IIS Security Mechanism

IIS (Internet Information Server) is a powerful Internet and intranet service platform and one of the most popular web servers today. How to strengthen the security mechanism of IIS and build a reliable web server with strong security has become an important part of network management.
Based on the security mechanism of Windows NT
1. Use the NTFS file system
The NTFS file system can manage permissions on files and directories, whereas the FAT file system can only provide share-level security. The security mechanism of Windows NT is built on top of NTFS, so it is best to use NTFS when installing Windows NT; otherwise the NT security mechanism cannot be established.
2. Modify share permissions
By default, every newly created share gives the Everyone group "Full Control" share permission, so you should modify the default permission for Everyone immediately after creating a new share.
3. Change the system administrator account
The Domain User Manager can limit the number of password guesses for ordinary accounts, but this limit cannot be applied to the system administrator account, which gives illegal users an opportunity to attack the administrator password. Renaming the administrator account through the Domain User Manager is a good countermeasure. The specific setting method is as follows:
Select "Start" → "Programs" → start "Domain User Manager" → select the "Administrator" account → select the "User" menu → "Rename" to change the name.
4. Cancel the NetBIOS binding to TCP/IP
By building a mapping between a target station's NetBIOS name and its IP address, an NT system administrator can manage other servers on the Internet or intranet, but illegal users can also locate the machine in the same way. If this remote management is not required, you should cancel the binding immediately (through the Bindings option in the Network properties, cancel the binding between NetBIOS and TCP/IP).
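The four Windows-side items above are GUI steps on Windows NT 4. As an added example, not code from the original article, the following script audits the same four points on a current Windows Server host. It assumes the Storage, SmbShare, LocalAccounts and CIM cmdlets that ship with Windows Server 2016 and later, must be run as an administrator, and only reports unless -Fix is given; the replacement administrator name is a hypothetical placeholder.

```powershell
# Added example (not from the original article). Audits: NTFS volumes, shares
# granting Everyone Full Control, the built-in administrator's name, and
# NetBIOS over TCP/IP. Assumes Windows Server 2016+ cmdlets; reports only
# unless -Fix is supplied.
[CmdletBinding()]
param([switch]$Fix)

# 1. Every fixed volume should be NTFS; FAT volumes carry no file ACLs at all.
Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } | ForEach-Object {
    $note = if ($_.FileSystem -eq 'NTFS') { 'ok' } else { 'WARNING: no NTFS permissions possible' }
    "Volume $($_.DriveLetter): $($_.FileSystem) - $note"
}

# 2. Shares that still grant Everyone Full Control (the default for a new share).
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' } |
        ForEach-Object {
            "Share $($share.Name): Everyone has Full Control"
            if ($Fix) {
                # Drop Everyone to Read; grant Change/Full to named groups afterwards.
                Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force
                Grant-SmbShareAccess  -Name $share.Name -AccountName 'Everyone' -AccessRight Read -Force
            }
        }
}

# 3. The built-in administrator is the local account with RID 500 whatever it is
# called, so the check keys on the SID rather than on the name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin.Name -eq 'Administrator') {
    "Built-in administrator still has the default name"
    if ($Fix) { Rename-LocalUser -Name $admin.Name -NewName 'svc-admin-x' }  # hypothetical new name
} else {
    "Built-in administrator is named $($admin.Name)"
}

# 4. NetBIOS over TCP/IP per adapter. TcpipNetbiosOptions: 0 = use the DHCP
# setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    "$($_.Description): NetBIOS over TCP/IP option = $($_.TcpipNetbiosOptions)"
    if ($Fix -and $_.TcpipNetbiosOptions -ne 2) {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    }
}
```

Run it once without -Fix to see the findings, and note that disabling NetBIOS over TCP/IP breaks name resolution for any client that still depends on it, which is the same "only if remote management is not required" condition the article states.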
Setting up the IIS security mechanism
1. Security issues to pay attention to during installation
1) Avoid installing on the primary domain controller
After IIS is installed, an anonymous account IUSR_Computername is generated on the computer. This account is added to the Domain Users group, which gives every anonymous user accessing the web server the access rights of the Domain Users group. This not only brings potential hazards to IIS but also threatens the security of all domain resources. So avoid installing the IIS server on a domain controller, especially on the primary domain controller.
2) Avoid installation on the system partition
If IIS is installed on the system partition, the system files are also exposed to illegal access, which makes it easy for illegal users to break into the system partition, so you should avoid installing the IIS server on the system partition.
2. User security
1) Control of anonymous user access
The anonymous user IUSR_ComputerName generated after installing IIS has anonymous access to the web server, so its rights must be controlled. If anonymous access is not required, you can cancel the anonymous access service of the Web. The specific method:
Select "Start" → "Programs" → "Internet Service Manager" → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service Properties page → cancel anonymous access.
2) Control of general user access
General user accounts can be managed by using long passwords (generally 6 characters or more), changing passwords frequently, locking out accounts after failed logon attempts, and setting an expiration period for passwords and accounts.
3. The three authentication forms of IIS
1) Anonymous user access: allows anyone to access anonymously; its security is the lowest of the three.
2) Basic authentication: the username and password are transmitted across the network in clear text, so its security is average.
3) Windows NT challenge/response: the browser and the IIS server communicate using encryption, effectively preventing eavesdropping; it is the most secure form (supported by IE 3.0 and later).
4. Access rights control
1) Set access permissions for folders and files: place the folders and files on an NTFS file system. On the one hand this allows their permissions to be controlled by setting different permissions for different groups and users; in addition, the NTFS audit function can be used to audit members of specific groups reading or writing files, and by monitoring "file access", "use of user objects" and so on, precursors of illegal activity by illegal users can be discovered and stopped in time. The specific method:
Select "Start" → "Programs" → start "Domain User Manager" → select the "Audit" option under the Rules menu → set the audit rules.
2) Set access permissions for the WWW directory: for a folder that has been set as a web directory, you can control access to it through the Web Site Properties page, and all files and subfolders in this directory inherit these security settings. In addition to the access control provided by the NTFS file system, the WWW service also provides Read permission, which allows users to read or download files in the WWW directory, and Execute permission, which allows users to run programs and scripts in the WWW directory. The specific setting method is as follows:
Select "Start" → "Microsoft Internet Server" → "Internet Service Manager" → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service Properties page → select the "Directories" tab → select the WWW directory you need to edit → select "Edit Properties" and set the directory properties.
5. Control by IP address
IIS can accept or reject service requests sent from particular IP addresses, selectively allowing users from particular nodes to access the server. You can block your web server from network users outside the specified IP addresses. The specific setting method is as follows:
Select "Start" → "Programs" → "Internet Service Manager" → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service Properties page → select the "Advanced" tab in the WWW properties page → set the IP address access controls.
6. Port security
In IIS, the WWW, FTP, NNTP and SMTP services each have their own TCP port number; the commonly used port numbers are 80 for WWW, 21 for FTP and 25 for SMTP. You can improve the security of the IIS server by changing the port number: after the port is changed, only users who know the new port number can access the service, but users must specify the new port number when they connect.
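Items 2 to 6 above are all settings on the WWW service property pages. As an added example, not code from the original article, the following script reports the same settings for one site on IIS 7 or later, where the WebAdministration module replaces the NT 4 Internet Service Manager: which of the three authentication forms are enabled, whether Basic authentication is used without an HTTPS binding to protect its clear-text credentials, the listening ports, and the IP address restrictions. The site name is a parameter and "Default Web Site" is only its assumed default.

```powershell
# Added example (not from the original article). Reports anonymous/basic/
# Windows authentication, bindings and IP restrictions for one IIS site.
# Assumes IIS 7+ with the WebAdministration module.
param([string]$SiteName = 'Default Web Site')

Import-Module WebAdministration
$site = "IIS:\Sites\$SiteName"
$auth = 'system.webServer/security/authentication'

# Which of the three authentication forms the site accepts.
function Get-AuthEnabled([string]$Section) {
    [bool](Get-WebConfigurationProperty -PSPath $site -Filter "$auth/$Section" -Name enabled).Value
}
$anon    = Get-AuthEnabled 'anonymousAuthentication'
$basic   = Get-AuthEnabled 'basicAuthentication'
$windows = Get-AuthEnabled 'windowsAuthentication'   # the NT challenge/response form
"Anonymous: $anon  Basic: $basic  Windows: $windows"

# Basic authentication puts the credentials on the wire as clear text, so flag
# it unless the site also has an HTTPS binding to carry them.
$bindings = @(Get-WebBinding -Name $SiteName)
$hasHttps = [bool]($bindings | Where-Object { $_.protocol -eq 'https' })
if ($basic -and -not $hasHttps) { "WARNING: Basic authentication on a site with no HTTPS binding" }

# Listening ports; bindingInformation has the form "ip:port:hostname".
foreach ($b in $bindings) {
    $port = ($b.bindingInformation -split ':')[1]
    "$($b.protocol) on port $port"
}

# IP address restrictions: allowUnlisted=false means only listed addresses may
# connect, which is the "block users outside the specified addresses" setting.
$ipSec = 'system.webServer/security/ipSecurity'
$allowUnlisted = [bool](Get-WebConfigurationProperty -PSPath $site -Filter $ipSec -Name allowUnlisted).Value
"Unlisted IP addresses allowed: $allowUnlisted"
Get-WebConfiguration -PSPath $site -Filter "$ipSec/add" | ForEach-Object {
    "  $($_.ipAddress)/$($_.subnetMask) allowed=$($_.allowed)"
}
```

Reading the ipSecurity section requires the "IP and Domain Restrictions" role service to be installed; without it the section is locked and the last two queries fail. A non-standard port reported here only hides the service from users who do not know it, so the authentication and IP restriction checks above still apply to it.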
7. IP forwarding security
The IIS server provides IP packet forwarding. When it is enabled, the IIS server acts as a router, forwarding IP packets received on the Internet interface to the internal network; disabling this feature increases the security of the IIS service. The setting method is as follows:
Select "Start" → "Microsoft Internet Server" → "Internet Service Manager" → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service Properties page → select the "Protocol" tab → uncheck "Routing" in the TCP/IP properties.
8. SSL security mechanism
SSL (Secure Sockets Layer) sits between the HTTP layer and the TCP layer and establishes encrypted communication between users and servers to ensure the security of transmitted information. SSL is based on a public key and a private key: any user can obtain the public key to encrypt data, but the data can only be decrypted with the corresponding private key. When the SSL security mechanism is used, the client first connects to the server, and the server sends its digital certificate to the client. The client randomly generates a session key, encrypts it with the public key obtained from the server's certificate, and sends the encrypted session key to the server over the network; the session key can only be decrypted on the server side with the private key, so the client and the server have established a unique secure channel. The specific setting method is as follows:
Select "Start" → "Programs" → "Internet Service Manager" → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service Properties page → select the "Directory Security" tab → click the Key Manager button → generate a key file and a certificate request file with Key Manager → apply for a certificate from a certificate authority → install the certificate on the server with Key Manager → activate SSL security for the web site.
After the SSL security mechanism is established, only SSL-capable clients can communicate with the SSL-enabled web site, and when using a URL, note that the address starts with "https://" instead of "http://".
Implementing the SSL security mechanism increases system overhead and adds extra load on the server CPU, which reduces system performance to a certain extent.
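Items 7 and 8 above are the two settings most often found drifted on a running server: forwarding quietly re-enabled, or an SSL site whose certificate has expired. As an added example, not code from the original article, the following script checks both on a current Windows Server with IIS 7 or later: it lists interfaces with IP forwarding enabled, shows the certificate behind each HTTPS binding of one site with its days to expiry, and, with -Fix, disables forwarding and sets the site to require SSL so plain http:// requests are refused. It assumes the NetTCPIP and WebAdministration modules; the site name is a parameter with "Default Web Site" as its assumed default.

```powershell
# Added example (not from the original article). Checks IP forwarding and the
# HTTPS/SSL state of one IIS site. Assumes Windows Server 2012+ (NetTCPIP) and
# IIS 7+ (WebAdministration); changes nothing unless -Fix is supplied.
param([string]$SiteName = 'Default Web Site', [switch]$Fix)

Import-Module WebAdministration
$site = "IIS:\Sites\$SiteName"

# 7. A web server should not route packets between its interfaces.
Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.Forwarding -eq 'Enabled' } | ForEach-Object {
    "WARNING: IP forwarding enabled on $($_.InterfaceAlias)"
    if ($Fix) { Set-NetIPInterface -InterfaceIndex $_.ifIndex -Forwarding Disabled }
}

# 8. HTTPS bindings and the certificate behind each one; an expired
# certificate is the usual way an SSL site stops working.
$httpsBindings = @(Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq 'https' })
if (-not $httpsBindings) { "WARNING: site $SiteName has no HTTPS binding" }
foreach ($b in $httpsBindings) {
    $port = ($b.bindingInformation -split ':')[1]
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if ($cert) {
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        "https on port ${port}: $($cert.Subject), expires in $days days"
    } else {
        "https on port ${port}: no certificate found for hash $($b.certificateHash)"
    }
}

# Require SSL so plain http:// requests to the site are refused, matching the
# article's "only SSL clients can talk to the SSL site".
$access = 'system.webServer/security/access'
$flags = "$((Get-WebConfigurationProperty -PSPath $site -Filter $access -Name sslFlags).Value)"
"sslFlags: $flags"
if ($Fix -and $httpsBindings -and $flags -notmatch 'Ssl') {
    Set-WebConfigurationProperty -PSPath $site -Filter $access -Name sslFlags -Value 'Ssl'
}
```

Requiring SSL is only applied when the site already has an HTTPS binding, otherwise the setting would lock every client out; on IIS 7 and later the certificate request and installation that the article does through Key Manager are done under Server Certificates in IIS Manager before the HTTPS binding is created.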