15 tips for protecting an IIS web server
Author: Unknown
Most Web sites are designed to give visitors immediate access to information in the easiest way possible. In the past few years, a growing number of security problems caused by hackers, viruses and worms have seriously affected website accessibility. Apache servers are often an attacker's target, but Microsoft Internet Information Services (IIS) web servers are targets in the truest sense.
Higher-education institutions often struggle to find a balance between building lively, user-friendly websites and building highly secure ones. On top of that, they must now commit to improving website security while their technology budgets shrink (in fact, many of their private-sector counterparts face a similar situation).
Because of this, I will offer some techniques to help university IT managers with budget headaches protect their IIS servers. Although aimed mainly at university IT professionals, these techniques are basically applicable to any IIS manager who wants to improve security on a small budget. In fact, some of these techniques are also very useful for IIS managers with generous budgets.
First, develop a security strategy
The first step in protecting a web server is to make sure the network administrator knows every provision of the security policy. If the company's senior management does not regard server security as an asset that must be protected, the protection work is completely meaningless. This work takes sustained effort. If the budget does not support it, or it is not part of a long-term IT strategy, administrators who spend a lot of time securing servers will not receive meaningful support from management.
What is the direct result when a network administrator sets up security across the board? Some particularly adventurous users will be shut out. Those users will then complain to the company's management, and management will question the network administrator. The network administrator then has no documentation to support the security work, and so conflict arises.
By documenting a security policy that covers web server security levels and availability, network administrators will be able to deploy a variety of software tools on different operating systems.
IIS security tips
Microsoft's products have always been a favorite target, so IIS servers are especially likely to be attacked. Knowing this, the network administrator must be prepared to carry out a large number of security measures. Below is a list that server operators may find very useful.
1. Keep Windows up to date:
You must apply all updates promptly and install every patch for the system. Consider downloading all updates to a dedicated server on your network and publishing the files from that machine. That way, your web server does not need direct Internet access.
2. Use IIS Prevent Tools:
This tool has many practical advantages, but use it with caution. If your web server interacts with other servers, test the tool first to confirm that it is configured correctly and does not interfere with communication between the web server and those servers.
3. Remove the default Web site:
Many attackers target the INETPUB folder and plant attack tools in it, bringing the server down. The easiest way to prevent this attack is to disable the default site in IIS. Then, because such attackers reach your website by IP address (they may visit thousands of IP addresses in a day), their requests are likely to run into trouble. Point your real Web site to a folder on a separate partition, and make sure it has secure NTFS permissions (described in detail in the NTFS tip below).
4. If you don't need the FTP and SMTP services, uninstall them:
The easiest way into your computer is through FTP. FTP itself was designed for simple read/write access. If you authenticate, your username and password travel across the network in plaintext. SMTP is another service that allows write access to folders. By disabling these two services, you can avoid more hacker attacks.
5. Check your administrators group and services regularly:
One day I entered our classroom and found extra users in the administrators group. This means that someone has successfully entered your system; he or she might plant a bomb in your system that suddenly destroys the whole thing, or take up a lot of bandwidth for the hacker's own use. Hackers also tend to leave a helper service behind. Once that happens, any measure comes too late: you can only reformat your disk and restore your daily backup from the backup server. Therefore, checking the list of services on the IIS server and keeping the services to a minimum must be a daily task. You should remember which services should exist and which should not. The Windows 2000 Resource Kit includes a useful program called TList.exe, which can list the services running under each instance of Svchost. Running this program can reveal hidden services you will want to know about. A hint: any service whose name contains the word Daemon is probably not a service that ships with Windows and should not exist on the IIS server.
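One way to turn the daily check in tip 5 into a repeatable comparison, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the approved account and service lists are constructed placeholders.

```powershell
# Added example (not from the original article). The baseline values are constructed
# placeholders; replace them with the accounts and services approved for your server.
$ApprovedAdmins   = @('WEB01\Administrator', 'CAMPUS\Domain Admins')
$ApprovedServices = @('W3SVC', 'IISADMIN', 'EventLog', 'RpcSs', 'Dnscache')

function Get-Unexpected {
    # Entries present now but missing from the approved list (case-insensitive).
    param([string[]]$Current, [string[]]$Approved)
    $Current | Where-Object { $Approved -notcontains $_ } | Sort-Object -Unique
}

function Get-DaemonNamedService {
    # The article's hint: a service with "daemon" in its name probably did not ship with Windows.
    param([object[]]$Services)
    $Services | Where-Object { $_.Name -match 'daemon' -or $_.DisplayName -match 'daemon' }
}

# Collect the current state of the local machine.
$admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$services = @(Get-Service)
$running  = @($services | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })

$report = [pscustomobject]@{
    UnexpectedAdmins   = @(Get-Unexpected -Current $admins  -Approved $ApprovedAdmins)
    UnexpectedServices = @(Get-Unexpected -Current $running -Approved $ApprovedServices)
    DaemonNamed        = @(Get-DaemonNamedService -Services $services | ForEach-Object { $_.Name })
}
$report | Format-List

# A warning in the output is easy to pick up from a scheduled task's log.
if ($report.UnexpectedAdmins.Count -or $report.UnexpectedServices.Count -or $report.DaemonNamed.Count) {
    Write-Warning 'Administrators group or service list differs from the approved baseline.'
}
```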
6. Strictly control write access to the server:
This sounds easy; however, on a university campus a web server actually has many "authors". Faculty members want their course information to be accessible to remote students. Staff want to share their work with other staff. Folders on the server can end up with extremely dangerous access permissions. One way to share or publish this information is to install a second server dedicated to sharing and storage, and then configure your web server to point to the share server. This step lets network administrators restrict write permission on the web server itself to the administrators group.
7. Set complex passwords:
I recently entered the classroom and discovered many possible hackers in the Event Viewer. He or she had gotten deep enough into the laboratory's domain structure to run password-cracking tools against any user. If a user has a weak password (for example, "Password" or "CHANGEME" or any dictionary word), the hacker can quickly break into that user's account.
8. Reduce or eliminate shares on the web server:
If the network administrator is the only person with write permission to the web server, there is no reason to have any shares. Shares are the biggest temptation for hackers. In addition, by running a simple looping batch file, hackers can check a list of IP addresses, using the // command to look for shares with Everyone / Full Control permissions.
9. Disable NetBIOS in the TCP/IP protocol:
This one is harsh. Many users want to access the web server by UNC path name. With NetBIOS disabled, they cannot. On the other hand, with NetBIOS disabled, hackers cannot see resources on your LAN. It is a double-edged sword. If the network administrator deploys this measure, the next step is to work out how to publish information without NetBIOS.
10. Use TCP port blocking:
This is another harsh tool. If you know every TCP port that legitimately needs to reach your server, you can open the properties tab of your network interface card, select the bound TCP/IP protocol, and block all the ports you don't need. Use this tool carefully, because you don't want to lock yourself out of the web server, especially when you need to log in to the server.
11. Carefully check *.bat and *.exe files:
Search once a week for *.bat and *.exe files, and check whether the server holds any executables that a hacker would love and that would be a nightmare for you. Among these destructive files there may also be some *.reg files. If you right-click one and select Edit, you may find that hackers have created registry files that let them into your system. You can delete these keys, which serve no purpose other than making things convenient for intruders.
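The weekly search from tip 11 as a script, added here as an example that is not part of the original article. The function name, the seven-day window and the demo directory are assumptions; the demo tree is constructed so the script runs without touching a real web root.

```powershell
# Added example (not from the original article): list recently created or modified
# .bat, .exe and .reg files under a content directory, with hashes for later comparison.
function Find-RecentExecutable {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$Days = 7,
        [string[]]$Extensions = @('.bat', '.exe', '.reg')
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $Extensions -contains $_.Extension.ToLowerInvariant() -and
            ($_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Constructed demo tree: two fresh script/registry files, one ordinary page,
# and one executable backdated so it falls outside the seven-day window.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('webroot-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'scripts') -Force | Out-Null
Set-Content -Path (Join-Path $demo 'index.htm')            -Value '<html></html>'
Set-Content -Path (Join-Path $demo 'scripts\update.bat')   -Value 'rem constructed sample'
Set-Content -Path (Join-Path $demo 'scripts\settings.reg') -Value 'constructed sample'
Set-Content -Path (Join-Path $demo 'old.exe')              -Value 'constructed sample'
$old = Get-Item -LiteralPath (Join-Path $demo 'old.exe')
$old.CreationTime  = (Get-Date).AddDays(-30)
$old.LastWriteTime = (Get-Date).AddDays(-30)

Find-RecentExecutable -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Keeping each week's output makes it possible to compare hashes and spot a file that changed without a matching deployment.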
12. Manage IIS directory security:
IIS directory security lets you deny specific IP addresses, subnets and even domain names. As an alternative, I chose a piece of software called Whoson, which lets me see which IP addresses are trying to access specific files on the server. Whoson lists a series of exceptions. If you find someone trying to access your cmd.exe, you can choose to deny that user access to the web server. Of course, on a busy Web site this may need a full-time member of staff! On an internal network, however, this is a really useful tool. You can provide resources to all users on the LAN, or only to specific users.
13. Use NTFS security:
By default, your NTFS drives use Everyone / Full Control unless you change it by hand. The key is not to lock yourself out. Different people need different privileges: the administrator needs full control, the background management account also needs full control, and the system and services each need a level of access that depends on the file. The most important folder is System32; the tighter the access permissions on this folder, the better. Using NTFS permissions on the web server helps you protect important files and applications.
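A check for the default described in tip 13, added here as an example that is not part of the original article. The function name and the content path are hypothetical; the script only reads ACLs and changes nothing.

```powershell
# Added example (not from the original article): report folders where Everyone
# still holds an Allow / Full Control entry.
function Find-EveryoneFullControl {
    param([Parameter(Mandatory)][string]$Root)
    # Resolve the well-known SID S-1-1-0 so the check also works on localized systems.
    $sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # folder could not be read; skip it
        foreach ($rule in $acl.Access) {
            if ($rule.IdentityReference.Value -eq $everyone -and
                $rule.AccessControlType -eq 'Allow' -and
                ($rule.FileSystemRights -band $full) -eq $full) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Inherited = $rule.IsInherited   # True: fix the parent folder instead
                }
            }
        }
    }
}

# Hypothetical content path; point this at the folder your site is served from.
$contentRoot = 'D:\WebContent'
if (Test-Path -LiteralPath $contentRoot) {
    Find-EveryoneFullControl -Root $contentRoot | Format-Table -AutoSize
}
```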
14. Manage user accounts:
If you have installed IIS, you may have a TSINTERNETUSER account. Unless you really need this account, you should disable it. This user is easily compromised and is a prominent target for hackers. To help manage user accounts, make sure there are no problems with your local security policy. The IUSR user's permissions should also be as small as possible.
15. Audit your web server:
Auditing has a big impact on your computer's performance, so if you do not review the results often, don't audit. If you really can use it, audit system events and add audit tools when you need them. If you are using the Whoson tool mentioned earlier, auditing is less important. By default, IIS always keeps logs. Whoson places these records in a very easy-to-read database that you can open with Access or Excel. If you look at the exceptions database often, you can find the server's weak points at any time.
Summary
All of the above IIS techniques and tools (except for Whoson) come with Windows. Remember to test your website after applying these techniques and tools. If they are all deployed at once, the result may cost you dearly: you may need to restart, and you may lose access.
Last tip: Log in to your web server and run netstat -an on the command line. See how many IP addresses are trying to establish a connection to your ports, and you will have plenty of investigation and research to do.
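To make the netstat -an output from the last tip easier to read, the following added example (not part of the original article) counts connections per remote address and local port. The function name is an assumption, and the sample output is constructed from documentation address ranges rather than taken from a real capture.

```powershell
# Added example (not from the original article): summarize `netstat -an` output by
# remote address and local port, counting established and half-open TCP connections.
function Get-ConnectionSummary {
    param([string[]]$NetstatLines)
    $states = @('ESTABLISHED', 'SYN_RECEIVED')
    $NetstatLines | ForEach-Object {
        # Columns: Proto, Local Address, Foreign Address, State
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 4 -and $f[0] -eq 'TCP' -and $states -contains $f[3]) {
            [pscustomobject]@{
                RemoteAddress = $f[2] -replace ':\d+$', ''
                LocalPort     = [int](($f[1] -split ':')[-1])
            }
        }
    } |
    Group-Object RemoteAddress, LocalPort |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            RemoteAddress = $_.Group[0].RemoteAddress
            LocalPort     = $_.Group[0].LocalPort
            Connections   = $_.Count
        }
    }
}

# Constructed sample output (documentation address ranges), not a real capture.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.23:50112    ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.23:50113    ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.7:41822      ESTABLISHED
  TCP    192.0.2.10:445         203.0.113.99:2301      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.7:41830      TIME_WAIT
  UDP    0.0.0.0:161            *:*
'@ -split "`r?`n"

Get-ConnectionSummary -NetstatLines $sample | Format-Table -AutoSize
# On the server itself: Get-ConnectionSummary -NetstatLines (netstat -an)
```

Remote addresses connecting to ports you did not expect to be reachable, such as 445 on a web server, are the first ones worth investigating.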