Virtual host IIS guard against intrusion FAQ

1. How do I make ASP scripts run with system privileges?

Modify the virtual directory of your ASP script to change "Application protection" to "low" ....

2, how to prevent ASP Trojan?

ASP Trojan Horse based on FileSystemObject component

cacls%systemroot%/system32/scrrun.dll/e/D guests//prohibit guests use

regsvr32 scrrun.dll/u///delete

ASP Trojan Horse based on shell.application component

cacls%systemroot%/system32/shell32.dll/e/D guests//prohibit guests use

regsvr32 shell32.dll/u///delete

3, how to encrypt ASP files?

Free download from Microsoft to Sce10chs.exe directly run to complete the installation process.

After installation, the Screnc.exe file is generated, which is a command tool running in DOS PROMAPT.

Run screnc-l VBScript source.asp destination.asp

Generate a new file containing ciphertext ASP scripts destination.asp

With Notepad open to see the general "", whether or not the annotation, have become unreadable ciphertext

But cannot encrypt Chinese.

4, how to extract the URLScan from the IISLockdown?

iislockd.exe/q/c/t:c:/urlscan

5. How to prevent the Content-location header from exposing the internal IP address of the Web server?

Perform

cscript c:/inetpub/adminscripts/adsutil.vbs set W3svc/usehostname True

The last thing you need is to restart IIS

6, how to solve HTTP500 internal error?

IIS http500 Internal error Most of the reason

Mainly because of the IWAM account password is not synchronized caused.

We can solve the problem simply by synchronizing the Iwam_myserver account password in the COM + application.

Perform

cscript c:/inetpub/adminscripts/synciwam.vbs-v

7, how to enhance the ability of IIS Defense SYN flood?

Windows Registry Editor Version 5.00

[Hkey_local_machine/system/currentcontrolset/services/tcpip/parameters]

Initiate SYN attack protection. The default entry value is 0, which means that no attack protection is turned on, and the entry value of 1 and 2 indicates that SYN attack protection is initiated, the security level is higher after 2, and the situation is considered an attack, depending on the following tcpmaxhalfopen and tcpmaxhalfopenretried values, Set the conditions to trigger the boot. It should be noted here that the NT4.0 must be set to 1, set to 2 after a special packet will cause the system to reboot.

"SynAttackProtect" =dword:00000002

The number of half connections allowed to open at the same time. The so-called semi-connection, which means that the TCP session is not fully established, can be seen in the SYN_RCVD state with the netstat command. This uses the Microsoft recommended value, the server is set to 100, and the Advanced Server is set to 500. Suggestions can be set slightly smaller.

"TcpMaxHalfOpen" =dword:00000064

Determine if there is a trigger point for the attack. Here we use the Microsoft recommended value, the server is 80, and the Advanced Server is 400.

"TcpMaxHalfOpenRetried" =dword:00000050

Set the wait syn-ack time. The default entry value is 3, which consumes 45 seconds of the default process. The item value is 2 and consumes 21 seconds.

The item value is 1 and consumes 9 seconds. The minimum can be set to 0, which means no wait, and consumes a time of 3 seconds. This value can be modified according to the size of the attack.

Microsoft Site security recommended for 2.

"TcpMaxConnectResponseRetransmissions" =dword:00000001

Sets the number of TCP heavy flyer data segments. The default entry value is 5, which consumes 240 seconds of the default process. Microsoft Site security recommended for 3.

"TcpMaxDataRetransmissions" =dword:00000003

Set the critical point for SYN attack protection. When the available backlog changes to 0 o'clock, this parameter is used to control the opening of SYN attack protection, and the Microsoft Site security recommendation is 5.

"TCPMaxPortsExhausted" =dword:00000005

Prohibit IP source routing. The default entry value is 1, which indicates that the routing packet is not routed, the entry value is set to 0, all forwarding is set to 2, which means that all accepted source routing packets are discarded and Microsoft Site security recommendation is 2.

"DisableIPSourceRouting" =dword:0000002

Limit the maximum time that is in the TIME_WAIT state. The default is 240 seconds, the minimum is 30 seconds, and the maximum is 300 seconds. The recommended setting is 30 seconds.

"TcpTimedWaitDelay" =dword:0000001e

8, how to avoid *mdb files are downloaded?

Installing the URLScan tool released by Ms can fundamentally solve this problem.

It's also a powerful security tool, and you can get more detailed information from MS's website.

9. How do I get IIS to run with minimal NTFS permissions?

In turn, do the following work:

A, select the entire hard drive:

Ystem: Full Control

Administrator: Full Control

(Allows inheritable permissions from parent to be propagated to objects)

./program Files/common Files:

Everyone: Read and run

Listing file Directories

Read

(Allows inheritable permissions from parent to be propagated to objects)

C./inetpub/wwwroot:

Iusr_machine: Read and run

Listing file Directories

Read

(Allows inheritable permissions from parent to be propagated to objects)

E./winnt/system32:

Select all directories except Inetsrv and Centsrv, and remove the "Allow inheritable permissions from parent to propagate to objects" marquee, copy.

F./WINNT:

Select in addition to downloaded program files, help, IIS temporary compressed files,

Offline all directory removal from Web pages, system32, Tasks, temp, web, "Allow inheritable permissions from parent to propagate to objects" marquee, copy.

G./WINNT:

Everyone: Read and run

Listing file Directories

Read (allows inheritable permissions from parent to be propagated to objects)

H./winnt/temp: (allows access to the database and appears on the ASP page)

Everyone: Modify

(Allows inheritable permissions from parent to be propagated to objects)

10. How do I hide the IIS version?

A hacker can easily telnet to your web port, send get commands to obtain a lot of information, IIS banner the corresponding DLL file is as follows:

Web:c:/winnt/system32/inetsrv/w3svc. Dll

FTP:C:/WINNT/SYSTEM32/INETSRV/FTPSVC2. Dll

Smtp:c:/winnt/system32/inetsrv/smtpsvc. Dll

You can use the 16 editor to modify the keywords of those DLL files, such as the microsoft-iis/5.0 of IIS

The specific process is as follows:

1. Stop IIS Iisreset/stop

2, delete the%systemroot%/system32/dllcache directory under the same name file

3, modify