How to use IIS to establish a high-security Web server


First, build on the security mechanism of Windows NT
Because IIS runs on the Windows NT operating system, its security rests on the security of Windows NT itself: every weakness in the operating system configuration is inherited by the Web server.
1. Use the NTFS file system
NTFS lets you set permissions on individual files and directories, whereas the FAT (file allocation table) file system offers only share-level security, so anything on a FAT volume is readable by whoever can reach the share. Choose NTFS when installing Windows NT, and convert any FAT volume that will hold Web content (the convert command does this in place).
2. Change the share permissions
By default, every new share grants the Everyone group Full Control. Immediately after creating a share, remove that default entry and grant only the groups that actually need access, with the least right that lets them do their job. Remember that the effective permission is the more restrictive of the share permission and the NTFS permission, so both must be set.
3. Rename the system administrator account
User Manager for Domains can lock an account after a set number of failed password guesses, but the lockout does not apply to the built-in Administrator account, which gives an attacker unlimited guesses at the one password that matters most. Renaming the account is therefore a good idea. The steps are:
(1) Start User Manager for Domains;
(2) Select the Administrator account;
(3) Open the User menu, choose Rename, and enter the new name.
Renaming is a speed bump rather than a cure: the account keeps its well-known relative identifier (RID 500), so a tool that can enumerate account SIDs can still tell which account is the real administrator. Pair the rename with a long, strong password.
4. Disable NetBIOS over TCP/IP
An administrator can manage other servers across the Internet because each target's NetBIOS name is mapped to its IP address, but an intruder uses the same mapping to find reachable machines. If that kind of remote management is not required, remove the binding between NetBIOS and TCP/IP immediately (Control Panel > Network > Bindings), which closes UDP ports 137/138 and TCP port 139 on the server. Note that on Windows NT the SMB file and print services run only over NetBIOS, so unbinding it also stops file sharing over TCP/IP on that machine; on a server that publishes content over HTTP only, that is usually exactly what you want.
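The four Windows-level items above, collected into one script as an added example; this is not part of the original article, which describes the NT 4 graphical tools. It uses current Windows PowerShell cmdlets (Windows Server 2012 or later, run as Administrator on a member or stand-alone server, not a domain controller). The share name wwwroot, the group WEBSRV\WebPublishers and the new administrator name are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. The three values below are
# assumptions: replace the share name, the publishing group and the new
# administrator account name with your own.
param(
    [string]$ShareName    = 'wwwroot',
    [string]$AllowedGroup = 'WEBSRV\WebPublishers',
    [string]$NewAdminName = 'srv-console'
)

# 1. File system: FAT volumes carry no file or directory ACLs, only share-level
#    permissions, so report any FAT volume still present on the server.
Get-Volume | Where-Object { $_.FileSystem -like 'FAT*' } | ForEach-Object {
    Write-Warning ("Volume '{0}' ({1}:) is {2}; convert it with: convert {1}: /fs:ntfs" -f
        $_.FileSystemLabel, $_.DriveLetter, $_.FileSystem)
}

# 2. Share permissions: replace the default 'Everyone / Full Control' entry with
#    a Change grant to the one group that publishes content.
$everyoneFull = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
if ($everyoneFull) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName $AllowedGroup -AccessRight Change -Force | Out-Null
}
# The effective right is the more restrictive of the share ACL and the NTFS ACL,
# so remove Everyone from the NTFS ACL of the shared folder as well.
$sharePath = (Get-SmbShare -Name $ShareName).Path
icacls $sharePath /remove:g Everyone /grant "${AllowedGroup}:(OI)(CI)(M)" | Out-Null

# 3. Rename the built-in Administrator account. It is located by its well-known
#    RID 500 rather than by name, because it may already have been renamed once.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $NewAdminName
}

# 4. NetBIOS over TCP/IP: option 2 disables it on each IP-enabled adapter, which
#    closes UDP 137/138 and TCP 139 on that interface (0 = DHCP default, 1 = enable).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        # 0 = success, 1 = success but a reboot is required; anything else is an error code
        if ($result.ReturnValue -notin 0, 1) {
            Write-Warning "SetTcpipNetbios failed on '$($_.Description)': code $($result.ReturnValue)"
        }
    }
```

Run it once after the server is built and again after any share is added; step 4 is the one that changes network behaviour, so confirm that nothing on the server depends on SMB file sharing before applying it.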

Second, configure the security mechanisms of IIS


1. Security issues to watch during installation
(1) Avoid installing on the primary domain controller
Installing IIS creates the anonymous account IUSR_computername on the machine it is installed on. On a domain controller every account is a domain account, so IUSR_computername becomes a member of the Domain Users group, and every anonymous visitor to the Web server inherits whatever access Domain Users has across the domain. That is a large risk for IIS itself and can compromise the resources of the entire domain, so avoid installing IIS on a domain controller, especially the primary domain controller.
(2) Avoid installing on the system partition
Putting IIS on the system partition exposes the system files to the same access paths as the Web content: a misconfigured virtual directory, or any flaw that lets a visitor step outside the Web root, then reaches the operating system itself. Install IIS and the Web content on a separate NTFS partition.
2. User-based security controls
(1) Anonymous user
After IIS is installed it creates the anonymous account IUSR_computername with a randomly generated password. Anonymous access through this account is a standing risk to the Web server, so the account's rights must be kept to the minimum needed to read published content. If anonymous access is not required at all, turn it off for the WWW service:
1 start Internet Service Manager (ISM);
2 open the WWW service property page;
3 clear the option that allows anonymous access.
(2) Ordinary users
Manage ordinary user accounts with passwords that mix letters (upper and lower case) and digits, require the password to be changed regularly, lock the account after repeated failed logon attempts, and give the account an expiry date so that a forgotten account does not stay valid indefinitely.
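The anonymous-user and ordinary-user controls of this section as one script, added here as an example; it is not from the original article. It assumes IIS 7 or later with the WebAdministration module, a site named 'Default Web Site' whose content lives in C:\inetpub\wwwroot, and a publishing account named webeditor; all three are placeholders. Current IIS uses the built-in IUSR account in place of IUSR_computername, but the decisions are the same.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Site name, content path and the
# 'webeditor' account are assumptions; replace them with your own values.
Import-Module WebAdministration
$site           = 'Default Web Site'
$root           = 'C:\inetpub\wwwroot'
$allowAnonymous = $false     # set to $true only if the site must serve anonymous visitors
$anonAuth       = 'system.webServer/security/authentication/anonymousAuthentication'

# (1) Anonymous user: turn anonymous access off unless it is required; if it
#     must stay on, confine what the anonymous account can do to the content.
if (-not $allowAnonymous) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anonAuth -Name enabled -Value $false
} else {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anonAuth -Name enabled -Value $true
    # Anonymous visitors may read and execute published content but never change it:
    # an explicit deny of Write to IUSR on the Web root, inherited by files and folders.
    icacls $root /deny 'IUSR:(OI)(CI)(W)' | Out-Null
}
$anonNow = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $anonAuth -Name enabled).Value
"Anonymous authentication on '$site' is now: $anonNow"

# (2) Ordinary users: account policy applies to every local account. Minimum
#     length, maximum age, lockout after five failures, lock lasting 30 minutes,
#     failure counter reset after 30 minutes.
net accounts /minpwlen:12 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
# The requirement to mix upper case, lower case and digits is the
# 'Password must meet complexity requirements' setting in Local Security Policy
# or Group Policy; 'net accounts' cannot switch it on.

# Give the publishing account a finite lifetime: it expires 90 days from today.
Set-LocalUser -Name 'webeditor' -AccountExpires (Get-Date).AddDays(90)
```

The lockout threshold set here still does not protect the built-in Administrator account, which is why the rename in the first part of the article remains necessary.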
3. Logon authentication security
The IIS server offers three forms of user authentication.
Anonymous access: no interaction with the user; anyone can reach the site anonymously. This is the least secure of the three.
Basic authentication: the user name and password the user types are transmitted in cleartext. They are Base64-encoded, but that is an encoding, not encryption, so an intruder who sniffs the network can take the credentials straight out of the packet. It is acceptable only when the connection is protected by SSL. Security is moderate.
Windows NT Challenge/Response: the browser never sends the password; it answers a challenge from the IIS server with a value computed from the password, so an eavesdropper does not see the password itself. This is the most secure of the three forms. Its disadvantages are that only Internet Explorer 3.0 and later support it, and that it does not work through a generic HTTP proxy. A captured challenge/response pair can still be attacked offline by guessing passwords, so the password rules above still apply.
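What the Basic form actually leaks, and the IIS setting that leaves only Windows authentication enabled, as an added example that is not part of the original article. The HTTP request below is constructed to look like a sniffer capture (the user name, password and host are made up), and 'Default Web Site' is a placeholder site name; the configuration part assumes IIS 7 or later with the WebAdministration module.

```powershell
# Added example, not from the original article. The request text is a
# constructed sample, not a real capture; the site name is an assumption.

# A Basic-authentication request as it appears on the wire (constructed sample).
$capturedRequest = @"
GET /admin/ HTTP/1.1
Host: www.example.com
Authorization: Basic d2VibWFzdGVyOlN1bW1lcjIwMDE=
"@

function Get-BasicCredentialFromCapture {
    param([Parameter(Mandatory)][string]$RawRequest)
    foreach ($line in $RawRequest -split "`r?`n") {
        if ($line -match '^Authorization:\s*Basic\s+(\S+)\s*$') {
            # Base64 is reversible by anyone who holds the packet; no key is involved.
            $pair = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1]))
            $user, $pass = $pair -split ':', 2
            return [pscustomobject]@{ User = $user; Password = $pass }
        }
    }
    return $null
}

$cred = Get-BasicCredentialFromCapture -RawRequest $capturedRequest
"Recovered from the capture: user '$($cred.User)', password '$($cred.Password)'"

# The IIS side: anonymous off, Basic off, Windows authentication (the modern
# form of Challenge/Response: NTLM or Kerberos) on. If Basic must stay enabled
# for non-IE clients, require SSL on the site so the credential is encrypted.
Import-Module WebAdministration
$site      = 'Default Web Site'
$auth      = 'system.webServer/security/authentication'
$keepBasic = $false

$settings = [ordered]@{
    anonymousAuthentication = $false
    basicAuthentication     = $keepBasic
    windowsAuthentication   = $true
}
foreach ($entry in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$auth/$($entry.Key)" -Name enabled -Value $entry.Value
}
if ($keepBasic) {
    # 'Require SSL' for the site: Basic credentials then only ever cross an encrypted connection.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}
```

The decode function returns the user name webmaster and the password Summer2001 from the sample above; anything that can read the packet, a sniffer on the same segment or a proxy in the path, recovers it just as easily, which is the whole argument for Challenge/Response or SSL.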

Copyright © Windows knowledge All Rights Reserved