After completing the above settings, you also need to submit the certificate request file created earlier to the certificate server of the IIS website. To do so, first copy the "CertSrv" subdirectory under "system32" in the Windows system directory to the root directory of the target website. Then open an IE browser window on the server, enter "http://www.aaa.com/certsrv/default.asp" in the address bar (where "www.aaa.com" is the URL of the target website), click the "apply for a certificate" link, and set the certificate application type to "Advanced Certificate Application" on the subsequent page. Next, on the Advanced Certificate Application page, click the "use base64 encoding ......" link, copy the contents of the certificate request file created earlier into the "Save application" text box, and click "Submit" to complete the submission of the certificate request file.
Once you have submitted the certificate request file to the certificate server, the certificate must be issued before it becomes valid. To issue it, click "Start", "Settings", and "Control Panel". In the Control Panel window that appears, find the "Certificate Authority" icon (as shown in Figure 5) and double-click it. In the settings window that appears, select the "pending application" option, right-click the certificate you applied for, and choose "all tasks"/"issue" from the shortcut menu.
Figure 5
After the issuing operation is complete, double-click the issued certificate, click the Details tab in the certificate settings window, and click the "copy to file" button on that tab to open the file export wizard. Set the name and save path of the exported file as the wizard prompts, then click "finish".
Issuing the server certificate does not by itself enable SSL encryption on the IIS server; you also need to configure the IIS server in the Internet Service Manager console. Return to the "Directory Security" tab page of the target website and click the "server certificate" button again. In the settings window that follows, select the "process pending requests ......" item, follow the wizard prompts to set the storage path of the server certificate file, enable the default SSL port "443", and click "finish". Then return to the "Directory Security" tab page, click the "edit" button in the "Secure Communication" setting item, select the "require secure communication" option in the edit settings window that opens, and click "OK" to enable SSL encryption on the IIS server. From then on, to visit the target website "www.aaa.com" you must enter "https://www.aaa.com" in the IE address bar. In addition, any information you submit on the website is encrypted before transmission, so the security of the website information is greatly enhanced.
4. Use logs to find security risks
Any access to the IIS server leaves an access record on the server, and access by hackers or illegal attackers also leaves traces in the log file. Therefore, if we make good use of the log file, we can learn in time whether the IIS server has been attacked and when. Once an attack record is found, security measures must be taken promptly to prevent hackers from continuing the attack. However, the IIS server's log records are stored by default in the "system32\logfiles" folder of the Windows system, so many hackers can easily find the original log file there and modify it, and then we can no longer tell from the log files whether the IIS server has security risks. To prevent hackers from arbitrarily changing log files, follow these steps:
Click Start, Programs, Administrative Tools, and Internet Service Manager. In the Internet Information Service console window that appears, right-click the target Web site and run the "properties" command from the shortcut menu. In the Web site property settings window that appears, click the "Web site" tab. On that tab page, select the "Enable Logging" option and click "properties". In the property settings box shown in Figure 6, you will see that the default storage location of IIS server log files is "%WinDir%\System32\LogFiles".
Figure 6
Here you can click the Browse button and, in the folder selection dialog box that appears, select a hidden folder to serve as the new storage location for IIS server log files. In addition, so that log files record hacker attacks in a timely manner, you had better select the daily option in the "New log interval" setting item. Then, on the "extended attributes" tab page, specify the content that the IIS server records. Finally, to prevent hackers from arbitrarily modifying log files, return to the system resource manager window and modify the properties of the target log file so that only the local administrator can access it. After completing these settings, the log files on the IIS server can play their proper role and help you find security risks on the server in a timely manner.
5. Restrict access to hosts in a specific region
If the firewall installed on the IIS server keeps alerting you that Internet hosts from a specific region are constantly trying to attack your server, you can block all of these "suspicious" hosts to prevent them from continuing to attack the server. To block these suspicious hosts, follow these steps:
Click Start, Programs, Administrative Tools, and Internet Service Manager. In the Internet Information Service console window that appears, right-click the target Web site and run the "properties" command from the shortcut menu. In the Web site property settings window that appears, click the "Directory Security" tab. On that tab page, click the "edit" button in the "IP address and domain name restriction" settings. In the settings window shown in Figure 7, select the "authorized access" option and click the Add button in the "excluded from the following" list. In the "Deny Access" setting box that appears, select "one group of computers", then enter the IP address of any computer in the group and the subnet mask of the group. In this way, you can block all hosts from the "suspicious" area.
Figure 7
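Before adding a deny entry, it helps to check the IIS logs for which clients the entry would actually cover. The following is an added example, not part of the original article: it assumes the site logs in W3C Extended Log File Format with the client IP field selected, and it models a "group of computers" entry as address AND subnet mask. The sample log, the addresses, and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log; all addresses are from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2004-03-01 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-01 00:00:12 203.0.113.17 GET /default.asp 200
2004-03-01 00:00:15 203.0.113.201 GET /admin/login.asp 401
2004-03-01 00:01:02 198.51.100.9 GET /default.asp 200
2004-03-01 00:01:40 203.0.113.201 GET /admin/login.asp 401
2004-03-01 00:02:05 192.0.2.44 POST /order.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the columns #Fields declares."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the admin chooses these columns
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def deny_entry(address, mask=None):
    """One computer (no mask), or a group given as any member address plus
    the subnet mask. Assumption: a group entry matches by address AND mask."""
    if mask is None:
        return ipaddress.ip_network(address)
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def affected_clients(log_text, entries):
    """Count logged requests per client IP that the deny entries would block."""
    hits = Counter()
    for row in parse_w3c(log_text):
        if "c-ip" not in row:               # client IP was not selected for logging
            continue
        ip = ipaddress.ip_address(row["c-ip"])
        if any(ip in net for net in entries):
            hits[row["c-ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    entries = [deny_entry("203.0.113.17", "255.255.255.0"), deny_entry("192.0.2.44")]
    for client, count in sorted(affected_clients(SAMPLE_LOG, entries).items()):
        print(client, count)
```

A group entry covers every address that shares the masked prefix, so the output lists 203.0.113.17 alongside 203.0.113.201 even though only the latter produced the 401 responses.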
If you only want to block a single suspicious computer, select the "one computer" option, enter the IP address of the computer to block in the "ip address" text box, and click OK to return to the settings window shown in Figure 7. To restrict access to the IIS server by another computer, click Add and enter the IP address of the computer to be restricted. In this way, no computer that appears in the "excluded from the following" box has permission to access the IIS server, while other computers can access the IIS server normally.
6. Use hierarchical content to ensure access security
If you do not want all visitors to see the website information posted on the IIS server, you can grade the published website content, which prevents restricted users from viewing the content of the target site at will. With the content grading function, you can easily limit which website content can be accessed with authorization and which cannot be accessed by users at will. To grade the content of the target website, follow these steps:
Click Start, Programs, Administrative Tools, and Internet Service Manager. In the Internet Information Service console window that appears, right-click the target Web site and run the "properties" command from the shortcut menu. In the Web site property settings window that appears, click the "HTTP header" tab.
On that tab page, click the "edit grading" button in the "content grading" setting item. In the edit settings window that appears, click the "grading" tab and, on the tab page shown in Figure 8, select the "enable grading of this resource" check box.
Figure 8
Next, select a suitable category name in the "category" setting item; the grading slider for that category is then displayed automatically, and you only need to move the slider to change the grading level of the current category. After completing these settings, click "OK" to save them. From then on, a viewer who accesses content in the specified category will be subject to the corresponding restrictions.