1. Delete the default shares and disable ports 139 and 445.
Open the "Computer Management" program, select "Shared Folders", right-click the corresponding shared folder, and select "Stop Sharing". However, after the system is restarted, IPC$ and printer$ will be shared again.
IPC$ and printer$ work on ports 139 and 445, so let's close these ports manually.
To disable port 445, follow these steps:
(Port 445 is the file and printer sharing communication port. It is open by default.)
Modify the registry and add a value:
Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
Add DWORD Value: SMBDeviceEnabled
Right-click the "SMBDeviceEnabled" value and select "Modify".
In the displayed "Edit DWORD Value" dialog box, enter "0" under "Value data".
Click OK to complete the setting. Restart the computer and port 445 is closed.
To disable port 139, follow these steps:
(Port 139 is open because the NetBIOS network protocol is in use. NetBIOS stands for Network Basic Input/Output System, a set of network standards developed by IBM in 1983, which Microsoft has continued to develop. Microsoft's client/server network systems are based on NetBIOS. In such a network, the unique identifier of each host is its NetBIOS name. The system can use the WINS service, broadcasts, and the Lmhosts file to resolve NetBIOS names to the corresponding IP addresses for communication. Within such a network, communicating by NetBIOS name is convenient and fast. But on the Internet, it is similar to a backdoor program. Many hackers intrude into computers through this vulnerability!)
Control Panel > Network > Local Area Connection > Properties (uncheck "File and Printer Sharing for Microsoft Networks" here) > TCP/IP protocol properties > Advanced > WINS > NetBIOS setting > select "Disable NetBIOS over TCP/IP"
Port 139 is now closed.
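To confirm after the restart that both changes took effect, the following added example (not part of the original article) parses the output of `netstat -an` and reports any listener still bound to port 139 or 445, together with the step above that closes it. The function name and both sample outputs are constructed for illustration.

```python
import re

# Which step from the text above closes each port.
FIXES = {
    445: r"set SMBDeviceEnabled=0 under HKLM\System\CurrentControlSet\Services\NetBT\Parameters, then restart",
    139: "disable NetBIOS in TCP/IP properties > Advanced > WINS",
}
# Only TCP rows in LISTENING state count; the first address column is the local one.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)

# Constructed `netstat -an` output before hardening.
SAMPLE_BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1445        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1067        192.0.2.20:445         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Constructed output after both changes and a restart.
SAMPLE_AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1067        192.0.2.20:445         ESTABLISHED
"""

def open_share_ports(netstat_output):
    """Return sorted (port, local_address, fix) for listeners still on 139/445."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        # Outbound connections to a remote :445 and look-alike ports such as
        # 1445 are ignored: only the local port of a LISTENING row is checked.
        if port in FIXES:
            found.add((port, m.group(1), FIXES[port]))
    return sorted(found)

if __name__ == "__main__":
    for port, addr, fix in open_share_ports(SAMPLE_BEFORE):
        print("port %d still listening on %s: %s" % (port, addr, fix))
```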
2. Set Directory Permissions
On Windows, and most of the time on a WIN2003 system, permissions are assigned per user.
Choose Start > Programs > Administrative Tools > Computer Management > Local Users and Groups to manage system users and user groups.
NTFS security permission settings are powerful (remember to format all hard disk partitions as NTFS).
We can then determine the permissions that each user has on each partition.
Right-click a file (folder) and choose Properties > Security to manage the NTFS permissions of that file (folder).
Each IIS site or virtual directory can be assigned its own anonymous access user (referred to here as the "IIS anonymous user").
When a visitor requests an .ASP file on your website, that .ASP file runs with the permissions of this "IIS anonymous user".
The idea behind the permission settings is to create a system user for each independent unit to be protected (such as a website or a virtual directory),
so that the site has a unique identity in the system to which permissions can be assigned.
Set all partitions to prohibit access by this user.
On the folder that is the site's home directory, allow this user access (remove the inherited parent permissions and add the Administrators group and the SYSTEM group).
After this setting, the ASP programs in this site only have permissions on the site's own folder.
Specific settings
Drive C: keep only the Administrators group and the SYSTEM user and give them full permissions. Delete all other users.
C:\Program Files\Common Files: grant the Everyone group read permission on this folder.
C:\Documents and Settings\All Users: remove the other users on this folder once again. Only Administrators and SYSTEM are retained, with full permissions.
C:\Windows: grant full permissions to Administrators and SYSTEM, and read and execute permissions to the Users user group. On all other partitions, keep only the permissions of Administrators and SYSTEM. Delete all other users.
Create a separate user for each website and add it to the Guests user group. Right-click "My Computer" > Manage > "Local Users and Groups" > "Users" and create a user, for example "dongwang" with password: dongwang
Right-click the "dongwang" user > Properties > select the "Member Of" tab > remove the "Users" group that it belongs to by default and add the Guests group > OK
Then select the "Remote Control" tab and clear the "Enable remote control" option > OK
Right-click the website program folder and select "Security". Note: the website program folder is the directory where your website is located, for example E:\WEB\dynamic network website
In IIS, open the site or virtual directory Properties → Directory Security → Anonymous access and authentication control → Edit → Anonymous Access → Edit, and enter the user name and password you created. Click OK, enter the password again when prompted, and click OK.
3. Delete unnecessary components and disable unnecessary services
In fact, once the above permission settings are in place, FSO, XML, and Stream are no longer insecure components, because they have no permission to cross into other folders or sites.
The most dangerous components are WSH and Shell, because they can run EXE files and other programs on your hard disk. For example, they can run a privilege-escalation program to raise SERV-U permissions, or even use SERV-U to run a system program with higher privileges. (It is recommended not to use popular software such as SERV-U here. For FTP server software, Gene6 is recommended; functionally it is in no way inferior to SERV-U.)
FSO and XML are among the most common components and many programs use them. WSH components are used by some host management programs, and some packaging programs use them as well.
Manually delete WSH and Shell components.
-------------> The following are references:
The simplest way is to unregister the component and delete the corresponding program file. Save the following code as a .BAT file (the following uses WIN2000 as an example. If 2003 is used, the system folder should be C:\WINDOWS)
rem Unregister and delete the WSH component (WScript.Shell, WScript.Network)
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
rem Unregister and delete the Shell component (Shell.Application)
regsvr32 /u C:\WINDOWS\system32\shell32.dll
del C:\WINDOWS\system32\shell32.dll
Run it to remove WScript.Shell, Shell.application, and WScript.Network. You may be prompted that a file cannot be deleted; you don't have to worry about it. Restart the server and you will find that all three now show "X Security".
Renaming insecure components
Note that both the component name and the Clsid must be changed, and changed completely. The following uses Shell.application as an example.
Open the Registry Editor [Start → Run → regedit, press Enter], then [Edit → Find → enter Shell.application → Find Next]. This finds two registry keys: "{13709620-C279-11CE-A49E-444553540000}" and "Shell.application". To be safe, export these two registry keys and save them as .reg files.
For example, we want to make the following change:
13709620-C279-11CE-A49E-444553540000 is renamed to 13709620-C279-11CE-A49E-444553540001
Shell.application is renamed to Shell.application_ajiang
Then replace the contents of the exported .reg files according to the mapping above, and import the modified .reg files into the registry (double-click them). After importing the renamed registry keys, do not forget to delete the original two keys. Note that the Clsid can only contain the ten digits and the six letters ABCDEF.
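The edit described above can be scripted instead of done by hand. This added example (not the author's code) rewrites exported .reg text with the new Clsid and component name, rejects a Clsid containing characters other than 0-9 and A-F, and appends `[-key]` entries that delete the original keys on import. The function name is hypothetical, and the sample export is constructed, including the `Shell.Application\CLSID` subkey.

```python
import re

# Constructed sample of the two exported keys, merged into one file.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\Shell.Application]
@="Shell Automation Service"

[HKEY_CLASSES_ROOT\Shell.Application\CLSID]
@="{13709620-C279-11CE-A49E-444553540000}"
"""

# A Clsid is 8-4-4-4-12 hex digits: only 0-9 and A-F are allowed.
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
KEY_RE = re.compile(r"^\[(HKEY_[^\]\r\n]+)\]\s*$", re.MULTILINE)

def rename_component(reg_text, old_clsid, new_clsid, old_progid, new_progid):
    """Build .reg text that adds the renamed keys and deletes the original ones."""
    if not CLSID_RE.fullmatch(new_clsid):
        raise ValueError("new Clsid must be 8-4-4-4-12 hex digits (0-9, A-F)")
    if new_clsid.upper() == old_clsid.upper() or new_progid.lower() == old_progid.lower():
        raise ValueError("both the Clsid and the component name must change")

    def rename(text):
        text = re.sub(re.escape(old_clsid), lambda m: new_clsid, text, flags=re.IGNORECASE)
        return re.sub(re.escape(old_progid), lambda m: new_progid, text, flags=re.IGNORECASE)

    keys = KEY_RE.findall(reg_text)
    # "[-key]" removes a key together with its subkeys, so only the top-level
    # exported keys that the rename actually changed need a delete entry.
    roots = [k for k in keys
             if rename(k) != k
             and not any(k.upper().startswith(o.upper() + "\\") for o in keys)]
    deletes = "".join("\n[-%s]\n" % k for k in roots)
    return rename(reg_text).rstrip("\n") + "\n" + deletes

if __name__ == "__main__":
    print(rename_component(SAMPLE_EXPORT, "13709620-C279-11CE-A49E-444553540000",
                           "13709620-C279-11CE-A49E-444553540001",
                           "Shell.Application", "Shell.Application_ajiang"))
```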
The following is my modified code (two files are merged together):
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}]
@="Shell Automation Service"
[HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540001}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOTC