How to build high security web servers with IIS
IIS (Internet Information Server) as one of the popular web servers today, provides powerful Internet and intranet service features, how to strengthen IIS security mechanisms, establish a high-security web server, which has become an important importance in IIS settings component.
This article will explain the way to strengthen the IIS safety mechanism by two aspects.
First, based on the security mechanism of Windows NT
As an IIS running in a Windows NT operating system environment, its security should also be built on Windows NT security.
1. Apply NTFS file system
NTFS can manage files and directories, and FAT (file allocation table) file system can only provide shared level security, it is recommended to use NTFS systems when installing Windows NT.
2. Modification of shared permissions
By default, every new share is established, its Everyone users have "full control" shared permissions, so improve the Everyone default permissions immediately after establishing a new share.
3. Change the system administrator account
The domain user manager can limit the number of guess passwords, but the system administrator account is not used, which may bring the opportunity to attack the administrator account password to illegal users, and pass the domain user manager to change the name of the administrator. A good way. The specific settings are as follows:
(1) Start "Domain User Manager";
(2) Select the administrator account;
(3) Start "Rename" under the "User" menu modifies it.
4. Waste NetBIOS on TCP / IP
The administrator can manage the other servers on the Internet by constructing images between the target station NetBIOS name and its IP address, and the other servers on the Internet can also find the Machine. If this remote management is not required, it should be abolished (through the network attribute binding option, the binding between NetBIOS and TCP / IP) will be abolished.
Second, set the security mechanism for IIS
1. Security issues that should be paid attention to when installing
(1) Avoid installed on the main domain controller
After installing IIS, a IUSR_Computername anonymous account will be generated on the installed computer, which is added to the domain user group, thereby providing access to domain users to each anonymous user accessing the web server, which is not only given IIS brings huge potential hazards, and it is also possible to implicate the safety of the entire domain resource, and avoid installing IIS on a domain controller, especially the primary domain controller.
(2) Avoid installation on the system partition
Place IIS on the system partition, which makes system files with IIS, and it is easy to access illegal access, easy to invade system partitions.
2. User control security
(1) Anonymous user
Anonymous User IUSR_ComputerName generated after installing IIS, with anonymous access to the web server to control the right to control it. If you do not have anonymous access, you can cancel the anonymous service of the Web. specific method:
1 Start ISM (Internet Server Manager);
2 Start the WWW service property page;
3 Cancel its anonymous access service.
(2) General users
By using a password combined with letters (including case), improve the frequency of the password, the login attempt to block the password, and the living life of the account, and the like.
3. Sign in and certified security
The IIS server provides identity authentication for users.
Anonymous Access: No need to interact with the user, allowing anyone anonymous access to the site, and security in these three identity authentication is the lowest. Basic Verification: In this mode, the username and password entered in this manner are transmitted on the network in a clear text. There is no encryption, and illegal users can intercept the packet through online, and obtain the username and password, the security performance is general. .
Windows NT Request / Response: The browser communicates with the IIS server via encryption, effectively preventing the eavesdropper, is a relatively high security form. The disadvantage of this method is that only IE3.0 and above are supported.
4. Access rights control
(1) Access to folders and files: All folders and files on the NTFS file system, on the one hand, to control their permissions, different permission settings for different user groups and users; in addition, it can be used NTFS audit function reviews an attempt of some particular user group members read files, effectively by monitoring the illegal users to illustrate illegal activities in the use of document access, user objects, and prevention in time. specific method:
1 Launch "Domain User Manager";
2 Start the "Audit" option under the Rules menu;
3 Set "Audit Rules".
(2) Access to the WWW directory: Folders that have been set to the web directory, you can implement the control of WWW directory access by operating the Web site property page, and all files and subfolders in this directory will inherit these security . In addition to providing the permissions provided by the NTFS file system, WWW services also provides read permissions, allowing users to read or download files in the WWW directory; execute permissions, allowing users to run programs and scripts in WWW directories. Specific setting method:
1 Start ISM (Internet Server Manager);
2 Start the web attribute page and select the "Directory" tab;
3 Select the WWW directory;
4 Select "Directory Properties" in Edit Properties for settings.
5. Control of IP address
IIS can set the service request sent from a particular IP, and selectively allow the user access service that allows specific nodes, you can block the entire network user except the entire network user outside of the IP address from accessing your web server. Specific setting:
(1) Start ISM (Internet Server Manager);
(2) Start the "Advanced" tab in the web property page;
(3) Perform a control setting of the specified IP address.
6. Implementation of port security
For IIS services, both WWW sites, FTP sites, or NNTP, SMTP services, etc. have their own TCP port numbers (POST), generally used port numbers: WWW is 80, FTP is 21, SMTP is 25, you can improve the security of the IIS server by modifying the port number. If you modify the port setting, only users know the port number can be accessed, but the user needs to specify a new port number when visiting.
7. IP Forwarding Security
The IIS service provides IP packet forwarding function. At this time, the IIS server acting as a router role will forward IP packets received from the Internet interface to the internal network, disable this feature is a good way to improve security. The specific settings are as follows:
(1) Start "Network Properties" and select the Protocol tab;
(2) Remove "Routing" in the TCP / IP attribute.
8.SL security mechanism
IIS identity authentication In addition to anonymous access, basic verification, and Windows NT request / response mode, there is also a more secure authentication: Digital certificates are used through SSL (Security Socket Layer) security mechanism. The SSL (Encryption Socket Signal Layer) is located between the HTTP layer and the TCP layer, establishes encrypted communication between the user and the server to ensure the security of the transmitted information. The SSL is based on the public key and private key. Any user can obtain a public key to encrypt data, but decrypt data must pass the corresponding private key. When using the SSL security mechanism, firstally, the client is connected to the server, and the server sends its digital certificate to the client, the client randomly generates the session key, and uses the public key pair of public key from the server. The key is encrypted, and the session key is passed to the server on the network, and the session key can only decrypt the server side with a private key, so that the client and server end have established a unique security channel. Specific steps are as follows:
(1) Start the ISM and open the property page of the web site;
(2) Select the "Directory Security" tab;
(3) Click the Key Manager button;
(4) Generate a key pair file and request file by the key manager;
(5) Apply from an identity authentication authority to a certificate;
(6) Install the certificate on the server through the key manager;
(7) Activate the SSL security of the web site.
After establishing an SSL security mechanism, only SSL allowed customers can communicate with the WEB site allowed by SSL, and when using the URL resource locator, enter https: // instead of http: //.
The implementation of the SSL security mechanism will increase the system overhead, increasing the additional burden of the server CPU, thereby reducing system performance, which is recommended to use only a high-sensitive web directory when planning. In addition, SSL clients need to use IE 3.0 and above to use.