Detailed minimum permission settings for Windows IIS 6.0 web sites

Source: Internet
Author: User

First, a general memo on security strategy; many details are left out for lack of time.

Format all partitions with NTFS.

Plan the partitions, directories, and permissions for each folder in advance, leaving only the Administrators group and SYSTEM permissions on each root directory.

On C:\Documents and Settings, remove the permissions of all groups other than the Administrators group; you then need to reset the file and directory permissions manually.

Set the Administrator account password to a strong, mixed-character password of 10 to 16 characters.

Delete the owning folder in the C:\Inetpub directory

Delete the Iisadmpwd directory under C:\WINNT\system32\inetsrv.

In the Local Security Policy, change the user expiration time to 0 (never expires).

Modify the system security policy: in the account policy, set the maximum password age to "0". Then customize the audit policy:

1) Account management: success, failure

2) Logon events: success, failure

3) Object access: failure

4) Policy change: success, failure

5) Privilege use: failure

6) System events: success, failure

7) Directory service access: failure

8) Account logon events: success, failure

The directories that should be audited include system32, sql2000, and so on. The audit procedure is as follows:

Folder Properties > Security > Advanced > Auditing > Add > Everyone > audit all successes and failures

Modify the Event Viewer log properties, setting the log size to 51200K.

Prevent DoS:

Change the following value under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters to protect against DoS attacks of a certain intensity:

"TcpTimedWaitDelay" reg_dword=30

Enable the server port security settings (the TCP/IP filtering feature).

Turn on the system firewall and add the planned ports that need to be opened to the firewall.

Ensure that the Microsoft network client and the Microsoft network file and print sharing entries in the Local Area Connection properties are checked out.

Install antivirus software.

Whether you add an ASP virtual site or a PHP virtual host in IIS 6.0, do the following:

Create an independent anonymous access user and remove it from all groups, that is, leave its group membership blank.

Establish a separate IIS application pool.

Set the appropriate access permissions for the virtual directory.

List the current application mappings.

Then, refer to the following table to delete the related entries:

If you do not use the following application, delete the following items:
Web-based password change: .htr
Internet Database Connector (note: all IIS5 web servers use ADO or similar techniques in place of database connectors): .idc
Server-side includes: .stm, .shtm and .shtml
Internet Printing: .printer
Index Server: .htw, .ida and .idq
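
The removal table above can be checked mechanically after the cleanup. The following is an added example, not part of the original memo: it assumes the mappings have been exported as text in the `extension,executable,flags,verbs` form of the IIS ScriptMaps metabase property, and the sample entries and function names are constructed for illustration.

```python
# Added example: audit IIS script mappings against the removal table above.
# Assumption: each entry uses the form "extension,executable,flags,verbs".

# Extensions from the page's table, keyed by the feature they belong to.
UNUSED_FEATURE_EXTENSIONS = {
    "Web-based password change": {".htr"},
    "Internet Database Connector": {".idc"},
    "Server-side includes": {".stm", ".shtm", ".shtml"},
    "Internet Printing": {".printer"},
    "Index Server": {".htw", ".ida", ".idq"},
}

# Constructed sample input, not taken from a real server.
SAMPLE_SCRIPT_MAPS = r"""
.asp,C:\WINNT\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.HTR,C:\WINNT\system32\inetsrv\ism.dll,5,GET,POST
.idc,C:\WINNT\system32\inetsrv\httpodbc.dll,5,OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE
.shtml,C:\WINNT\system32\inetsrv\ssinc.dll,5,GET,POST
.printer,C:\WINNT\system32\msw3prt.dll,1,GET,POST
.idq,C:\WINNT\system32\idq.dll,7,GET,HEAD,POST
"""


def parse_script_maps(text):
    """Yield (extension, executable) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.strip().strip('"').split(",")
        if len(fields) < 2 or not fields[0].startswith("."):
            continue
        # Extensions are matched case-insensitively, so normalise to lower case.
        yield fields[0].lower(), fields[1]


def find_leftover_mappings(text, features=UNUSED_FEATURE_EXTENSIONS):
    """Return {feature: [(extension, executable), ...]} for mappings still present."""
    by_extension = {ext: name for name, exts in features.items() for ext in exts}
    leftovers = {}
    for ext, exe in parse_script_maps(text):
        feature = by_extension.get(ext)
        if feature:
            leftovers.setdefault(feature, []).append((ext, exe))
    return leftovers


if __name__ == "__main__":
    for feature, hits in find_leftover_mappings(SAMPLE_SCRIPT_MAPS).items():
        for ext, exe in hits:
            print(f"REMOVE {ext:<9} ({feature}) -> {exe}")
```

An empty result means none of the mappings listed in the table remain; the feature-to-extension dictionary should be trimmed to the features the site really does not use.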
