15 Tips for Protecting IIS

Often, most Web sites are designed to provide instant access to information in the most acceptable way. In the past few years, more and more security issues caused by hackers, viruses and worms have seriously affected the accessibility of websites. Although Apache servers are often the target of attackers, Microsoft's Internet Information Service (IIS) Web servers are the real target of the public.

Advanced education organizations often struggle to find a balance between building a vibrant, user-friendly website or building a highly secure website. In addition, they must now work to improve the security of their websites in the face of shrinking technology budgets (in fact, many of their private sectors are also facing similar situations).

Because of this, I am here to provide some tips for university IT managers who have a headache for the budget to help them protect their IIS servers. Although primarily for IT professionals at the university, these techniques are basically applicable to IIS managers who want to increase security with a small budget. In fact, some of the techniques are also very useful for IIS managers with strong budgets.

First, develop a security policy
The first step in protecting a web server is to ensure that the network administrator knows every system in the security policy. If the company's top management does not regard the security of the server as an asset that must be protected, then the protection work is completely meaningless. This work requires long-term efforts. If the budget is not supported or it is not part of a long-term IT strategy, administrators who spend a lot of time protecting server security will not receive significant management support.

What are the direct consequences of network administrators establishing security for all aspects of resources? Some users who are particularly adventurous will be kept out of the door. Those users will then complain about the company's management, and the management will ask the network administrator what happened. Then, network administrators can't create documents that support their secure work, so conflicts have occurred.

By labeling the security level of the web server and the security policy of availability, network administrators will be able to easily deploy various software tools on different operating systems.

IIS Security Tips
Microsoft's products have always been the target of criticism, so IIS server is particularly easy to become the target of the attacker. With this in mind, network administrators must be prepared to implement a number of security measures. What I am going to offer you is a list that server operators may find useful.

1. Keep Windows Upgrade:
You must update all upgrades in time and fix all patches for your system. Consider downloading all updates to a dedicated server on your network and publishing the files on the machine as a web. Through these tasks, you can prevent your web server from accepting direct Internet access.

2. Using IIS prevention tools:
This tool has many practical advantages, however, please use this tool with caution. If your web server interacts with other servers, first test the prevention tool to make sure it is properly configured to ensure that it does not affect the communication between the web server and other servers.

3. Remove the default Web site:
Many attackers target the inetpub folder and place some sneak attacks on it, causing the server to crash. The easiest way to prevent this kind of attack is to disable the default site in IIS. Then, because worms access your site through IP addresses (they may have access to thousands of IP addresses a day), their requests may be in trouble. Point your real Web site to a back-partitioned folder and must include secure NTFS permissions (described in more detail in the NTFS section below).

4. If you don't need FTP and SMTP services, please uninstall them:
The easiest way to get into your computer is through FTP. FTP itself is designed to handle simple read/write access. If you perform authentication, you will find that your username and password are transmitted over the network in clear text. SMTP is another service that allows write access to folders. By disabling these two services, you can avoid more hacking attacks.

5. Check your administrators and services regularly:
One day I entered our classroom and found that there was one more user in the Administrators group. This means that someone has successfully entered your system at this time, he or she may throw the bomb into your system, which will suddenly destroy your entire system, or take up a lot of bandwidth for hackers. Hackers also tend to leave a help service. Once this happens, it may be too late to take any action. You can only reformat your disk and recover the files you back up every day from the backup server. Therefore, checking the list of services on the IIS server and keeping as few services as possible must be your daily task. You should remember which service should exist and which service should not exist. The Windows 2000 Resource Kit brings us a useful program called tlist.exe, which lists the services that run under svchost in each case. Running this program can find some hidden services you want to know. Give you a hint: Any service that contains a few words of daemon may not be a service that Windows itself contains, and should not exist on the IIS server. To get a list of Windows services and know what they do, click here.

6. Strictly control the write access of the server:
This sounds easy, however, on a university campus, a Web server actually has a lot of "authors". Faculty members want to have their classroom information accessible to remote students. The staff would like to share their work information with other staff. Folders on the server can have extremely dangerous access rights. One way to share or spread this information is to install a second server to provide dedicated sharing and storage purposes, then configure your web server to point to the shared server. This step allows the network administrator to limit the write access to the web server itself to the administrator group.

7. Set up complex passwords:
I recently entered the classroom and found many possible hackers from the event viewer. The domain structure in which he or she entered the lab is deep enough to run a password cracking tool for any user. If a user uses a weak password (such as "password" or changeme" or any dictionary word), the hacker can quickly and easily invade the user's account.

8. Reduce/exclude sharing on the web server:
If the network administrator is the only one who has write access to the web server, there is no reason for any sharing to exist. Sharing is the biggest temptation for hackers. In addition, by running a simple loop batch file, the hacker can view a list of IP addresses and use the \\\\ command to find the Share of Everyone/Full Control.

9. Disable NetBIOS in the TCP/IP protocol:
This is cruel. Many users want to access the web server through a UNC pathname. With NETBIOS disabled, they can't do this. On the other hand, with NETBIOS disabled, hackers can't see resources on your LAN. This is a double-edged sword. If the network administrator deploys this tool, the next step is how to educate Web users on how to post information if NETBIOS fails.

10. Block using TCP port:
This is another cruel tool. If you are familiar with every TCP port that accesses your server for legitimate reasons, you can go to the Properties tab of your network interface card, select the TCP/IP protocol you are binding, and block all ports you don't need. You must use this tool with care because you don't want to lock yourself outside of the web server, especially if you need to log in to the server remotely. To get the details of the TCP port, click here.

11. Double-check the *.bat and *.exe files: Search the *.bat
and *.exe files once a week to check if there is a hacker favorite on the server, but for you It is an executable file for a nightmare. Among these destructive files, some may be *.reg files. If you right click and select Edit, you can see that the hacker has created and will allow them to access the registry files of your system. You can delete these primary keys that don't make sense but bring convenience to the intruder.

12. Managing IIS Directory Security:
IIS Directory Security allows you to deny specific IP addresses, subnets, and even domain names. Alternatively, I chose a software called WhosOn that lets me know which IP addresses are trying to access a particular file on the server. WhosOn lists a series of exceptions. If you find a guy trying to access your cmd.exe, you can choose to deny this user access to the web server. Of course, on a busy web site, this may require a full-time employee! However, on the intranet, this is really a very useful tool. You can provide resources to all users inside the LAN, as well as to specific users.

13. Using NTFS Security:
By default, your NTFS drives use EVERYONE/Full Control permissions unless you manually turn them off. The key is not to lock yourself out, different people need different permissions, administrators need full control, and background management accounts need full control. Each system and service needs a level of access, depending on different files. The most important folder is System32. The smaller the access permissions of this folder, the better. Using NTFS permissions on a web server can help you protect important files and applications.

14. Manage User Accounts:
If you have already installed IIS, you may have generated a TSInternetUser account. Unless you really need this account, you should disable it. This user is easily penetrated and is a significant target for hackers. To help manage user accounts, make sure your local security policy is ok. The permissions of IUSR users should also be as small as possible.

15. Auditing your web server:
Auditing has a big impact on the performance of your computer, so if you don't check it often, don't do an audit. If you can really use it, please audit the system events and add the auditing tools when you need them. If you are using the WhosOn tool mentioned earlier, auditing is less important. By default, IIS always logs access, and WhosOn puts these records in a very easy-to-read database that you can open via Access or Excel. If you look at the exception database often, you can find the vulnerability of the server at any time.

Summary
All of the above IIS tips and tools (except WhosOn) are included with Windows. Don't forget to use these tips and tools one by one before testing your site reachability. If they are deployed together, the results can cost you a lot, and you may need to reboot to lose access.

Last tip: Log in to your web server and run netstat -an from the command line. Observe how many IP addresses are trying to establish a connection with your port, and then you will have a lot of research and research to do.