Windows Server 2003 Server IIS site security and stability configuration

Source: Internet
Author: User

Today I am going to look more deeply at website security and stability. Anyone who is familiar with both Linux and Windows knows that IIS is less stable than Apache on Linux: when one site hits a problem such as an endless loop or a stack overflow, IIS crashes and the other websites on the server are affected as well. So why talk about IIS security and stability at all? Because IIS is what the current market uses, and that is who this article is written for.

The following are suggestions for deploying a website using IIS:
1. Keep the IIS directories and site data off the system disk: for example, disk C for the system, disk D for data, and disk E only for web page files.
2. Allow only Administrators, SYSTEM, the web user and the FTP user to access the website directory, except for special directories.
3. Enable parent paths.
4. In IIS Manager, remove any application extension mappings that are not used (keep the necessary ones such as .asp and .aspx). If you are not sure what a mapping does, do not delete it.
5. Use the custom error settings in IIS to redirect HTTP errors and other error pages to a custom HTML file (by URL).
6. We recommend the W3C Extended log file format, rotated hourly, recording all available fields such as the client IP address and user name. Review the logs every day; a log analysis tool makes this easier. (IIS logs should not be kept in the default location on disk C. Change the log path to a non-system disk and restrict the log directory so that only Administrators and SYSTEM have Full Control.)
7. Program security:
1) Code that handles user names and passwords should be encapsulated on the server side and appear in as few ASP files as possible. The account used to connect to the database should be granted the minimum permissions it needs.
2) For an ASP page that requires verification, check the file name of the referring page so that only sessions passed on from the previous page can read this page.
3) Prevent leakage of ASP include (.inc) files.
4) Prevent the conn.asp.bak backup files generated by the UltraEdit (UE) editor from being exposed.
8. Configure IIS service recovery so that the services restart automatically when IIS has a problem.
1) For IIS Admin Service, set recovery to restart the service on the first failure and run a program on the second and subsequent failures, reset the failure count after 1 day, restart the service after 0 minutes, and for the program enter C:\WINDOWS\system32\iisreset.exe with the command line parameter /start.
2) For World Wide Web Publishing Service, set recovery to restart the service on the first, second and subsequent failures, reset the failure count after 1 day, and restart the service after 0 minutes.
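The two recovery settings above, done with sc.exe instead of the Services console. This is an added example, not part of the original article; it assumes the default service names IISADMIN and W3SVC, the default Windows directory, and an administrator command prompt.

```batch
@echo off
rem Added example (not from the original article): configure the step 8
rem service recovery actions with sc.exe instead of the Services MMC.
rem Assumptions: Windows Server 2003 defaults, iisreset.exe in
rem C:\WINDOWS\system32, run from an administrator command prompt.

rem Step 8.1 - IIS Admin Service: first failure restarts the service (0 ms
rem delay), second and later failures run iisreset.exe /start, and the
rem failure count resets after one day (reset= is in seconds: 24 * 3600).
sc failure IISADMIN reset= 86400 actions= restart/0/run/0/run/0 command= "C:\WINDOWS\system32\iisreset.exe /start"

rem Step 8.2 - World Wide Web Publishing Service: restart after every failure,
rem failure count reset after one day.
sc failure W3SVC reset= 86400 actions= restart/0/restart/0/restart/0

rem Verify: each sc failure call should report success, and qfailure shows
rem the reset period, the actions and (for IISADMIN) the command line.
sc qfailure IISADMIN
sc qfailure W3SVC
```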
9. Remove the Users permission on adsiis.dll in C:\WINDOWS\system32\inetsrv to prevent IIS site enumeration (traversal).
10. Website permission settings (recommended):
Read: allowed
Write: not allowed
Script source access: not allowed
Directory browsing: disabled
Log visits: disabled
Index this resource: disabled

11. Controlling permissions on the website directory is described in detail below.

1. Create a web access user
1) Right-click My Computer > Manage > Local Users and Groups > Users, then right-click and choose New User.
2) For example, user name web001 and password 123abc!@# (for a production server, use a complex password of about 32 characters and save it in a Notepad file).
3) Select "User cannot change password" and "Password never expires".

2. Modify the web user's permissions
1) Right-click web001 > Properties > Member Of tab: remove Users and add IIS_WPG.
2) Switch to the Environment tab and clear the three "Client devices" check boxes.
3) Switch to the Remote control tab and clear the "Enable remote control" check box.

3. Create an application pool and set its identity
1) Open Internet Information Services (IIS) Manager, right-click Application Pools and choose New > Application Pool.
2) Enter a name for the new application pool, for example web001 (the default is AppPool #1). It is better for each website to have its own application pool, so that other websites are not affected when one has a problem; we recommend not sharing an application pool between websites of different types.
3) Right-click AppPool #1 > Properties > Identity tab > choose Configurable, enter the newly created web user name web001 and password 123abc!@#, click Apply, re-enter the password 123abc!@#, and click OK. (We recommend saving the server's accounts and passwords in a Notepad file.)

4. Assign the application pool and set directory security permissions for the website
1) Right-click the website (www.paipat.com in this example) > Properties > Home Directory tab > Application pool: AppPool #1.
2) Switch to the Directory Security tab > Authentication and access control > Edit, enter the user name and password you just created, and re-enter the password when you click OK.
3) Go to the website directory, for example D:\wwwroot\web001, right-click it > Properties > Security tab, add the web001 user and grant only Read and Write, then click Advanced, select web001, click Edit, and add the Delete permission.
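The procedure in section 11 (plus step 9) carried out from the command line instead of the GUI. This is an added example, not part of the original article; it assumes IIS 6 on Windows Server 2003 with adsutil.vbs in C:\Inetpub\AdminScripts, a pool named web001 instead of AppPool #1, site ID 1 (replace with your site's identifier), and the site root D:\wwwroot\web001.

```batch
@echo off
rem Added example (not from the original article): section 11 and step 9
rem from the command line. Assumptions: Windows Server 2003 with IIS 6,
rem adsutil.vbs in C:\Inetpub\AdminScripts, site ID 1 (assumed; replace),
rem pool name web001, site root D:\wwwroot\web001.
setlocal
set WEBUSER=web001
set WEBPASS=123abc!@#
set SITEROOT=D:\wwwroot\web001
set SITEID=1

rem 1) Create the web access user; user cannot change the password and the
rem password never expires (the two check boxes from section 11.1).
net user %WEBUSER% %WEBPASS% /add /passwordchg:no
wmic useraccount where name='%WEBUSER%' set PasswordExpires=false

rem 2) Member Of: remove the user from Users, add it to IIS_WPG.
net localgroup Users %WEBUSER% /delete
net localgroup IIS_WPG %WEBUSER% /add

rem 3) Create a dedicated application pool running as the web user
rem (metabase property AppPoolIdentityType 3 = configurable/specific user).
cd /d C:\Inetpub\AdminScripts
cscript adsutil.vbs CREATE W3SVC/AppPools/%WEBUSER% IIsApplicationPool
cscript adsutil.vbs SET W3SVC/AppPools/%WEBUSER%/AppPoolIdentityType 3
cscript adsutil.vbs SET W3SVC/AppPools/%WEBUSER%/WAMUserName %WEBUSER%
cscript adsutil.vbs SET W3SVC/AppPools/%WEBUSER%/WAMUserPass %WEBPASS%

rem 4) Bind the site to that pool and use the web user for anonymous access
rem (the Directory Security > Authentication and access control setting).
cscript adsutil.vbs SET W3SVC/%SITEID%/ROOT/AppPoolId %WEBUSER%
cscript adsutil.vbs SET W3SVC/%SITEID%/ROOT/AnonymousUserName %WEBUSER%
cscript adsutil.vbs SET W3SVC/%SITEID%/ROOT/AnonymousUserPass %WEBPASS%

rem NTFS: replace the ACL on the whole site tree so only Administrators,
rem SYSTEM and the web user can reach it; C = change (read, write, delete).
echo y| cacls %SITEROOT% /T /G Administrators:F SYSTEM:F %WEBUSER%:C

rem Step 9: revoke the Users group's access to adsiis.dll so the IIS
rem configuration cannot be enumerated through it by ordinary users.
cacls C:\WINDOWS\system32\inetsrv\adsiis.dll /E /R Users
endlocal
```

Check the result with `cacls D:\wwwroot\web001` and `cscript adsutil.vbs ENUM W3SVC/AppPools/web001`; the web site must be restarted for the pool and anonymous-user changes to take effect.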
