IIS classic Q & A [zz from technet]


I have seen some Q&A about IIS on MS TechNet. I think it is helpful for you to see it here.
If you are interested, you can read more here:
Http://www.microsoft.com/china/technet/community/columns/insider/default.mspx


 

----------------------------------------------------
Leave a message
 
 
 
Post Operation:

Neomagic

 

Number of posts: 1,920
From: Xanadu
Registration Date: February 1, 2004
Points: 11

 
Is it best to rename the inetpub and wwwroot directories?
 

Q:
We are hardening an IIS 5.0 server in our network environment. Someone suggested renaming the inetpub and wwwroot directories. We don't see any benefit in doing so. Can you comment on this?
A:
A good security practice is for a server not to use the standard directory names. In the case of IIS, attackers do not necessarily know the underlying file structure of the IIS server. For example, if you map the Web site root to D:\websites\mywebsite and someone accesses the server and receives default.asp, the client has no idea that default.asp is located in the D:\websites\mywebsite folder. If attackers can obtain write access to the server, they may write their own executable programs to it; however, this requires the attacker to have execute permission, in the user context currently in use, on the location where the program is written. In the default configuration of IIS 5, Everyone is granted "Full Control" on several locations, such as the \inetpub\scripts folder. You should, of course, delete or modify these folders; the IIS Lockdown tool can do this for you.
It is important to move these files off the system drive, because the installer places inetpub on the system drive by default. This helps prevent attackers from exploiting potential canonicalization attacks (that is, using ../.. sequences to trick IIS into traversing directories). To guard against this further, you can change the default folder names supplied by the installer. Not using the well-known paths makes deliberate damage harder for attackers. Because this change is very simple (at least when you first install the server) and improves security, it can be called a best practice: wherever it is feasible, it should be done.
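As an added example (not part of the TechNet column or the forum post), the following PowerShell script audits an IIS 5/6 server for the two conditions the answer describes: site roots left on the system drive under the installer's default \inetpub paths, and folders where Everyone holds Write or Full Control. It assumes the IIS 6 metabase ADSI provider (IIS://) is available on the local machine.

```powershell
# Added example: audit IIS site roots for default paths on the system drive and
# for Everyone Write/Full Control ACLs. Assumes the IIS:// ADSI provider (IIS 6,
# or the IIS 6 metabase compatibility component on later versions).

$systemDrive  = $env:SystemDrive                      # e.g. "C:"
$defaultPaths = @("$systemDrive\inetpub\wwwroot", "$systemDrive\inetpub\scripts")

function Get-SiteRoots {
    # Returns one object per Web site with its physical root path.
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($child in $w3svc.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne "IIsWebServer") { continue }
        $root = [ADSI]"$($child.psbase.Path)/ROOT"
        New-Object PSObject -Property @{
            Site = [string]$child.ServerComment
            Path = [string]$root.Path
        }
    }
}

function Test-RiskyAcl($folder) {
    # True when an Allow rule gives Everyone Write, Modify or Full Control.
    if (-not (Test-Path $folder)) { return $false }
    $acl = Get-Acl $folder
    foreach ($rule in $acl.Access) {
        if ($rule.IdentityReference.Value -ne "Everyone") { continue }
        if ($rule.AccessControlType -ne "Allow")           { continue }
        if ($rule.FileSystemRights -match "FullControl|Write|Modify") { return $true }
    }
    return $false
}

foreach ($site in Get-SiteRoots) {
    $issues = @()
    if ($site.Path -like "$systemDrive\*")   { $issues += "root is on the system drive" }
    if ($defaultPaths -contains $site.Path)  { $issues += "root uses a default installer path" }
    if (Test-RiskyAcl $site.Path)            { $issues += "Everyone has Write/Full Control" }
    if ($issues.Count -eq 0) { $issues = @("OK") }
    "{0,-25} {1,-35} {2}" -f $site.Site, $site.Path, ($issues -join "; ")
}

# The installer's default folders are checked even if no site points at them.
foreach ($p in $defaultPaths) {
    if (Test-RiskyAcl $p) { "Default folder $p still grants Everyone Write/Full Control" }
}
```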


 

----------------------------------------------------

 
How does one force NTLM authentication on IIS Server 6?
 

Q:
We have an IIS 6 server, but we cannot get integrated Windows authentication to work. I think this is because Windows Server 2003 uses Kerberos v5. Since clients inside the firewall have always been able to use integrated Windows authentication with IIS 5 on Windows 2000 Server, is there a way to force Windows Server 2003/IIS 6 to use the same authentication method as Windows 2000 Server (NTLM?) so that clients inside the firewall can authenticate?
A:
Integrated Windows authentication works the same way on IIS 6 and IIS 5, so I suspect the problem has nothing to do with NTLM versus Kerberos. However, when troubleshooting this problem you may need to settle that basic question first, so let's deal with the Kerberos part of the bigger picture first.
IIS will attempt to use Kerberos for authentication only when all of the following conditions are met:
1. Integrated Windows authentication is enabled.
2. The IIS server is a member of an Active Directory domain.
3. The Web site has been registered with Kerberos as a service principal name (SPN).
4. The client is a member of a trusted domain.
5. The client uses a browser and operating system that support Kerberos.
One of the most common causes of Kerberos failure is that the Web site is not a registered SPN. This is the case when the Web site name used in the URL is not the computer's NetBIOS name. In that case, you need to use the Setspn.exe tool to register the Web site name with Kerberos as a service principal name. To test the registration, you can configure the Web site to respond to the computer's NetBIOS name. On an intranet running Active Directory, set the Web site to respond to all unassigned IP addresses, or to the IP address returned when you ping the server name. If authentication succeeds, you have resolved the Kerberos issue.
There are other things to watch for as well; for details, see the "Integrated Windows Authentication" section of the IIS Resource Guide.
Alternatively, you can configure IIS to skip Kerberos negotiation and go straight to NTLM authentication. To do so, set the metabase entry "NtAuthenticationProviders" to "NTLM". In IIS 5, 5.1, and 6.0 you can set this entry at the site level. Note that it is important to record this modification. Otherwise, if you want to re-enable Kerberos one day, it will not work as expected, and nothing in the user interface will explain why Kerberos cannot run in this case.
If authentication works with this option set (Kerberos disabled), your guess was correct and Kerberos does have a problem. If authentication still fails, make sure that the client and server are configured with similar NTLM settings in "Local Security Policy", as shown below:
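As an added example (not from the TechNet column or the forum post), this PowerShell script makes the NtAuthenticationProviders change described above for one site and, because the answer insists the change be recorded, writes the previous value to a log before touching the metabase. It assumes the IIS 6 metabase ADSI provider; the site id 1 and the log path are assumptions for illustration.

```powershell
# Added example: force NTLM on one IIS 6 site by setting NTAuthenticationProviders,
# recording the prior value first so Kerberos can be restored later.
# Assumes the IIS:// ADSI provider; site id and log path are illustrative.

param(
    [int]$SiteId = 1,
    [string]$LogFile = "C:\iis-auth-changes.log"     # assumed location
)

# Before forcing NTLM, the SPN side of the answer can be inspected with:
#   setspn -L <computername>

$site   = [ADSI]"IIS://localhost/W3SVC/$SiteId"
$before = [string]$site.NTAuthenticationProviders
if ($before -eq "") { $before = "<not set: default Negotiate,NTLM>" }

# Write the audit record first, so the change is never made without a trail.
$entry = "{0} {1} W3SVC/{2} NTAuthenticationProviders: '{3}' -> 'NTLM'" -f `
    (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $env:USERNAME, $SiteId, $before
Add-Content -Path $LogFile -Value $entry

# Site-level setting, as the answer says is possible on IIS 5, 5.1 and 6.0.
$site.Put("NTAuthenticationProviders", "NTLM")
$site.SetInfo()

# Re-read to confirm what the metabase now holds.
$after = [string]([ADSI]"IIS://localhost/W3SVC/$SiteId").NTAuthenticationProviders
"W3SVC/$SiteId NTAuthenticationProviders was '$before', now '$after'"
"To re-enable Kerberos later, set it back to 'Negotiate,NTLM' (change logged in $LogFile)"
```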


 

----------------------------------------------------

 
Basic authentication and integrated Windows authentication
 

Q:
I have an internal corporate Web site. I want all authenticated users to be able to access a directory on another server. I have mapped the remote server's content to a drive on the Web server and, for testing, granted the Everyone group Full Control over the share and its NTFS permissions; our application then accesses the content by referencing the drive letter.
When we configure integrated Windows authentication for this directory, no user can access the remote location. However, if we use basic authentication and specify a domain, users can access the remote content. My question is: why doesn't integrated Windows authentication remember the user's credentials for accessing the remote server, while basic authentication works?
A:
Although this looks like a problem of integrated Windows authentication not remembering credentials, that is not what is happening. For the security of any site or server, the key is to balance functionality against security. Basic authentication uses the local logon type, also known as an "interactive" logon. Credentials of this type can be delegated to other servers, so credentials obtained through basic authentication can be used to access a remote system successfully. The same is true for access to SQL Server: you can authenticate the client with basic authentication and forward the credentials to a SQL Server configured for SQL authentication. However, when you use integrated Windows authentication to authenticate to the IIS server, the "network" logon type is used. This logon type is far more secure than basic authentication, but the credentials cannot be forwarded to other servers unless Kerberos is in use on the corporate intranet. Once Kerberos is in use (and configured correctly), user credentials can be delegated across the entire directory forest (see Microsoft Knowledge Base article 326089).
To access remote content conveniently and reliably regardless of the authentication type, configure a virtual directory to access the remote content; you will be prompted for a user name and password that are valid on both the IIS server and the remote server. When the virtual directory is accessed, the request is made as the specified user, regardless of the authentication method the user used, so the remote content can be accessed.
Unless you can use Kerberos, we recommend that you modify the application to use a standard virtual directory instead of a mapped drive. That way, remote content can be accessed reliably. Mapped drives are not recommended in any case, because a mapped drive lives in the profile of the user who created the mapping. If another user logs on to the IIS server, the mapped drive does not exist and has no association with your application.
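As an added example (not from the TechNet column or the forum post), the following PowerShell script creates the kind of virtual directory the answer recommends: one that points at a UNC path and carries its own connect-as account, so the remote content is reachable regardless of how the client authenticated. The site id, share, vdir name and account are assumptions for illustration; it assumes the IIS 6 metabase ADSI provider.

```powershell
# Added example: replace a mapped drive with an IIS 6 virtual directory that
# targets a UNC share using a dedicated connect-as account (UNCUserName/UNCPassword).
# Site id, share, account and vdir name are illustrative assumptions.

$siteId   = 1
$vdirName = "remotecontent"
$uncPath  = "\\FILESERVER\webcontent"     # assumed share
$uncUser  = "CORP\svc-webcontent"          # assumed low-privilege account

# Prompt for the password instead of embedding it in the script.
$secure = Read-Host "Password for $uncUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$root = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT"
$vdir = $root.Create("IIsWebVirtualDir", $vdirName)
$vdir.Put("Path", $uncPath)             # UNC target instead of a drive letter
$vdir.Put("UNCUserName", $uncUser)      # account IIS uses to reach the share
$vdir.Put("UNCPassword", $plain)
$vdir.Put("AccessRead", $true)          # static content only: no script or execute
$vdir.Put("AccessScript", $false)
$vdir.Put("AccessExecute", $false)
$vdir.SetInfo()
$plain = $null

# Verify what was stored (the password is not echoed back).
$check = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/$vdirName"
"Created /$vdirName -> $($check.Path) as $($check.UNCUserName)"
```

The connect-as account only needs Read on the share and the NTFS folder, which also removes the need for the Everyone Full Control grant mentioned in the question.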


 

----------------------------------------------------

 
In Windows 2000 Professional, is the number of IIS 5.1 connections limited to 10?
 

Q:
I have heard that the number of IIS 5.1 connections on Windows 2000 Professional is limited to 10. This makes it unsuitable for our application. I wonder whether I can increase the number of connections in the operating system through registry settings or some other workaround.
A:
Of the questions I receive, this is one of the most frequently asked. Many people have a legitimate need to support more than 10 connections, in order to develop and test systems that support multiple concurrent accesses. However, some people want to use Windows 2000 Professional as a server platform, which it is neither designed nor permitted for. I know many people in newsgroups and elsewhere discuss various settings that allow more than 10 connections, but we have not tested any of them, for a simple reason: I believe that if you need server services, you need a server operating system.
It is often said that if the connection limit is 10, the user limit is 10. In general, a Web client can create multiple connections to the Web server, so your IIS server may not even support 10 users at the same time. For this reason, Windows 2000 Professional with IIS 5 has a little-known special case that allows you to set a Web site to accept up to 40 users. You only need to set the allowed number of connections to a value below 40 and, voilà, you can accept up to 40 concurrent HTTP connections. This special case applies only to HTTP, so you still cannot accept more than 10 connections through file and printer sharing.

 

----------------------------------------------------

 
What causes the IUSR password to expire?
 

Q:
I encountered a problem on IIS 5 servers: anonymous access to these servers stopped working. The event log indicates that the IUSR password has expired. What causes the IUSR password to expire? Is it configured by default to expire after a certain period?
A:
By default, the anonymous user account's attributes are set to "Password never expires" and "User cannot change password". This is true on stand-alone servers and on domain controllers. So the password will not expire unless some setting on the account is changed. This can happen if password expiration is enforced on the server through security policy. More likely, an administrator who did not realize the special purpose of this design created a new anonymous user account or set an expiry period on the account. (A security administrator once told me that IIS does not need the IWAM account and that it could be deleted.) It can also happen because a security script that enforces password policy was run, resetting the account policy for all users, including the anonymous user. To determine which operations led to these changes, you may need to enable auditing of account management and policy changes.
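As an added example (not from the TechNet column or the forum post), this PowerShell script reads which account IIS actually uses for anonymous access from the metabase and checks that it still carries the two default flags the answer describes, then exports the local audit policy so you can confirm account-management and policy-change auditing are on. It assumes the IIS 6 metabase ADSI provider and a local (or domain-reachable) anonymous account.

```powershell
# Added example: verify the IIS anonymous account's "Password never expires" and
# "User cannot change password" flags, and show the current audit policy.
# Assumes the IIS:// ADSI provider. Flag constants are the ADS_USER_FLAG values.

$ADS_UF_ACCOUNTDISABLE     = 0x2
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-AnonymousAccountStatus {
    # Use the configured anonymous user from the metabase, not a guessed name.
    $anon = [string]([ADSI]"IIS://localhost/W3SVC").AnonymousUserName
    if ($anon -eq "") { $anon = "IUSR_$env:COMPUTERNAME" }    # IIS 5/6 default
    if ($anon -match "\\") { $domain, $name = $anon.Split("\") }
    else { $domain = $env:COMPUTERNAME; $name = $anon }

    $user  = [ADSI]"WinNT://$domain/$name,user"
    $flags = [int]$user.UserFlags.Value
    New-Object PSObject -Property @{
        Account              = "$domain\$name"
        Disabled             = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        PasswordNeverExpires = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        CannotChangePassword = (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
        PasswordExpired      = ([int]$user.PasswordExpired.Value -ne 0)
    }
}

$status = Get-AnonymousAccountStatus
$status | Format-List
if (-not $status.PasswordNeverExpires -or -not $status.CannotChangePassword) {
    "WARNING: $($status.Account) no longer has the default flags; a password policy or"
    "script has probably reset it, and anonymous access will break when the password expires."
}

# The answer recommends auditing account management and policy changes; export the
# local policy and show both values (0 = none, 1 = success, 2 = failure, 3 = both).
secedit /export /cfg "$env:TEMP\audit.inf" /areas SECURITYPOLICY | Out-Null
Select-String -Path "$env:TEMP\audit.inf" -Pattern "AuditAccountManage|AuditPolicyChange"
```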

 

----------------------------------------------------

 
What measures should I take if the IIS server is successfully attacked?
 

Q:
I recently discovered that my IIS server had been successfully attacked. I set up system auditing on Sunday afternoon and found that someone had successfully logged on to my computer on Monday morning. I found that some users on my system had been modified by the hacker.
The Guest logon was activated, the Guest and IUSR accounts were added to the Administrators group, and other user rights were modified to enable the Remote Registry service. I have fixed all of these problems and set up auditing on the server, and so far no suspicious behavior has been found. Can the hackers still gain privileged access to this system?
A:
Unfortunately, I am sorry to hear that this happened to you, but I think the best course for you, and for anyone who has suffered an attack of this level, is to reformat the drive and redo all the configuration. There are two major problems with your repair strategy.
First, it assumes that you have discovered every modification the attacker made to your system (which is almost impossible unless you have thoroughly searched all files and network activity logs). Attackers may have installed a Trojan horse, a keystroke logger, or a management console on your system without your noticing. Some of the latest attacks include kernel-mode drivers that appear to be part of the operating system (which even a well-trained eye can find hard to spot).
Second, even if you have fixed everything, the attackers may have obtained privilege information, such as user names and passwords. They may have created a location in the file structure that grants them full control, and that location may be very well hidden. They can log on to the system using an account they created or a password they have cracked.
Check any other computers connected to the IIS server immediately. Domain controllers and other servers (such as SQL, Exchange, and IIS servers) that communicate with the IIS server are the primary targets to check. If attackers have privileges on this IIS server, they may begin to compromise the entire network.
Obviously, these measures consume a lot of time and money. For this reason, I urge companies and administrators to acquire the skills and technology needed to minimize the chance of a successful attack. In addition, systems should be monitored and the administrator notified as soon as problems arise.
One way to achieve strong security quickly is to use Microsoft Internet Security and Acceleration (ISA) Server and "publish" the Web server through the ISA Server. With this configuration, the ISA Server acts as a firewall, protecting the IIS server from attack while delivering the necessary content to clients. In this way, attackers have no direct access to the IIS server. For more information, see the Internet Security and Acceleration Server Product Guide at http://www.microsoft.com/isaserver/evaluation/productguide.asp
Of course, even if you have installed ISA Server or another capable firewall, you still need to take the necessary measures to secure the Web servers themselves.
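As an added example (not from the TechNet column or the forum post), this PowerShell script re-checks, on the IIS server and on the other machines the answer says to inspect, the specific changes the poster reported: Guest enabled, Guest or IUSR_* in the local Administrators group, and the Remote Registry service running. It is triage to scope the incident across hosts, not a substitute for the rebuild the answer recommends; the computer list is an assumption and the script is meant to run from an administrative workstation.

```powershell
# Added example: look for the poster's indicators (Guest enabled, Guest/IUSR_* in
# Administrators, Remote Registry running) on one or more computers.
# Uses the WinNT:// ADSI provider; the default computer list is just the local host.

param([string[]]$Computers = @($env:COMPUTERNAME))

function Get-LocalGroupMembers($computer, $group) {
    $g = [ADSI]"WinNT://$computer/$group,group"
    foreach ($m in $g.psbase.Invoke("Members")) {
        # Each member is a raw COM object; read its ADsPath through reflection.
        $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null) -replace "^WinNT://", ""
    }
}

function Test-AccountEnabled($computer, $name) {
    $u = [ADSI]"WinNT://$computer/$name,user"
    return (([int]$u.UserFlags.Value -band 0x2) -eq 0)   # 0x2 = ADS_UF_ACCOUNTDISABLE
}

foreach ($c in $Computers) {
    $findings = @()
    if (Test-AccountEnabled $c "Guest") { $findings += "Guest account is enabled" }

    $admins = Get-LocalGroupMembers $c "Administrators"
    foreach ($a in $admins) {
        if ($a -match "/(Guest|IUSR_[^/]*)$") { $findings += "$a is in Administrators" }
    }

    $svc = Get-Service -ComputerName $c -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq "Running") { $findings += "Remote Registry service is running" }

    if ($findings.Count -eq 0) { $findings = @("none of the listed indicators found") }
    "{0}: {1}" -f $c, ($findings -join "; ")
    "  Administrators: " + ($admins -join ", ")
}
```

Any hit on a second machine widens the scope of the rebuild; review the full Administrators membership printed for each host rather than only the matched names.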

 

----------------------------------------------------

 
What is a Web garden?
 

Q:
IIS 6.0 has a new feature called a Web garden. With it, you can configure an application pool to use multiple worker processes. When does IIS create an additional worker process? What should we know before we implement a Web garden?
A:
When you create an application pool, you tell IIS 6 to create a worker process to serve the content of the Web sites, files, and folders assigned to that application pool. You can configure the application pool to start more than one worker process, which improves scalability. This feature is called a Web garden, a small "Web farm": instead of using multiple computers to serve the same content (a Web farm), you use multiple processes on one computer to serve the same content.
To configure an IIS 6 application as a Web garden, you only need to go to the "Maximum number of worker processes" box on the "Performance" tab of "Application Pool Properties" and set the number of worker processes to a value greater than 1. When the value is greater than 1, a new worker process instance is started for each request, up to the maximum number of worker processes you specified. Subsequent requests are then sent to the worker processes in round-robin fashion.
Web gardens are useful when your application's resources are limited. For example, if your connection to the database is slow, you can use multiple worker processes to increase user throughput and the number of connections to the database.
Although Web gardens are very useful in some cases, you must be aware that session information is unique to each worker process. Because requests are routed to the application pool's worker processes in round-robin fashion, a Web garden may not be very useful for applications that store session information.
In a few cases, resource contention may occur when multiple worker processes run the same application. For example, if all worker processes attempt to write to the same log file, or use resources not designed for multiple concurrent accesses, resource contention may occur.
If these problems do not apply, a Web garden may be one of the features you need, and it can play a very important role.
 
 
