15 tips for protecting IIS Web servers


Most Web sites are designed to give visitors instant access to information in the most convenient way. Over the past few years, hackers, viruses and worms have caused serious security problems that severely affect Web site availability. Although Apache servers are frequently attacked, Microsoft's Internet Information Services (IIS) Web server is the real target.

Higher education institutions often struggle to balance building dynamic, user-friendly Web sites against building highly secure ones. On top of that, they must now improve Web site security with shrinking technical budgets (many private-sector departments face a similar situation).

That is why I am offering university IT managers with budget headaches some tips to help them protect their IIS servers. Although they are aimed mainly at university IT professionals, these tips apply equally to any IIS administrator who wants to improve security on a small budget. Some of them are also useful to IIS administrators with ample budgets.

First, develop a set of security policies

The first step in protecting Web servers is to make sure the network administrator understands every rule in the security policy. If the company's senior management does not regard the servers as assets that must be protected, the protection work is pointless. This is a long-term effort: if it is not funded, or is not part of a long-term IT strategy, an administrator who spends a great deal of time securing the servers will get little support from management.

What is the direct result of a network administrator locking down various resources? Some particularly adventurous users get locked out. Those users complain to the company's management, and management asks the network administrator what happened. If the network administrator has no document backing their security work, a conflict follows.

By writing down security policies that specify the required security level and availability of the Web servers, network administrators can deploy the various software tools on different operating systems much more easily.

IIS security tips

Microsoft's products have always been a favourite target of attackers, so IIS servers are especially exposed. Knowing this, the network administrator must be prepared to carry out a large number of security measures. What follows is a checklist that server operators should find very useful.

1. Windows updates:

Apply all updates and patches promptly. Consider downloading all updates to a dedicated server on your network and publishing them from that server as a Web server. That way you avoid giving your Web server direct Internet access.

2. Use the IIS Lockdown tool:

This tool has many practical benefits, but use it with care. If your Web server communicates with other servers, test the Lockdown tool first to make sure it is configured correctly and will not break communication between the Web server and the others.

3. Remove the default Web site:

Many attackers target the inetpub folder and plant attack tools there, crippling the server. The easiest way to prevent this is to disable the default Web site in IIS. Because worms reach your server by IP address (they may try thousands of addresses a day), their requests then go nowhere. Point your real Web site to a folder on a different partition, and give that folder secure NTFS permissions (covered in the NTFS section below).

4. If you do not need the FTP and SMTP services, uninstall them:

The simplest way into a computer is through FTP. FTP itself is designed for simple read/write access. If you use authentication, you will find that user names and passwords cross the network in plaintext. SMTP is another service that allows write access to folders. Disabling these two services closes off a number of attacks.

5. Regularly check your Administrators group and services:

One day I walked into our classroom and found an extra user in the Administrator group. This means someone has successfully broken into your system, and he or she may plant a bomb that will suddenly destroy your whole system, or use a large amount of your bandwidth. Hackers also tend to leave a helper service behind. Once this happens it may be too late to do anything but reformat the disk and restore your daily backup from the backup server. So make it a daily task to check the service list on the IIS server and keep as few services as possible. You should know which services belong there and which do not. The Windows 2000 Resource Kit includes a program called tlist.exe, which lists the services running under each svchost instance. Run it to find hidden services you want to know about. A rule of thumb: any service containing the word "daemon" is probably not part of Windows and should not exist on an IIS server.
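The daily check in this tip, as an added PowerShell example that is not from the original article: on the first run it records the Administrators group and the installed services on a known-good system; on later runs it reports new administrators, new or changed services, and anything calling itself a "daemon". It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), uses Win32_Service in place of tlist.exe, and the baseline path is an assumed value.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1+
# (Get-LocalGroupMember); $BaselinePath is an assumed location.
$BaselinePath = 'C:\Admin\iis-baseline.json'

function Get-HostSnapshot {
    # Administrators group members as "DOMAIN\Name" strings
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name } | Sort-Object)
    # Installed services with binary path and start mode (what tlist.exe
    # showed under svchost, taken from the service database instead)
    $services = @(Get-CimInstance Win32_Service | Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; StartMode = $_.StartMode; PathName = $_.PathName }
        })
    [pscustomobject]@{ Admins = $admins; Services = $services }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good system: record the baseline and stop
    Get-HostSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-HostSnapshot

# Accounts in Administrators now that were not there at baseline time
$newAdmins = $current.Admins | Where-Object { $_ -notin $baseline.Admins }

# Services that were added, or whose binary path changed since baseline
$baseSvc = @{}
foreach ($s in $baseline.Services) { $baseSvc[$s.Name] = $s }
$newSvc     = $current.Services | Where-Object { -not $baseSvc.ContainsKey($_.Name) }
$changedSvc = $current.Services | Where-Object {
    $baseSvc.ContainsKey($_.Name) -and $baseSvc[$_.Name].PathName -ne $_.PathName }

# The article's rule of thumb: anything calling itself a "daemon" is not a
# Windows component and does not belong on an IIS server
$daemonSvc = $current.Services | Where-Object { "$($_.Name) $($_.PathName)" -match 'daemon' }

'--- New members of Administrators ---';      $newAdmins
'--- Services not in baseline ---';           $newSvc     | Format-Table Name, PathName
'--- Services whose binary path changed ---'; $changedSvc | Format-Table Name, PathName
'--- Services mentioning "daemon" ---';       $daemonSvc  | Format-Table Name, PathName
```

Re-run Get-HostSnapshot into the baseline file after every deliberate change, or every approved change will show up as a finding.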

6. Strictly control write access to the server:

This sounds easy, but on a college campus a Web server has many "authors". Faculty members want their course materials accessible to remote students, and staff want to share work information with colleagues. Folders on the server can end up with extremely dangerous access permissions. One way to share this information safely is to install a second server for sharing and storage, and configure your Web server to point at that shared server. This lets the network administrator restrict write access on the Web server to the Administrators group alone.

7. Set a complex password:

I recently walked into the classroom and found, in the Event Viewer, signs of a possible hacker. He or she had got deep enough into the domain structure to run password-cracking tools against any user. If a user has a weak password (such as "password", "changeme" or any dictionary word), hackers can quickly and easily break into that account.

8. Reduce/exclude sharing on Web servers:

If the network administrator is the only person with write access to the Web server, there is no reason for any shares to exist. Shares are the biggest temptation for hackers. With a simple looping batch file, a hacker can walk a list of IP addresses and use standard commands to find shares with Everyone/Full Control permissions.

9. Disable NetBIOS in TCP/IP:

This is a drastic step. Many users want to reach the Web server by UNC path name, and with NetBIOS disabled they cannot. On the other hand, with NetBIOS disabled hackers cannot enumerate the resources on your LAN. It is a double-edged sword. If the network administrator takes this step, the next job is to teach Web users how to publish content without NetBIOS.

10. TCP port blocking:

This is another drastic tool. If you know every TCP port that is accessed on your server for legitimate reasons, you can open the properties of your network interface card, select the bound TCP/IP protocol and block every port you do not need. Be careful with this tool: you do not want to lock yourself out of the Web server, especially when you need to log on to it remotely.

11. Carefully check *.bat and *.exe files:

Search for *.bat and *.exe files once a week and check whether any of a hacker's favourite tools have appeared on the server; an attacker executing such files is a nightmare for you. Some of these destructive files may be *.reg files. If you right-click one and choose Edit, you may find that hackers have created registry keys that give them access to your system's registry. Delete keys that serve no purpose but make things easier for intruders.

12. Manage IIS Directory Security:

IIS Directory Security lets you deny specific IP addresses, subnets and even domain names. I chose a piece of software called WhosOn, which lets me see which IP addresses are trying to reach specific files on the server. WhosOn lists a series of exceptions. If you find a user trying to reach your cmd.exe, you can choose to deny that user access to the Web server. On a busy Web site this could need a full-time employee! On an intranet, however, it is a really useful tool. You can make resources available to every user on the LAN or only to specific users.

13. NTFS security:

By default your NTFS drive carries Everyone/Full Control permissions unless you change them yourself. The key is not to lock yourself out. Different principals need different permissions: administrators need full control, back-end accounts need full control, and each system component and service needs a certain level of access to particular files. The most important folder is System32; the fewer entries in its ACL, the better. Using NTFS permissions on Web servers helps you protect important files and applications.
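A check that serves both tip 8 (shares) and tip 13 (NTFS), as an added PowerShell example that is not from the original article: it lists non-administrative shares and NTFS entries under the Web root that give Everyone, Users, Authenticated Users or IUSR write or full control, and ends with the icacls commands that would tighten them. It assumes Windows Server 2012 or later (for the SmbShare cmdlets) and that the site lives in D:\wwwroot, an assumed path on a non-system partition.

```powershell
# Added example, not from the original article. Assumes Windows Server 2012+
# (Get-SmbShareAccess); $WebRoot is an assumed path on a non-system partition.
$WebRoot = 'D:\wwwroot'

# Rights that allow creating or replacing content
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-RiskyShares {
    # Non-administrative shares that give broad groups Change or Full access
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|Authenticated Users|\\Users$' -and
            $_.AccessRight -in 'Change', 'Full'
        }
    }
}

function Get-RiskyAces {
    param([string]$Root)
    # Walk the tree and report Allow entries that give broad groups write rights
    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -Path $d.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match 'Everyone|Authenticated Users|\\Users$|IUSR' -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{ Path = $d.FullName; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

'--- Shares granting broad write access (tip 8) ---'
Get-RiskyShares | Format-Table Name, AccountName, AccessRight -AutoSize
"--- NTFS entries under $WebRoot granting broad write access (tip 13) ---"
Get-RiskyAces -Root $WebRoot | Format-Table -AutoSize

# Remediation, run by hand once the output has been reviewed (assumed paths):
#   icacls D:\wwwroot /inheritance:d                 # stop inheriting the drive's Everyone entry
#   icacls D:\wwwroot /remove:g Everyone /T          # drop Everyone from the whole tree
#   icacls D:\wwwroot /grant "IUSR:(OI)(CI)RX" /T    # anonymous Web user: read and execute only
```

Inherited entries flagged under the Web root usually come from the drive root, which is why the remediation disables inheritance before removing the grant.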

14. Manage user accounts:

If you have installed IIS you may have a TSInternetUser account. Unless you really need it, disable it. This account is easily compromised and is a well-known target for hackers. To help manage user accounts, make sure your Local Security Policy is correct, and give the IUSR account as few rights as possible.

15. Audit your Web server:

Auditing has a significant impact on your computer's performance, so if you will not review the logs regularly, do not enable it. If you can use it, audit system events and add further audits as needed. If you use the WhosOn tool mentioned above, auditing is less important. By default IIS always logs access; WhosOn puts these records into a very readable database that you can open in Access or Excel. If you regularly look through these records for anomalies, you can spot the server's weaknesses at any time.
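The review of IIS access logs that tips 12 and 15 describe, as an added PowerShell example that is not from the original article and does not depend on WhosOn: it parses W3C log lines using the #Fields directive, flags the request shapes the article mentions (cmd.exe, traversal and encoded slashes), and tallies them per client IP so the addresses can be fed into a Directory Security deny rule. The log lines are constructed samples and the log path is an assumed value.

```powershell
# Added example, not from the original article. The log lines are constructed
# samples in IIS's default W3C format; $LogPath is an assumed location.
$LogPath = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'

$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 10:00:01 10.0.0.5 GET /index.htm - 80 - 203.0.113.7 Mozilla/4.0 200
2024-01-10 10:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.9 Mozilla/4.0 404
2024-01-10 10:00:03 10.0.0.5 GET /_vti_bin/..%5c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.9 Mozilla/4.0 404
2024-01-10 10:00:04 10.0.0.5 GET /default.ida XXXX 80 - 192.0.2.33 - 404
2024-01-10 10:00:05 10.0.0.5 GET /about.htm - 80 - 203.0.113.7 Mozilla/4.0 200
'@ -split "`r?`n"

# Request patterns that a static content site should never see
$suspicious = 'cmd\.exe', 'root\.exe', '\.\./', '%5c', '%255c', '%c0%af', 'default\.ida'

function Find-SuspiciousRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the directive, so the parser follows
            # whatever field set the server was configured to log
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        $uri = "$($rec['cs-uri-stem'])?$($rec['cs-uri-query'])"
        $hit = $suspicious | Where-Object { $uri -match $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ ClientIP = $rec['c-ip']; Pattern = $hit; Status = $rec['sc-status']; Uri = $uri }
        }
    }
}

# Run over the embedded sample; for real logs use: Get-Content -Path $LogPath
$hits = Find-SuspiciousRequests -Lines $sampleLog
$hits | Format-Table -AutoSize
'--- Flagged requests per client IP (candidates for a Directory Security deny rule) ---'
$hits | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

On the sample above the two cmd.exe requests from 198.51.100.9 and the default.ida probe from 192.0.2.33 are flagged; the two ordinary page requests are not.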

Summary

All of the above IIS tips and tools (except WhosOn) come with Windows. Apply them one at a time and test your Web site's accessibility after each one. If you deploy them all at once and lose access, you may have to roll them back one by one to find the culprit.

A last tip: log on to your Web server and run netstat -an at the command line. Look at how many IP addresses are trying to connect to your ports, and you will have plenty to investigate.
