Advanced tips for securely maintaining ASP sites under IIS _ Server

I. Preface

(Thanks to friends Bigeagle for this article only.) Not him, I might not have to worry so much about the Win2000 security issue. Oh! ）

People say, bitten, ten years afraid ..., that's it. At the beginning of 2000, when I finally got rid of Winnt 4.0 server that terrible patch trip, toward Win2000 server. I can finally be more comfortable with my server. But as the patches for SQL Server appear. I know, and Microsoft's patch karma has begun to cycle again. But it's okay. Win2000 Automation Management or let me rest assured a lot, and the previous management of Winnt after the insomnia symptoms have gradually disappeared. Occasionally, I can see my "dream" brother. But all this was lost in an intimate conversation with Bigeagle. Once, Bigeagle sent to QQ, showed me a piece of code. I can see that this is not bigeagle code, so rotten, but a bit familiar. One more look, huh?! This is not my database connection string!! GOD. Suddenly feel there is an ominous omen. But fortunately, this is just an access, I also used a number of means to prevent him from being downloaded. But it's enough to keep me awake for a long time. (Again, Bigeagle is not a snake, he is an eagle)

Two. IIS and ASP security protection during installation

(This is only a Web server, not a Web development platform on a local machine.) ）
The next few days are a few tough days. I started redeploying the security policy for the Win2000 Web server. Find out why the ASP code was compromised. Originally, my patch every time play more timely. But once IIS was uninstalled because of uninstalling FTP, I did not patch it up and caused the latest vulnerability web resolution error. (That's the newer vulnerability translate:f, with some tools to see the ASP's code.) ）

First, start reloading IIS.

The strategy for this installation is security and adequate. Get rid of some extra stuff.

1. FTP does not install, the function is not good, also easy to make mistakes, and the loophole is very big. FTP default transmission password process is clear text transmission, it is easy to intercept. (You may consider using a third-party tool.) ）

2. Do not install all the examples and documents. This is on the Web server, preferably without these examples, and it turns out that the IIS defenses can be breached from these example sites.

3. Select the Site directory when installing, it is recommended not to use the default directory C:\Inetpub, the best installation path is not the system disk on the disk. Such as:
D:\IISWEB, you can consider building your own directory. This way, even if IIS is breached, the system files can be protected as well as possible.

4. Do not install HTML remote administration. HTML remote management in Winnt 4.0 can also be used, but the vulnerability is relatively large, and more dangerous, although the port number is random, but it is easy to be scanned, thus leaving hidden dangers. In fact, we can manage him through IIS on another server. It's safer.

5. Unnecessary services are also not set up, such as NNTP, if not a newsgroup. Do not be Ann. SMTP, if there is a better mail service, do not install it.

6. Indexing server. This index is really useful, but I haven't used him. Otherwise, you can use him to build a whole site of the file search, but now it seems that most of the ASP page is a Web page, dynamically from the database query. So the index server is not used at all, (not the index is bad, but itself the kind of ASP file structure is not suitable) so you can not install.

Three. Secure configuration for purposeful purposes

①, the work before the development.

First, after starting IIS, see if there are any \iissamples,\iishelp,\msadc\, these directories, if there are, they are mostly used as an example to help install, delete them, and then delete the script library, until the Web directory left only the newly created virtual directory. If there is a managed Web site, also delete him. Without it, we can work better. And see if there are any printer folders, most of them are accessing the printer via the web. MS is strange. To show that I am powerful, allow remote printing over the web. Believe that no network company is through the web to print the. It is also impossible for users to use your computer. Well, get rid of it.

And then. Start to configure security for each Web virtual directory in detail. The approximate strategy is this. Categorize each folder management, such as you can assign extensions to the same directory, such as *. ASP's, and *.inc as far as possible separate. If it is *. ASP, the virtual directory permissions are open, but the actual directory permissions are granted to the Administrator,system (Full Control) Everyone (RC). This allows reading to be allowed over the web. But in fact you can increase security, if you think it is more confidential. If it is *.inc, the directory permissions are open, but direct access is not allowed. Here's another tip. For example, you can allow the actual directory to be accessed by everyone, but in IIS you remove the directory browsing entry, and the included file is read only by the source file, but not directly. In this way, hackers will not be able to download to your stand-alone database, and your *.inc files will not be directly read by the browser.


Just now my brother "dream" still ask me, there is no way to let others see your connection string, you can try the following method!
1 First establish the connection string and create a separate file *.inc (if *.inc, do not *.) ASP's) You copy your connection string into a variable.

such as: connstr= "" Provider=SQLOLEDB.1; PASSWORD=PASSW; ..............

2 Then create a folder include, put in the root directory.

3 then each file opens the connection in the following way.

Such as:
Set Conn=server.createobject ("Adodb.connection")
Conn.Open ConnStr

4 finally in IIS, the Include folder is protected by a denial of Read method. You will find that your connection can be opened as usual, but if the other person sees your source code, he cannot see the connection string, even if he sees the path and name of the include file. He can't download it or use IE to open it. So, you can protect your connection string.

The method used here is a common audit of NT permissions and IIS permissions. We know that in order for users to ask for a file from the Web, each server that has IIS installed has two built-in accounts. I_USEXXXXXX,I_WAMXXXXXX (x is your machine name) so that you can prevent certain users from viewing your necessary information from your Web network.

Of course, there are some better file strategies you can refer to:

such as: CGI (. exe,. dll,. cmd,. pl) Everyone (X) is not allowed to read, only run. Administrators (Full Control) System (Full Control).

So, when you're writing an ASP application, try to classify your directory as well. Easy to manage with IIS and NT.

For example, it is better to use the following structure

D:\web\ASPtest\static (Place *.htm)
D:\web\ASPtest\script (Place *. ASP)
D:\web\ASPtest\include (Place *.inc)
D:\web\ASPtest\images (Place *.gif,*.jpg)

This way you can use the above method to achieve the security purpose.

②, enable log monitoring

This is a good tool to mend, at least you can use it to monitor who has done what through the web. Of course, you also have to protect the log permissions only by the system administrator and Super Admin control. This prevents some people from doing something without leaving traces. In order to stay on site without affecting the response speed of IIS, it is recommended that you choose the extended log format. (I used to be introduced to ODBC by others, it seems more convenient, but in fact it is not so.) It is affected by the database very much, and the speed is slower.

You may consider recording the field data:

Customer IP Address
User name
Method
URI Resource
HTTP status
Win32 State
User Agent
Server IP Address
Server port


The latter two properties are useful if you have more than one WEB server on a single computer. Win32 State properties are useful for debugging.

When checking the log, pay close attention to error 5, which means that access is denied. Enter NET helpmsg err on the command line to find the meaning of other Win32 errors, where err is the error number to look for.

③, configuring the appropriate script mappings

Trust me, most of the ASP source code leaks are caused by unsafe or malformed script mappings. And most of them may not be available to you, as I said below:

1 *.htr This is a more powerful file, he is one of the Web applications. Same as an HTA. These are some of the more powerful features, but few are introduced. An HTA is an HTML-formatted application that is more powerful. Cut security is lower than HTM. So it can lead to powerful operations. For example, HTR can reset the password via the web. I believe most of our ASP programmers and NT network administrators do not need this. Well, delete his corresponding option. Otherwise, anyone can use your web to do illegal operations, or even format your hard drive.

2 *.hta This I have said, he is a double-edged sword, with good, you can through his to access NT many operations, on the ASP to open NT users is also possible. But most of the work can not be done through the web relationship serve best. And *.hta is rarely used on the web, though he has launched it in iis4.0. For example, if you save a file as a *.hta, you can open it with IE. Look, it's a strange interface. Listen to MS Engineers said. NET in the *.hta changed the word, the function increased. It seems that the work of network management should be increased. If you want to be safe, erase it.

3 *.IDC This dongdong is a relatively old database connection method, now most of the direct use of ASP files. No IDC, so delete him.

4 *.printer This is the printer file, get rid of him.

5 *.htw, *.ida *.idq These are index files, can also be removed.

④, good safety habits

Pay attention to the site of MS, look at the security bulletin. (MS Traffic is such a long-term ranking of the world's top three!) There are also a few third-party tools to prepare. such as scan tool, simulate attack tool. Look at the security site more.

If you can have some good mafia friends (my other brother and family method), is also better. (Mafia is the way hackers go!) ）

⑤, prevent ASP code from being leaked

Here can only be said to prevent, I only have seen from looking at the vulnerability of ASP method, now for iis4.0 there are almost 20 kinds of methods, but installed SP6a after two, you can go to Microsoft's website security bulletin download 2000-8 months after the patch can be resolved. But if you use the method above in this article. It can be loaded into the SP6.

If you are Win2000 server, there are two ways. After the SP1, there is another, so you have to reverse the Microsoft Security Bulletin board to download the corresponding hotfix. can be solved.

⑥, to prevent malicious destruction

This feature can deal with some of the bad molecules you monitor, you can see in the log or Third-party tools who are constantly detecting and destroying your IIS. Then put him on the list of unwelcome, so that you can configure the site to its IP or domain to deny access, but this process is to pay the price, your IIS to take the role of reverse lookup. may be time-consuming.

The topic of ⑦ and safety

The above is just IIS and ASP. If you want to use a database, use remote management, use the remote connection database, you should also pay attention to separate. As I said, there is no absolute security, and that is the need for security. On the topic of security, there is no end, only to be continued.