How to create a high-security Web server using IIS

Source: Internet
Author: User

Because IIS (Internet Information Server) is convenient and easy to use, it has become one of the most popular Web server products. Its security record, however, has been a constant source of worry, and how to build a secure Web server on IIS is a question many administrators face.
Construct a security system
To create a secure and reliable Web server you must address both Windows 2000 security and IIS security: IIS users are also Windows 2000 users, and the permissions on an IIS directory depend on the permission controls of the Windows NTFS file system. The first step in protecting IIS is therefore to secure the Windows 2000 operating system itself:
1. Use the NTFS file system to manage files and directories.
2. Disable default shares
Open the Registry Editor, expand the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and add a value named AutoShareServer of type REG_DWORD with the data 0. This completely disables the default shares.
3. Modify share permissions
After creating a new share, immediately change the default permissions granted to Everyone so that Web server visitors do not obtain permissions they do not need.
4. Rename the system administrator account so that unauthorized users cannot target it by name.
Right-click [My Computer] → [Manage] to start the "Computer Management" console. Under "Local Users and Groups", right-click "Administrator" → select "Rename" and change the Administrator account to an ordinary-looking user name.
5. Disable NetBIOS over TCP/IP
On the desktop, right-click [My Network Places] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [WINS], and select "Disable NetBIOS over TCP/IP" at the bottom of the page to turn NetBIOS over TCP/IP off.
6. Control inbound TCP/IP connections
On the desktop, right-click [My Network Places] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options], and click "TCP/IP filtering" in the list. Click the [Properties] button, select "Permit Only", and then click the [Add] button and enter port 80 only.
7. Modify the registry to reduce the risk of DoS attacks.
Open the Registry Editor and change the value SynAttackProtect under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters to 2, which makes connection attempts time out faster.
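The two registry changes in steps 2 and 7 are easy to make once and just as easy to lose after a rebuild, so it helps to keep them in a script that both audits and applies them. The following is an added PowerShell example, not part of the original article; the function name Invoke-IisHostRegistryHardening and the table layout are our own, and it assumes it is run elevated on the Web server.

```powershell
# Added example (not from the original article). Audits the registry values the
# article asks for and, when run without -WhatIf, sets any that have drifted.
# Function name and the $Settings table are our own; the registry paths and
# value names are the ones the article describes.
function Invoke-IisHostRegistryHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $Settings = @(
        @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name     = 'AutoShareServer'   # 0 = do not recreate the default shares
           Expected = 0 },
        @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
           Name     = 'SynAttackProtect'  # 2 = strongest SYN-flood protection level
           Expected = 2 }
    )

    $report = foreach ($s in $Settings) {
        # Missing value -> $null, which is reported as drift rather than an error.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $state = if ($current -eq $s.Expected) { 'OK' } else { 'DRIFT' }

        if ($state -eq 'DRIFT' -and
            $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set REG_DWORD to $($s.Expected)")) {
            # -Force creates the value if absent and overwrites it if present.
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
                             -Value $s.Expected -Force | Out-Null
            $state = 'FIXED'
        }

        [pscustomobject]@{ Name = $s.Name; Current = $current; Expected = $s.Expected; State = $state }
    }
    $report
}

# Dry run first (shows what would change), then apply for real.
Invoke-IisHostRegistryHardening -WhatIf
Invoke-IisHostRegistryHardening | Format-Table -AutoSize

# AutoShareServer is only read when the Server service starts, so the default
# shares disappear after: Restart-Service LanmanServer -Force
```

Two caveats worth knowing when you reuse this: the AutoShareServer value is honoured only after the Server (LanmanServer) service restarts, and SynAttackProtect is a Windows 2000/2003-era tuning knob; later Windows versions enable SYN-flood protection in the TCP/IP stack by default and no longer read this value, so on those systems the audit row is informational only.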
Ensure IIS security
IIS secure installation
To build a secure IIS server, the security issues must be considered fully at installation time.
1. Do not install IIS on the system partition.
2. Modify the default installation path of IIS.
3. Install the latest patches for Windows and IIS.
IIS Security Configuration
1. Delete unnecessary virtual directories
After IIS is installed, several directories are created by default under wwwroot, including IISHelp, IISAdmin, IISSamples and MSADC. These directories serve no practical purpose and can be deleted directly.
2. Delete dangerous IIS components
Some IIS components installed by default can pose security threats, for example Internet Service Manager (HTML), the SMTP Service, the NNTP Service, and the sample pages and scripts; decide whether to remove each one according to your needs.
3. Set permissions for file categories in IIS
In addition to setting the necessary permissions on IIS files in the operating system, you must also set permissions on these files in the IIS manager. A good policy is to create separate directories for the different types of files on the Web site and assign each directory the permissions it needs. For example: folders of static files allow read and write; folders of ASP scripts allow execute, write and read; folders of EXE files and other executable programs allow execute and deny read and write.
4. Delete unnecessary application mappings
By default, many application mappings exist in IIS. Apart from the ASP mapping, the other file types are rarely used on Web sites.
In "Internet Service Manager", right-click the Web site directory and select "Properties". On the "Home Directory" page of the properties dialog box, click the [Configuration] button to open the "Application Configuration" dialog box. On the "App Mappings" page, delete the mappings you do not use. If you do need a given file type, install the latest system patches, select the corresponding mapping, click the [Edit] button, and in the "Add/Edit Application Extension Mapping" dialog box select the "Check that file exists" option. With this set, when a client requests such a file IIS first checks that the file exists and only then calls the dynamic link library defined in the mapping to process it.
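The same clean-up can be expressed as an allowlist: anything not on it is a mapping the site does not need. The following is an added PowerShell example, not code from the original article; it targets IIS 7 or later, where application mappings are called handler mappings and are managed through the WebAdministration module, and the function name Remove-UnneededIisMappings, the default site name and the allowlists are our own assumptions.

```powershell
# Added example (not from the original article). Lists the handler (application)
# mappings of one IIS site and removes every mapping whose extension is not on an
# allowlist. Requires IIS 7+ and the WebAdministration module; function name,
# site name and allowlists are assumptions to adjust for your site.
Import-Module WebAdministration

function Remove-UnneededIisMappings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SiteName = 'Default Web Site',
        # Dynamic file types the site really serves; add '.aspx' etc. only if needed.
        [string[]]$KeepExtensions = @('.asp'),
        # Handlers that must stay so ordinary static files keep working.
        [string[]]$KeepHandlers = @('StaticFile')
    )

    $sitePath = "IIS:\Sites\$SiteName"

    foreach ($h in Get-WebHandler -PSPath $sitePath) {
        # '*.shtml' -> '.shtml'; a bare '*' (all requests) yields an empty string.
        $ext = [System.IO.Path]::GetExtension($h.path)

        $keep = ($KeepHandlers -contains $h.name) -or
                ($KeepExtensions -contains $ext)  -or
                ($h.path -eq '*')                      # catch-all handlers (OPTIONS, TRACE, static)

        if ($keep) {
            Write-Verbose "keep   $($h.name) ($($h.path))"
            continue
        }

        # -WhatIf prints what would be removed without touching the site's web.config.
        if ($PSCmdlet.ShouldProcess("$SiteName handler '$($h.name)' for $($h.path)", 'Remove')) {
            Remove-WebHandler -Name $h.name -PSPath $sitePath
        }
    }

    # Return what is left so the result can be reviewed or logged.
    Get-WebHandler -PSPath $sitePath | Select-Object name, path, verb, scriptProcessor
}

# Review first, then apply:
Remove-UnneededIisMappings -SiteName 'Default Web Site' -WhatIf
Remove-UnneededIisMappings -SiteName 'Default Web Site' -Verbose | Format-Table -AutoSize
```

Run it with -WhatIf first and read the list: removing a mapping such as CGI-exe or ISAPI-dll is exactly the intent of this step, but removing one that an application depends on will turn its requests into static-file downloads or 404s, so the allowlist should be built from what the site actually serves.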
5. Log security protection
Logs are an important part of the system security policy; keeping them secure effectively improves the overall security of the system.
● Change the path where IIS logs are stored
By default, IIS logs are stored in %WinDir%\System32\LogFiles, a location well known to attackers, so it is best to change the storage path. In "Internet Service Manager", right-click the Web site directory and select "Properties". On the "Web Site" page of the properties dialog box, with "Enable Logging" selected, click the [Properties] button next to it. On the "General Properties" page, click the [Browse] button or type the log storage path in the input box.
● Change the log access permissions so that only administrators can access the logs.
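Both log bullets (a non-default path and an administrators-only ACL) can be applied and verified in one step. The following is an added PowerShell example, not from the original article; it assumes IIS 7 or later with the WebAdministration module, and the function name Set-IisLogHardening, the site name and the D:\IISLogs path are our own placeholders.

```powershell
# Added example (not from the original article). Moves a site's log directory off
# the default path and restricts the directory to Administrators and SYSTEM.
# Requires IIS 7+ and the WebAdministration module; function name, site name and
# the D:\IISLogs path are assumptions.
Import-Module WebAdministration

function Set-IisLogHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SiteName     = 'Default Web Site',
        [string]$LogDirectory = 'D:\IISLogs'
    )

    if (-not (Test-Path -Path $LogDirectory)) {
        New-Item -ItemType Directory -Path $LogDirectory | Out-Null
    }

    # 1. Point the site's log file directory at the new location.
    $sitePath = "IIS:\Sites\$SiteName"
    if ($PSCmdlet.ShouldProcess($sitePath, "Set logFile.directory to $LogDirectory")) {
        Set-ItemProperty -Path $sitePath -Name logFile.directory -Value $LogDirectory
    }

    # 2. Replace inherited permissions with an explicit list.
    #    SYSTEM keeps full control because on IIS 7+ the W3C log files are written
    #    by HTTP.sys running as LocalSystem; without it logging silently stops.
    $acl = Get-Acl -Path $LogDirectory
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null           # drop any explicit ACE (e.g. Everyone)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($LogDirectory, 'Restrict ACL to Administrators and SYSTEM')) {
        Set-Acl -Path $LogDirectory -AclObject $acl
    }

    # 3. Report the effective state so drift can be spotted on the next audit.
    [pscustomobject]@{
        Site         = $SiteName
        LogDirectory = (Get-ItemProperty -Path $sitePath -Name logFile.directory).Value
        AccessRules  = (Get-Acl -Path $LogDirectory).Access |
                       ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

Set-IisLogHardening -SiteName 'Default Web Site' -LogDirectory 'D:\IISLogs' -WhatIf
Set-IisLogHardening -SiteName 'Default Web Site' -LogDirectory 'D:\IISLogs'
```

Note that on IIS 7 and later the default log location is %SystemDrive%\inetpub\logs\LogFiles rather than the %WinDir%\System32\LogFiles path the article names for IIS 5; the reason for moving it is the same. Existing log files in the old directory are not moved by this change, so copy or archive them separately before tightening permissions there as well.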
With the security settings above in place, your Web server will be considerably safer.
