Delete the virtual directories of the default web site, stop the default web site, and delete its corresponding file directory C:\inetpub. Configure the common settings shared by all sites: the connection limit, bandwidth throttling, performance settings and the like. Configure application mappings: remove all unnecessary application extensions and keep only the asp, php, cgi, pl and aspx mappings. For php and cgi it is recommended to parse through ISAPI; parsing through an exe has an impact on both security and performance. In the application debugging settings, send plain text error messages to the user instead of detailed error information. For Access databases, keep the .mdb suffix rather than renaming the file to .asp, and add an extension mapping for .mdb in IIS that points to an unrelated DLL such as C:\WINNT\system32\inetsrv\ssinc.dll, so that the database file cannot be downloaded. Set the IIS log directory and adjust which fields are logged. Change the 403 error page to redirect to another page, which prevents detection by some scanners. In addition, to hide system information, the server version that is revealed to anyone who telnets to port 80 can be changed by modifying the IIS banner, either manually with winhex or with a tool such as banneredit.
For the directory where a user's site is located: the user's FTP root directory contains three folders, wwwroot, database and logfiles, which store the site files, the database backups and the site's logs respectively. If an intrusion occurs, specific permissions can be set on the directories of the user's site. The directory holding images is given only the List Folder Contents permission. If the directory holding the program does not need to generate files (a program that generates static html does), no write permission is given. Because a shared virtual host usually cannot make every user's scripts secure, more often all that can be done is to prevent scripts from being used to gain more permissions than the user has:
ASP security settings:
After the service is installed, the following work is needed to defend against ASP trojans (web shells); run these commands in a cmd window:
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll
This unregisters the WScript.Shell, Shell.Application and WScript.Network components, which effectively prevents an ASP trojan from executing commands through WScript.Shell or Shell.Application and from using those objects to read sensitive system information. Note that shell32.dll is a core system library used by Explorer and most Windows programs, so deleting it is far more disruptive than removing wshom.ocx. An alternative is to remove the Users group's permissions on the files above and restart IIS for the change to take effect; however, this method is not recommended.
FSO (FileSystemObject) is a different case: user programs need it, so the component cannot be unregistered on the server. Only prevention is discussed here; it is not needed on a virtual hosting server where space is opened automatically, and applies to manually opened sites. Create two user groups, one for sites that need FSO and one for sites that do not. Give only the group that needs FSO execute permission on C:\WINNT\system32\scrrun.dll. Restart the server for the change to take effect.
With this setting combined with the permission settings above, you will find that the Haiyang ASP trojan no longer works here!
PHP security settings:
A default installation of PHP requires the following attention:
Give users only read permission on C:\WINNT\php.ini. In php.ini make the following settings:
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On (the default is On, but check it)
open_basedir = <web directory>
disable_functions = passthru, exec, shell_exec, system, phpinfo, get_cfg_var, popen, chmod
com.allow_dcom = false (the default is true; remove the leading ; that comments the line out before changing it)
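As an added example (not from the original article), a small Python checker that parses a php.ini file and reports any of the directives listed above that deviate from the recommended values, including functions missing from disable_functions; the sample php.ini text is constructed.

```python
# Added example (not from the original article): audit a php.ini file against the
# hardening values recommended above. The sample ini text below is constructed.

RECOMMENDED = {"safe_mode": "On", "register_globals": "Off", "allow_url_fopen": "Off",
               "display_errors": "Off", "magic_quotes_gpc": "On", "com.allow_dcom": "false"}
MUST_DISABLE = {"passthru", "exec", "shell_exec", "system",
                "phpinfo", "get_cfg_var", "popen", "chmod"}

def parse_php_ini(text):
    """Return {directive: value}; skips [sections], blank lines and ';' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":      # a leading ';' leaves the directive unset
            continue
        key, sep, value = line.partition("=")
        if sep:                               # drop trailing comment and surrounding quotes
            directives[key.strip()] = value.split(";", 1)[0].strip().strip('"')
    return directives

def audit_php_ini(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    conf = parse_php_ini(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set (commented out or missing), want {want}")
        elif got.lower() != want.lower():
            findings.append(f"{key}: is {got}, want {want}")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    if not conf.get("open_basedir"):
        findings.append("open_basedir: empty, scripts may read the whole file system")
    return sorted(findings)

# Constructed sample: a default-looking php.ini with three weak settings.
SAMPLE_INI = r"""[PHP]
safe_mode = Off
register_globals = Off
allow_url_fopen = On   ; remote file inclusion risk
display_errors = Off
magic_quotes_gpc = On
open_basedir = "C:\inetpub\wwwroot"
disable_functions = passthru, exec, shell_exec, system, phpinfo, get_cfg_var, popen
[COM]
;com.allow_dcom = true
"""
```

Calling audit_php_ini(SAMPLE_INI) reports safe_mode, allow_url_fopen, the commented-out com.allow_dcom and the missing chmod in disable_functions.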
MySQL security settings:
If the MySQL database is enabled on the server, note the following security settings for MySQL:
Delete all default users in MySQL, keep only the local root account, and set a complex password on root. Give ordinary users only update, delete, alter, create and drop privileges, and limit them to a specific database; in particular, make sure an ordinary customer has no privileges on the mysql database itself. Check the mysql.user table and remove the Shutdown_priv, Reload_priv, Process_priv and File_priv privileges from users who do not need them; these privileges may leak more server information, including information unrelated to MySQL. You can set up a dedicated startup user for MySQL that has permissions only on the MySQL directory. Set the permissions of the data directory under the installation directory (this directory stores the data of the MySQL databases). For the MySQL installation directory, give users read, list directory and execute permissions.
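As an added example (not part of the original article), a Python audit over rows exported from mysql.user that flags anonymous accounts, remote root access and the Shutdown, Reload, Process and File privileges held by ordinary users, and emits the DROP USER / REVOKE statements that remove them; the sample rows are constructed.

```python
# Added example (not from the original article): audit rows from mysql.user for the
# accounts and server-level privileges the text says to remove. On a real server the
# rows come from:
#   SELECT Host, User, Shutdown_priv, Reload_priv, Process_priv, File_priv FROM mysql.user;
RISKY_PRIVS = ("Shutdown_priv", "Reload_priv", "Process_priv", "File_priv")

def audit_mysql_users(rows):
    """Return (findings, fixes): readable findings plus the SQL that remediates them.
    Anonymous and remote root accounts are dropped; the four privileges are revoked
    from every account except the local root."""
    findings, fixes = [], []
    for r in rows:
        account = f"'{r['User']}'@'{r['Host']}'"
        if r["User"] == "":
            findings.append(f"anonymous account {account}")
            fixes.append(f"DROP USER {account};")
            continue
        if r["User"] == "root" and r["Host"] not in ("localhost", "127.0.0.1"):
            findings.append(f"root reachable from {r['Host']}")
            fixes.append(f"DROP USER {account};")
            continue
        if r["User"] == "root":
            continue                      # local root keeps its privileges
        held = [p for p in RISKY_PRIVS if r.get(p, "N").upper() == "Y"]
        if held:
            findings.append(f"{account} holds " + ", ".join(held))
            # column Foo_priv corresponds to the GRANT/REVOKE keyword FOO
            names = ", ".join(p[:-5].upper() for p in held)
            fixes.append(f"REVOKE {names} ON *.* FROM {account};")
    return findings, fixes

# Constructed sample resembling a fresh install plus two customer accounts;
# privilege columns left out are treated as 'N'.
SAMPLE_ROWS = [
    {"Host": "localhost", "User": "root", "Shutdown_priv": "Y", "Reload_priv": "Y",
     "Process_priv": "Y", "File_priv": "Y"},
    {"Host": "%", "User": "root", "Shutdown_priv": "Y", "File_priv": "Y"},
    {"Host": "localhost", "User": ""},
    {"Host": "localhost", "User": "shop_user", "Process_priv": "Y", "File_priv": "Y"},
    {"Host": "localhost", "User": "blog_user"},
]

if __name__ == "__main__":
    for finding, fix in zip(*audit_mysql_users(SAMPLE_ROWS)):
        print(f"{finding:55} -> {fix}")
```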
Serv-u Security Issues:
Use the latest version of the installer, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Modify the Serv-U banner, set the passive-mode port range (4001-4003), and make the relevant security settings under local server settings: check anonymous passwords, disable anti-timeout scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times in 30 seconds. In the domain settings: require complex passwords, use only lowercase letters for directories, and in the Advanced settings disallow changing file dates with the MDTM command.
Change the startup user of Serv-U: create a new user in the system with a complex password that does not belong to any group. Give this user full control of the Serv-U installation directory. The FTP root directory must also give this user full control, because every upload, delete and change by FTP users is performed as this user; otherwise files cannot be manipulated. In addition, give this user read permission on the parent directories above the root, otherwise the error "530 Not logged in, home directory does not exist" appears. For example, in testing the FTP root directory was d:\soft, so the user had to be given read permission on the d: drive; for safety, remove the inherited permissions from the other folders on the d: drive. Running under the default system account does not have these problems, because the system account generally already has these permissions.