Three minutes to ensure the security of IIS itself

IIS Security Installation
To build a secure IIS server, security issues must be considered from the time of installation.

1. Do not install IIS on the system partition.

2. Modify the default path for IIS installation.

3. Put the latest patches for Windows and IIS.

IIS Security Configuration

1. Delete unnecessary virtual directories

After IIS installation is completed, some directories are generated by default under wwwroot, including IISHelp, IISAdmin, IISamples, MSADC, etc., these directories have no practical effect and can be deleted directly.

2. Remove dangerous IIS components

Some IIS components after default installation may pose security threats such as Internet Service Manager (HTML), SMTP Service and NNTP Service, sample pages and Script, you can decide whether to delete according to your needs.

3. Set permissions for file classification in IIS

In addition to setting the necessary permissions for IIS files in the operating system, you also need to set permissions for them in IIS Manager. A good setup strategy is to create directories for different types of files on your Web site and then assign them the appropriate permissions. For example, the static file folder allows reading and rejecting writes, the ASP script folder allows execution, denial of writing and reading, and executable programs such as EXE allow execution and denial of reading and writing.

4. Delete unnecessary application mappings

There are many application mappings in ISS by default. Except for ASP's program mapping, other files are rarely used on websites.

In the "Internet Service Manager", right click on the website directory, select "Properties", in the "Home Directory" page of the Website Directory Properties dialog box, click the [Configure] button, and the "Application Configuration" pops up. Dialog box, on the "Application Mapping" page, delete the useless program map. If you need this type of file, you must install the latest system patch, and select the corresponding program map, then click the [Edit] button, in the "Add /Edit Application Extension Mapping" dialog box, check "Check whether the file is There is an option. In this way, when a client requests such a file, IIS will first check whether the file exists. After the file exists, it will not call the dynamic link library defined in the program map for parsing.

5. Protecting Log Security

Logging is an important part of the system security policy, ensuring that log security can effectively improve the overall security of the system.

● Modify the storage path of IIS logs

By default, IIS logs are stored in %WinDir%\\System32\\LogFiles. The hacker is of course very clear, so it is best to modify the storage path. In the "Internet Service Manager", right click on the website directory, select "Properties", in the "Web Site" page of the Website Directory Properties dialog box, in the case of "Enable Logging", click [Properties] next to it. Button, on the "General Properties" page, click the [Browse] button or enter the log storage path directly in the input box.

● Modify the log access permission, and only the administrator can access it.

With some of the above security settings, I believe that your web server will be much safer.