IIS FAQ for creating a secure IIS server

1. How to make an ASP script run with SYSTEM permissions

Open the properties of the virtual directory that holds your ASP script and set "Application Protection" to "Low (IIS Process)". The script then runs inside inetinfo.exe under the LocalSystem account, so any flaw in that script hands over the whole server; use this setting only where that risk is acceptable.

2. How to prevent ASP trojans

ASP trojans based on the FileSystemObject component:

cacls %systemroot%\system32\scrrun.dll /e /d guests

(denies the Guests group access to the DLL; the IIS anonymous account IUSR_machine is a member of Guests by default)

regsvr32 scrrun.dll /u /s

(unregisters the component entirely)

ASP trojans based on the Shell.Application component:

cacls %systemroot%\system32\shell32.dll /e /d guests

(denies the Guests group access to the DLL)

regsvr32 shell32.dll /u /s

(unregisters the component)

Note that shell32.dll is also the Windows shell library used by Explorer and many other programs, so restricting or unregistering it affects far more than ASP; verify the result on a test machine before doing it in production.

3. How to encrypt ASP files

Download sce10chs.exe (the Microsoft Script Encoder) free of charge from Microsoft and run it; the installation completes directly.

After installation the file screnc.exe is available. It is a command-line tool run from the command prompt.

Run:

screnc /l vbscript source.asp destination.asp

This generates a new file, destination.asp, containing the ASP script as ciphertext.

Open it in Notepad: the script body, whether commented or not, has become unreadable ciphertext.

It cannot, however, encode Chinese text. Keep in mind that the Script Encoder only obfuscates the script and the encoding is reversible, so it protects against casual reading rather than against a determined attacker.

This article was published on www.xker.com (小新技术网).

4. How to extract URLScan from IISLockdown

iislockd.exe /q /c /t:c:\urlscan

(extracts the contents of the IISLockdown package, including URLScan, into c:\urlscan without running the lockdown wizard)

5. How to prevent the Content-Location header from exposing the internal IP address of the web server

Execute:

cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/UseHostName True

With UseHostName set, IIS builds the Content-Location header from the host name instead of the server's IP address. Finally, restart IIS for the change to take effect.

6. How to solve the HTTP 500 internal error

Most IIS HTTP 500 internal errors are caused by the IWAM account password being out of sync: the password stored for the IWAM_myserver account in the COM+ application no longer matches the account's actual password.

Synchronizing the password of the IWAM_myserver account in the COM+ application solves the problem.

Execute:

cscript c:\inetpub\adminscripts\synciwam.vbs -v

7. How to enhance the ability of IIS to defend against SYN floods

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enables SYN attack protection. The default value 0 means protection is off; 1 and 2 enable it, with 2 being the more secure level. Protection is triggered when the thresholds set by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below are exceeded. Note that NT 4.0 must use 1: setting 2 on NT 4.0 can cause the system to restart when it receives a specially crafted packet.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session whose handshake has not completed; such sessions show up in the SYN_RCVD state in netstat output. Here we use Microsoft's recommended value: 100 for Server and 500 for Advanced Server. Setting it slightly lower is suggested.

"TcpMaxHalfOpen"=dword:00000064

The threshold at which an attack is considered to be in progress. Here we use Microsoft's recommended value: 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Controls how long a half-open connection is kept while waiting for the client's reply, by setting the number of SYN-ACK retransmissions. The default value 3 gives a total wait of 45 seconds; 2 gives 21 seconds, 1 gives 9 seconds, and the minimum of 0 means no retransmission, for a total of 3 seconds. This value can be adjusted according to the size of the attack. Microsoft's site-security recommendation is 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001

Sets the number of times TCP retransmits a single data segment. The default value 5 corresponds to about 240 seconds. Microsoft's site-security recommendation is 3.

"TcpMaxDataRetransmissions"=dword:00000003

Sets the threshold for SYN attack protection: when the available backlog drops to 0, this parameter controls the enabling of SYN attack protection. Microsoft's site-security recommendation is 5.

"TCPMaxPortsExhausted"=dword:00000005

Disables IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all are forwarded; 2 means all received source-routed packets are dropped. Microsoft's site-security recommendation is 2.

"DisableIPSourceRouting"=dword:00000002

Limits the time a connection stays in the TIME_WAIT state. The default is 240 seconds; the minimum is 30 seconds and the maximum 300 seconds. Setting it to 30 seconds is recommended.

"TcpTimedWaitDelay"=dword:0000001e

8. How to avoid *.mdb files being downloaded

Installing the URLScan tool released by Microsoft solves this problem fundamentally, since it can reject requests for the .mdb extension before they reach the file system.

URLScan is also a powerful security tool in general; more detailed information is available on the Microsoft website.

9. How to run IIS with the minimum NTFS permissions

Do the following steps in order:

a. The entire hard disk:

system: Full Control
administrator: Full Control
(Allow inheritable permissions from the parent to propagate to this object)

b. \Program Files\Common Files:

everyone: Read and Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

c. \Inetpub\wwwroot:

iusr_machine: Read and Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

e. \winnt\system32:

Select all directories except inetsrv and centsrv, clear the "Allow inheritable permissions from parent to propagate to this object" checkbox, and choose Copy when prompted.

f. \winnt:

Select everything except the Downloaded Program Files, Help, IIS Temporary Compressed Files, Offline Web Pages, system32, Tasks, Temp and Web directories, clear the "Allow inheritable permissions from parent to propagate to this object" checkbox, and choose Copy when prompted.

g. \winnt:

everyone: Read and Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

h. \winnt\temp (allows database access and display on ASP pages):

everyone: Modify
(Allow inheritable permissions from the parent to propagate to this object)

10. How to hide the IIS version

An attacker can simply telnet to your web port and send a GET request to obtain a lot of information, including the server banner.

IIS stores the banner (IIS BANNER) in the following DLL files:

WEB: C:\WINNT\SYSTEM32\INETSRV\W3SVC.DLL
FTP: C:\WINNT\SYSTEM32\INETSRV\FTPSVC2.DLL
SMTP: C:\WINNT\SYSTEM32\INETSRV\SMTPSVC.DLL

You can modify these DLL files with a hex editor, replacing strings such as Microsoft-IIS/5.0 (keep the replacement the same length so the file layout is unchanged).

The procedure is as follows:

1. Stop IIS: iisreset /stop
2. Delete the file of the same name under %SYSTEMROOT%\system32\dllcache; otherwise Windows File Protection restores the original copy.
3. Modify the DLL files with the hex editor.

Note that a service pack or hotfix that replaces these DLLs undoes the change, so it must be repeated after patching. Where URLScan is installed, its RemoveServerHeader option removes the Server header without modifying any DLL.
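The following Python check, an added example rather than code from the FAQ, ties sections 5 and 10 together: it inspects a captured HTTP response and reports an internal (RFC 1918) address in the Content-Location or Location header and an IIS version in the Server header, which is how an administrator verifies that the UseHostName change and the banner change actually took effect. Both responses below are constructed.

```python
"""Audit a raw HTTP response for the two leaks covered in sections 5 and 10:
an internal IP address in Content-Location/Location and an IIS version in the
Server header.  Added example, not from the FAQ; the responses are constructed."""
import ipaddress
import re

# Host part of an absolute URL: scheme://host[:port]/...
_HOST_IN_URL_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:?#]+)")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {name_lower: value}).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _is_private_host(host):
    """True only for an IP literal in a private range; hostnames return False."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_private
    except ValueError:
        return False


def audit_response(raw):
    """Return a list of finding strings for the response; an empty list means clean."""
    _, headers = parse_headers(raw)
    findings = []
    # Section 5: Content-Location (and redirects' Location) built from the
    # server's own address rather than its host name.
    for name in ("content-location", "location"):
        value = headers.get(name)
        if not value:
            continue
        m = _HOST_IN_URL_RE.match(value)
        if m and _is_private_host(m.group(1)):
            findings.append(f"{name} leaks internal address {m.group(1)}")
    # Section 10: the product/version banner in the Server header.
    server = headers.get("server", "")
    if re.search(r"Microsoft-IIS/\d", server):
        findings.append(f"server header exposes version: {server}")
    return findings


# Constructed responses: an unhardened server and a hardened one.
LEAKY = ("HTTP/1.1 200 OK\r\n"
         "Server: Microsoft-IIS/5.0\r\n"
         "Content-Location: http://10.0.0.5/default.htm\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")
CLEAN = ("HTTP/1.1 200 OK\r\n"
         "Server: Web\r\n"
         "Content-Location: http://www.example.com/default.htm\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("unhardened", LEAKY), ("hardened", CLEAN)):
        print(label, audit_response(raw) or ["clean"])
```

To check a live server, capture the response headers of a request for the site's default document (for example with a telnet session as described above, or any HTTP client that shows raw headers) and pass the text to audit_response.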

Copyright © Windows knowledge All Rights Reserved