How to configure IIS in Windows XP
Debug ASP in Windows XP and Windows 2000 operating systemsProgramFirst, you must determine whether your installed system has an ASP debugging environment. IIS (Internet Information Service) is a simple operating platform provided by Microsoft for developers, the following describes how to install IIS:
1. First, you need to determine whether your operating system has IIS installed, as shown in:
1. Right-click my computer and Click Manage"
2. Click "services and applications"
3. Check whether "Internet Information Service" is installed. If it is not installed, there is no Internet Information Service under the services and applications.
4. If "Internet Information Service" is already installed on the system, skip the installation process in step 2. Refer to the debugging process in step 3.
Step 2: Install IIS as follows:
3.1 insert a Windows XP disc, click "install available Windows components", select "Internet Information Service (IIS)", and click "Next" to complete the installation.
3. debug the IIS runtime environment by performing the following steps:
First, perform the following operations after performing the relevant steps mentioned in the first step;
5. Select "default website" with the mouse, right-click and choose "New"> "virtual directory", and enter any name you want when obtaining the alias, here we assume that the input is "Web ".
6. Next, select "website content directory" and use "Browse" to select the desired website storage location.
7. The next step is to set access permissions. If you do not need it, retain the default value of the system and go to the next step. Set the access permission for the virtual directory and select read and run scripts. Do not select the following three items. Click "finish ".
Now, the virtual directory settings are complete. Click Browse to check whether ASP programs can be run. (if the window on the right shows that the web page is displayed, the installation is successful ). Alternatively, enter "http: // localhost/web/index.htm" in the address bar of E browser, or enter "http: // 127.0.0.1/index.htm if it is normal, your homepage will be displayed.
Note: Upload this file.
So far, IIS can serve you on your machine! Feel the joy of successfully building a website!
**************************************** ****************************************
How to configure IIS In win2003
Correctly set the disk security, as shown in the following figure (security settings for virtual machines, using ASP program as an example:
1. System Disk permission settings
C: partition part:
C :\
All administrators (this folder, subfolders and files)
All creator owners (only subfiles and files)
System all (this folder, subfolders and files)
Iis_wpg Create File/write data (only this folder)
Iis_wpg (this folder, subfolders and files)
Traverse folders/running files
List folders/read data
Read attributes
Create Folder/additional data
Read Permission
C: \ Documents ents and settings
All administrators (this folder, subfolders and files)
Power Users (this folder, subfolders and files)
Read and run
List folder Directories
Read
System all (this folder, subfolders and files)
C: \ Program Files
All administrators (this folder, subfolders and files)
All creator owners (only subfiles and files)
Iis_wpg (this folder, subfolders and files)
Read and run
List folder Directories
Read
Power Users (this folder, subfolders and files)
Modify permissions
System all (this folder, subfolders and files)
Terminal Server user (this folder, subfolders and files)
Modify permissions
2. Website and virtual machine permission settings (for example, the website is on an edisk)
Note: assume that all websites are under the wwwsite directory of the edisk and a guest user is created for each virtual machine. The user name is vhost1... vhostn and a webuser group are created. All vhost users are added to this webuser group for convenient management.
E :\
All administrators (this folder, subfolders and files)
E: \ wwwsite
All administrators (this folder, subfolders and files)
System all (this folder, subfolders and files)
Service all (this folder, subfolders and files)
E: \ wwwsite \ vhost1
All administrators (this folder, subfolders and files)
System all (this folder, subfolders and files)
Vhost1 all (this folder, subfolders and files)
3. Data backup disk
It is best to specify only one specific user to have full operation permissions on the data backup disk.
For example, if Disk F is a data backup disk, only one administrator can perform full operations on it.
4. permission settings elsewhere
Find these files on drive C and set the security to only the specific administrator with full operation permissions.
The following files are only accessible to administrators:
Net.exe
Net1.exet
Cmd.exe
Tftp.exe
Netstat.exe
Regedit.exe
At.exe
Attrib.exe
Cacls.exe
Format.com
5. Delete the c: \ inetpub directory, delete unnecessary mappings in IIS, create a trap account, and change the description.
Third: disable unnecessary services to improve security and System Efficiency
The Computer Browser maintains the latest list of computers on the network and provides this list.
Task scheduler allows programs to run at a specified time.
Routing and Remote Access provides routing services for enterprises in LAN and WAN Environments
Removable Storage manages removable media, drivers, and libraries
Remote Registry Service allows remote registry operations
Print Spooler loads the file into the memory for later printing. A friend who wants to use a printer cannot disable this option.
IPsec Policy agent manages IP Security Policies and starts ISAKMP/oakleyike) and IP Security drivers
Distributed Link Tracking Client sends a notification when the file is moved in the NTFS Volume of the network domain
COM + Event System provides automatic release of events to subscribe to COM components.
Alerter Notifies selected users and computers to manage alerts
Error Reporting Service collects, stores, and reports abnormal applications to Microsoft
Messenger transmits the net send and alarm service messages between the client and server
Telnet allows remote users to log on to this computer and run programs
Step 4: Modify the Registry to make the system stronger
1. To hide important files/directories, you can modify the Registry to completely hide them: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ current-version \ Explorer \ Advanced \ Folder \ Hi-dden \ showall ", right-click "checkedvalue" and choose modify from 1 to 0.
2. Start the system's built-in Internet connection _ blank "> firewall, and check the web server in the set service options.
3. Prevent SYN flood attacks
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters
Create a DWORD Value named SynAttackProtect. The value is 2.
Enablepmtudiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300,000
Invalid mrouterdiscovery REG_DWORD 0
Enableicmpredirects REG_DWORD 0
4. Disable response to ICMP route notification packets
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters \ Interfaces \ Interface
Create a DWORD value, with the name "descrimrouterdiscovery" set to 0.
5. Prevent ICMP redirection packet attacks
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters
Set enableicmpredirects to 0
6. IGMP protocol not supported
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters
Create a DWORD Value named igmplevel 0
7. Modify the Terminal Service port
Run regedit and find [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ WDS \ rdpwd \ TDS \ Tcp]. Do you see the portnumber on the right? In decimal format, change it to the desired port number, for example, 7126, as long as it does not conflict with others.
2. In the second place, HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ winstations \ RDP-TCP. The method is the same as above. Remember to change the port number just like the above.
8. Disable null IPC connection:
Cracker can use the net use command to establish a null connection, and then invade into the database. Net view and NBTSTAT are all based on NULL connections. It is good to disable NULL connections. Open the registry and find LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ LSA-restrictanonymous. Change the value to "1.
9. Change the TTL value
Cracker can roughly judge your operating system based on the TTL value returned by Ping, such:
TTL = 107 (winnt );
TTL = 108 (Win2000 );
TTL = 127 or 128 (Win9x );
TTL = 240 or 241 (Linux );
TTL = 252 (Solaris );
TTL = 240 (IRIX );
In fact, you can change HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters: defaultttl REG_DWORD 0-0xff (0-255 decimal, default value 128) to an inexplicable number such as 258, at least let the little cainiao get dizzy for a long time, and you may not have to give up the intrusion.
10. delete default share
Someone asked me how I shared all the disks when I started. After I changed it back, I restarted and shared it again. This is the default share set for 2 k management, you must modify the Registry to cancel it: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ parameters: the AutoShareServer type is REG_DWORD and change the value to 0.
11. Do not create a null connection
By default, any user connects to the server through an empty connection, and then enumerates the account and guesses the password. We can modify the Registry to disable NULL connections:
LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ LSA-restrictanonymous can be changed to "1.
Step 5: other security measures
1. Disable NetBIOS on TCP/IP
Network neighbors-properties-local connection-properties-Internet Protocol (TCP/IP) properties-advanced-wins panel-NetBIOS settings-Disable NetBIOS on TCP/IP. In this way, cracker cannot use the nbtstat command to read your NetBIOS information and the MAC address of the NIC.
2. Account Security
Deny all accounts except yourself. Rename Administrator. I just created another administrator account, but I didn't have any permissions. Then I opened the notepad and knocked it out, copied it, and pasted it into the "password, let's break the password ~! It is a low-level account after it is broken. Do you think it is a crash?
Create two administrator accounts
Although this seems to be in conflict with the above, it actually follows the above rules. Create a general-permission account to receive and process common events. The other account with the administrative permissions only needs to use it as needed. The administrator can use the "RunAs" command to execute some work that requires special privileges for convenient management.
3. Change the c: \ windows \ HELP \ IISHelp \ common \ 404b.htm content to this way. If an error occurs, it is automatically forwarded to the homepage.
4. Security Logs
I have encountered such a situation that a host was infiltrated by someone else. The system administrator asked me to trace the murderer. I logged in and checked that the security log was empty. Remember: the default installation of Win2000 is not subject to any security review! Go to the Local Security Policy> Audit Policy to open the corresponding audit. The recommended audit is:
Account Management failed
Logon Event successful failed
Object Access failed
Policy Change failed
Failed to use privilege
System Event success/failure
Directory Service Access failed
Account Logon event failed
The disadvantage of review projects is that if you want to see that there are no records, there will be no difference at all. Too many review projects will not only occupy system resources, but also cause you to have no time to look at them, in this way, the meaning of the review is lost.
5. Run anti-virus software
I have never seen any anti-virus software installed on win2000/NT servers. In fact, this is very important. Some good anti-virus software can not only kill some famous viruses, but also kill a large number of Trojans and Backdoor programs. In this way, the famous trojans used by hackers are useless. Do not forget to update the virus database frequently. We recommend that you use the anti-virus software + blackice_blank. "> Firewall
6. database server security and Serv-u ftp server security configuration, change the default port and management password
7. set IP filtering and use BlackICE to disable common trojan ports
Generally, the following ports are disabled:
135 138 139 443 445 4000 4899
8. Set the Local Security Policy and group policy. If you set an error when setting the Local Security Policy, you can restore it to its default value.
Open the % SystemRoot % \ Security folder, create a "oldsecurity" subdirectory, and move all. log files under % SystemRoot % \ Security to the new subdirectory.
Find the "SeCEdit. SDB" security database under % SystemRoot % \ SECURITY \ database \ and rename it, for example, change it to "SeCEdit. Old ".
Start "Security Configuration and analysis" MMC snap-in: "Start"-> "run"-> "MMC", start the management console, and "Add/delete snap-in ", add the "Security Configuration and analysis" Management Unit.
Right-click "Security Configuration and analysis"-> "Open Database", browse the "C: \ winnt \ SECURITY \ Database" folder, and enter the file name "SeCEdit. SDB, click open ".
When the system prompts you to enter a template, select "setup security. inf" and click "open ".
If the system prompts "Access Denied.
You will find that a new security database is created in the "C: \ winnt \ SECURITY \ Database" sub-folder,
Log files are regenerated in the "C: \ winnt \ Security" subfolder. The security database is successfully rebuilt.