Web Hosting: Preventing IIS Intrusion, Common Q&A

  


1. How to make an ASP script run with system privileges?

Edit the virtual directory that hosts your ASP script and change "Application Protection" to "Low"....

2. How to prevent ASP trojans?

For ASP trojans based on the FileSystemObject component, deny the Guests group access to scrrun.dll, then unregister the component:

cacls %systemroot%\system32\scrrun.dll /e /d guests

regsvr32 scrrun.dll /u /s

For ASP trojans based on the Shell.Application component, deny the Guests group access to shell32.dll, then unregister the component:

cacls %systemroot%\system32\shell32.dll /e /d guests

regsvr32 shell32.dll /u /s

3. How to encrypt ASP files?

Download sce10chs.exe free from Microsoft and run it to complete the installation.

After the installation is complete, the file screnc.exe is created. It is a command-line tool that runs at the DOS prompt.

Run

screnc -l vbscript source.asp destination.asp

This generates a new file, destination.asp, containing the ASP script as ciphertext.

Open it with Notepad and you will see that everything within the script, whether or not it is a comment, has become unreadable ciphertext.

However, it cannot encrypt Chinese.

4. How to extract urlscan from IISLockdown?

iislockd.exe /q /c /t:c:\urlscan

5. How to prevent the Content-Location header from exposing the internal IP address of the web server?

Execute

cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/UseHostName True

Finally, restart IIS.
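
A check to run after the restart, as an added example that is not part of the original page: it parses a captured response head and reports a private IP address found in Content-Location. The sample responses and the host name webhost01 are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: response head captured before the change.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://10.1.1.20/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Constructed sample: the same response once UseHostName is True
# (webhost01 is an assumed machine name).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("10.1.1.20", "webhost01")


def parse_headers(raw):
    """Return {lower-case header name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_internal_ip(raw):
    """Return the private IP address exposed in Content-Location, or None."""
    location = parse_headers(raw).get("content-location")
    if not location:
        return None
    host = urlsplit(location).hostname
    if host is None:  # relative URL, no host part
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a host name, not an IP literal
        return None
    return str(addr) if addr.is_private else None
```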

6. How to solve the HTTP 500 internal error?

Most IIS HTTP 500 internal errors are caused by the IWAM account password being out of sync.

We can solve the problem by synchronizing the password of the iwam_myserver account in the COM+ application.

Execute

cscript c:\inetpub\adminscripts\synciwam.vbs -v

7. How to strengthen the ability of IIS to withstand a SYN flood?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enables SYN attack protection. The default value, 0, leaves attack protection disabled. The values 1 and 2 enable it, and 2 gives the higher security level. Protection is triggered according to the conditions set by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below. Note that NT 4.0 must be set to 1; setting it to 2 will cause the system to restart when it receives a particular packet.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; you can see these in the SYN_RCVD state with the netstat command. Here we use the Microsoft recommended value: 100 for Server and 500 for Advanced Server. It can be set slightly lower.

"TcpMaxHalfOpen"=dword:00000064

Determines the trigger point for deciding that an attack is under way. Here we use the Microsoft recommended value: 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Sets the time to wait for SYN-ACK. The default value is 3, which takes 45 seconds. A value of 2 takes 21 seconds, and a value of 1 takes 9 seconds. The minimum is 0, which means no waiting and takes 3 seconds. This value can be adjusted according to the size of the attack. Microsoft's site security recommendation is 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001

Sets the number of times TCP retransmits a single data segment. The default value is 5, which takes 240 seconds. Microsoft's site security recommendation is 3.

"TcpMaxDataRetransmissions"=dword:00000003

Sets the threshold for SYN attack protection. When the available backlog becomes 0, this parameter controls when SYN attack protection is turned on. Microsoft's site security recommendation is 5.

"TCPMaxPortsExhausted"=dword:00000005

Disables IP source routing. The default value, 1, means source-routed packets are not forwarded. A value of 0 means all of them are forwarded. A value of 2 means all incoming source-routed packets are dropped. Microsoft's site security recommendation is 2.

"DisableIPSourceRouting"=dword:00000002

Limit the maximum time in the TIME_WAIT state. The default is 240 seconds, the minimum is 30 seconds, and the maximum is 300 seconds. It is recommended to set to 30 seconds.

"TcpTimedWaitDelay"=dword:0000001e
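
An audit helper for the settings above, as an added example that is not part of the original page: it parses the text of a .reg export of the Tcpip\Parameters key and lists every value that is missing or differs from the values given in this answer. The sample export and the host name in it are constructed.

```python
import re

# Values taken from the registry settings listed in this answer.
BASELINE = {
    "SynAttackProtect": 2,
    "TcpMaxHalfOpen": 0x64,
    "TcpMaxHalfOpenRetried": 0x50,
    "TcpMaxConnectResponseRetransmissions": 1,
    "TcpMaxDataRetransmissions": 3,
    "TCPMaxPortsExhausted": 5,
    "DisableIPSourceRouting": 2,
    "TcpTimedWaitDelay": 0x1E,
}
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample: export from a partly configured server.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"TcpMaxHalfOpen"=dword:00000064
"tcptimedwaitdelay"=dword:000000f0
"Hostname"="webhost01"
'''


def parse_dwords(reg_text, key=KEY):
    """Return {lower-case value name: int} for DWORD values under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Registry key and value names are case-insensitive.
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def audit(reg_text):
    """Return {name: (found, expected)} for deviations; found is None if absent."""
    found = parse_dwords(reg_text)
    return {name: (found.get(name.lower()), want)
            for name, want in BASELINE.items()
            if found.get(name.lower()) != want}
```

regedit writes Version 5.00 exports as UTF-16, so decode the file with that encoding before passing its text to audit().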

8. How to prevent *.mdb files from being downloaded?

Installing the UrlScan tool issued by Microsoft solves this problem at the root.

It is also a powerful security tool in its own right; you can get more detailed information from the Microsoft website.

9. How to run IIS with minimum NTFS permissions?

Do the following work in order:

a. Select the whole hard disk:

system: Full Control

administrator: Full Control

(Allow inheritable permissions from parent to propagate to this object)

b. \program files\common files:

everyone: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from parent to propagate to this object)

c. \inetpub\wwwroot:

iusr_machine: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from parent to propagate to this object)

e. \winnt\system32:

Select all directories except inetsrv and centsrv,

clear the "Allow inheritable permissions from parent to propagate to this object" checkbox, and choose Copy.

f. \winnt:

Select all directories except downloaded program files, help, iis temporary compressed files, offline web pages, system32, tasks, temp and web,

clear the "Allow inheritable permissions from parent to propagate to this object" checkbox, and choose Copy.

g. \winnt:

everyone: Read & Execute

List Folder Contents

Read

(Allow inheritable permissions from parent to propagate to this object)

h. \winnt\temp: (allows the database to be accessed and displayed on ASP pages)

everyone: Modify

(Allow inheritable permissions from parent to propagate to this object)

10. How to hide the IIS version?

A hacker can easily telnet to your web port, send a GET command, and obtain a lot of information.

IIS stores the banner for each service in the following DLL files:

WEB: C:\WINNT\SYSTEM32\INETSRV\W3SVC.DLL

FTP: C:\WINNT\SYSTEM32\INETSRV\FTPSVC2.DLL

SMTP: C:\WINNT\SYSTEM32\INETSRV\SMTPSVC.DLL

You can use a hex editor to modify those DLL files, searching for keywords such as Microsoft-IIS/5.0.

The specific process is as follows:

1. Stop IIS: iisreset /stop

2. Delete the files of the same name under the %SYSTEMROOT%\system32\dllcache directory

3. Modify
