Iis Lock Tool's use
1, software download and installation
IIS LOCK TOOL in Microsoft Website Download, Downloads: http://www.microsoft.com/downloads/...releaseId=32362
It is very simple to install, it should be noted that after the installation, the program will not appear in the system [Program] menu, and will not appear in [Management Tool], you need the installer to find the program in the installation directory.
2, the use of software
In the following introduction, we will introduce the meaning and recommended settings of each step, which is described in detail, is to understand what these settings mean, at the same time, with our original security settings, avoid setting up completion In the future, the system appears.
The above interface describes some basic conditions of IIS Lock Tool and where you need to pay attention to: 1) When you use the least service of this website, remove unnecessary services; 2) After the setting is complete, it is recommended to thoroughly check the website. To determine if the setting is appropriate to this website;
At the above, click the [Next] button
The above chooses shortcut or advanced mode to run the software, here, the software introduces the difference between the two modes:
Shortcut mode: This setting mode off some advanced service properties of IIS, including dynamic web attributes (ASP); so we need to repeat it again, choose shortcuts only suitable for providing static pages, of course, this mode is relative the safest.
Advanced Mode: This mode runs the installer to customize the various properties while allowing the advanced properties to run.
Shortcut mode settings We don't have to introduce, click the [Next] button to set it. We choose [Advanced LockDown] (Advanced Settings), click the [Next] button
The above help administrators set various script maps, let's see how each mapping should be set:
1) Disable Support Active Server Pages (ASP), Select this setting will make IIS do not support ASP functions; you can choose to choose from the specific situation of the website, because the website generally requires running ASP programs;
2) Disable support Index Server Web Interface (.idq, .htw, .ida), Select this will not support indexing services, which is not supported .idq, .htw, .ida files. Let's take a look at what is an index service, and then decide to pay. Indexing services are the content index engine included in IIS4. You can call it ADO and search for your site, which provides you with a very good web search engine. If your website does not use index services to retrieve the website, you can cancel this feature of the website, the benefits of cancellation are: 1) Reduce the system burden; 2) Effectively prevent viruses and hackers that use index service vulnerabilities, because index servers The vulnerability may cause the attacker to control the website server, while exposing the physical location of the web file on the server (using .ida, .idq). Therefore, we generally recommend ticking in the front, that is, cancel the index service;
3) Disable support for server side incdude (.shtml, .shtm ,.stm), Cancel server side contains; first, let's see what server is included, SSI is in an HTML file, you can call commands or pointers that are called by comment. SSI has a powerful feature, as long as a simple SSI command can realize the content update, dynamic display time and date of the entire website, and perform complex features such as Shell and CGI scripts. In general, we don't use this feature, so it is recommended to cancel some of the IIS potential vulnerability; 4) Disable for Internet Data Connector (.IDC), cancel the Internet database connection; first look at the role of Internet database connection, It allows HTML pages and background database to connect to dynamic pages. It should be noted that IIS4 and IIS5 are basically no IDC, so it is recommended to tick, cancel IDC in this item;
5) Disable support for Internet printing (.printer), cancel the Internet printing; this feature we generally have not been used, suggestion cancellation; cancellation is to avoid .printer remote cache overflow vulnerability, this vulnerability allows attackers to use this vulnerability remote Invading the IIS server and performs any command as system administrator (System administrator);
6) Disable support for .htr scripting (.htr), cancel HTR mapping; attacker constructs a special URL request via HTR, which may cause the website part of the file source code exposure (including ASP), it is recommended to tick, cancel mapping in front of this ;
After understanding the above settings, we can decide to pay according to this website. In addition to the ASP requirements, the usual website can be canceled, that is, the first front of the whole process, all other ticks, press [next step] 】 Button
The above settings allow the administrator to choose some of the reservations for IIS default installation files, how do we choose:
1) Remove Sample Web Files, delete web examples; it is recommended to delete because we don't need to read these files on the server, and these files may allow attackers to read some web page source code (including ASP);
2) Remove The Scripts Vitual Directory, delete scripting virtual directory; recommended deletion;
3) Remove The MSDAC Virtual Directory, delete the MSDAC virtual directory, suggestion deletion;
4) Disable Distribauted Authoring and Versioning (WebDAV), Delete WebDAV, WebDAV mainly allows managers to write and modify pages remotely, usually, suggestion deletion, deleting benefits can avoid IIS5's WebDAV vulnerability, this vulnerability Leading the server to stop.
5) SET File Permous to Prevent The IIS Anouymous User from Executing System Utilities (Such as cmd.exe, tftp.exe), prevents anonymous users from running executables, such as cmd.exe and tftp.exe; suggestions to select this, because The red code and Nima use the "SET File Permous" to Prevent The IIS Anouymous User from Writing to Content Directories, preventing anonymous users from having write permissions for the directory, this don't explain , Recommended selection;
After setting the above option, press the [Next] button
Requirements whether to accept the above settings, select [Yes], start setting up the system:
In the above, we can see the detailed setting of IIS. After the setting is complete, it is recommended to restart IIS.
