Best practices for Security: Locking IIS and SQL Servers

Microsoft's IIS and SQL Servers are often a major part of the windows-based Distributed application environment. This means that they are also the most frequently targeted targets. In this article, we will provide some specific recommendations to improve the security of these products.

Recommendations for improving IIS security

There is a programming interface called ISAPI in IIS that is related to files that have DLLs as extensions. These files are also known as ISAPI extensions.

Small knowledge

ISAPI is an abbreviation for the Internet server API, an application programming interface (API) for the Microsoft IIS Web server, because the ISAPI is more tightly integrated with the Web server, This allows programmers to develop web-based applications that perform more efficiently than traditional CGI technologies by using ISAPI. In addition to Microsoft's IIS, there are other vendors ' Web server products that also support ISAPI interfaces.

ISAPI extensions are responsible for processing such as Active Server Pages (ASP),. NET network services and web-based print sharing functions. However, many of these extensions are unnecessary, especially if you are using a previous version of IIS 5.0. The problem is that many of these extensions (filters) have security vulnerabilities that can be exploited. The infamous "Red Code" is an example of a malicious program that exploits these extended functions. You can simply enable the ISAPI extensions that are required by the Web server and applications, and strictly limit the HTTP options that can be used with the various extensions.

Setting ISAPI options in IIS

Most IIS installations include simple applications and scripts designed to showcase the functionality of this network server. They are not very well designed to take security into account, especially before version 5.0. In this way, people can use the security vulnerabilities of these programs to overwrite the files on the server or remote access, or even remotely accessing sensitive server information, such as system settings and paths to executable programs. Before you set up any IIS servers for formal use, you should at least delete the "/inetpub/iissamples" directory, delete, move the "/inetpub/adminscripts" Administrator script directory, or restrict access to it. Microsoft IIS Security Tool IIS Lockdown Tool is useful for enhancing IIS security.

Any Web server that does not insist on constantly upgrading patches and keeping up to date is the primary target of malicious activity. It is important to regularly and timely repair Web servers that allow public access.

Network plug-ins such as ColdFusion and PHP can also create security vulnerabilities in Network servers. Be careful with these plug-ins, and look at the resource Web site and the latest security bulletins to see the latest patches and new vulnerabilities that these plug-ins require.

IIS Security Checklist

1. Application of the latest operating system service packs and IIS security upgrades and the latest upgrade packs for any applications installed on the same host. Consider using the automatic upgrade tool to automatically install patches.

2, the installation of host-based anti-virus and intrusion detection software. Keep these software up to date with patches and check your log files frequently.

3, close the unnecessary script interpreter and delete their binaries. Examples include Perl, PerlScript, VBScript, JScript, JavaScript, and PHP.
　　
4, use the log and often check the log records, it is best to summarize the event's Automation program to view the record and report unusual and suspicious events.

5, delete or limit the attacker to break through the computer commonly used system tools. For example, TFTP (. exe), FTP (. exe), cmd.exe, bash, Net.exe, Remote.exe, and Telnet (. exe).

6. Run only HTTP services on the Web server and the services required to support this service.

7. Be familiar with and minimize any connections to the internal network through a public network server. Turn off file and printer sharing and NetBIOS name resolution on an Internet-facing system.

8. Use a separate DNS server in the quarantine area for Internet-facing Web server services. Do not direct any queries that are not resolvable outside the quarantine zone to other public DNS servers or to your service provider's servers, and should not be directed to your internal DND server.

9, in the public-oriented system with the internal system with different accounts and passwords to make rules, Internet-facing IIS server should be located behind the firewall in the quarantine, quarantine and internal network between the second layer of firewalls. An Internet-facing IIS server should not be part of an internal Active Directory domain or use an account that is part of an internal Active Directory domain.

10, if necessary, block all ports leading to the quarantine zone, except for port 80 or 443 ports.

11. Install the operating system on one hard disk and install the Web site on a different hard drive to prevent directory traversal attacks.

12, if you must use the Remote Data protocol (or Terminal Services Protocol and Remote Desktop Protocol) to manage the server, the default 3389 port to the hacker is not easy to find other ports.

Tools to ensure IIS security

Use a Windows upgrade or an automatic upgrade for a single server.

Use System Management Server (SMS) or Windows Server Upgrade Service (WSUS) in a manageable environment or where an administrator is responsible for multiple different systems.

The Microsoft Baseline Security Analyzer (MBSA) helps system administrators perform scans on local systems and remote systems to find the latest patches. This tool runs on Windows NT 4, Windows 2000, Windows XP, and Windows 2003 platforms.

Use the IIS Lockdown Tool or the Security Settings Wizard (SCW) to enhance your IIS and servers. Use URLScan to filter HTTP requests. URLScan is part of the IIS Lockdown Tool that can be set up to reject malicious HTTP requests such as "Blue Code" and "Red Code", even before the server processes these malicious requests.

Download these tools to another machine and copy them to your IIS server before your IIS server connects to the Internet. Avoid connecting your IIS servers to the Internet before you thoroughly analyze and use patches.

SQL Server Security Recommendations

Modify the default SQL Server port

The most common SQL attacks are not even included in the security bulletin. This is an attempt to simply log on to the SA account using a blank password. Microsoft's SQL Server installed the default SA account with a blank password, which is the first thing you need to change.

Another common reason for creating a blank password is a product. For example, some versions of Visio install Microsoft SQL Server 2000 Desktop Engine (MSDE) and never modify the sa password. Users are not even aware that they are running MSDE. You can download a program from the eeye Digital security company to scan your network for SQL Servers that have a blank sa account.

SQL Server Security Checklist

1, set a sa account password, and limit the use of this account. You also need to change passwords regularly to prevent passwords from spreading and to be used by developers or by too many administrators. If anyone who knows the sa password leaves the company, you will need to modify the sa password. Use eeye tools to scan your network for SQL Servers with no sa password.

2. Set your SQL Server behind the firewall, separate from your IIS server or network server. Only these specified network servers are allowed to connect to the SQL Server. Your SQL Server should never be open to the Internet or allow public access.

3. Remove builtin/administrators from the sysadmin role and assign SQL administrative permissions to domain accounts that require SQL management functionality.

4, if possible, use Windows identity or use only Windows mode. In this way, a potential hacker must first authenticate to the domain, rather than just authenticate to the SQL Server.

5, do not run the SQL Server on the domain controller.

6, change the SQL Server startup account to a non-local account.

7. Enable failed login options (server properties/security tags) so you can view failed logins to see if any unauthorized individuals are trying to access the server. If possible, monitor SQL records and set up alerts in SQL using NetSend or e-mail.

8. Maintain the latest patch updates and service packs for the operating system and SQL. Some options refer to the tools that ensure IIS security.

9, to protect any extended stored procedures. Control the access of stored procedures to data, approving access to the data, rather than providing a comprehensive db_datareader and db_datawriter license to the data itself.

10, use the Setup tool to modify the standard SQL Server port, and close the default port 1433. Have your network administrator open a new port.

11, to ensure that the Everyone group does not have SQL Server registry key write right.