One: IIS Lockdown Tool, quickly setting the IIS security properties
The release of the IIS Lockdown Tool owes something to Code Red: the worm spread so widely that Microsoft designed and released this tool to help administrators secure IIS.
The IIS Lockdown Tool has the following features:
The basic function: helping administrators set IIS security;
It can be used on IIS 4 and IIS 5;
Even if the system has not had all patches installed in time, it can still effectively prevent the known vulnerabilities of IIS 4 and IIS 5 from being exploited;
It helps administrators remove services this website does not need, so that IIS runs the fewest services that still meet the site's requirements;
It has two usage modes: Express Lockdown (express mode) and Advanced Lockdown (advanced mode). Express mode sets IIS security directly. It is suitable only for websites that use static HTML and HTM pages, because ASP can no longer run after the setting is complete; advanced mode lets administrators set each property individually, so that a properly chosen configuration leaves every IIS function the site needs unaffected. Now let's look at how to use the tool.
(1) Software download and installation
The IIS Lockdown Tool can be downloaded from Microsoft's website at:
http://www.microsoft.com/downloads/release.asp?releaseid=32362
Installation is very simple. Note that after installation the program does not appear in the [Programs] menu or in [Administrative Tools]; you need to find it in the installation directory.
(2) Using the software
In the following introduction we describe the meaning of each step and its recommended setting in detail, so that you understand what the settings mean and can keep them consistent with your existing security settings, avoiding problems with the system after the configuration is complete.
Run the software; the following interface appears first (Figure 1):
(Figure 1)
This screen describes the basic purpose of the IIS Lockdown Tool and the points that need attention: 1) when using it, choose the minimum set of services this website needs and remove the unnecessary ones; 2) after the settings are complete, check thoroughly to confirm that they suit this website.
Click the [Next] button; the following interface appears (Figure 2):
(Figure 2)
This screen selects express mode or advanced mode. Here the software explains the difference between the two:
Express: this mode turns off some advanced IIS service properties, including dynamic page support (ASP);
So we repeat: choose express mode only for sites made of static pages; of course, this mode is relatively safer. Advanced mode: this mode lets the administrator customize each property while keeping the advanced features running;
We do not need to describe the express mode settings; clicking [Next] applies them. Let's choose [Advanced Lockdown] and click [Next]; the following interface appears (Figure 3):
(Figure 3)
This screen helps administrators set the script mappings. What should we set for each mapping?
1) Disable support for Active Server Pages (ASP): selecting this makes IIS stop supporting ASP; choose it according to the website's situation, since most websites need to run ASP programs;
2) Disable support for Index Server Web Interface (.idq, .htw, .ida): selecting this disables the indexing service, that is, the .idq, .htw and .ida mappings. Let's look at what the indexing service is before deciding. Index Server is the content indexing engine included with IIS 4; it can be called through ADO to search your site, giving you a very good site search engine. If your website does not use the indexing service for full-text search, you can disable this feature; the benefits of disabling it are:
(1) Reduced system load;
(2) Effective prevention of viruses and attackers that use Index Server vulnerabilities, since these vulnerabilities may let an attacker control the web server and also expose the physical location of web files on the server (via .ida and .idq). We therefore generally recommend ticking this item, that is, disabling the indexing service;
3) Disable support for Server Side Includes (.shtml, .shtm, .stm): disables server-side includes. First, what are server-side includes? SSI is an HTML file that can call commands or directives placed in comment lines. SSI is powerful: a simple SSI command can update content across the entire site, display the time and date dynamically, and run complex features such as shell and CGI scripts. In general we do not use this feature, so it is recommended to disable it; disabling it removes some potential IIS vulnerabilities;
4) Disable support for Internet Data Connector (.idc): disables the Internet Database Connector. First, its role: it lets an HTML page connect to a back-end database to produce dynamic pages. Note that IIS 4 and IIS 5 sites basically no longer use IDC, so it is recommended to tick this item and disable IDC;
5) Disable support for Internet Printing (.printer): disables Internet printing. We generally have not used this feature, so disabling it is suggested; disabling it avoids the .printer remote buffer overflow vulnerability, which allows attackers to remotely break into the IIS server and execute arbitrary commands as the system administrator;
6) Disable support for .htr scripting (.htr): disables the HTR mapping. An attacker can construct a special URL request via HTR that may expose part of the site's file source code (including ASP); it is recommended to tick this item and disable the mapping.
After understanding the above settings, we can decide according to this website. Apart from the ASP requirement, a typical website can disable everything else, that is, leave the first item unticked and tick all the others. Press the [Next] button; the following interface appears (Figure 4):
(Figure 4)
This screen lets the administrator choose which files from the default IIS installation to keep. Let's see how to choose:
1) Remove sample web files: deletes the sample web sites. Deletion is recommended, because we do not need these files on the server and they may let attackers read some web page source code (including ASP);
2) Remove the Scripts virtual directory: deletes the scripts virtual directory; deletion is recommended;
3) Remove the MSADC virtual directory: deletes the MSADC virtual directory; deletion is recommended;
4) Disable Distributed Authoring and Versioning (WebDAV): disables WebDAV. WebDAV mainly lets administrators write and modify pages remotely. Disabling it is usually suggested; the benefit is avoiding the IIS 5 WebDAV vulnerability, which can cause the server to stop.
5) Set file permissions to prevent the IIS anonymous user from executing system utilities (such as cmd.exe, tftp.exe): prevents anonymous users from running executables such as cmd.exe and tftp.exe. Selecting this is suggested, because Code Red and Nimda both made use of the anonymous user's ability to run these executables;
6) Set file permissions to prevent the IIS anonymous user from writing to content directories: prevents anonymous users from having write permission on content directories; this needs no explanation, and selecting it is suggested;
After setting the above options, press the [Next] button; the following interface appears (Figure 5):
(Figure 5)
It asks for confirmation of the above settings; select [Yes], and the following interface (Figure 6) shows the settings being applied to the system:
(Figure 6)
In this screen we can see the detailed settings being applied to IIS. After the settings are complete, it is recommended to restart IIS.
Two: URLScan Tool, filtering illegal URL access
Looking carefully at IIS vulnerabilities, we can draw this conclusion: all attacks that use these vulnerabilities against a website work by constructing special URLs to access the site. The URLs that can exploit vulnerabilities generally fall into the following types:
1) Abnormally long URLs, such as the URL Code Red uses to attack a site:
Get / default.idaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2) URLs with special characters or strings, for example appending ::$DATA to a URL can reveal the source code of a web page (ASP);
3) URLs containing an executable file name, most commonly cmd.exe;
Since these attacks are carried out through special URLs, Microsoft provides a security tool specialized in filtering illegal URLs, which keeps such attacks out at the door. This tool has the following features and functions:
1) Basic function: filtering illegal URL requests;
2) Rule settings that decide which URL requests are legal; with these you can develop URL request rules specific to this website, and when a new vulnerability appears you can change the rules to block it;
3) The program ships with a set of URL request rules covering the exploit characteristics discovered so far, to help administrators set their own rules;
(1) Software download and installation
URLScan can be downloaded from Microsoft's website at the following address:
http://download.microsoft.com/download/iis50/UTILITY/1.0/NT45XP/EN-US/urlscan.exe
Install it like ordinary software; however, the installation path cannot be chosen. After installation, we can find the following files in the System32\inetsrv\urlscan directory:
urlscan.dll: the dynamic link library;
urlscan.inf: the installation information file;
urlscan.txt: the software description file;
urlscan.ini: the configuration file; all URLScan configuration is done in this file.
(2) Software configuration
URLScan is configured through the urlscan.ini file. We need some basic knowledge before configuring this file.
1) Structure of the URLScan configuration file
The URLScan configuration file must follow these rules:
(1) The file name must be urlscan.ini;
(2) The configuration file must be in the same directory as urlscan.dll;
(3) The configuration file must be a standard INI file, composed of sections, keys and values;
(4) After the configuration file is modified, IIS must be restarted for the configuration to take effect;
(5) The configuration file consists of the following sections:
[Options] section: the main settings section;
[AllowVerbs]: the request verbs treated as legal; this setting depends on the Options section;
[DenyVerbs]: the request verbs treated as illegal; this setting depends on the Options section;
[DenyHeaders]: the request headers to be rejected;
[AllowExtensions]: the file extensions treated as legal; this setting depends on the Options section;
[DenyExtensions]: the file extensions treated as illegal; this setting depends on the Options section;
2) Specific configuration
(1) Let's first look at the Options section. Its settings directly affect the rest of the configuration, so this section is particularly important. It mainly sets the following properties:
UseAllowVerbs: use allow mode to check request verbs. If set to 1, all requests whose verb is not listed in [AllowVerbs] are denied; if set to 0, all requests whose verb is not listed in [DenyVerbs] are considered legal; the default is 1;
UseAllowExtensions: use allow mode to check file extensions. If set to 1, all requests for extensions not listed in [AllowExtensions] are considered illegal; if set to 0, all extensions not listed in [DenyExtensions] are considered legal; the default is 0;
EnableLogging: whether to write a log file; if 1, all filtering is recorded in urlscan.log in the same directory;
AllowLateScanning: allows other URL filters to run before URLScan; the default is 0, not allowed;
AlternateServerName: replacement server name; if this key exists and RemoveServerHeader is set to 0, IIS sends the name set here instead of the default Server header;
NormalizeUrlBeforeScan: whether URLScan normalizes the URL before checking it; if 1, URLScan decodes (normalizes) the URL the way IIS would before scanning it, rather than scanning the raw request. Be reminded that only an administrator who is very familiar with URL parsing should change this; the default is 1;
VerifyNormalization: if set to 1, URLScan verifies the URL normalization (that decoding the normalized URL again does not change it); the default is 1; this key works together with NormalizeUrlBeforeScan;
AllowHighBitCharacters: if set to 1, all byte values are allowed in the URL; if 0, a URL containing non-ASCII characters is rejected; the default is 1;
AllowDotInPath: if set to 0, all URL requests whose path contains more than one "." are rejected. Since URLScan checks the URL before IIS parses it, the accuracy of this check cannot be guaranteed; the default is 0;
RemoveServerHeader: if set to 1, the Server header is removed from all responses; the default is 0;
(2) [AllowVerbs] section configuration
If UseAllowVerbs is set to 1, all verbs listed in this section are allowed; the following are generally set:
GET, HEAD, POST
(3) [DenyVerbs] section configuration
If UseAllowVerbs is set to 0, all verbs listed in this section are rejected; the following are generally set: PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK
(4) [AllowExtensions] section settings
All extensions listed in this section are allowed to be requested; the following are generally set:
.txt, .jpg, .jpeg, .gif; if you need to provide file downloads, add .rar and .zip;
(5) [DenyExtensions] section settings
All files with extensions listed in this section are rejected; based on the vulnerabilities discovered so far we can add entries to this section, generally the following:
.asa, executables, batch files, log files, and rarely used extensions such as .shtml and .printer.
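To tie the three attack URL types in section Two to the urlscan.ini sections just described, here is an added worked example (not from the original article and not Microsoft's URLScan code): a small Python model that parses a constructed urlscan.ini and applies its rules to request lines. The section and key names follow the article; the order of the checks and the decision to let extension-less requests such as "/" through are assumptions of this model.

```python
import configparser
from urllib.parse import unquote

# Constructed urlscan.ini sample laid out as the article describes
# (sample rules for illustration, not Microsoft's shipped file).
URLSCAN_INI = """
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
[AllowVerbs]
GET
HEAD
POST
[AllowExtensions]
.htm
.asp
.gif
"""

def load_rules(ini_text):
    # Bare keys in the list sections (GET, .asp) become lower-cased sets.
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(ini_text)
    rules = {k: cp["Options"].get(k) == "1" for k in cp["Options"]}
    rules["verbs"] = set(cp["AllowVerbs"])
    rules["exts"] = set(cp["AllowExtensions"])
    return rules

def check_request(rules, verb, url):
    # Returns (allowed, reason); check order is this model's assumption.
    if rules["useallowverbs"] and verb.lower() not in rules["verbs"]:
        return False, "verb not in [AllowVerbs]"
    path = url.split("?", 1)[0]           # the query string is not inspected
    if rules["normalizeurlbeforescan"]:
        path = unquote(path)              # decode %xx once, as IIS would
        if rules["verifynormalization"] and unquote(path) != path:
            return False, "double-encoded URL fails VerifyNormalization"
    if not rules["allowhighbitcharacters"] and any(ord(c) > 127 for c in path):
        return False, "non-ASCII character in URL"
    name = path.rsplit("/", 1)[-1]        # last path segment carries the extension
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext and rules["useallowextensions"] and ext not in rules["exts"]:
        return False, "extension not in [AllowExtensions]"
    return True, "ok"

RULES = load_rules(URLSCAN_INI)
```

With these rules the long Code Red .ida request, a ::$DATA request and a cmd.exe request are all refused by the extension allow list alone, while a double-encoded path is caught by VerifyNormalization.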
Three: Summary
The two tools above are powerful and can truly protect IIS. The IIS Lockdown Tool is simple to use but, relatively speaking, provides only passive defence; URLScan is harder to set up and is recommended for administrators familiar with IIS, but its protection is stronger. When using URLScan, do not expect the settings to be done once and for all: you need to keep track of new vulnerabilities and modify the URLScan configuration file accordingly.