A master collation of IIS Faq_ security settings

1. How to make ASP scripts run with System privileges

Modify the virtual directory of your ASP script to change "Application protection" to "low" ....

2. How to prevent ASP Trojan

ASP Trojan Horse based on FileSystemObject component
cacls%systemroot%\system32\scrrun.dll/e/D guests//prohibit guests use

regsvr32 scrrun.dll/u///delete

ASP Trojan Horse based on shell.application component

cacls%systemroot%\system32\shell32.dll/e/D guests//prohibit guests use

regsvr32 shell32.dll/u///delete

3. How to encrypt ASP files

Free download from Microsoft to Sce10chs.exe directly run to complete the installation process.

After installation, the Screnc.exe file is generated, which is a command tool running in DOS PROMAPT.

Run Screnc-l vb****** source.asp destination.asp

Generate a new file containing ciphertext ASP scripts destination.asp

With Notepad open to see the general "", whether or not the annotation, have become unreadable ciphertext

But cannot encrypt Chinese.

4. How to extract URLScan from IISLockdown

iislockd.exe/q/c/t:c:\urlscan

5. How to prevent the Content-location header from exposing the Web server's internal IP address

Perform

c****** C:\inetpub\admin******s\adsutil.vbs Set W3svc/usehostname True

The last thing you need is to restart IIS

6. How to solve HTTP500 internal error

IIS http500 Internal error Most of the reason

Mainly because of the IWAM account password is not synchronized caused.

We can solve the problem simply by synchronizing the Iwam_myserver account password in the COM + application.

Perform

c****** c:\inetpub\admin******s\synciwam.vbs-v

7. How to enhance the ability of IIS to Defense SYN flood

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Initiate SYN attack protection. The default entry value is 0, which means that the attack protection is not turned on, and the entry value of 1 and 2 indicates that SYN attack protection is initiated, set to 2

The security level is higher and the situation is considered an attack, you need to trigger the boot based on the conditions set by the TcpMaxHalfOpen and tcpmaxhalfopenretried values below. It should be noted here that the NT4.0 must be set to 1, set to 2 after a special packet will cause the system to reboot.

"SynAttackProtect" =dword:00000002
The number of half connections allowed to open at the same time. The so-called semi-connection, which means that the TCP session is not fully established, can be seen in the SYN_RCVD state with the netstat command. This uses the Microsoft recommended value, the server is set to 100, and the Advanced Server is set to 500. Suggestions can be set slightly smaller.

"TcpMaxHalfOpen" =dword:00000064

Determine if there is a trigger point for the attack. Here we use the Microsoft recommended value, the server is 80, and the Advanced Server is 400.

"TcpMaxHalfOpenRetried" =dword:00000050

Set the wait syn-ack time. The default entry value is 3, which consumes 45 seconds of the default process. The item value is 2 and consumes 21 seconds.

The item value is 1 and consumes 9 seconds. The minimum can be set to 0, which means no wait, and consumes a time of 3 seconds. This value can be modified according to the size of the attack.

Microsoft Site security recommended for 2.

"TcpMaxConnectResponseRetransmissions" =dword:00000001

Sets the number of TCP heavy flyer data segments. The default entry value is 5, which consumes 240 seconds of the default process. Microsoft Site security recommended for 3.

"TcpMaxDataRetransmissions" =dword:00000003

Set the critical point for SYN attack protection. When the available backlog changes to 0 o'clock, this parameter is used to control the opening of SYN attack protection, and the Microsoft Site security recommendation is 5.

"TCPMaxPortsExhausted" =dword:00000005

Prohibit IP source routing. The default entry value is 1, which indicates that the routing packet is not routed, the entry value is set to 0, all forwarding is set to 2, which means that all accepted source routing packets are discarded and Microsoft Site security recommendation is 2.

"DisableIPSourceRouting" =dword:0000002

Limit the maximum time that is in the TIME_WAIT state. The default is 240 seconds, the minimum is 30 seconds, and the maximum is 300 seconds. The recommended setting is 30 seconds.

"TcpTimedWaitDelay" =dword:0000001e

8. How to prevent *mdb files from being downloaded

Installing the URLScan tool released by Ms can fundamentally solve this problem.

It's also a powerful security tool, and you can get more detailed information from MS's website.

9. How to get IIS to run with minimal NTFS permissions

In turn, do the following work:

A. Select the entire hard drive:

System: Full Control

Administrator: Full Control

(Allows inheritable permissions from parent to be propagated to objects)

B.\program Files\Common Files:

Everyone: Read and run

Listing file Directories

Read

(Allows inheritable permissions from parent to be propagated to objects)

C.\inetpub\wwwroot:

Iusr_machine: Read and run

Listing file Directories

Read

(Allows inheritable permissions from parent to be propagated to objects)

E.\winnt\system32:

Select all directories except Inetsrv and Centsrv,

Remove the "Allow inheritable permissions from parent to propagate to objects" marquee, copy.

F.\WINNT:

Select in addition to downloaded program files, help, IIS temporary compressed files,

Offline all directories except Web pages, system32, Tasks, temp, web

Remove the "Allow inheritable permissions from parent to propagate to objects" marquee, copy.

G.\WINNT:

Everyone: Read and run

Listing file Directories

Read

(Allows inheritable permissions from parent to be propagated to objects)

H.\winnt\temp: (allows access to the database and appears on the ASP page)

Everyone: Modify

(Allows inheritable permissions from parent to be propagated to objects)

10. How to hide the IIS version

A hacker can easily telnet to your web port and send a GET command for a lot of information

The corresponding DLL files that IIS holds for IIS banner are as follows:

Web:c:\winnt\system32\inetsrv\w3svc. Dll

FTP:C:\WINNT\SYSTEM32\INETSRV\FTPSVC2. Dll

Smtp:c:\winnt\system32\inetsrv\smtpsvc. Dll

You can use the 16 editor to modify the keywords of those DLL files, such as the microsoft-iis/5.0 of IIS

The specific process is as follows:

1. Stop IIS Iisreset/stop

2. Delete a file with the same name under the%systemroot%\system32\dllcache directory

3. Revise