IIS (Internet Information Server) is convenient and easy to use, which has made it one of the most popular web server products. However, the security record of IIS has been worrying, and how to use IIS to build a secure web server is a topic that many people care about.
Constructing a Security System
To build a secure and reliable web server you must secure both Windows 2000 and IIS, because IIS users are also Windows 2000 users, and IIS directory permissions depend on the permissions of the Windows NTFS file system. The first step in securing IIS is therefore to secure the Windows 2000 operating system itself.
This article is published at www.xker.com (小新技术网)
1. Use the NTFS file system to manage files and directories.
2. Close the default shares
Open the Registry Editor, expand "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", and add a value named AutoShareServer of type REG_DWORD with the data 0. This completely shuts down the "default shares".
3. Modify Share Permissions
Immediately after creating a new share, modify the default permission granted to Everyone so that visitors to the web server do not gain unnecessary rights.
4. Rename the system administrator account to avoid unauthorized user attacks.
Right-click [My Computer] → [Manage] to start the "Computer Management" program. Under "Local Users and Groups", right-click the administrator account (Administrator) → select "Rename", and change the administrator account to a very ordinary-looking username.
5. Disable NetBIOS on TCP/IP
On the desktop, right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [WINS], and select "Disable NetBIOS over TCP/IP" at the bottom. This turns off NetBIOS over TCP/IP.
6. Control inbound connections on TCP/IP
On the desktop, right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options], and select "TCP/IP Filtering" in the list. Click the [Properties] button, select "Permit Only", then click the [Add] button and enter only port 80.
7. Modify the registry to reduce the risk of denial of service attacks.
Open the registry and change the value of SynAttackProtect under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters to 2, so that connections time out more quickly when a SYN flood is under way.
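The two registry values from steps 2 and 7 can be audited and applied with a script instead of by hand. The following is an added example, not the article's own procedure; it assumes a modern Windows host where the same key paths and value names apply, and is run from an elevated PowerShell.

```powershell
# Added example (not from the original article): audit the two registry values the
# article asks for, and apply them when -Apply is given. Run elevated.
# Assumption: the key paths and value names match the article (Windows 2000 and later).
param([switch]$Apply)

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Expected = 0
       Why  = 'closes the default administrative shares (C$, ADMIN$)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'SynAttackProtect'; Expected = 2
       Why  = 'SYN flood protection: half-open connections time out sooner' }
)

foreach ($c in $checks) {
    # A missing value name yields $null here rather than an error
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($current -eq $c.Expected) {
        Write-Output ("OK      {0}\{1} = {2}" -f $c.Path, $c.Name, $current)
        continue
    }
    $shown = if ($null -eq $current) { '<missing>' } else { $current }
    Write-Output ("MISSING {0}\{1} = {2}, expected {3} ({4})" -f $c.Path, $c.Name, $shown, $c.Expected, $c.Why)
    if ($Apply) {
        # -Force creates the value if absent or overwrites it; REG_DWORD as the article specifies
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Expected -Force | Out-Null
        Write-Output ("FIXED   {0}\{1} set to {2}" -f $c.Path, $c.Name, $c.Expected)
    }
}
```

Both values are read when the Server service and the TCP/IP stack start, so restart the Server service or reboot after applying them.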
Securing IIS itself
IIS Security Installation
To build a secure IIS server, security issues must be considered from the time of installation.
1. Do not install IIS on the system partition.
2. Modify the default path for IIS installation.
3. Apply the latest patches for Windows and IIS.
IIS Security Configuration
1. Delete unnecessary virtual directories
After IIS is installed, some directories are generated by default under wwwroot, including IISHelp, IISAdmin, IISSamples, MSADC, etc. These directories serve no practical purpose and can be deleted directly.
2. Remove dangerous IIS components
Some IIS components installed by default may pose security threats, such as Internet Service Manager (HTML), the SMTP Service and NNTP Service, and the sample pages and scripts; decide whether to delete them according to your needs.
3. Set permissions by file class in IIS
In addition to setting the necessary permissions on IIS files in the operating system, you also need to set permissions on them in IIS Manager. A good setup strategy is to create separate directories for the different types of files on your web site and then assign each the appropriate permissions. For example, the static file folder allows reading and denies writing; the ASP script folder allows execution but denies writing and reading; and executable programs such as EXE files allow execution and deny reading and writing.
4. Remove unnecessary application mappings
There are many application mappings in IIS by default. Apart from the ASP program mapping, the other file types are rarely used on web sites.
In the "Internet Service Manager", right-click the web site directory and select "Properties". On the "Home Directory" page of the web site directory properties dialog box, click the [Configuration] button; the "Application Configuration" dialog box opens. On the "App Mappings" page, delete the program mappings you do not use. If you do need a particular file type, you must install the latest system patch, then select the corresponding program mapping, click the [Edit] button, and in the "Add/Edit Application Extension Mapping" dialog box check the "Check that file exists" option. In this way, when a client requests such a file, IIS first checks whether the file exists and only calls the dynamic link library defined in the program mapping to parse it if the file does exist.
5. Protecting Log Security
Logging is an important part of the system security policy, ensuring that log security can effectively improve overall system security.
● Modify the storage path of the IIS logs
By default, IIS logs are stored in %WinDir%\System32\LogFiles. Attackers know this well, of course, so it is best to change the storage path. In the "Internet Service Manager", right-click the web site directory and select "Properties". On the "Web Site" page of the web site directory properties dialog box, select "Enable Logging". Next, click the [Properties] button beside it, and on the "General Properties" page click the [Browse] button or enter the log storage path directly in the input box.
● Modify the log access permissions so that the logs can only be accessed by administrators.
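The two log steps above, moving the log directory and restricting it to administrators, as an added script that is not part of the original article. It assumes IIS 7 or later with the WebAdministration module, a constructed log path on a non-system volume, and the site name 'Default Web Site'; adjust both parameters to your server.

```powershell
# Added example (not from the original article): relocate the IIS log directory off the
# default %WinDir%\System32\LogFiles and grant access only to SYSTEM and Administrators.
# Assumptions: IIS 7+ with the WebAdministration module; $LogRoot is a constructed path.
param(
    [string]$LogRoot  = 'D:\IISLogs',          # constructed example path
    [string]$SiteName = 'Default Web Site'
)

if (-not (Test-Path $LogRoot)) {
    New-Item -ItemType Directory -Path $LogRoot | Out-Null
}

# /inheritance:r drops every inherited ACE (the Users/Everyone read rights that a new
# folder normally inherits); /grant:r then sets the only two explicit ACEs we want.
# (OI)(CI)F = full control, inherited by files and subfolders such as W3SVC1.
icacls $LogRoot /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# Point the site's log file directory at the new location (the IIS Manager step in the article).
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name logFile.directory -Value $LogRoot

# Verify: list any identity that still has an ACE on the folder but should not.
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$extra = (Get-Acl -Path $LogRoot).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Unexpected ACEs remain on $LogRoot:"
    $extra | Select-Object IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Output "OK: $LogRoot is accessible only to SYSTEM and Administrators"
}
```

IIS writes W3C logs under the SYSTEM account, so SYSTEM keeps full control; existing log files in the old directory are not moved by the script and should be archived separately.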
With the above security settings in place, I believe your web server will be much safer!