Because IIS (Internet Information Server) is convenient and easy to use, it has become one of the most popular Web servers. However, its security has long been a concern, and how to build a secure web server with IIS is a topic that many people care about.
Constructing a Security System
To create a secure and reliable Web server, you must secure both Windows 2000 and IIS, because IIS users are also Windows 2000 users and IIS directory permissions depend on the permissions of the Windows NTFS file system. The first step in securing IIS is therefore to ensure the security of the Windows 2000 operating system:
1. Use the NTFS file system to manage files and directories.
2. Close the default shares
Open the registry editor, expand the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" key, and add the value AutoShareServer of type REG_DWORD with the data 0. This completely turns off the "default shares".
3. Modify Share Permissions
Immediately after creating a new share, modify Everyone's default permissions to prevent Web server visitors from gaining unnecessary permissions.
4. Rename the system administrator account to guard against attacks by unauthorized users.
Right-click [My Computer] → [Manage] to start the "Computer Management" program. Under "Local Users and Groups", right-click "Administrator" → select "Rename", and change the administrator account to a very common username.
5. Disable NetBIOS over TCP/IP
Right-click [Network Neighborhood] on the desktop → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [WINS], and select the "Disable NetBIOS over TCP/IP" item near the bottom to turn off NetBIOS over TCP/IP.
6. Control the inbound connection on TCP/IP
Right-click [Network Neighborhood] on the desktop → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options], and select the "TCP/IP Filter" option in the list. Click the [Properties] button, select "Allow only", then click the [Add] button and enter only port 80.
7. Modify the registry to reduce the risk of denial of service attacks.
Open the registry editor and change the value of SynAttackProtect under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters to 2, so that connections time out more quickly.
Ensuring the Security of IIS Itself
IIS Secure Installation
To build a secure IIS server, security issues must be considered from the time of installation.
1. Do not install IIS on the system partition.
2. Modify the default path for IIS installation.
3. Install the latest patches for Windows and IIS.
IIS Security Configuration
1. Delete unnecessary virtual directories
After IIS is installed, some directories are created by default under wwwroot, including IISHelp, IISAdmin, IISSamples, MSADC, etc. These directories serve no practical purpose and can be deleted directly.
2. Remove dangerous IIS components
Some IIS components installed by default may pose security threats, such as Internet Service Manager (HTML), the SMTP Service and NNTP Service, and the sample pages and scripts. Decide whether to delete them according to your needs.
3. Set permissions for file classification in IIS
In addition to setting the necessary permissions for IIS files in the operating system, you also need to set permissions for them in IIS Manager. A good strategy is to create separate directories for the different types of files on your Web site and then assign each directory the appropriate permissions. For example, the static file folder allows read and denies write; the ASP script folder allows execute and denies write and read; and the folder for executable programs such as EXE files allows execute and denies read and write.
4. Delete unnecessary application mappings
There are many application mappings in IIS by default. Apart from the ASP mapping, the other file types are rarely used on websites.
In "Internet Service Manager", right-click the website directory and select "Properties". On the "Home Directory" page of the website directory Properties dialog box, click the [Configure] button to open the "Application Configuration" dialog box, and on the "Application Mapping" page delete the mappings you do not need. If you do need a given file type, you must install the latest system patches, then select the corresponding mapping, click the [Edit] button, and in the "Add/Edit Application Extension Mapping" dialog box check the "Check that file exists" option. In this way, when a client requests such a file, IIS first checks whether the file exists, and only if it exists does IIS call the dynamic link library defined in the mapping to process it.
5. Protecting Log Security
Logging is an important part of the system security policy, and keeping the logs secure effectively improves the overall security of the system.
● Modify the storage path of IIS logs
By default, IIS logs are stored in %WinDir%\System32\LogFiles. Attackers of course know this very well, so it is best to change the storage path. In "Internet Service Manager", right-click the website directory and select "Properties". On the "Web Site" page of the website directory Properties dialog box, with "Enable Logging" checked, click the [Properties] button next to it. On the "General Properties" page, click the [Browse] button or enter the log storage path directly in the input box.
● Modify the log access permissions so that only the administrator can access the logs.
With some of the above security settings, I believe that your web server will be much safer!