1. Use the Security Configuration Wizard (SCW) to determine the minimum functionality your Web server actually requires, then disable everything else. Specifically, it helps you:
Disable unneeded services
Close unused ports
For ports that must stay open, further restrict which addresses may reach them and apply other restrictions
Disable IIS Web service extensions that are not required, where applicable
Reduce exposure of the SMB, LAN Manager and LDAP protocols
Define an audit policy with a high signal-to-noise ratio
2. Put the Web site files on a non-system partition to limit the impact of directory traversal flaws, and audit the NTFS permissions.
3. Regularly run security scans and audits against your own system so that you find its weaknesses before anyone else does.
4. Analyze the logs regularly, looking for repeated failed logon attempts, recurring 404, 401 and 403 errors, requests that are not for your site, and so on.
5. If you use IIS 6, use host headers and URL scanning (URLScan), automate replication of Web site content and the IIS metabase, rename the IUSR_servername anonymous account to a non-standard name, etc.
6. General Web architecture design guidance: do not place your Internet-facing Web server in the intranet's Active Directory; do not run IIS anonymous authentication under an Active Directory account; consider real-time monitoring; configure the application pool settings carefully; strive to log every activity; and do not use Internet Explorer on the server.
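As an added example for the log analysis in item 4 (not part of the original list), the script below parses IIS W3C extended log lines using the #Fields: header, counts 401/403/404 responses per client address, and flags requests whose Host header names a site that is not ours. The log lines and the host name www.example.com are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (not a real capture);
# the "#Fields:" header tells the parser what each column holds.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status sc-substatus
2024-01-01 00:00:01 203.0.113.5 GET /default.htm www.example.com 200 0
2024-01-01 00:00:02 203.0.113.5 GET /admin/ www.example.com 401 2
2024-01-01 00:00:03 203.0.113.5 GET /admin/ www.example.com 401 2
2024-01-01 00:00:04 203.0.113.5 GET /admin/ www.example.com 401 2
2024-01-01 00:00:05 198.51.100.7 GET /backup.zip www.example.com 404 0
2024-01-01 00:00:06 198.51.100.7 GET /old-site/ www.example.com 404 0
2024-01-01 00:00:07 198.51.100.7 GET /setup.asp www.example.com 404 0
2024-01-01 00:00:08 192.0.2.9 GET /index.html 192.0.2.1 200 0
2024-01-01 00:00:09 192.0.2.9 GET /index.html other.example.net 404 0
"""

ERROR_CODES = {"401", "403", "404"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header.
    W3C fields are space separated and unquoted ('-' marks an empty value)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspicious(text, expected_hosts, threshold=3):
    """Return (offenders, foreign): clients with >= threshold 401/403/404
    responses, and requests whose Host header (lower-cased) is not one of ours."""
    errors_by_ip = defaultdict(Counter)
    foreign = []
    for entry in parse_iis_log(text):
        status = entry.get("sc-status")
        if status in ERROR_CODES:
            errors_by_ip[entry["c-ip"]][status] += 1
        if entry.get("cs-host", "-").lower() not in expected_hosts:
            foreign.append(entry)
    offenders = {ip: c for ip, c in errors_by_ip.items() if sum(c.values()) >= threshold}
    return offenders, foreign


if __name__ == "__main__":
    offenders, foreign = find_suspicious(SAMPLE_LOG, {"www.example.com"})
    for ip, counts in offenders.items():
        print(f"{ip}: {dict(counts)}")
    for e in foreign:
        print(f"not for our site: {e['c-ip']} sent Host {e['cs-host']} for {e['cs-uri-stem']}")
```

Point it at the real files under the IIS log directory and lower the threshold for 401s specifically if you want failed logon attempts to surface sooner than plain 404 noise.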