Windows IIS 6 Security Guard: A Guide to URL Authorization

  

IIS on the Windows operating system is one of the most commonly used web servers. It is powerful and easy to use, but it is also vulnerable to malicious attacks, and its security has always been a focus of discussion. To enhance the security of the Web server, many security features were added to IIS 6 in the Windows Server 2003 operating system. "URL Authorization" is one of them. This feature lets IIS 6 run more securely and stably. This article introduces what you need to know about URL authorization.

First, why use URL authorization
IIS websites make users' work easier, but their security has always been the topic of most concern to administrators. As we all know, there are vulnerabilities in the IIS server components, and many "criminals" use these vulnerabilities to attack websites. Although installing IIS patches promptly fixes these vulnerabilities, new ones continue to emerge. Many administrators disable anonymous access to control which users can reach the website, but this approach still leaves some security risks. To enhance the security of IIS, Windows Server 2003 provides the URL authorization function, which uses Authorization Manager to strictly control which users can browse the website. For a user account to access a virtual directory with URL authorization enabled, it must first be a valid account on the Windows Server 2003 system. In addition, the account must be added to a role assignment in Authorization Manager.

Second, configure the URL authorization function
IIS 6 does not enable the URL authorization function by default; you must configure it manually with Authorization Manager. The steps below show how to do this.

1. Disable anonymous access
In Windows Server 2003, IIS 6 allows anonymous access by default. To use URL authorization, you must first disable anonymous access. Click "Start → Run" and enter the "%systemroot%\System32\InetSrv\IIS.msc" command in the Run dialog box (where "%systemroot%" is the directory where the operating system is installed). After you press Enter, the "Internet Information Service (IIS) Manager" window opens; expand "Local Computer → Website → Default Website". The rest of this article uses the Online virtual directory of the default website as the example for configuring URL authorization.

Right-click the "Online" folder and select "Properties" from the pop-up menu. In the Online Properties dialog box, switch to the "Virtual Directory" tab and click the "Create" button. Then switch to the "Directory Security" tab and click the "Edit" button in the Authentication and Access Control section. In the Authentication Method dialog box, uncheck the "Enable Anonymous Access" check box and make sure the "Integrated Windows Authentication" option is selected (Figure 1), then click the "OK" button twice.


2. Configure wildcard application mapping
With anonymous access disabled, the actual configuration can begin. First, configure the wildcard application mapping for the URL authorization feature. In the Virtual Directory tab of the Online Properties dialog box, click the "Configure" button to open the "Applications" dialog box, then click the "Insert" button in the "Wildcard Application Mapping" section (Figure 2). In the "Add/Edit Application Extension Mapping" dialog box, click the "Browse" button, go to the "%systemroot%\System32\InetSrv" directory, select the urlauth.dll file, click the "Open" button, and finally click the "OK" button.

3. Add WEB service extension
Next, add URL authorization as a Web service extension in IIS 6. In the Internet Information Services (IIS) Manager window, expand Local Computer → Website → Web Service Extension. Click the "Add a new WEB Service Extension" link in the WEB Service Extension pane on the right to open the New WEB Service Extension dialog box (Figure 3). Enter "URL Authorization" in the "Extension" field, then click the "Add" button. In the Add dialog box, click "Browse", find the urlauth.dll file in the "%systemroot%\System32\InetSrv" directory, open it, and click the "OK" button. Then select the "Set extension status to allow" option in the New WEB Service Extension dialog box, and finally click the "OK" button.


4. New Authorization Store
URL authorization works together with Authorization Manager, which manages the user accounts allowed to access the IIS website, so Authorization Manager has to be configured as well. First, create a file in which it stores authorization information. Enter the "Azman.msc" command in the Run dialog box and press Enter to open the Authorization Manager window. Right-click the "Authorization Manager" option, select "Options" in the pop-up menu, select "Development mode" in the Options dialog box, and click the "OK" button. Next, create a new authorization store file: right-click the "Authorization Manager" option and select "New Authorization Store" to open the authorization store dialog box (Figure 4). Select the "XML file" option, enter "C:\MyStore.xml" in the "Store name" field, and click the "OK" button.


Then, in the Authorization Manager window, right-click the MyStore.xml item. In the pop-up menu, select "New Application", enter "IIS6 URL Authorization" in the name field, and click the "OK" button. Next, expand IIS6 URL Authorization → Definition, right-click Operation Definition, and select New Operation Definition from the pop-up menu. Enter "AccessURL" in the "Name" field, enter "1" in the operation number field, and click the "OK" button.

5. Configure Scope
Next, configure a scope for the newly created application, IIS6 URL Authorization. Right-click the "IIS6 URL Authorization" option, select "New Scope" in the pop-up menu, enter "WebApp" in the name field, and click the "OK" button. Then expand "IIS6 URL Authorization → Definition", right-click the "Role Definition" option, and select "New Role Definition" from the pop-up menu. Enter "Viewer" in the name field and click the "OK" button. Then click the "Role Definition" option, right-click the Viewer item in the right pane, and select "Properties" from the shortcut menu. Switch to the "Definition" tab, click the "Add" button, switch to the "Operation" tab, select the "AccessURL" option in the operation definition list, and click the "OK" button twice.

Then expand "IIS6 URL Authorization → WebApp", right-click the "Role Assignment" option, and select "Assign Roles" in the pop-up menu. Select the "Viewer" option in the Add Role dialog box and click the "OK" button. Next, right-click the "Viewer" item in the right pane and select "Assign Windows Users and Groups" to open the Select User or Group dialog box (Figure 5). In the "Enter Object Name to Select" field, enter the user account that needs to access the site's pages, then click the "OK" button.


6. Configure the reader role
By default, IIS 6 runs as the Network Service account. This account must be able to read the authorization store, so assign it the Reader role. Right-click the "MyStore.xml" item, select "Properties" from the pop-up menu, switch to the "Security" tab, select "Reader" in the "Authorization Manager User Role" list, and click the "Add" button. Enter the "Network Service" account in the "Enter object name to select" field, and then click the "OK" button twice.
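
Steps 4 to 6 can also be scripted through the AzRoles COM API that Authorization Manager itself uses. The script below is an added example, not part of the original article; the member account EXAMPLE\webviewer is a placeholder, and the store, application, operation, scope and role names are the ones used in the steps above.

```vbscript
' Added example: builds the authorization store from steps 4-6 with the
' AzRoles COM API instead of the Azman.msc console.
Option Explicit

Const AZ_AZSTORE_FLAG_CREATE = 1              ' create a new store
Const STORE_URL = "msxml://C:\MyStore.xml"    ' store file from step 4
Const MEMBER = "EXAMPLE\webviewer"            ' placeholder account, replace it

Dim store, app, op, scope, roleDef, role

' Step 4: create the XML store, the application and the operation.
Set store = CreateObject("AzRoles.AzAuthorizationStore")
store.Initialize AZ_AZSTORE_FLAG_CREATE, STORE_URL
store.Submit

Set app = store.CreateApplication("IIS6 URL Authorization")
app.Submit

Set op = app.CreateOperation("AccessURL")
op.OperationID = 1
op.Submit

' Step 5: scope, role definition that contains AccessURL, role assignment.
Set scope = app.CreateScope("WebApp")
scope.Submit

Set roleDef = app.CreateTask("Viewer")
roleDef.IsRoleDefinition = True
roleDef.AddOperation "AccessURL"
roleDef.Submit

Set role = scope.CreateRole("Viewer")
role.AddTask "Viewer"
role.AddMemberName MEMBER
role.Submit

' Step 6: let the IIS 6 worker identity read the store (Reader role).
store.AddPolicyReaderName "NT AUTHORITY\NETWORK SERVICE"
store.Submit

WScript.Echo "Store created: " & STORE_URL
```

Run it with cscript from an administrative command prompt; it fails if C:\MyStore.xml already exists, which keeps it from overwriting a store that is in use.
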

7. Configure the IIS Metabase file
After the steps above, URL authorization is still not enabled; the IIS Metabase parameters also have to be modified. Here a VBS script is used to modify the IIS Metabase. Go to the "C:\Inetpub\AdminScripts" directory and create a new script file called "SetUrlAuth.vbs". Open the file, copy the following content into it, and save the file.

The contents of the script are as follows:
' SetUrlAuth.vbs
' Sets the URL authorization (Az*) properties on an IIS metabase node.
Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then
    ' Too few arguments: print usage and an example.
    WScript.Echo "Usage: SetUrlAuth VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]"
    WScript.Echo ""
    WScript.Echo "Example:"
    WScript.Echo " SetUrlAuth w3svc/1/root/MyApp MyApp msxml://d:\inetpub\wwwroot\AzStore.xml True 1"
    WScript.Echo ""
    WScript.Echo "Run with 'cscript' command in cmd.exe to avoid Msgboxes"
Else
    WScript.Echo objArgs(0)
    Dim iis
    ' Bind to the metabase node through ADSI.
    Set iis = GetObject("IIS://localhost/" & objArgs(0))
    iis.AzScopeName = objArgs(1)
    iis.AzStoreName = objArgs(2)
    iis.AzEnable = objArgs(3)
    ' The impersonation level is optional.
    If objArgs.Count > 4 Then
        iis.AzImpersonationLevel = objArgs(4)
    End If
    ' Write the changes back to the metabase.
    iis.SetInfo
End If

Then click "Start → Run" and enter the "Cmd.exe" command in the Run dialog box to open the Command Prompt window. Switch to the "C:\Inetpub\AdminScripts" directory and run the "Cscript SetUrlAuth.vbs W3svc\1\Root\WebApp WebApp msxml://C:\MyStore.xml true 1" command to complete the Metabase parameter modification.

This enables the URL authorization feature. Only the user account specified in the Authorization Manager's Viewer role can access the pages of your website's Online virtual directory.
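
Before relying on the result, it is worth reading the settings back from the metabase. The script below is an added check, not part of the original article; it assumes the node path, scope name and store URL from the command above (the path is written with forward slashes, the form the script's usage text shows) and reports any setting that does not match the steps in this article.

```vbscript
' Added example: reads back the settings made in steps 1, 2 and 7.
Option Explicit

Const NODE_PATH = "IIS://localhost/W3SVC/1/Root/WebApp"  ' node from the command above
Const STORE_URL = "msxml://C:\MyStore.xml"
Const SCOPE_NAME = "WebApp"

Dim node, problems, entry, mapped
problems = 0
Set node = GetObject(NODE_PATH)

' Prints one result line and counts failures.
Sub Check(ok, message)
    If ok Then
        WScript.Echo "[ OK ] " & message
    Else
        WScript.Echo "[FAIL] " & message
        problems = problems + 1
    End If
End Sub

' Step 1: anonymous access off, Integrated Windows Authentication on.
Check Not node.AuthAnonymous, "Anonymous access is disabled"
Check node.AuthNTLM, "Integrated Windows Authentication is enabled"

' Step 2: urlauth.dll is present in the node's application mappings.
mapped = False
For Each entry In node.ScriptMaps
    If InStr(1, entry, "urlauth.dll", vbTextCompare) > 0 Then mapped = True
Next
Check mapped, "urlauth.dll appears in the application mappings"

' Step 7: the Az* properties written by SetUrlAuth.vbs.
Check node.AzEnable, "AzEnable is True"
Check StrComp(node.AzStoreName, STORE_URL, vbTextCompare) = 0, _
      "AzStoreName is " & STORE_URL
Check node.AzScopeName = SCOPE_NAME, "AzScopeName is " & SCOPE_NAME
WScript.Echo "AzImpersonationLevel = " & node.AzImpersonationLevel

' A non-zero exit code lets a scheduled job or build step notice drift.
If problems > 0 Then WScript.Quit 1
```

A [FAIL] on the first line is the one to act on first: with anonymous access still enabled, requests never carry a Windows identity for the Viewer role to be checked against.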
