Because IIS (Internet Information Server) is convenient and easy to use, it has become one of the most popular web server packages. However, the security of IIS has always been a concern. How to use IIS to build a secure web server is a topic many people care about.
Building a secure system
To create a secure and reliable web server, you must secure both Windows 2000 and IIS, because IIS users are also Windows 2000 users and IIS directory permissions rely on the permission control of the Windows NTFS file system. The first step in protecting IIS is therefore to secure the Windows 2000 operating system:
1. Use the NTFS file system to manage files and directories.
2. Disable the default shares
Open the Registry Editor, expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters, and add a value named AutoShareServer of type REG_DWORD with a value of 0. This completely disables the "default shares".
3. Modify share permissions
Immediately after creating a new share, change the default permissions granted to Everyone so that visitors to the web server do not get unnecessary permissions.
4. Rename the system administrator account to avoid attacks by unauthorized users.
Right-click [My Computer] → [Manage] to start the "Computer Management" program. Under "Local Users and Groups", right-click "Administrator" → select "Rename" and change the administrator account to a very ordinary user name.
5. Disable NetBIOS over TCP/IP
Right-click [My Network Places] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [WINS], and select "Disable NetBIOS over TCP/IP" near the bottom.
6. Control inbound connections over TCP/IP
Right-click [My Network Places] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options] and click the "TCP/IP filtering" entry in the list. Click the [Properties] button, select "Permit Only", then click the [Add] button and enter only port 80.
7. Modify the registry to reduce the risk of denial-of-service attacks.
Open the Registry Editor and, under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, set the value SynAttackProtect to 2, so that connection requests time out faster.
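The two registry changes in steps 2 and 7 are easy to get wrong or to lose after a rebuild, so it helps to verify them from an exported .reg file. The following is an added example, not part of the original article: it parses the text of a Registry Editor export and reports whether AutoShareServer and SynAttackProtect hold the values given above. The function names and the sample export are constructed for illustration.

```python
import re

# Hardening values named in steps 2 and 7 (key path, value name, required DWORD).
REQUIRED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "SynAttackProtect", 2),
]

def parse_reg_export(text):
    """Return {(key, value_name): int} for every dword in a .reg export.
    Key and value names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return a list of findings; an empty list means both settings are in place."""
    found = parse_reg_export(text)
    findings = []
    for key, name, want in REQUIRED:
        got = found.get((key.lower(), name.lower()))
        if got is None:
            findings.append(f"{name}: missing under {key}")
        elif got != want:
            findings.append(f"{name}: is {got}, expected {want}")
    return findings

# Constructed sample export: default shares disabled, SYN protection still at 1.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"autoshareserver"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Version 5.00 exports are written as UTF-16, so decode the file accordingly before passing its text to audit().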
Ensuring the security of IIS itself
Secure installation of IIS
To build a secure IIS server, you must consider security from the moment of installation.
1. Do not install IIS on the system partition.
2. Change the default installation path of IIS.
3. Install the latest patches for Windows and IIS.
IIS security configuration
1. Delete unnecessary virtual directories
After IIS is installed, some directories are created by default under wwwroot, including Iishelp, Iisadmin, Iissamples, MSADC, etc. These directories serve no practical purpose and can be deleted directly.
2. Remove dangerous IIS components
Some IIS components included in the default installation may pose security threats, such as Internet Service Manager (HTML), SMTP Service, NNTP Service, and the sample pages and scripts. Decide whether to delete them according to your needs.
3. Set permissions for files in IIS
In addition to setting the necessary permissions for IIS files in the operating system, you must also set permissions for them in the IIS Manager. A good policy is to create a separate directory for each type of file on the web site and assign appropriate permissions to each. For example: the static-file folder allows read and denies write; the ASP script folder allows execute and denies write and read; folders for EXE and other executables allow execute and deny read and write.
4. Delete unnecessary application mappings
IIS has many application mappings by default; apart from the ASP mapping, the other file types are rarely used on a website.
In the Internet Service Manager, right-click the website directory and select "Properties". On the "Home Directory" page, click the [Configuration] button to open the "Application Configuration" dialog box, and on the "App Mappings" page delete the mappings you do not use. If you do need one of these file types, install the latest system patches, select the corresponding mapping, click the [Edit] button, and make sure the "Check that file exists" option is selected in the "Add/Edit Application Extension Mapping" dialog box. Then, when a client requests such a file, IIS first checks whether the file exists, and only if it does will IIS call the dynamic link library defined in the mapping to process it.
5. Protect the logs
Logs are an important part of the system security policy; protecting the logs effectively improves the overall security of the system.
● Change the storage path of the IIS logs
By default, the IIS logs are stored in %windir%\system32\logfiles, and attackers of course know this well, so it is best to change the storage path. In the Internet Service Manager, right-click the website directory and select "Properties". On the "Web Site" page of the properties dialog box, with "Enable Logging" selected, click the [Properties] button next to it. On the "General Properties" page, click the [Browse] button or type the log storage path directly into the input box.
● Change the access permissions on the logs so that only administrators can access them.
With the security settings above in place, I believe that your web server will be secure.