Tips: Several tips for protecting web servers

  
                  

Today we are going to discuss with you a few tips for protecting web servers. Under normal circumstances, most Web sites are designed to provide instant access to visitors in the most acceptable way. Information access. In the past few years, the security problems brought by more and more hackers, viruses and worms have seriously affected the accessibility of websites.

Although Apache servers are often the target of attackers, Microsoft's Internet Information Services (IIS) Web server is truly a target.

Advanced education organizations often struggle to find a balance between building a vibrant, user-friendly website or building a highly secure website. In addition, they must now work to improve the security of their websites in the face of shrinking technology budgets (in fact, many of their private sectors are also facing similar situations).

Because of this, I am here to provide some tips for university IT managers who have a headache for the budget to help them protect their IIS servers. Although primarily for IT professionals at the university, these techniques are basically applicable to IIS managers who want to increase security with a small budget. In fact, some of the techniques are also very useful for IIS managers with strong budgets.

First, develop a security policy

The first step in protecting a web server is to ensure that the network administrator knows every system in the security policy. If the company's top management does not regard the security of the server as an asset that must be protected, then the protection work is completely meaningless. This work requires long-term efforts. If the budget is not supported or it is not part of a long-term IT strategy, administrators who spend a lot of time protecting server security will not receive significant management support.

What are the direct consequences of network administrators establishing security for all aspects of resources? Some users who are particularly adventurous will be kept out of the door. Those users will then complain about the company's management, and the management will ask the network administrator what happened. Then, network administrators can't create documents that support their secure work, so conflicts have occurred.

By labeling the security level of the web server and the security policy of availability, network administrators will be able to easily deploy various software tools on different operating systems.

IIS Security Tips

Microsoft's products have always been the target of criticism, so IIS server is particularly easy to become the target of the attacker. With this in mind, network administrators must be prepared to implement a number of security measures. What I am going to offer you is a list that server operators may find useful.

1. Keep Windows Upgrade:

You must update all upgrades in time and fix all patches for your system. Consider downloading all updates to a dedicated server on your network and publishing the files on the machine as a web. Through these tasks, you can prevent your web server from accepting direct Internet access.

2. Using IIS prevention tools:

This tool has many practical advantages, however, please use this tool with caution. If your web server interacts with other servers, first test the prevention tool to make sure it is properly configured to ensure that it does not affect the communication between the web server and other servers.

3. Remove the default Web site:

Many attackers target the inetpub folder and place some sneak attacks on it, causing the server to crash. The easiest way to prevent this kind of attack is to disable the default site in IIS. Then, because worms access your site through IP addresses (they may have access to thousands of IP addresses a day), their requests may be in trouble. Point your real Web site to a back-partitioned folder and must include secure NTFS permissions (described in more detail in the NTFS section below).

4. If you don't need FTP and SMTP services, please uninstall them:

The easiest way to get into your computer is through FTP. FTP itself is designed to handle simple read/write access. If you perform authentication, you will find that your username and password are transmitted over the network in clear text. SMTP is another service that allows write access to folders. By disabling these two services, you can avoid more hacking attacks.

5. Check your administrator groups and services regularly:

One day I entered our classroom and found that there was one more user in the administrator group. This means that someone has successfully entered your system at this time, he or she may throw the bomb into your system, which will suddenly destroy your entire system, or take up a lot of bandwidth for hackers. Hackers also tend to leave a help service. Once this happens, it may be too late to take any action. You can only reformat your disk and recover the files you back up every day from the backup server.

Therefore, checking the list of services on the IIS server and keeping as few services as possible must be your daily task. You should remember which service should exist and which service should not exist. The Windows 2000 Resource Kit brings us a useful program called tlist.exe, which lists the services that run under svchost in each case.

Running this program can find some hidden services you want to know. Give you a hint: Any service that contains a few words of daemon may not be a service that Windows itself contains, and should not exist on the IIS server. To get a list of Windows services and know what they do, click here.

6. Strictly control the write access of the server:

This sounds easy, however, on a university campus, a web server actually has a lot of "authors". Faculty members want to have their classroom information accessible to remote students. The staff would like to share their work information with other staff. Folders on the server can have extremely dangerous access rights.

One way to share or spread this information is to install a second server to provide dedicated sharing and storage purposes, then configure your web server to point to the shared server. This step allows the network administrator to limit the write access to the web server itself to the administrator group.

Copyright © Windows knowledge All Rights Reserved