Penetration tools may raise an alarm if the default IIS page is still available in your server. This page comes by default when you install Web Server role.
Follow the steps below to disable it so this vulnerability don’t come up in the reports anymore.
Steps to disable default page:
- Open IIS Manager
- Click the server name
- Double click on Default Document
- On the right side, click “Disable”
Here is a list of known IIS vulnerabilities: List
If you see a vulnerability about older TLS versions, check this post out: Security Scan (Qualys SSL Labs) shows TLS 1.0 and 1.1 are enabled