Advanced tips for securely maintaining IIS ASP Sites

One: Preface

People say, bitten, ten years of fear ... That's it. At the beginning of 2000, when I finally got rid of Winnt 4.0 server that terrible patch trip, toward Win2000 server. I can finally be more comfortable with my server. But with the SP1 patch appearing. I know, and Microsoft's patch karma has begun to cycle again. But it's okay. Win2000 Automation Management or let me rest assured a lot, and the previous management of Winnt after the insomnia symptoms have gradually disappeared. Occasionally, I can see my "dream" brother. But all this was lost in an intimate conversation with Bigeagle. A. Bigeagle sent to QQ. Showed me a piece of code. I can see that this is not bigeagle code, so rotten, but a bit familiar. One more look. Ah?! This is not my database connection string!! GOD. Suddenly feel there is an ominous omen. But fortunately, this is just an access, I also used a number of means to prevent him from being downloaded. But it's enough to keep me awake for a long time.

Two: IIS and ASP security protection during installation. (This is only a Web server, not a Web development platform on a local machine.)

)

The next few days are a few tough days. I started redeploying the security policy for the Win2000 Web server.

Find the reason that the ASP code is leaking, original. Every time I play the patch is more timely. But once IIS was uninstalled because of uninstalling FTP, I did not patch it up and caused the latest vulnerability web resolution error. (That is, the newer vulnerability translate:f use this plus some tools to see the ASP's code.) First, start reloading IIS.

The strategy for this installation is security and adequate. Get rid of some extra stuff.

One: FTP do not install, the function is not good, also easy to make mistakes, and the loophole is very big. The FTP default transmission password process is clear text transfer

, it is easy to be intercepted by others. (You may consider using a third-party tool.) )

Second: All instances, documents are not installed. This is on the Web server, preferably without these examples, and it turns out that the IIS defenses can be breached from these example sites.

Third: Select the Site directory when installing, it is recommended not to use the default directory C:\Inetpub, the best installation path is not the system disk on the disk. Such as:

D:\IISWEB, you can consider building your own directory. This way, even if IIS is breached, the system files can be protected as well as possible.

Four: Do not install the remote administration of HTML. HTML remote management in Winnt 4.0 can also be used, but the vulnerability is relatively large, and more dangerous, although the port number is random, but it is easy to be scanned, thus leaving hidden dangers. In fact, we can manage him through IIS on another server. It's safer.

Five: No more services, such as NNTP, if not a newsgroup. Do not be Ann. SMTP, if you have a better mail service, don't pretend to be him.

VI: Index Server. This index is really useful, but I haven't used him. Otherwise, you can use him to build a whole site of the file search, but now it seems that most of the ASP page is a Web page, dynamically from the database query. So the index server is not used at all, (not the index is bad, but itself the kind of ASP file structure is not suitable) so you can not install.