Effective server settings for preventing Web intrusion (illustrated method) - Win Server

Source: Internet
Author: User
Tags md5 encryption mssql parent directory
Configuring the server so that a Webshell cannot be planted is therefore an effective method of protecting it.
I. Preventing illegal downloading of databases
Any administrator with some awareness of network security changes the default database path of a site program downloaded from the Web. Some administrators, however, are very careless: they install the program on their own server exactly as downloaded and do not even delete the description file, let alone change the database path. A hacker can then download the website's source program directly from the source site, find the default database path in a local test installation, download the database, read the user information and data in it (usually MD5-encrypted), and find the management entrance to obtain a Webshell. The database path can also be exposed by a program error. How do we prevent this? We can add an extension mapping for .mdb files, as follows.
Open IIS and add a mapping for the .mdb extension, so that .mdb files are passed to an application for parsing instead of being served as a download: under "IIS Properties" - "Home Directory" - "Configuration" - "Mappings" - "Application Extensions", add an application mapping for .mdb files. Which application parses the file is your own choice, as long as the database file can no longer be fetched by requesting it.
This has two advantages: (1) database files with the .mdb suffix can never be downloaded; (2) it applies to every .mdb file on the server, which is useful for virtual host administrators.
II. Preventing uploads
The configuration above does not help if the site uses an MSSQL database: as long as an injection point exists, an injection tool can still be used to guess the database contents. And if the file upload function has no authentication at all, an ASP Trojan can be uploaded to obtain a Webshell on the server directly.
The rule for uploads can be summed up as: a directory that accepts uploads gets no execute permission, and a directory that can execute gets no upload permission. Web programs run as the IIS user, so we can prevent an intruder from uploading a Webshell by giving the IIS user write access only to one specific upload directory and then removing script execution permission from that directory. Configuration method: first, on the Web directory in IIS, open the Permissions tab and give the IIS user only read and list-directory permissions; then go to the directory where uploaded files are saved and the directory where the database is stored, and add write permission for the IIS user; finally, in "Properties" - "Execute Permissions" for these two directories, change "pure script" ("Scripts only" in the English IIS interface) to "none".
Finally, when you set the permissions above, pay attention to how inheritance from the parent directory is set. Otherwise the settings may have been made in vain.
III. MSSQL injection
Defending an MSSQL database starts with the database connection account. Do not use the SA account: connecting to the database as SA is a disaster for the server. Generally, you can connect with an account that has db_owner rights, and if the application works with it, the public user is the safest choice. When the connection is limited to dbo permission, the intruder is left with guessing the user name and password, or using a differential backup, to obtain a Webshell. Against the former, we can defend with encryption and by changing the default login entry of the management back end. A differential backup only works if the account has backup permission and the intruder knows the Web directory. The Web directory is usually found by traversing directories or by reading the registry directly. Both methods rely on the two extended stored procedures xp_regread and xp_dirtree, so we only need to delete these two extended stored procedures; the corresponding DLL files can be deleted as well.
But if the Web directory is exposed through a program error, this does not help. So we also need to lower the account's privileges so that it cannot complete the backup operation. The specific steps are as follows: in the account's Properties - Database Access options, select only the corresponding database and give it dbo permission; do nothing for the other databases. Then go to the database's Properties - Permissions and remove the user's backup database and backup log permissions, so that intruders cannot obtain a Webshell through differential backups.
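
The account restrictions described in this section, written as T-SQL with a verification step; this is an added example, not part of the original article. `SiteDb`, `webapp_login` and `webapp_user` are hypothetical names. It assumes SQL Server 2005 or later, where system extended procedures cannot be dropped with `sp_dropextendedproc`, so EXECUTE is denied to `public` instead of deleting them.

```sql
-- Added example (not from the original article).
-- SiteDb, webapp_login and webapp_user are hypothetical names.

-- 1. Connection account: a dedicated login instead of sa.
USE master;
GO
CREATE LOGIN webapp_login WITH PASSWORD = '<replace-with-strong-password>';
GO

-- 2. Give it access to its own database only, with dbo-level rights there,
--    then take away the two permissions a differential backup needs.
USE SiteDb;
GO
CREATE USER webapp_user FOR LOGIN webapp_login;
EXEC sp_addrolemember 'db_owner', 'webapp_user';
DENY BACKUP DATABASE TO webapp_user;
DENY BACKUP LOG TO webapp_user;
GO

-- 3. Block the directory and registry procedures for non-sysadmin logins.
--    Test first: some administration tools call these procedures.
USE master;
GO
DENY EXECUTE ON xp_regread TO public;
DENY EXECUTE ON xp_dirtree TO public;
GO

-- 4. Verify from the account's point of view.
--    A 1 in either column means the account can still run that backup.
USE SiteDb;
GO
EXECUTE AS USER = 'webapp_user';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'BACKUP DATABASE') AS can_backup_db,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'BACKUP LOG')      AS can_backup_log;
REVERT;
GO

-- 5. List the permission entries recorded for the two procedures.
USE master;
GO
SELECT o.name AS procedure_name, pr.name AS grantee, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.all_objects AS o ON o.object_id = pe.major_id
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1 AND pe.permission_name = 'EXECUTE'
  AND o.name IN ('xp_regread', 'xp_dirtree');
```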