Windows IIS 6 Security Protection Sticker-URL Authorization Overview

Source: Internet
Author: User
Tags metabase

IIS is one of the most common Web servers on Windows. It is powerful and easy to use, but it is also vulnerable to malicious attacks, and its security has long been a focus of discussion. To enhance the security of Web servers, many security protection functions were added to IIS6 in Windows Server 2003. "URL Authorization" is one of them. This feature makes IIS6 more secure and stable. This article introduces URL Authorization.

I. Why URL Authorization?

An IIS website provides convenience for users, but its security has always been the most important topic for administrators. As we all know, there are vulnerabilities in IIS server components, and many "bad guys" exploit these vulnerabilities to attack websites. Although timely installation of IIS patches can fix these vulnerabilities, new vulnerabilities continue to emerge. Many administrators disable anonymous access to control which users can reach the website, but this method still carries certain security risks. To enhance IIS security, Windows Server 2003 provides the URL Authorization function, which strictly controls the users who browse websites through the Authorization Manager. For a user account to access a virtual directory with URL Authorization enabled, it must be a valid account in Windows Server 2003. In addition, you must add this account to a role assignment in the Authorization Manager.

II. Configure URL Authorization

By default, the URL Authorization function is not enabled for IIS6. You must configure it manually together with the Authorization Manager. Next, I will introduce how to implement it step by step.

1. Disable Anonymous Access

In Windows Server 2003, IIS6 allows anonymous access by default. To use the URL Authorization function, you must first disable anonymous access. Click "Start > Run". In the Run dialog box, enter the "%systemroot%\System32\InetSrv\IIS.msc" command ("%systemroot%" indicates the directory of the operating system). Press Enter to bring up the "Internet Information Services (IIS) Manager" window, and expand "Local Computer > Web Sites > Default Web Site" in turn. The following uses the Online virtual directory of the default website as an example to describe how to configure URL Authorization.

Right-click the "Online" folder and choose "Properties" from the shortcut menu. In the displayed Online Properties dialog box, switch to the "Virtual Directory" tab and click "Create". On the "Directory Security" tab, click the "Edit" button in the "Authentication and access control" section. In the displayed "Authentication Methods" dialog box, clear the check box in front of "Enable anonymous access", make sure that the "Integrated Windows authentication" option is selected (1), and then click "OK" twice.

2. Configure the wildcard application mapping
2. Configure wildcard application ing

After anonymous access is disabled, the actual configuration begins. First, configure the wildcard application mapping for the URL Authorization function. On the "Virtual Directory" tab of the Online Properties dialog box, click "Configuration" to bring up the application configuration dialog box. Click "Insert" in the "Wildcard application maps" section (2). In the "Add/Edit Application Extension Mapping" dialog box, click "Browse", go to the "%systemroot%\System32\InetSrv" directory, and find the urlauth.dll file. Click "Open" and then click "OK".

3. Add a Web service extension

Next, add a Web service extension for URL Authorization in IIS6. In the Internet Information Services (IIS) Manager window, expand "Local Computer > Web Sites > Web Service Extensions". In the Web Service Extensions pane on the right, click the "Add a new Web service extension" link to bring up the New Web Service Extension dialog box (3). In the "Extension name" field, enter "URL Authorization" and click "Add". In the Add dialog box, click "Browse", locate the urlauth.dll file in the "%systemroot%\System32\InetSrv" directory, open it, and click "OK". In the New Web Service Extension dialog box, select the "Set extension status to Allowed" option, and click "OK".

4. Create an authorization store

The URL Authorization function must be used together with the Authorization Manager, which manages the user accounts that access the IIS website. Therefore, you must configure the Authorization Manager. First, create a file for storing authorization information. In the Run dialog box, enter the "Azman.msc" command and press Enter to bring up the Authorization Manager window. Right-click the "Authorization Manager" item and choose "Options" from the menu, then select "Developer mode" in the Options dialog box and click "OK". Next, create an authorization store file: right-click the "Authorization Manager" item and select the "New Authorization Store" option. The authorization store dialog box is displayed (4). Select the "XML file" option, enter "C:\MyStore.xml" in the "Store name" field, and click "OK".

In the Authorization Manager window, right-click the MyStore.xml item. Select "New Application" in the pop-up menu, enter "IIS6 URL Authorization" in the name field, and click "OK". In the Authorization Manager window, expand "IIS6 URL Authorization > Definitions", right-click "Operation Definitions", and select "New Operation Definition" in the pop-up menu. Enter "AccessURL" in the "Name" field and "1" in the "Operation number" field, and click "OK".

5. Configure the scope

Then configure the scope for the newly created application, IIS6 URL Authorization. Right-click the "IIS6 URL Authorization" item, select "New Scope" in the pop-up menu, enter "WebApp" in the name field, and click "OK". Next, expand "IIS6 URL Authorization > Definitions", right-click the "Role Definitions" item, and select "New Role Definition" in the pop-up menu. In the role definition dialog box, enter "Viewer" in the name field and click "OK". Click the "Role Definitions" item, right-click the Viewer entry in the right pane, and select "Properties" from the shortcut menu. Switch to the "Definition" tab, click the "Add" button, switch to the "Operations" tab, select the "AccessURL" option in the operation definition list, and click "OK" twice in a row.

Expand "IIS6 URL Authorization > WebApp" in sequence, right-click the "Role Assignments" item, and select "Assign Roles" in the pop-up menu. Select the "Viewer" option in the "Add Role" dialog box and click "OK". Right-click the "Viewer" entry in the right pane and select the "Assign Windows Users and Groups" option. The "Select Users or Groups" dialog box is displayed (5). In the "Enter the object names to select" field, enter the user account that needs to access the website pages, and then click "OK".

6. Configure the reader role

By default, IIS6 runs as the Network Service account, so this account must be given the Reader role on the store. Right-click "MyStore.xml", select "Properties" in the pop-up menu, switch to the "Security" tab, and select "Reader" in the "Authorization Manager user role" list. Click "Add", enter the "Network Service" account in the "Enter the object names to select" field, and then click "OK" twice.

7. Configure the IIS Metabase File

After completing the preceding configuration, the URL Authorization function is still not enabled. You must also modify parameters in the IIS Metabase file. Here we use a VBScript (.vbs) script to do so. Go to the "C:\Inetpub\AdminScripts" directory and create a new script file named "SetUrlAuth.vbs". Open this file, copy the following content into it, and then save the file.

The script content is as follows:

SetUrlAuth.vbs content

' Sets the URL Authorization (Az*) metabase properties on one virtual directory.
Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then
    ' Too few arguments: print the usage text and do nothing.
    WScript.Echo "Usage: SetUrlAuth VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]"
    WScript.Echo ""
    WScript.Echo "Example:"
    ' The example passes all five arguments in the order given on the usage line.
    WScript.Echo "SetUrlAuth w3svc/1/root/MyApp MyApp msxml://d:\inetpub\wwwroot\AzStore.xml True 1"
    WScript.Echo ""
    WScript.Echo "Run with cscript command in cmd.exe to avoid msgboxes"
Else
    WScript.Echo objArgs(0)
    Dim iis
    ' Bind to the virtual directory through the IIS ADSI provider.
    Set iis = GetObject("IIS://localhost/" & objArgs(0))
    iis.AzScopeName = objArgs(1)
    iis.AzStoreName = objArgs(2)
    iis.AzEnable = objArgs(3)
    ' The impersonation level is optional.
    If objArgs.Count > 4 Then
        iis.AzImpersonationLevel = objArgs(4)
    End If
    ' Write the changes back to the metabase.
    iis.SetInfo
End If

Click "Start > Run" and enter "cmd.exe" in the dialog box. A Command Prompt window is displayed. Switch to the "C:\Inetpub\AdminScripts" directory and run the "Cscript SetUrlAuth.vbs W3svc/1/Root/WebApp WebApp msxml://C:\MyStore.xml true 1" command to modify the Metabase file parameters.

In this way, the URL Authorization function is enabled. Only the user account specified in the Viewer role of the authorization manager can access the Online virtual directory page of your website.
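
After running SetUrlAuth.vbs it is worth reading the effective settings back instead of trusting that every step took hold. The following script is an added example, not part of the original article: it checks the results of steps 1, 2 and 7 on one virtual directory through the same IIS ADSI provider. The file name CheckUrlAuth.vbs and the Report helper are hypothetical, and the assumption that a wildcard mapping appears in ScriptMaps as an entry beginning with "*," is mine.

```vbscript
' CheckUrlAuth.vbs (hypothetical name): read back what steps 1, 2 and 7 should have set.
' Usage: cscript CheckUrlAuth.vbs W3svc/1/Root/WebApp
Option Explicit
Dim args, vdir, entry, hasWildcard, problems

Set args = WScript.Arguments
If args.Count < 1 Then
    WScript.Echo "Usage: CheckUrlAuth VDirPath"
    WScript.Quit 2
End If

' ADSI returns effective values, including those inherited from parent nodes.
Set vdir = GetObject("IIS://localhost/" & args(0))
problems = 0

' Step 1: anonymous access off, Integrated Windows Authentication on.
Report Not vdir.AuthAnonymous, "Anonymous access is disabled"
Report vdir.AuthNTLM, "Integrated Windows Authentication is enabled"

' Step 2: a wildcard mapping pointing at urlauth.dll.
' Assumption: wildcard maps are ScriptMaps entries that start with "*,".
hasWildcard = False
For Each entry In vdir.ScriptMaps
    If Left(entry, 2) = "*," And InStr(1, entry, "urlauth.dll", vbTextCompare) > 0 Then
        hasWildcard = True
    End If
Next
Report hasWildcard, "Wildcard application mapping to urlauth.dll is present"

' Step 7: the Az* properties written by SetUrlAuth.vbs.
Report CBool(vdir.AzEnable), "AzEnable is True"
Report Len(vdir.AzStoreName) > 0, "AzStoreName is set: " & vdir.AzStoreName
Report Len(vdir.AzScopeName) > 0, "AzScopeName is set: " & vdir.AzScopeName
WScript.Echo "AzImpersonationLevel = " & vdir.AzImpersonationLevel

' A non-zero exit code lets a batch file or scheduled task detect drift.
If problems > 0 Then WScript.Quit 1

Sub Report(ok, text)
    If ok Then
        WScript.Echo "[ OK ] " & text
    Else
        WScript.Echo "[FAIL] " & text
        problems = problems + 1
    End If
End Sub
```

A [FAIL] on the anonymous-access line while AzEnable is True is the case to look at first, since step 1 makes disabling anonymous access a precondition for URL Authorization.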
