Secure an IIS Web server with these 10 steps
来源:互联网 发布:2016全国人口普查数据 编辑:程序博客网 时间:2024/04/29 23:17
Problem
Internet Information Services (IIS) is a favorite target of hackers. Thus, it's critical for administrators who manage IIS Web servers to make sure that they are locked down. The default installations of IIS 4.0 and IIS 5.0 are particularly vulnerable.
Solution
Take these 10 steps to secure IIS:
- Set up an NTFS drive just for the IIS application and data. If possible, don't allow IUSER (or whatever the anonymous username is) access to any of the other drives. If the application runs into any problems because the anonymous user doesn't have access to programs on the other drive(s), then use FileMon from Sysinternals to troubleshoot which file it can't access and try working around it by moving the program to the IIS drive. If that is impossible, then allow IUSER access just to that file.
- Set the NTFS permissions on the drive:
Developers = Full
IUSER = Read and execute only
System and admin = Full - Use a software firewall to make sure that none of the end users (only the developers) have access to any other port on the IIS machine besides port 80.
- Use the Microsoft tools for locking down the machine: IIS Lockdown and UrlScan.
- Enable logging using IIS. In addition to the IIS logging, if possible, use logging from the firewall as well.
- Move the logs from the default location, and make sure that they are being backed up. Set up a replication for the log folders so that a copy is always available in a second location.
- Enable Windows auditing on the machine, because there is never enough data when trying to backtrack any attacker's activity. It's even possible to have a script run to check for any suspicious activity using the audit logs, and then send a report to an administrator. Now this might sound a bit extreme, but if security is really important in your organization, this type of action is a good practice. Set up auditing to report any failed account logons. Plus, as with the IIS logs, change the default location (c:/winnt/system32/config/secevent.log) to a different location, and make sure that you have a backup and a replicated copy.
- On a regular basis, go through as many security articles (from various sources) as you can. It is always better that you understand as much as possible about IIS and general security practices and not just follow what others (like me) tell you.
- Sign up to a mailing list for IIS bugs and stay up to date in reading it. One such list is X-Force Alerts and Advisories from Internet Security Systems.
- Finally, make sure that you regularly run Windows Update and verify that the patches actually get deployed.
- Secure an IIS Web server with these 10 steps
- How to Secure an nginx Server with Fail2Ban
- Building an IIS web server on a home LAN
- So you want to replay an IIS web server log?
- IIS Web Server Security
- Creating an Extender Control to Associate a Client Behavior with a Web Server Control
- 1. Steps to set up java web project with IDEA
- Build Secure Web Services With SOAP Headers and Extensions
- Building an Erlang chat server with Comet
- 10 Steps to Become an Outstanding Java Developer
- Configuring Web Gardens with IIS 6.0 (IIS 6.0)
- How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics
- How to secure an Ubuntu 12.04 LTS server - Part 2 The GUI installer script
- An SSL error has occurred and a secure connection to the server cannot be made
- An SSL error has occurred and a secure connection to the server cannot be made.
- IIS的The server has encountered an error -解决方法
- Mongoose: an Embeddable Web Server in C
- Flash: An Efficient and Portable Web Server
- Java安全基础
- J2EE初学者需要理解的问题
- ANT介绍及安装及配置
- 带教老师的金玉良言
- ant 中文手册--介绍
- Secure an IIS Web server with these 10 steps
- Java常见面试题(含答案)
- 实现Java与C语言接口
- Java工具包的安装配置和使用
- [转载]给中国学生的第四封信:大学四年应是这样度过 by 李开复--www.kaifulee.com
- 看程序员是怎么喝酒的(搞笑)
- 电脑族每天请喝四杯茶
- 如何对付难以沟通的同事
- 感悟