Win2K Internet Server Security Building Guide (ii) (IIS article)

iis| Security | The server Routing and Remote Access Service (RRAS) can configure a more flexible and complex packet filter, although the filtering method is static, but it has a lot of filtering details, including packet direction, IP address, various protocol types.

3, IPSec Policy Filters (IP Security Policy filter)

IPSec Policy filters is enforced by the IPSec Policy agent (IP Security Policy Agent) and is a nascent feature of the Win2K operating system. It makes up for the traditional TCP/IP design "Random Trust" major security vulnerabilities, can achieve more careful and accurate TCP/IP security. It can be said that IPSec is a policy based on communication analysis, which compares the content of the communication with the set rules to determine if the communication is consistent with the expectation, and then allows or rejects the transmission of the communication. These rules are called filter lists, and administrators can design them around various security authentication protocols, including:

Internet Key exchange protocol (Internet Key exchange Protocol,ike): A protocol that enables secure communication between VPN nodes, which is powerful and flexible in design.
Authentication IP packet (authentication Header,ah): That is, the data in the packet and a change in the digital signature, so that the receiver can confirm the identity of the sender of the data and confirm that the data in the transmission process has not been tampered with.
Encapsulation Security Payload (ESP): hardware is used to encrypt data in packets so that network listening software like the Sniffer class cannot get any useful information.

II. Configuration Security IIS5 If possible, IIS should be installed on a separate server. That is, this server is not a member of any domain and does not have to establish a Netlogon channel with the domain controller, thereby reducing the security risk posed by null user connections established through connections between servers. Moreover, because the system does not pass the authentication communication information, also reduces the logon password to intercept the possibility.

2, prohibit the service does not need

In addition, if only a simple Web server, then it is best to prohibit the following unwanted services:

3, reasonable set up the Web root folder

As discussed earlier, the application of the operating system to separate partitions or disk drives with applications is now being used for isolation technology. It is recommended that you locate the Web root folder wwwroot outside the operating system partition or even on another physical disk drive. Also, when you set up a Web site's virtual directory or redirected folder, make sure that the directories are not redirected to the boot partition of the operating system, because some attacks can compromise other folders on the partition where the folder resides.

Another security approach is to set the Web root folder on another server, making the IIS server a system that only buffers requests and responds to requests. And, after this process, the entire server is basically a generic one, with no content stored on it, and the server can be quickly and easily recovered from tape or other backups, even if the site is compromised.