1 Introduction
The website is the entry point of a network service and sits at the outermost edge of the network system, so it is more likely than anything else to be attacked, and its security is self-evidently important. For various reasons many websites use the relatively simple structure of NT (Windows NT/2000/2003) plus IIS (Internet Information Server), and there are big gaps between sites in technical strength and management level; their security is correspondingly uneven, and only a few IIS websites are highly secure. Although IIS comes with default security controls and management mechanisms, considerable security problems remain, so it is necessary to analyze them further and arrive at a more optimized and reasonable configuration and management.
2 Unsafe Factors
IIS itself has many inherent shortcomings and security vulnerabilities. Although new IIS versions and patches improve or repair the problems that have been discovered, new vulnerabilities keep emerging over time, and new hidden security dangers appear with them. Because NT and IIS are fairly complex, becoming familiar with them and mastering them takes a great deal of time and effort, and the average administrator finds it difficult to configure and manage them securely. Many IIS defaults are simply dangerous: they favour convenience for the user but may eventually lead to a security disaster. The main forms and influencing factors of IIS insecurity are:
Unicode vulnerability. Unicode security issues are present in many systems: when IIS decodes a string containing Unicode, the result can be errors or illegal operations. For example, NT is not strict about path separators (unlike UNIX, which supports only "/"), and attackers can use this for directory browsing or illegal control. Unicode decoding is done by the system kernel, but many of the current Unicode vulnerability patches do not really solve the problem; they simply filter some dangerous character encodings, so the Unicode security hazard in IIS still exists.
Application mapping problems. Many of the application mappings in IIS carry considerable security issues; source code disclosure, buffer overflows, denial of service, illegal script execution, and the like are basically all triggered through them. This is where many IIS websites are insecure.
ISAPI buffer overflow vulnerability. This issue exists in the .htr, .printer, and other mappings. An attacker can obtain local access to the host; with random data the IIS service crashes or the host restarts automatically, and with carefully constructed data the attacker can gain system administrator privileges. The Code Red worm successfully exploited this vulnerability in the IIS Index Server component to spread and attack.
IIS RDS (Remote Data Service) vulnerability. RDS is a component of MDAC; IIS 4 systems with the MSADC virtual directory are the most vulnerable, which can allow illegal users to access ODBC databases, read restricted files, or execute commands remotely.
HTTP non-standard data problem. An attacker sends a large number of specially malformed HTTP request header packets, which can consume all of the server's memory; only after the service is terminated or the host is restarted can IIS return to normal.
IIS authentication vulnerability. This can leak system information and allow accounts to be brute-forced remotely. If the server supports basic authentication, an attacker can manipulate the Host header field so that the web server returns information containing its internal address; if the server supports NTLM authentication, an attacker can obtain the server's NetBIOS name and domain information.
Device file problem. For compatibility, NT supports device file names such as "PRN" and "CON". Although some security precautions were added compared with Windows 9x, many programs still have problems, and in some special cases IIS will refuse service. For example, using an FSO object in an ASP program can cause the service to stop responding.
System design errors. There are many design errors in the NT system. For example, the account lockout policy conflicts with IIS security: once the account lockout policy is enabled, the IUSR_ and IWAM_ accounts can be locked out, at which point nobody can access IIS, so an attacker can easily achieve a denial of service against IIS.
Application problems. The website's applications undertake and implement the specific network services and features, but because programming skill varies, application security varies greatly too, and this is also a very easy way to bring attacks onto IIS. Common application security issues include: unchecked client data input and poor fault tolerance; careless error handling, resulting in service accidents; leakage of database connection details; wrong assumptions about the application environment; and improper handling of referenced processing modules.
Subjective human factors. This refers to the influence of the awareness, quality, ethics, sense of responsibility, technical skill, and other subjective aspects of the website's designers, administrators, and users. It mainly shows itself as: weak security awareness and insufficient attention, emphasizing performance while neglecting security; insufficient dedication and a weak sense of responsibility, leading to laxity; configuration errors or improper operation; insufficient investment, with emphasis on hardware while the supporting soft security environment is ignored; no comprehensive in-depth study and no corresponding countermeasures, with many websites never having done a risk assessment or security review; weak management, unclear responsibilities, and poor enforcement; insufficient education and learning and lagging team building, so that a considerable proportion of site administrators and technicians lack adequate training and experience with emergencies; backward technical means, with many sites not using the corresponding protective equipment and tools for lack of funds; and related work such as developing emergency plans, system backup and recovery, and continuous repair of vulnerabilities not being done carefully, so that problems only surface when an incident occurs.
3 Security Solutions
3.1 Installation
Security should be built in from the installation onward, but many network administrators ignore this. Note the following when installing IIS:
NTFS format and partition selection. All partitions of the host should preferably be NTFS, because NTFS security can set different access rights for different files and directories; even if other partitions use FAT, at least the partition where IIS is located should be NTFS. It is recommended to install IIS on a non-system partition, because IIS generally has source code disclosure and buffer overflow vulnerabilities; if the NT system and IIS share a partition, important information may be leaked and system authority acquired remotely.
Installation directory selection. It is recommended not to use the default \inetpub as the IIS installation directory; instead create a new directory with a complex name on a separate partition other than the system partition, which defeats many attacks that rely on the default.
Install only the services needed. By the security principle that maximum security = least services + least privilege, we should try not to install anything unrelated to the site's network services. Many hidden security dangers are caused by rarely used features and imperfect services. If only a simple Web site is being built, install only the WWW server, which reduces the opportunities for attack. The minimum component selection for a typical web service is: install only the Internet Service Manager, the WWW server, and the common files. If other components really must be installed, be careful, especially with the FrontPage Server Extensions, the Internet Service Manager (HTML), and the sample documents: the HTML remote management port is random, but it is easily scanned and so leaves a hidden danger, and the sample documents have proven to contain many security issues. FTP is not recommended: IIS's FTP function is not strong, it is easily eroded and has more vulnerabilities, and by default it transmits passwords in clear text, which is easy to intercept; if FTP is needed, consider using a third-party tool. The SMTP mail service lacks the necessary and valid authentication mechanisms and should not be installed.

Install system security patches. Many of these patches are for IIS; applying an IIS HotFix stops the service and may change its configuration. Patching should be the final step of the installation, because patches tend to replace or modify certain important system files, and a patch installed first may be rendered ineffective by later installation. Note: apply patches in their logical order, since the wrong order may cause errors; on NT 4, if a new program is installed from the NT installation disc after patching, the patches must be reapplied; a Windows 2000 system can directly access http://v4.windowsUpdate.microsoft.com to detect and apply all patches automatically.
3.2 Configuration
IIS security configuration is closely related to the operating system, and a reasonable configuration is an important part of ensuring IIS security.
Account policy. Keep the accounts used for maintenance and administration as few as possible; the more accounts there are, the greater the danger of attack. Account authority should be strictly controlled and the balance of power maintained; do not casually grant special permissions. The administrative account should be renamed to something hard to guess, which adds an obstacle for attackers. The system's Guest and TsInternetUser accounts should be disabled, renamed to complex names, given passwords, and removed from the Guests group to keep hackers out. Account passwords should be made more secure and managed more strictly: the password is the key to security authentication and deserves sufficient attention, since many intrusions are caused by weak passwords. Passwords should be at least 8 characters long, use irregular, rarely used characters in complex combinations, avoid obvious information (such as birthdays, names, dictionary words, etc.), and be updated and changed regularly. When an account is found to have been compromised, its name and password should be changed immediately, and a lockout count should be set in the account properties to prevent brute-force cracking.
Access permissions. To control user rights and possible intrusions, access rights for directories and files must be set. By default all files on NTFS give Everyone full control; it is recommended to reset this according to the application's needs, giving ordinary users only read and list permissions and never full control, modify, write, or similar. Note: permissions accumulate, so if a user belongs to two groups the user has all the permissions allowed to either group; a deny takes precedence over an allow, and a file's own permission takes precedence over the directory's; use group policy cautiously for permission control; give users only the permissions they really need, and the fewer the permissions, the greater the security.
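The three rules in the note above (allows accumulate across groups, deny beats allow, a file's own entry beats an inherited directory entry) are easy to get wrong when reviewing an ACL by eye. The following added example, which is not code from the article, models how Windows evaluates a DACL in canonical order and runs the article's recommended web-content permissions through it; the account names (IUSR_WEBHOST, Developers, alice) are constructed, and the model is a simplified NTFS, not a call into the real API.

```python
from dataclasses import dataclass

# The rights this model knows about; "full" stands for Full Control and expands to all of them.
RIGHTS = frozenset({"read", "list", "write", "modify", "execute"})

@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group the entry applies to
    allow: bool             # True for an allow entry, False for a deny entry
    rights: frozenset       # rights named by the entry (subset of RIGHTS, or {"full"})
    inherited: bool = False  # True if the entry came down from the parent directory

def canonical_order(acl):
    """Windows evaluates a DACL in canonical order:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def effective_rights(acl, user, groups):
    """Rights the user ends up with on one object.
    Allow entries from all of the user's groups accumulate; the first entry
    (in canonical order) that mentions a given right decides it, so an explicit
    deny beats any allow and a file's own entry beats an inherited one."""
    identities = {user, *groups, "Everyone"}
    decided = {}
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        named = RIGHTS if "full" in ace.rights else ace.rights
        for right in named:
            decided.setdefault(right, ace.allow)  # first entry naming the right wins
    return frozenset(r for r, allowed in decided.items() if allowed)

def scenarios():
    """Constructed ACLs for one page under the web root (account names are examples)."""
    fc = frozenset({"full"})
    # 1. The default the article warns about: Everyone has Full Control.
    default_acl = [Ace("Everyone", True, fc, inherited=True)]
    # 2. The recommended setup: everyone (including the anonymous IIS account)
    #    only reads and lists, developers may also write, and the anonymous
    #    account is explicitly denied write/modify on this file.
    hardened_acl = [
        Ace("Everyone", True, frozenset({"read", "list"}), inherited=True),
        Ace("Developers", True, frozenset({"write"}), inherited=True),
        Ace("IUSR_WEBHOST", False, frozenset({"write", "modify"})),
    ]
    # 3. File beats directory: the directory denies write to Everyone,
    #    but this file explicitly allows Developers to write.
    override_acl = [
        Ace("Everyone", False, frozenset({"write"}), inherited=True),
        Ace("Everyone", True, frozenset({"read", "list"}), inherited=True),
        Ace("Developers", True, frozenset({"write"})),
    ]
    return {
        "default_anon": effective_rights(default_acl, "IUSR_WEBHOST", {"Guests"}),
        "hardened_anon": effective_rights(hardened_acl, "IUSR_WEBHOST", {"Guests"}),
        "hardened_dev": effective_rights(hardened_acl, "alice", {"Users", "Developers"}),
        "override_dev": effective_rights(override_acl, "alice", {"Users", "Developers"}),
        "override_anon": effective_rights(override_acl, "IUSR_WEBHOST", {"Guests"}),
    }
```

In the hardened case the anonymous account keeps only read and list even though Everyone is allowed more elsewhere, while alice accumulates write from Developers on top of Everyone's read and list.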
Open ports. A port is the logical interface between the host and the external network, and correct port configuration directly affects the security of the IIS host. By default all ports of the host are open and hackers will use them to intrude, which is a serious threat to security, so only the necessary ports should be opened and the rest closed.

Remote control. If remote management of the website is not performed, close the remote terminal service, turn off the dangerous NetBIOS, and remove all the system default shares, including print sharing and the hidden IPC$ and ADMIN$ shares, because these are potential intrusion entry points.
Application mappings. Most attacks are due to insecure or erroneous mappings; .idc, .ida, .htr, .htw, .shtml, .shtm, and the like carry a large number of security hazards and should be deleted. For the mappings that are retained, select "Check that file exists". Note that after installing some new IIS patches, some mappings are reset, which many administrators overlook.
Virtual directories. Delete the default virtual directories such as Scripts, IISSamples, IISHelp, MSADC, Printers, and so on, because many IIS vulnerabilities are related to them.
Custom error messages. In IIS, error messages such as HTTP 404 Not Found should be redirected via URL to a custom page. This improves user-friendliness and also defeats most current CGI vulnerability scanners, because most such scans determine whether a vulnerability exists merely by looking at the returned HTTP status code.
Authentication control. If users accessing the server do not require special authentication, it is recommended to turn off IIS basic authentication and Integrated Windows authentication.
FTP anonymous access. Anonymous access to the FTP service is likely to be exploited to gather more information and cause harm, so it should be prohibited.
Turn off unneeded services. The more services there are, the more hidden dangers; stop services that are not necessary or not needed for the time being, such as SMTP.
SSL. The SSL secure communication mechanism provided by IIS should be enabled where necessary to prevent data from being intercepted in transit.
3.3 Management
Separate placement. Sites with the means should separate the Web service and the data onto different hosts: the data is stored on a dedicated host and retrieved from it through a corresponding mechanism, that is, the web in front and the data behind. This prevents hazardous events to a large extent and reduces the degree of harm.
Monitoring and auditing. The process by which users use the website should be recorded, analyzed, tracked, and audited; sensitive areas and data should be checked regularly, and the accumulated log information should be searched, analyzed, and studied, with focused tracking and review, so as to discover potential dangers or provide strong evidence of incidents. IIS's built-in logging can serve as a tool for intrusion monitoring. The W3C extended format is recommended for IIS logs; ODBC logging is easier to analyze, but with heavy traffic it affects website performance and response speed. The volume of IIS log information is very large and analyzing it requires expertise; you can also write programs for it yourself. By extracting and analyzing the IIS log you can become aware of hostile intent and understand the attacker's persistence and location, so that you can respond in time. But IIS logs are not all-encompassing: in some special circumstances they miss intrusions, and attackers may also intrude through other services such as Telnet, so establishing a complete monitoring and auditing mechanism is very important. Security auditing is off when the system is installed and can be turned on through the local security policy; the security log records user logons, privileged operations, and so on in detail. The system log and application log are also good auxiliary tools. Access to key directories and files (the System32 directory, cmd.exe, etc.) should also be recorded, so that even an attacker who gets in finds it hard not to leave a trace. When a problem is found during log review it should be prevented and resolved in time, not left to wait. Note: logging should include only the necessary items; too many items produce a large volume of information that is hard to analyze and adds to the system load, while too few fail to achieve the expected security effect. Clever intruders may tamper with and modify the logs, so log files should not be stored in the default directory and their access rights should be set.

Backup and recovery. This work is very important; it is the last line of network security. The core of a site is its data and information, and the consequences of their destruction are unimaginable. Most sites do their backups reasonably well, but there are still many problems, such as backups that are not complete or timely, backups that are never tested, backups with no schedule, and backups that are not deployed. A complete backup should include the security configuration, data, user information, etc., and be continually adjusted as the website is updated. Sites with the means can install the corresponding monitoring and recovery tools; for web services an automatic home page recovery mechanism can be configured, that is, if the home page is illegally altered, the system automatically detects it and restores the pre-set page.
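As an added example of the self-written log analysis the monitoring item above suggests (not code from the article), the following parses the W3C extended format, honouring the #Fields directive rather than assuming a fixed column layout, and applies two checks drawn from this article: a client returning 404 for many distinct paths is behaving like the CGI vulnerability scanners described under custom error messages, and any request for the mappings or default virtual directories the configuration section says to remove is worth seeing regardless of status, because once errors are redirected to a custom page the 404 count no longer reveals scans. The log lines, addresses, and paths are constructed samples.

```python
import posixpath
from collections import defaultdict

# Script-map extensions and default virtual directories the article says to remove.
RISKY_EXTENSIONS = {".idc", ".ida", ".htr", ".htw", ".printer", ".shtml", ".shtm"}
RISKY_VDIRS = {"scripts", "iissamples", "iishelp", "msadc", "printers"}
SCAN_THRESHOLD = 3  # distinct missing paths from one client before we call it a scan

# Constructed sample of a W3C extended log (addresses and paths are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Date: 2003-05-12 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-12 08:00:01 10.0.0.5 GET /default.asp - 200
2003-05-12 08:00:02 192.0.2.44 GET /scripts/ - 404
2003-05-12 08:00:02 192.0.2.44 GET /msadc/ - 404
2003-05-12 08:00:03 192.0.2.44 GET /iisadmpwd/test.htr - 404
2003-05-12 08:00:03 192.0.2.44 GET /default.ida - 404
2003-05-12 08:00:04 10.0.0.5 GET /images/logo.gif - 200
2003-05-12 08:00:05 192.0.2.44 GET /printers/ - 404
2003-05-12 08:00:06 10.0.0.7 GET /iishelp/ - 404
2003-05-12 08:00:07 10.0.0.5 GET /search.asp q=iis 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive
    (the column set is configurable in IIS, so it must not be hard-coded)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()  # IIS never writes bare spaces inside a field
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def risky_request(stem):
    """True if the URI touches a mapping or default virtual directory listed above."""
    path = stem.lower()
    ext = posixpath.splitext(path)[1]
    top = path.strip("/").split("/", 1)[0]
    return ext in RISKY_EXTENSIONS or top in RISKY_VDIRS

def analyze(text):
    """Return clients probing many missing paths, plus every request to a risky mapping."""
    missing = defaultdict(set)  # client -> distinct URIs that returned 404
    risky = []                  # (client, URI, status), recorded whatever the status
    for rec in parse_w3c(text):
        client, stem, status = rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])
        if status == 404:
            missing[client].add(stem)
        if risky_request(stem):
            risky.append((client, stem, status))
    scanners = {c: sorted(s) for c, s in missing.items() if len(s) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "risky": risky}
```

Run `analyze(SAMPLE_LOG)` on the sample: one client is flagged as a scanner with five missing paths, and six requests hit mappings or directories that should no longer exist on a hardened server.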
Access control. For the WWW service, IP addresses or domains with attack intent can be rejected; for directories and files, script, write, browse, and execute permissions should be assigned appropriately according to the specific application's needs; for the FTP service, if it is used only for management, the IP addresses allowed to log in should be restricted to improve security. It is recommended to test before changing access control, to prevent accidents or new security issues.
Internal management. Network attacks come from inside: most of the network security incidents investigated in our country were due to internal management, so internal management should be strengthened with complete, strictly enforced rules and regulations. Administrators should not use the host for personal purposes and should avoid using the host's browser to browse web pages or send and receive e-mail, so as not to infect it with viruses or Trojans or expose information.
Combining prevention and treatment. It is necessary to establish a preventive awareness and resolve unsafe factors before they materialize. This is a long-term job: establish a mechanism for risk assessment, analyze the possible weak links, and discover and address them early through technical means such as regular security scans; on this basis, formulate a practical security strategy, build a suitable security architecture, determine the scope and method of management, and plan the permission levels for access control. A correct plan comes from rational analysis of real conditions and practical needs, neither aiming too high nor serving only the moment; it should adhere to the security-first principle, sacrificing some performance rather than sufficient security. The multiplicity and integrity of prevention are also important; only when the defense levels and means cooperate with each other can they form an organic whole. In addition, using more advanced and reliable technical means to enhance security is essential; installing a firewall for IIS, IIS hardening tools, and so on can greatly reduce attacks.

Patch updates. Site administrators should pay attention to the latest vulnerabilities and security information, watch the relevant patch announcements, and apply the corresponding patches in time; this is the easiest and also the most effective way to maintain security. But security is not absolute: a patch comes only after a vulnerability has been discovered, and fully trusting patches, firewalls, and other technical means is not advisable. Many administrators believe a system upgrade will cause no problems, but in fact problems often arise when a patch is applied: shared components are upgraded too, and some programs may not support the upgraded components, resulting in various security issues, so uncertain patches should be tested on other machines before installation.
3.4 Application Services
At present, most application service programs such as ASP, PHP, and CGI running under IIS have security issues of one kind or another, so when writing and managing application service programs, sufficient attention should be paid to security controls for IIS and the operating system.
When programming and administering, files should be organized by category; reduce the number of places where user names and passwords appear in the program, and programs involving important information are best packaged on the server; for important program pages, visitors should be tracked and verified so that only requests arriving by a legitimate path can continue; pay attention to the program backup file problem, because some editors automatically back up modified program files, which may be guessed by attackers and illegally downloaded; and have a good understanding of the errors and accidents that may occur at each stage, and implement the corresponding fault-tolerant handling.
When accepting user data input, HTML, JavaScript, VBScript, and similar content should be blocked; in addition to checking on the client, this should also be done on the server side.
The database connection part should be made more secure, and the data access method should not appear directly in the program; it is recommended to set up the data source in ODBC and then call the data source from the program. Database access should give users only read and store permissions, not permissions to modify or delete directly. The database name should be a complex combination of characters rather than the usual one, and attention should be paid to its location. If necessary the database can be encoded and encrypted to prevent it from being downloaded directly, which would be a major security incident.
4 Conclusion
IIS security configuration and management is not only a technical problem; the human side is just as important, because it is ultimately people who implement the settings and controls. Establishing good security awareness, increasing investment of all kinds, and strengthening training and learning are very important; only by starting from the basics and from the details can security be safeguarded effectively.