Because IIS (Internet Information Server) is convenient and easy to use, it has become one of the most popular web server packages. However, IIS security has always been a concern. How to use IIS to build a secure web server is a topic that many people care about.

Constructing a secure system

To build a secure and reliable web server, you must secure both Windows 2000 and IIS, because IIS users are also Windows 2000 users, and IIS directory permissions depend on the permission control of the Windows NTFS file system. The first step in protecting IIS is therefore to ensure the security of the Windows 2000 operating system:

1. Use the NTFS file system to manage files and directories.

2. Turn off default sharing. Open Registry Editor, expand the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services" item, and add the key value AutoShareServer, type REG_DWORD, value 0. This completely turns off "default sharing".

3. Modify share permissions. When you create a new share, change the default permissions of Everyone so that visitors to the web server do not get unnecessary permissions.

4. Rename the system administrator account to avoid attacks by illegitimate users. Right-click [My Computer] → [Administrative] to start the "Computer Management" program. Under "Local Users and Groups", right-click "Administrator", select "Rename", and change the administrator account name to a very ordinary username.

5. Disable NetBIOS over TCP/IP. Right-click [Network Neighbor] → [Properties] → [Local Connection] → [Properties] to open the "Local Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [WINS], and select "Disable NetBIOS over TCP/IP" in the lower part of the tab.

6. Control TCP/IP access. Right-click [Network Neighbor] → [Properties] → [Local Connection] → [Properties] to open the "Local Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Option], and click the "TCP/IP Filter" option in the list. Click the [Properties] button, select "Allow", then click the [Add] button and enter only port 80.

7. Modify the registry to reduce the risk of denial-of-service attacks. Open the registry and set the value of SynAttackProtect under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 2 so that connections time out more quickly.

Ensuring the security of IIS itself

IIS security installation

To build a secure IIS server, you must consider security from the moment of installation.

1. Do not install IIS on the system partition.

2. Change the default installation path of IIS.

3. Apply the latest patches for Windows and IIS.

IIS security configuration

1. Remove unnecessary virtual directories. After IIS installation completes, several directories are created by default in wwwroot, including IISHelp, IISAdmin, IISSamples, MSADC, etc. These directories serve no practical purpose and can be deleted directly.

2. Delete dangerous IIS components. Some IIS components installed by default may pose security threats, such as Internet Service Manager (HTML), SMTP Service, NNTP Service, and the sample pages and scripts. You can decide whether to delete them according to your needs.

3. Classification settings for files in IIS. In addition to setting the necessary permissions for IIS files in the operating system, also set permissions in the IIS Manager.
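
The two registry values named in the operating-system steps above (AutoShareServer and SynAttackProtect) can be checked offline against a .reg export of the server. The following Python script is an added example, not part of the original article; the LanmanServer\Parameters subkey used for AutoShareServer (the article names only the parent Services key), the function names and the sample export are assumptions or constructed here.

```python
import re

# Baseline from the steps above: (registry key, value name) -> required DWORD.
# Assumption added here: AutoShareServer is checked in the LanmanServer\Parameters
# subkey; the article itself names only the parent Services key.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "SynAttackProtect"): 2,
}

KEY_RE = re.compile(r"^\[(?!-)(.+)\]$")  # "[-KEY]" lines delete a key; skip them
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_dwords(reg_text):
    """Return {(key, name): int} for every DWORD value in a .reg export.
    Keys and names are case-folded because the registry is case-insensitive."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).casefold()
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).casefold())] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return (value name, found, required) for each deviation from BASELINE."""
    found = parse_dwords(reg_text)
    findings = []
    for (key, name), required in BASELINE.items():
        actual = found.get((key.casefold(), name.casefold()))  # None = not set
        if actual != required:
            findings.append((name, actual, required))
    return findings

# Constructed sample export: AutoShareServer is absent, SynAttackProtect is 1.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"""

if __name__ == "__main__":
    for name, actual, required in audit(SAMPLE):
        print(f"{name}: found {actual}, baseline requires {required}")
```

Registry Editor writes version 5.00 exports as UTF-16, so decode a real export with encoding="utf-16" before passing its text to audit().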