Make your IIS impeccable

If your computer has nt4/win2000 installed, it is not a direct use for Internet servers. Although Microsoft's patch has been a lot of bugs, there are still some loopholes. Now let's talk briefly about how to use IIS to build a server with high security performance.

First, based on the security mechanism of Windows NT

1) NT hit SP6 patch, 2K hit SP2 patch. Convert the disk's file system to NTFS (the partition of the installation system can be converted when the system is installed, or it can be converted by tools after the system is installed). At the same time, the permissions for writing and modifying Everyone in the usage rights are removed. The key directories: such as WinntRepair read permission are also removed.

2) Modification of sharing permissions. Under NT, go to Start Menu --> Programs --> Administrative Tools --> System Policy Editor, and then open the registry in the File menu of the system policy to modify the Windows NT network to remove it. Under 2K, you can write a net share c$ /delete bat file, put it into the machine's startup task.

3) Rename the system administrator account. At the same time, change the password of the system administrator to strong encryption: the password length is more than 10 digits, and the password should include numbers, letters, and! Wait for various characters.

4) Abolish NetBIOS over TCP/IP. The binding between NetBIOS and TCP/IP is aborted by the binding option of the network attribute.

5) Install other services. You should try not to install other services of the database on the same server. If installed, the main point is that the database password cannot be the same as the login password of the system.

Second, set the security mechanism of IIS

1) Resolve IIS4 and previous versions will be stopped by D.O.S attacks. Run Regedt32.exe at: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesw3svcparameters Add a value: Value Name: MaxClientRequestBuffer Data Type: REG_DWORD Set to decimal The specific value is set to the maximum length of the URL that IIS is allowed to accept. The CNNS setting is 256.

2) Delete the HTR script map.

3) Set the /_vti_bin directory under the IIS web server to disable remote access.

4) In the IIS management console, point to the web site, properties, select the home directory, configure (start point), application mapping, delete the mapping between htw and webhits.dll.

5) If the installed system is 2K, install Q256888_W2K_SP1_x86_en.EXE.

6) Delete: crogram FilesCommon FilesSystemMsadcmsadcs.dll.

7) If you do not need to use Index Server, disable or uninstall the service. If you are using Index Server, disable the "Index this resource" option for directories containing sensitive information.

8) Solve the unicode vulnerability: 2K install 2kunicode.exe, NT install ntunicode86.exe.

After the above settings, I still can't say that it is completely safe, you can't go back to sleep! But you can relax!

Microsoft products are good Use, but its vulnerability is the most vulnerable one compared with the same kind. As a network management, we must pay attention to the emergence of new vulnerabilities at all times, and take corresponding measures in time to be prepared!