As one of the most widely used Web servers, IIS provides powerful Internet and intranet services. Strengthening the security mechanism of IIS and building a reliable Web server with high security has therefore become an important part of network management.

Security based on the Windows NT security mechanism

1. Use the NTFS file system
The NTFS file system can apply permissions to files and directories. The FAT file system only provides share-level security, while the Windows NT security mechanism is built on NTFS. It is therefore best to choose NTFS when installing Windows NT; otherwise an NT security mechanism cannot be established.

2. Modify share permissions
By default, every time a new share is created, the Everyone group receives Full Control over it. The default Everyone permission should therefore be changed immediately after a new share is created.

3. Rename the system administrator account
Although Domain User Manager can limit the number of password guesses, this limit does not apply to the system administrator account (Administrator), so an illegal user can attack the Administrator account's password without being locked out. Renaming the Administrator account with Domain User Manager is a good countermeasure. The specific steps are: choose Start > Programs > Domain User Manager, select the administrator account, choose User > Rename, and enter the new name.

4. Disable the NetBIOS binding on TCP/IP
An NT system administrator can create a mapping between NetBIOS names and the IP addresses of target stations in order to manage other servers on the Internet or intranet. However, illegal users can use the same mechanism to discover available servers. If this remote management is not required, cancel it immediately by unbinding NetBIOS from TCP/IP through the Bindings option of the Network properties.

Setting the IIS security mechanism

1. Security issues during installation
1) Avoid installation on the primary domain controller. After IIS is installed, an anonymous account named IUSR_computername is generated on the computer on which it is installed. This account is added to the Domain Users group, so every anonymous user accessing the Web server receives the access permissions granted to Domain Users. This not only creates a risk for IIS itself but may also threaten the security of the resources of the entire domain. Therefore, do not install IIS on a domain controller, and especially not on the primary domain controller.
2) Avoid installation on the system partition. Installing IIS on the system partition allows illegal access to IIS to reach the system files, which makes it easier for an illegal user to intrude into the system partition. Therefore, avoid installing IIS on the system partition.

2. User security
1) Anonymous user access control. After IIS is installed, the anonymous user IUSR_computername is generated with a randomly generated password. Its anonymous access brings potential security problems to the Web server, so its permissions should be controlled. If anonymous access is not needed, it can be cancelled for the Web service. Specific method: choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager to start Microsoft Internet Service Manager, double-click "WWW" to open the WWW Service property page, and cancel anonymous access to the service.
2) Control general user access permissions. Use passwords that combine digits and letters (including uppercase and lowercase), use long passwords (generally more than 6 characters), and change passwords frequently. Common user accounts are managed by locking out failed logon attempts and setting an account validity period.

3. Security of IIS authentication
1) Anonymous access: anyone can access anonymously; this is the lowest security of the three methods.
2) Basic authentication: the user name and password are transmitted in plain text over the network; security is average.
3) Windows NT Challenge/Response: the browser communicates with the IIS server through encryption, effectively preventing eavesdropping. This is the most secure of the three authentication forms (supported by IE 3.0 or later).

4. Access permission control
1) Set access permissions for folders and files. For folders and files placed on an NTFS file system, permissions must be controlled and different permissions set for different groups and users. In addition, the NTFS audit function can be used to review reading and writing of files by members of certain groups; by monitoring "File Access", "Use of User Rights" and other events, the precursors of illegal activity by illegal users can be discovered early and stopped in time. Specific method: choose Start > Programs > Domain User Manager, select the "Audit" option under "Policies", and set the audit policy.
2) Set the access permission for the WWW directory. Once a folder has been set as the Web directory, its access permission can be controlled through the Web site property page, and all files and subfolders in this directory inherit these settings. In addition to the permissions provided by the NTFS file system, the WWW service provides Read permission, which allows users to read or download files in the WWW directory, and Execute permission, which allows users to run programs and scripts under the WWW directory. The specific steps are: choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager to start Microsoft Internet Service Manager, double-click "WWW" to open the WWW Service property page, select the "Directories" tab, select the WWW directory to be edited, click "Edit", and set the directory properties in the properties dialog.

5. IP address control
IIS can allow or deny service requests sent from specific IP addresses, and can allow only users of specific nodes to access the service. It can be set up to prevent network users outside the specified IP addresses from accessing your Web server. The specific steps are: choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager to start Microsoft Internet Service Manager, double-click "WWW" to open the WWW Service property page, open the "Advanced" tab of the Web property page, and set the IP addresses there.

6. Port security
Each IIS service (the WWW site, the FTP site, NNTP and SMTP) has its own TCP port number on which it listens for and receives browser requests. The commonly used port numbers are 80 for WWW, 21 for FTP and 25 for SMTP. The port number can be modified to improve the security of the IIS server: once the port setting is changed, only users who know the new port number can reach the service, but they must specify the new port number when accessing it.

7. IP forwarding security
The IIS service host provides an IP packet forwarding function. When it is enabled, the IIS server acts as a router and forwards IP packets received on the Internet interface to the intranet; disabling this function improves the security of the IIS services. The setting method is: choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager to start Microsoft Internet Service Manager, double-click "WWW" to open the WWW Service property page, select the "Protocols" tab, and remove "Routing" from the TCP/IP properties.

8. SSL security mechanism
SSL (Secure Sockets Layer) sits between the HTTP layer and the TCP layer and establishes encrypted communication between users and servers to ensure the security of information in transit. SSL is based on public and private keys: any user can obtain the public key to encrypt data, but the data can only be decrypted with the corresponding private key. When the SSL security mechanism is used, the client first establishes a connection with the server. The server sends its digital certificate and public key to the client; the client generates a random session key, encrypts it with the public key obtained from the server, and sends it to the server over the network. Only the server can decrypt the session key, so the client and the server have established a unique secure channel. The specific steps are: choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager to start Microsoft Internet Service Manager, double-click "WWW" to open the WWW Service property page, select the "Directory Security" tab, click the "Key Manager" button, use Key Manager to generate the key file and the certificate request file, apply for a certificate from a certificate authority, install the certificate on the server through Key Manager, and activate SSL security for the Web site. After the SSL security mechanism is established, only clients permitted by SSL can communicate with the Web sites protected by SSL. When entering the URL, note that "https://" must be typed instead of "http://". Implementing the SSL security mechanism increases system overhead and adds load on the server CPU, which reduces system performance to a certain extent. When planning the network, I suggest using the SSL security mechanism only for highly sensitive Web directories. In addition, the SSL client must use IE 3.0 or later.
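The following PowerShell audit script is an added example and is not part of the original article; it reports, on a current Windows host, the state of several settings the article tells the administrator to harden (NTFS on fixed volumes, shares granting Everyone full control, the name of the built-in administrator account, NetBIOS over TCP/IP, IP forwarding, and Everyone write access on the Web directory). It assumes the SmbShare and LocalAccounts PowerShell modules are available and that the Web content lives at C:\inetpub\wwwroot, which is an assumed path.

```powershell
# Added audit script (not from the original article). Read-only: it reports, it does not change anything.
param([string]$WebRoot = 'C:\inetpub\wwwroot')  # assumed Web directory; adjust to your site root

$findings = @()

# NTFS: the NT permission model needs it, so every fixed volume should be NTFS
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -ne 'NTFS' } |
    ForEach-Object { $findings += "Volume $($_.DriveLetter): is $($_.FileSystem), not NTFS" }

# Shares: flag any non-administrative share that still grants Everyone full control
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' } |
        ForEach-Object { $findings += "Share $($_.Name): Everyone has Full access" }
}

# Built-in administrator: its RID is always 500, so check the name behind that SID
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($admin.Name -eq 'Administrator') { $findings += 'Built-in administrator account has not been renamed' }

# NetBIOS over TCP/IP: TcpipNetbiosOptions 2 means disabled on that adapter
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
    ForEach-Object { $findings += "NetBIOS over TCP/IP still enabled on $($_.Description)" }

# IP forwarding: IPEnableRouter = 1 makes the host route packets between its interfaces
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) { $findings += 'IP forwarding (IPEnableRouter) is enabled' }

# Web directory ACL: Everyone should never be able to write to or take control of Web content
if (Test-Path $WebRoot) {
    (Get-Acl $WebRoot).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
        ForEach-Object { $findings += "$WebRoot grants Everyone $($_.FileSystemRights)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else          { Write-Output 'No findings for the checked items' }
```

Run it from an elevated PowerShell session, since reading share permissions and the TCP/IP parameters key requires administrative rights.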