomPath]\bin\*
[CustomPath]\temp\*
Step 6: Configure Process Exclusions
Core IIS Processes
Add these processes to CrowdStrike process exclusions only where profiling shows the sensor in the hot path. Be explicit about what is lost: a sensor visibility exclusion on an image path stops the sensor from monitoring what that process does.
%SystemRoot%\System32\inetsrv\w3wp.exe # IIS Worker Process (64-bit application pools)
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe # IIS Worker Process (32-bit application pools)
%SystemRoot%\System32\inetsrv\inetinfo.exe # IIS Admin Service (present only with IIS 6 Management Compatibility)
%SystemRoot%\System32\dllhost.exe # COM+ applications (shared host; exclude the specific COM+ application, never dllhost.exe as a whole)
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe # ASP.NET State Service (32-bit copy lives under Framework\)
%SystemRoot%\System32\inetsrv\appcmd.exe # IIS management CLI; short-lived, an exclusion is rarely needed
%SystemDrive%\PHP5433\php-cgi.exe # PHP CGI process (if applicable; replace with your actual PHP path)
Note: there is no iissvcs.exe. The Windows Process Activation Service (WAS) and the World Wide Web Publishing Service (W3SVC) run inside svchost.exe under the iissvcs service group, and svchost.exe must never be excluded because dozens of unrelated services share that image.
Note: The w3wp.exe process is automatically excluded by Microsoft Defender on Windows Server 2016+ when the Web Server role is installed. It is also the single largest blind spot on this list: a web shell runs inside w3wp.exe and launches cmd.exe or powershell.exe as its child, and a visibility exclusion on w3wp.exe can suppress exactly that telemetry. Prefer folder exclusions for the write-heavy paths and keep w3wp.exe monitored unless measurements leave no alternative.
ASP.NET Processes
The following belong to development tooling and older runtimes. None of them should be running on a production IIS server, so list them only for developer workstations and treat their presence on a server as something to investigate rather than exclude:
aspnet_wp.exe # ASP.NET Worker Process (IIS 5.x only)
WebDev.WebServer.exe # Visual Studio Development Server (Cassini)
WebDev.WebServer40.exe # VS Development Server (.NET 4.0)
iisexpress.exe # IIS Express
Process Descriptions
Process | Function | Where it runs |
---|---|---|
w3wp.exe | Handles HTTP requests for one application pool | One per started pool, from System32 or SysWOW64 |
svchost.exe -k iissvcs | Hosts WAS and W3SVC (no separate iissvcs.exe exists) | Shared service host; never exclude |
inetinfo.exe | IIS Admin Service (metabase compatibility) | Only with IIS 6 Management Compatibility installed |
dllhost.exe | Out-of-process COM+ applications | Shared host; exclude per COM+ application, not globally |
aspnet_state.exe | Out-of-process session state | Only when the ASP.NET State Service is in use |
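Before entering any process exclusion, confirm which image actually hosts each component and that the file at the path you are about to exclude is the Microsoft-signed binary. The script below is an added example, not part of the original guide; it assumes IIS is installed, at least one application pool is started, and the session is elevated.

```powershell
# Added example: resolve the real host images of the IIS services and worker processes.
# WAS and W3SVC live inside svchost.exe (service group "iissvcs"); there is no
# iissvcs.exe, and svchost.exe must not be excluded because unrelated services share it.
Get-CimInstance Win32_Service -Filter "Name='WAS' OR Name='W3SVC' OR Name='IISADMIN' OR Name='aspnet_state'" |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

function Get-IisWorkerProcess {
    # One w3wp.exe per started application pool. The command line names the pool
    # (-ap "name") and the image path shows whether the 64-bit (System32) or
    # 32-bit (SysWOW64) binary is in use, which decides which exclusion entry applies.
    Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        $pool = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '(unknown)' }
        # Embedded or catalog signature of the image; only a Valid Microsoft signature
        # justifies trusting this path enough to stop watching it
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
        [pscustomobject]@{
            PID     = $_.ProcessId
            AppPool = $pool
            Image   = $_.ExecutablePath
            Bitness = if ($_.ExecutablePath -like "$env:windir\SysWOW64\*") { '32-bit' } else { '64-bit' }
            Signed  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

Get-IisWorkerProcess | Format-Table -AutoSize
```

A worker whose Signed column is anything other than Valid, or whose Image is not under inetsrv, is an incident, not a candidate for exclusion.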
Step 7: Configure Log File Exclusions
IIS Log Directories
%SystemDrive%\inetpub\logs\LogFiles\*
%SystemDrive%\inetpub\logs\FailedReqLogFiles\*
%SystemDrive%\Windows\System32\LogFiles\HTTPERR\*
Custom Log Locations
If using custom log paths:
# Get custom log directories for all sites (values may contain %SystemDrive%; expand them before entering them in Falcon)
Import-Module WebAdministration
Get-Website | ForEach-Object {
    $logPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty "IIS:\Sites\$($_.Name)" -Name logFile.directory).Value)
    # IIS writes each site's logs into a W3SVC<site id> subfolder of the configured directory
    Write-Host "$($_.Name): $logPath\W3SVC$($_.Id)"
}
Step 8: Configure File Type Exclusions
Extension-based patterns deserve more caution than any folder above: a pattern such as *.dll that is not anchored to a path applies to every directory on the server, and .dll, .exe, .aspx and .config are exactly the file types an intruder writes. Anchor every pattern below to a site or application path (for example C:\inetpub\wwwroot\static\*.js) and never apply a bare extension server-wide.
Web Content Files
These are typically read-only and lower risk on the server side (they execute in the browser, not in w3wp.exe), so excluding them under a site root mostly saves write-time inspection during deployments:
*.html
*.htm
*.css
*.js
*.jpg
*.jpeg
*.png
*.gif
*.svg
*.ico
Compiled and Binary Files
Higher risk but may need exclusion for performance. Even scoped to an application’s bin folder, a *.dll pattern removes inspection of the one place where a dropped assembly is loaded straight into the worker process, so pair it with a deployment manifest or hash check of that folder:
*.dll # .NET assemblies
*.pdb # Debug symbols
*.compiled # Precompiled pages
*.resources # Resource files
Data and Configuration Files
Evaluate risk carefully. web.config is the persistence mechanism of choice on IIS (whoever can write it can register a handler or module), so if *.config must be excluded, keep the sites’ web.config files read-only to the worker identity and monitor them for change. Database files belong to SQL Server, not IIS; exclude them under the SQL data directories following Microsoft’s SQL Server guidance rather than by extension here:
*.config # Configuration files
*.mdf # SQL Server database files
*.ldf # SQL Server log files
*.sdf # SQL Server Compact files
Step 9: Configure Application Pool Identity Exclusions
Default Application Pool Identities
Worker processes write temporary files to the temp directory of the identity they run as, so these exclusions are per identity rather than per site. %USERPROFILE% cannot be used in a policy (it would resolve to the administrator entering the rule, not to the pool identity); resolve the literal profile path of each pool instead:
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files\*
C:\Users\[AppPoolName]\AppData\Local\Temp\* # ApplicationPoolIdentity pools with loadUserProfile=true; the profile exists only after the pool has started once
Service Account Directories
For pools running as a built-in service account:
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\*
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\*
Pools with loadUserProfile=false inherit the machine temp directory (normally %SystemRoot%\Temp), which is shared with every service on the host; an exclusion there is far broader than a per-profile one, so prefer enabling loadUserProfile and excluding the profile temp instead.
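Rather than guessing the profile path from the identity type, resolve it the way Windows does: translate the pool identity to a SID and read its ProfileImagePath from the ProfileList registry key. The script below is an added example, not part of the original guide. It assumes the WebAdministration module and an elevated session; the rule that a pool without a loaded profile falls back to %SystemRoot%\Temp is an assumption to confirm on your build (a test page that prints Path.GetTempPath() settles it).

```powershell
# Added example: resolve the temp directory each application pool identity really uses.
Import-Module WebAdministration

function Get-AppPoolIdentityAccount {
    # Map the pool's identityType to the account name Windows knows it by
    param($Pool)
    switch ([string]$Pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$($Pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $Pool.processModel.userName }
    }
}

function Get-AppPoolTempPath {
    # One object per pool: identity, SID, whether its profile is loaded, and the temp path
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $account     = Get-AppPoolIdentityAccount $pool
        $loadProfile = [bool]$pool.processModel.loadUserProfile
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $null }

        # ProfileList holds the profile root for every profile that has been created on this server
        $profileKey = if ($sid) { "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" } else { $null }
        $profileDir = if ($profileKey -and (Test-Path $profileKey)) {
            [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileKey).ProfileImagePath)
        } else { $null }

        $temp = if ($sid -eq 'S-1-5-18') {
            "$env:windir\Temp"                       # SYSTEM writes to the machine temp, not a per-user one
        } elseif ($loadProfile -and $profileDir) {
            Join-Path $profileDir 'AppData\Local\Temp'
        } elseif ($loadProfile) {
            '(profile not created yet; start the pool once, then re-run)'
        } else {
            "$env:windir\Temp"                       # assumption: no loaded profile means the machine temp
        }

        [pscustomobject]@{
            AppPool     = $pool.Name
            Identity    = $account
            SID         = $sid
            LoadProfile = $loadProfile
            TempPath    = $temp
        }
    }
}

Get-AppPoolTempPath | Format-Table -AutoSize
```

Each TempPath that is a per-profile folder is a narrow exclusion candidate; every pool that reports %SystemRoot%\Temp is a reason to turn loadUserProfile on rather than to exclude the shared folder.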
Step 10: Apply and Test Exclusions
- Save Configuration: Click Save in the CrowdStrike Console
- Policy Propagation: Allow 5-10 minutes for policies to propagate
- Verification Steps:
# Test IIS functionality
Import-Module WebAdministration
# Check application pool status
Get-ChildItem IIS:\AppPools | Select-Object Name, State
# Test website availability on every http/https binding (a self-signed certificate makes the https check fail on trust, not availability)
Get-Website | ForEach-Object {
    $site = $_
    foreach ($b in $site.bindings.Collection) {
        if ($b.protocol -notin 'http', 'https') { continue }
        $parts = $b.bindingInformation.Split(':')   # ip:port:hostheader
        $url = "$($b.protocol)://$(if ($parts[2]) { $parts[2] } else { 'localhost' }):$($parts[1])/"
        try { $code = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode }
        catch { $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message } }
        Write-Host "$($site.Name) $url : $code"
    }
}
# Check IIS service status (IISADMIN exists only with IIS 6 Management Compatibility)
Get-Service W3SVC, WAS, IISADMIN -ErrorAction SilentlyContinue | Select-Object Name, Status
# Review recent IIS, WAS and ASP.NET events (Get-WinEvent, unlike Get-EventLog, also works on PowerShell 7)
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; ProviderName = 'Microsoft-Windows-WAS', 'Microsoft-Windows-IIS-W3SVC', 'Microsoft-Windows-IIS-W3SVC-WP', 'ASP.NET 4.0.30319.0' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
- Performance Testing:
- Monitor response times
- Check application pool recycling frequency
- Test file upload/download operations
- Verify session state persistence
- Monitor CPU and memory usage
Security Best Practices
Compensating Controls for IIS
- Web Application Security:
- Enable and configure Windows Firewall with Advanced Security
- Implement Web Application Firewall (WAF)
- Use Request Filtering to block malicious requests
- Enable Dynamic IP Restrictions
- Configure URL Authorization rules
- Authentication and Authorization:
- Disable anonymous authentication where possible
- Use Windows Authentication for internal sites
- Implement forms-based authentication securely
- Enable SSL/TLS for all sites
- Use strong SSL/TLS configurations
- Application Pool Security:
- Use separate application pools for each application
- Configure application pool identities with least privilege
- Enable application pool recycling
- Set appropriate idle timeouts
- Configure rapid-fail protection
- File System Security:
- Use NTFS permissions appropriately
- Remove unnecessary HTTP handlers
- Disable directory browsing
- Configure proper file extension restrictions
- Implement content security policies
- Monitoring and Logging:
- Enable IIS logging for all sites
- Configure Failed Request Tracing
- Monitor application event logs
- Set up performance monitoring
- Implement centralized log collection
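The controls above are only compensating if someone checks that they hold in the excluded locations. The script below is an added example, not part of the original guide, that audits each excluded directory for the two conditions that turn an exclusion into a web-shell drop site: a web-facing identity can write there, and the directory serves executable content. It also lists recently changed script and binary files with their hashes for comparison against the deployment manifest. The directory and site-root lists are constructed for illustration and should be replaced with your own; it assumes an elevated session.

```powershell
# Added example: audit Falcon-excluded directories for write access by web identities
# and for recently written executable content.
$ExcludedDirs = @(                                            # constructed list; use your own
    "$env:SystemDrive\inetpub\wwwroot",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemDrive\inetpub\temp"
)
$SiteRoots    = @("$env:SystemDrive\inetpub\wwwroot")         # from Get-Website | Select-Object PhysicalPath
$LookbackDays = 7

# Identities a request can run as (pool identities, IIS_IUSRS) plus the usual over-broad groups
$WebIdentity = '^(IIS APPPOOL\\|BUILTIN\\IIS_IUSRS|BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)'
# Rights that let a principal create or change files: WriteData/CreateFiles (0x2),
# AppendData/CreateDirectories (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$ScriptExt = '.aspx', '.ashx', '.asmx', '.asp', '.cshtml', '.php', '.dll', '.exe', '.ps1', '.bat', '.vbs', '.config'

function Get-WebWritableAce {
    # Returns the Allow ACEs on $Path that grant a web-facing identity write rights
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $WebIdentity -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Get-RecentScriptFile {
    # Files with script or binary extensions changed inside the lookback window, with SHA-256
    param([string]$Path, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExt -contains $_.Extension.ToLowerInvariant() -and $_.LastWriteTime -gt $since } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Invoke-ExclusionAudit {
    foreach ($dir in $ExcludedDirs) {
        if (-not (Test-Path -LiteralPath $dir)) {
            [pscustomobject]@{ Directory = $dir; Finding = 'STALE: excluded path does not exist; remove the exclusion before someone creates the folder'; Detail = '' }
            continue
        }
        $servesContent = [bool]($SiteRoots | Where-Object { $dir -like "$_*" })
        foreach ($ace in Get-WebWritableAce $dir) {
            $sev = if ($servesContent) { 'HIGH: writable and web-executable' } else { 'MEDIUM: writable by a web identity' }
            [pscustomobject]@{ Directory = $dir; Finding = $sev; Detail = "$($ace.IdentityReference) has $($ace.FileSystemRights)" }
        }
        foreach ($f in Get-RecentScriptFile -Path $dir -Days $LookbackDays) {
            [pscustomobject]@{ Directory = $dir; Finding = 'Recent executable content'; Detail = "$($f.File) $($f.Modified) $($f.SHA256)" }
        }
    }
}

Invoke-ExclusionAudit | Format-Table -AutoSize -Wrap
```

A HIGH finding means the worker can write a file that IIS will execute and Falcon will not inspect; fix the NTFS permissions or split the writable folder out of the exclusion. The Temporary ASP.NET Files folder will always report MEDIUM, because the worker writes there by design; that is the reason Microsoft no longer recommends excluding it on Exchange, and the hash list is how you keep it honest here.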
Risk Assessment Matrix
Component | Performance Impact if Scanned | Security Risk if Excluded | Recommendation |
---|---|---|---|
Temp ASP.NET files | Critical – Compilation failures | Medium | Required exclusion |
W3wp.exe process | Critical – Performance degradation | High | Required with monitoring |
IIS logs | Low – Write delays | Low | Recommended exclusion |
Application binaries | High – Load delays | High | Evaluate per application |
Static content | Low | Low | Optional exclusion |
Config files | Medium – Lock issues | High | Exclude with strict access control |
Upload directories | High – User experience | High | Exclude with validation |
Application-Specific Configurations
WordPress on IIS
[WordPressPath]\wp-content\uploads\*
[WordPressPath]\wp-content\cache\*
[WordPressPath]\wp-content\temp\*
PHP Applications
%ProgramFiles%\PHP\*
%SystemDrive%\php\tmp\*
%TEMP%\php\*
Node.js Applications
%ProgramFiles%\nodejs\*
%AppData%\npm-cache\*
[ApplicationPath]\node_modules\*
Python Applications
%ProgramFiles%\Python*\*
[ApplicationPath]\venv\*
[ApplicationPath]\__pycache__\*
Troubleshooting
Common Issues and Solutions
- 503 Service Unavailable:
- Verify w3wp.exe process exclusion
- Check application pool identity permissions
- Review temp directory exclusions
- Compilation errors in ASP.NET:
- Confirm Temporary ASP.NET Files excluded
- Check shadow copy directories
- Verify bin folder exclusions
- File upload failures:
- Ensure upload directory excluded
- Check temp directory permissions
- Verify request filtering settings
- Session state loss:
- Confirm state service exclusions
- Check temp directory access
- Review application pool recycling
- Slow page loads:
- Verify compiled assembly exclusions
- Check static content caching
- Monitor w3wp.exe CPU usage
Diagnostic PowerShell Commands
# Check for locked files held by the worker processes (Sysinternals handle.exe must be on the PATH)
handle.exe -accepteula -nobanner -a -u -p w3wp
# Monitor IIS worker processes
Get-Process w3wp -ErrorAction SilentlyContinue | Select-Object Id, CPU, WS, Handles, StartTime
# Review application pool failures (WAS logs to the System log as Microsoft-Windows-WAS; Level 2 = Error)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
# Check IIS configuration issues
& "$env:windir\system32\inetsrv\appcmd.exe" list config /section:system.applicationHost/sites
# Test application response times
Measure-Command {
    Invoke-WebRequest -Uri "http://localhost" -UseBasicParsing
}
# Review HTTP.sys error logs (requests rejected before they reached a worker process)
Get-Content "$env:windir\System32\LogFiles\HTTPERR\httperr*.log" -Tail 50
Maintenance and Review
Regular Tasks
- Daily: Monitor IIS performance metrics and error logs
- Weekly: Review application pool health and recycling events
- Monthly: Analyze exclusion effectiveness and security events
- Quarterly: Audit exclusion list and update documentation
- After Updates:
- Windows updates
- IIS feature updates
- Application deployments
- CrowdStrike sensor updates
- .NET Framework updates
Documentation Requirements
Maintain records of:
- All IIS sites and their physical paths
- Application pool configurations
- Custom exclusion requirements per application
- Performance baselines
- Security incident history
- Change management records
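The quarterly audit is where most exclusion lists go wrong: folders that were excluded for an application decommissioned a year ago are still in the console, and an attacker who can recreate such a folder gets an unscanned location for free. The script below is an added example, not part of the original guide, that checks a documented exclusion register against the live IIS configuration for stale entries, overdue reviews and web roots nobody has accounted for. The register is constructed for illustration (in practice load it from your CMDB or a CSV with the same columns); it assumes the WebAdministration module and an elevated session.

```powershell
# Added example: drift check between the exclusion register and the live IIS configuration.
Import-Module WebAdministration

$Register = @(                                                # constructed register; replace with your own
    [pscustomobject]@{ Pattern = 'C:\inetpub\wwwroot\*';       Owner = 'web-team'; Reason = 'site root, upload churn'; Reviewed = '2025-01-15' },
    [pscustomobject]@{ Pattern = 'C:\inetpub\logs\LogFiles\*'; Owner = 'web-team'; Reason = 'IIS logs';                Reviewed = '2025-01-15' },
    [pscustomobject]@{ Pattern = 'D:\sites\legacy-portal\*';   Owner = 'app-team'; Reason = 'decommissioned 2024';     Reviewed = '2024-03-01' }
)
$MaxReviewAgeDays = 90

function Get-LiveWebRoots {
    # Every physical path IIS will serve or execute from right now, expanded and de-duplicated
    $paths = foreach ($site in Get-Website) {
        $site.PhysicalPath
        (Get-WebApplication -Site $site.Name).PhysicalPath
        (Get-WebVirtualDirectory -Site $site.Name).PhysicalPath
    }
    $paths | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') } |
        Sort-Object -Unique
}

function Test-ExclusionDrift {
    param($Register, [string[]]$LiveRoots, [int]$MaxAgeDays)
    $today = Get-Date
    foreach ($e in $Register) {
        $folder = $e.Pattern.TrimEnd('*').TrimEnd('\')
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            [pscustomobject]@{ Pattern = $e.Pattern; Finding = 'STALE: folder no longer exists; remove the exclusion'; Owner = $e.Owner }
        }
        if (($today - [datetime]$e.Reviewed).TotalDays -gt $MaxAgeDays) {
            [pscustomobject]@{ Pattern = $e.Pattern; Finding = "OVERDUE: last reviewed $($e.Reviewed)"; Owner = $e.Owner }
        }
    }
    # A live root with no register entry is either scanned (fine, record that decision)
    # or excluded in the console without paperwork (not fine): reconcile it against the console.
    foreach ($root in $LiveRoots) {
        $covered = $Register | Where-Object {
            $prefix = $_.Pattern.TrimEnd('*').TrimEnd('\')
            $root -eq $prefix -or $root -like ($prefix + '\*')
        }
        if (-not $covered) {
            [pscustomobject]@{ Pattern = $root; Finding = 'UNREGISTERED: live web root with no register entry'; Owner = '' }
        }
    }
}

Test-ExclusionDrift -Register $Register -LiveRoots (Get-LiveWebRoots) -MaxAgeDays $MaxReviewAgeDays | Format-Table -AutoSize -Wrap
```

Run it on each IIS host, since the same register usually covers several servers and a path can be stale on one and live on another.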
Special Considerations
URL Rewrite Module
If using URL Rewrite:
%SystemRoot%\System32\inetsrv\rewrite.dll
%SystemRoot%\SysWOW64\inetsrv\rewrite.dll
Application Request Routing (ARR)
For reverse proxy configurations. Note that the appPools temp folder holds each pool’s isolated configuration file and is used whether or not ARR is installed, and that %ProgramFiles%\IIS\Application Request Routing is the install directory; the ARR disk cache lives wherever you configured it (Server Proxy Settings > Disk Cache), and that directory is the one that benefits from an exclusion:
%SystemDrive%\inetpub\temp\AppPools\*
%ProgramFiles%\IIS\Application Request Routing\*
Web Deploy
For deployment operations:
%ProgramFiles%\IIS\Microsoft Web Deploy V3\*
%SystemDrive%\Windows\Temp\WebDeploy\*
FTP Publishing
If using FTP services:
%SystemDrive%\inetpub\ftproot\*
%SystemDrive%\inetpub\logs\LogFiles\FTPSVC*\*
Performance Optimization
Best Practices
- Application Pool Configuration:
- Set appropriate recycling schedules
- Configure maximum worker processes
- Set proper memory limits
- Enable 32-bit applications only when needed
- Compression Settings:
- Enable static content compression
- Configure dynamic compression carefully
- Exclude already-compressed file types
- Caching Configuration:
- Enable output caching for static content
- Configure browser caching headers
- Use kernel-mode caching where appropriate
- Connection Limits:
- Set appropriate connection timeouts
- Configure queue lengths
- Adjust concurrent connection limits
Additional Resources
- Microsoft Defender Antivirus exclusions on Windows Server
- IIS Security Best Practices
- Securing IIS
- IIS Performance Tuning
- CrowdStrike Falcon Documentation
- ASP.NET Performance Best Practices
Disclaimer
⚠️ Security Warning: Implementing these exclusions reduces CrowdStrike Falcon’s ability to detect and prevent threats in excluded locations. Web servers are high-value targets, and an internet-facing IIS server is one of the most common initial-access points an attacker has; an excluded site root or worker process is where that attacker’s web shell will live.
Organizations should:
- Implement defense-in-depth security strategies
- Deploy Web Application Firewall (WAF) solutions
- Enable comprehensive logging and monitoring
- Perform regular security assessments and penetration testing
- Keep all software components updated and patched
- Use secure coding practices for all applications
- Implement proper network segmentation
- Consider application-level security solutions
Since Microsoft doesn’t provide unified IIS antivirus guidance, these recommendations are compiled from various sources and best practices. Your specific applications may require additional exclusions. Always test thoroughly in a non-production environment before implementing in production. The security implications vary significantly based on whether the IIS server hosts internal or external-facing applications.
Last reviewed: February 2025
Applies to: IIS 10.0, 8.5, 8.0, 7.5, 7.0, IIS Express, CrowdStrike Falcon