IIS | Security | Advanced Techniques
One: Preface
(Thanks to my friend Bigeagle; this article exists only because of him. Without him I might not have worried so much about Win2000 security. Oh!)
As people say, once bitten, ten years shy. That is how it was. At the start of 2000, when I finally got rid of the dreadful patching treadmill of Winnt 4.0 Server and moved on to Win2000 Server, I could at last feel more at ease about my server. Then the SP1 patch appeared, and I knew that the cycle of Microsoft patches had started again. Still, Win2000's automated management made me feel much better, and the insomnia I had suffered while managing Winnt gradually disappeared. Occasionally I could even see my brother "Dream". All of this ended with a heart-to-heart talk with Bigeagle. Bigeagle sent me a piece of code over QQ. I could see that it was not code Bigeagle had written: it was ugly, but somehow familiar. One more look. What?! Isn't this my database connection string!! GOD. Suddenly I had an ominous feeling. Fortunately this was only an Access database, and I had used several measures to stop it from being downloaded. But it was enough to keep me awake for a long time. (Again, Bigeagle is not a snake, he is an eagle.)
Two: IIS and ASP security protection during installation. (This applies only to a web server, not to a web development platform on a local machine.)
The next few days were tough days. I started redeploying the security policy for the Win2000 web server.
First I found the reason the ASP code was leaking. Originally I had always applied patches promptly, but one time, because FTP had been uninstalled, I reinstalled IIS and afterwards did not re-apply the patches, which exposed me to the latest web parsing vulnerability. (That is the newer Translate: f loophole: with it plus some tools, one can view the ASP source code.)
First, start by reinstalling IIS.
The strategy for this installation is: secure and sufficient. Get rid of the extras.
First: Do not install FTP. Its functionality is poor, it is easy to misconfigure, and its holes are large. By default FTP transmits the password in clear text, so it is easily intercepted. (You may consider using a third-party tool instead.)
Second: Do not install any samples or documentation. On a web server it is best not to have these examples; it turns out these sample sites can be used to break through the defenses of IIS.
Third: Choose the site directory during installation. It is recommended not to use the default directory C:\Inetpub; the best installation path is on a disk other than the system disk, such as D:\IISWEB. You may consider building your own directory. This way, even if IIS is breached, the system files are protected as well as possible.
Fourth: Do not install HTML remote administration. HTML remote management could be used in Winnt 4.0, but its holes are relatively large and dangerous: although the port number is random, it is easy for people to scan, which leaves a hidden danger. In fact, we can manage this server through the IIS on another server. That is safer.
Fifth: No more services. For example, if you do not run a newsgroup, do not install NNTP. If you have a better mail service, do not install SMTP either.
Sixth: Index Server. This index is really useful, but I have not used it. Otherwise you could use it to build full-text search over the whole site, but now it seems most ASP pages are a single web page that queries the database dynamically, so Indexing Service is of no use at all (it is not that the index is bad; the structure of ASP files is simply not suited to it). So you can leave it uninstalled.
Three: Carry out security configuration with a purpose.
First: Preparatory work.
First, after starting IIS, check whether directories such as \iissamples, \iishelp and \msadc\ exist. If they do, they are mostly used as examples or to help with installation, so delete them, and then delete the script library, until the web directory contains only the newly created static virtual directory. If there is an administration web site, delete it too; we can work fine without it. Also check whether there is a printers folder. It is mostly there to access the printer through the web. MS is strange: to show how powerful it is, it allows remote printing over the web. I believe no network company prints through the web, and it is also impossible for users to use your computer that way. So get rid of it.
Then start configuring security for each web virtual directory in detail. The approximate strategy is this.
Classify each folder for management: files with the same extension go in the same directory, and as far as possible keep *.asp and *.inc separate. For *.asp, the virtual directory permissions are open, but on the actual directory grant Administrators and System Full Control and Everyone (RC). This allows reading over the web. But you can in fact tighten security further if you consider a directory relatively confidential. For *.inc, the directory permissions are open, but direct access is not allowed. Here is another tip. For example, you can allow the actual directory to be accessed by Everyone, but in IIS remove the directory browsing entry, so the file can only be read by the source file that includes it, and not read directly. In this way, nobody can dump your standalone database, and your *.inc files cannot be browsed or read directly.
Just now my brother "Dream" asked me whether there is a way to stop others from seeing your connection string. You can try the following method!
1. First establish the connection string and put it in a separate *.inc file (use *.inc, not *.asp). Copy your connection string into it as a variable, such as:
connstr = "Provider=SQLOLEDB.1;PASSWORD=PASSW;.............."
2. Then create a folder named include in the root directory.
3. Then each file opens the connection in the following way, such as:
<!--#include file="include\*.inc"-->
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open connstr
4. Finally, in IIS, protect the include folder by denying the Read permission. You will find that your connection still opens as usual, but if someone sees your source code, they cannot see the connection string even if they see the include file's path and name, and they cannot download it or open it in IE. So you can protect your connection string.
The method used here is a combination of NT permissions and IIS permissions. We know that, so that users can request server files over the web, every server with IIS installed has two built-in accounts, IUSR_XXXXXX and IWAM_XXXXXX (the x's stand for your machine name), so you can target these to prevent certain users from viewing your sensitive information over the web.
Of course, there are some better file strategies you can refer to, such as:
CGI (.exe, .dll, .cmd, .pl): Everyone (X), execute only, no read; Administrators (Full Control); System (Full Control)
So when you write an ASP application, try to classify your directories as well; it makes them easy to manage with IIS and NT. For example, it is better to use the following structure:
D:\web\asptest\static (for *.htm)
D:\web\asptest\script (for *.asp)
D:\web\asptest\include (for *.inc)
D:\web\asptest\images (for *.gif, *.jpg)
This way you can use the method above to achieve your security goal.
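The per-extension layout above, together with the earlier warning about a standalone database that can be dumped over the web, can be checked mechanically. The following audit script is an added example, not code from the original article: it assumes the hypothetical policy that *.inc files live only under include\ and that no Access database (*.mdb) sits anywhere under the web root, and it builds a constructed sample tree in a temporary directory to run against.

```python
"""Audit an ASP site tree against the per-extension layout described above."""
import os
import tempfile

# Expected home directory for each extension: a hypothetical policy matching the
# D:\web\asptest\{static,script,include,images} structure from the text.
LAYOUT = {
    ".htm": "static", ".html": "static",
    ".asp": "script",
    ".inc": "include",
    ".gif": "images", ".jpg": "images",
}
# A standalone Access database under the web root can be fetched over HTTP
# once its path leaks, so it should never be there at all.
NEVER_UNDER_WEBROOT = {".mdb"}

def audit_layout(root):
    """Return sorted (relative_path, problem) pairs for files that break the policy."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]  # first-level folder
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if ext in NEVER_UNDER_WEBROOT:
                problems.append((rel, "database file inside web root"))
            elif ext in LAYOUT and top != LAYOUT[ext]:
                problems.append((rel, f"{ext} belongs in {LAYOUT[ext]}/"))
            elif ext not in LAYOUT:
                problems.append((rel, "unclassified extension"))
    return sorted(problems)

def build_sample_site():
    """Create a constructed sample tree with two policy violations; returns its root."""
    root = tempfile.mkdtemp(prefix="asptest_")
    sample = {
        "static/index.htm": "<html></html>",
        "script/login.asp": '<!--#include file="../include/conn.inc"-->',
        "script/conn.inc": 'connstr = "Provider=SQLOLEDB.1;PASSWORD=PASSW;"',  # wrong folder
        "include/conn.inc": 'connstr = "Provider=SQLOLEDB.1;PASSWORD=PASSW;"',
        "images/logo.gif": "",
        "data/site.mdb": "",  # Access database under the web root
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, why in audit_layout(build_sample_site()):
        print(f"{rel}: {why}")
```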
Second: Enable log monitoring.
This is a good remedial tool; at least you can use it to monitor who has done what through the web. Of course, you must protect the log permissions so that only the system administrator and the super admin control them. This prevents people from doing things without leaving traces. To preserve the scene without affecting the response speed of IIS, it is also advisable to select the W3C Extended Log format. (I was once introduced to ODBC logging by others; it seems more convenient, but that is not really the case: it is heavily affected by the database, and it is slower.)
You may consider recording the following fields:
Client IP Address
User Name
Method
URI Stem
HTTP Status
Win32 Status
User Agent
Server IP Address
Server Port
The latter two fields are useful if you have more than one web server on a single computer. The Win32 Status field is useful for debugging.
When checking the log, pay close attention to error 5, which means access is denied. Enter NET HELPMSG err at the command line to find the meaning of other Win32 errors, where err is the error number to look up.
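As an added example (not from the original article), the following script parses W3C Extended log lines carrying the fields recommended above and pulls out the entries with Win32 status 5, then counts them per client IP so repeated probes of a protected path stand out. The log text is constructed for the example; it assumes the field names IIS writes in its #Fields directive, with the cs(User-Agent) value containing no spaces, as IIS encodes them.

```python
"""Scan IIS W3C Extended log lines for access-denied events (sc-win32-status 5)."""
from collections import Counter

# Constructed sample log in W3C Extended format with the recommended fields.
# IIS separates fields with single spaces and replaces spaces inside a value
# (for example the User-Agent) with '+', so a simple split() is enough.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-09-12 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent) s-ip s-port
2000-09-12 08:00:01 10.0.0.7 - GET /script/index.asp 200 0 Mozilla/4.0 192.168.1.10 80
2000-09-12 08:00:05 10.0.0.7 - GET /include/conn.inc 401 5 Mozilla/4.0 192.168.1.10 80
2000-09-12 08:00:06 10.0.0.7 - GET /include/conn.inc 401 5 Mozilla/4.0 192.168.1.10 80
2000-09-12 08:01:10 10.0.0.9 - GET /static/about.htm 200 0 Mozilla/4.0 192.168.1.10 80
2000-09-12 08:02:00 10.0.0.7 - GET /script/index.asp 200 0 Mozilla/4.0 192.168.1.10 8080
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a new header may change the layout
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))

def access_denied(text):
    """Return the entries whose Win32 status is 5 (ERROR_ACCESS_DENIED)."""
    return [e for e in parse_w3c(text) if e.get("sc-win32-status") == "5"]

def denied_by_client(text):
    """Count access-denied hits per client IP to see who keeps probing protected paths."""
    return Counter(e["c-ip"] for e in access_denied(text))

if __name__ == "__main__":
    for e in access_denied(SAMPLE_LOG):
        print(e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["sc-status"])
    print(denied_by_client(SAMPLE_LOG))
```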
Third: Configure appropriate script mappings.
Trust me, most ASP source code leaks are caused by unsafe or malformed script mappings. And most of them you may never use, as I explain below.
1. *.htr This is a rather powerful file type; it is one of the web applications, similar to HTA. These have some powerful features, but very few introductions. An HTA is an HTML-formatted application that is more powerful, but its security is lower than HTM, so it can lead to powerful operations. For example, HTR can be used to reset passwords over the web. I believe most of our ASP programmers and NT administrators do not need this, so delete its corresponding mapping. Otherwise anyone can use your web to carry out illegal operations, even format your hard drive.
2. *.hta I have mentioned this already. It is a double-edged sword: used well, you can carry out many NT operations through it, even creating NT users from ASP. But most such work is best done without going through the web. *.hta is rarely used on the web, even though it launched with IIS 4.0. For example, if you save a file as *.hta, you can open it with IE; look, it has a strange interface. I heard from an MS engineer that .NET has changed the theory behind *.hta and increased its functions. It seems the work of network administrators is going to increase. If you want to be safe, erase it.
3. *.idc This thing is a relatively old database connection method; now most sites use ASP files directly, with no IDC, so delete it.
4. *.printer This is the printer file. Get rid of it, okay?
5. *.htw, *.ida, *.idq These are index files and can also be removed.
Fourth: Good security habits.
Account policy, password policy.
These are actually covered in my first two posts, and so on; those interested can look at the relevant articles.
Besides that, pay more attention to the MS site and read the security bulletins. (MS traffic has long ranked among the world's top three!)
Also prepare some third-party tools, such as scanning tools and attack simulation tools. Visit security sites more often.
If you can have some good hacker friends (the method of my other brother and his family), that is also better. (The dark road is the road hackers walk!)
Fifth: Prevent the ASP code from being leaked.
Here I can only say prevent; I only start from the methods for discovering ASP vulnerabilities. For IIS 4.0 there are now almost 20 such methods, but after installing SP6a only two remain, and those can be resolved by downloading the patches issued after August 2000 from the security bulletins on Microsoft's website. But if you use the methods above in this article, SP6 will do.
If you are on Win2000 Server, there are two methods; after SP1 there is one more, so you have to go back to the Microsoft Security Bulletins and download the corresponding hotfix, which solves it.
Sixth: Prevent malicious destruction.
This feature can deal with the bad elements you have been monitoring: you can see in the log, or in a third-party tool, who is probing and attacking your IIS, then put them on an unwelcome blacklist and configure the site to refuse access from that IP or domain. But this comes at a cost: your IIS will have to do reverse lookups, which may be time-consuming.
Seventh: On the topic of security.
The above concerns only IIS and ASP. If you want to use a database, use remote management, or use a remote database connection, that is a separate matter. As I said, there is no absolute security; there is only the need for security. On the topic of security there is no end, only to be continued.