iis| Safety | advanced | skill | Site One: preface
(Thanks to friends Bigeagle for this article only.) Not him, I might not have to worry so much about the Win2000 security issue. Oh! )
People say, bitten, ten years of fear ... That's it. At the beginning of 2000, when I finally got rid of Winnt 4.0 server that dreadful mend
Ding's journey towards the Win2000 server. I can finally be more comfortable with my server. But with the SP1 patch appearing. I know
and Microsoft's patch karma has begun to cycle again. But it's okay. Win2000 Automation Management Still let me feel much better, and before the management of Winnt
The insomnia symptom also gradually disappears. Occasionally, I can see my "dream" brother. But all this was accompanied by a heart-to-heart talk with Bigeagle.
In vain. A. Bigeagle sent to QQ. Showed me a piece of code. I can see that this is not the code Bigeagle wrote, that
It sucks, but it's a little familiar. One more look. Ah?! This is not my database connection string!! GOD. Suddenly feel that there is a kind of ominous
Omen. But fortunately, this is just an access, I also used a number of means to prevent him from being downloaded. But it's enough to keep me awake for a long time
Here it comes. (Again, Bigeagle is not a snake, he is an eagle)
Two: IIS and ASP security protection during installation. (This is only a Web server, not a Web development platform on a local machine.)
)
The next few days are a few tough days. I started redeploying the security policy for the Win2000 Web server.
Find the reason that the ASP code is leaking, original. Every time I play the patch is more timely. But one time because the FTP was uninstalled, the reload
IIS, and after that, I didn't patch it up and cause the latest vulnerability to Web resolution error. (That's the newer loophole Translate
: F with this plus some tools to see the ASP's code. )
First, start reloading IIS.
The strategy for this installation is security and adequate. Get rid of some extra stuff.
One: FTP do not install, the function is not good, also easy to make mistakes, and the loophole is very big. The FTP default transmission password process is clear text transfer
, it is easy to be intercepted by others. (You may consider using a third-party tool.) )
Second: All instances, documents are not installed. This is on the Web server, preferably without these examples, and it turns out that these cases can
Subwebs break through the defenses of IIS.
Third: Select the Site directory when installing, it is recommended not to use the default directory C:\Inetpub, the best installation path is not the system disk on the disk. Such as:
D:\IISWEB, you can consider building your own directory. This way, even if IIS is breached, the system files can be protected as well as possible.
Four: Do not install the remote administration of HTML. The remote management of HTML can be used in Winnt 4.0, but the holes are relatively large and dangerous.
Risk, although the port number is random, but it is easy to be scanned by people, thus leaving hidden dangers. In fact, we can go through another server
IIS to manage him. It's safer.
Five: No more services, such as NNTP, if not a newsgroup. Do not be Ann. SMTP, if there is a better mail service
, and don't pretend to be him.
VI: Index Server. This index is really useful, but I haven't used him. Otherwise, you can use him to build a whole site of the text
Pieces of search, but now it seems that most of the ASP pages are a Web page, dynamically from the database query. So you can't use Indexing Service at all.
, (not the index is bad, but itself the kind of ASP file structure is not suitable) so you can not install.
Third: Have the purpose to carry on the security disposition.
One: pre-development work.
First, after starting IIS, see if there are any \iissamples,\iishelp,\msadc\, these directories, if any, they are mostly used as
examples, to help install, delete them, and then delete the script library, until the web directory leaves only the newly created virtual directory of the static, if
Have a managed web site, also delete him. We can work better without him. And see if there are any printer folders,
Most of them have access to the printer through the web. MS is strange. To show that I am powerful, to allow remote printing over the web
。 Believe that no network company is through the web to print the. It is also impossible for users to use your computer. Well, get rid of him.
。
And then. Start to configure security for each Web virtual directory in detail. The approximate strategy is this.
Categorize each folder management, such as, yes. Extension is identical to the same directory, such as *.asp, and *.inc as far as possible separate
。 If *.asp, the virtual directory permissions are open, but the actual directory permissions are granted to Administrator,system (Full Control)
Everyone (RC) can be. This allows reading to be allowed over the web. But in fact you can increase security, if you recognize him as a comparative insurance
The secret. If it is *.inc, the directory permissions are open, but direct access is not allowed. Here's another tip. Like what. You can be allowed
Allows the actual directory to be accessed by everyone, but in IIS, you remove the directory browsing entry, the file can only be read by the source file, but
Not allowed to be read directly. In this way, he will not be able to pour some of your stand-alone database. And your *.inc files won't be browsed.
Direct reading of the device.
Just now my brother "dream" still ask me, there is no way to let others see your connection string, you can try the following method
!
1 First establish the connection string and create a separate file *.inc (if *.inc, don't *.asp) you put your connection word
The string is copied in with the variable.
such as: connstr= "" Provider=SQLOLEDB.1; PASSWORD=PASSW; ..............
2 Then create a folder include, put in the root directory.
3 then each file opens the connection in the following way.
such as:<!--#include file= "Include\*.inc"-->
Set Conn=server.createobject ("Adodb.connection")
Conn.Open ConnStr
4 finally in IIS, the Include folder is protected by a denial of Read method. You will find that your connection can be opened as usual, but
If the other person sees your source code, he can't see the connection string even if he sees the include file path and name. And he can't download it,
Or use IE to open. So, you can protect your connection string.
The method used here is a common audit of NT permissions and IIS permissions. We know that in order for users to petition the Web to ask for server files
, each server that has IIS installed will have two built-in accounts. I_USEXXXXXX,I_WAMXXXXXX (x for your machine name), so
You can be targeted to prevent certain users from viewing your necessary information from your Web network.
Of course, there are some better file strategies you can refer to:
such as: CGI (. exe,. dll,. cmd,. pl) Everyone (X) is not allowed to read, run. Administrators (Full Control)
System (Full Control)
So, when you're writing an ASP application, try to classify your directory as well. Easy to manage with IIS and NT.
Such as. It is better to use the following structure
D:\web\asptest\static (Place *.htm)
D:\web\asptest\script (Place *.asp)
D:\web\asptest\include (Place *.inc)
D:\web\asptest\images (Place *.gif,*.jpg)
This way you can use the above method to achieve the security purpose.
Second: Enable log monitoring.
This is a good tool to mend, at least you can use it to monitor who has done what through WEBL, and of course, you have to protect the log permissions only
Can be a system administrator. and Super Admin control. This prevents some people from doing something without leaving traces. To stay on the scene and not
affect the response speed of IIS. It is also advisable to select the extended Log format for the consortium. (I used to be introduced to ODBC by others, it seems more convenient,
But that's not really the case. He was greatly influenced by the database. And the speed is slower).
You may consider recording the field data:
Customer IP Address
User name
Method
URI Resource
HTTP status
Win32 State
User Agent
Server IP Address
Server port
The latter two properties are useful if you have more than one WEB server on a single computer. Win32 State properties are useful for debugging.
When checking the log, pay close attention to error 5, which means that access is denied. Enter NET helpmsg err on the command line to find other
Win32 the meaning of the error, where err is the error number to look for.
Three: Configure the appropriate script mappings.
Trust me, most of the ASP source code leaks are caused by unsafe or malformed script mappings. And most of them
You may not be able to use it. As I said below.
1 *.htr This is a more powerful file, he is one of the Web applications. Same as an HTA. These are some of the more powerful features, but
Very few introductions. An HTA is an HTML-formatted application that is more powerful. Cut security is lower than HTM. So it might lead
to powerful operations. For example, HTR can use the web to heavy social password. Believe that most of our ASP programmers and NT network administrators do not need this
Couple Well, delete his corresponding option. Otherwise, anyone can use your web to do illegal operations, or even format
Out of your hard drive.
2 *.hta This I have said, he is a double-edged sword, with good, you can access through his to NT's many operations, on the ASP to open
