How to Establish a High-Security Web Server with IIS (Windows Server)

Source: Internet
Author: User
Construct a security system
To create a secure Web server you must secure both Windows 2000 and IIS, because an IIS user is also a Windows 2000 user and the permissions on IIS directories rest on the NTFS permissions of the underlying file system. The first step in securing IIS is therefore to secure the Windows 2000 operating system itself:
1. Use the NTFS file system to manage files and directories.
2. Turn off default shares
Open Registry Editor, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and add a value named AutoShareServer of type REG_DWORD with the data 0. This turns the default shares off completely.
3. Modify share permissions
As soon as a new share is created, change the default permissions granted to Everyone, so that Web server visitors do not receive permissions they do not need.
4. Rename the Administrator account so that attackers cannot target it by its well-known name.
Right-click [My Computer]→[Manage] to start Computer Management. Under Local Users and Groups, right-click the Administrator account, select "Rename", and change it to an inconspicuous user name.
5. Disable NetBIOS over TCP/IP
Right-click [Network Neighborhood] on the desktop→[Properties]→[Local Area Connection]→[Properties] to open the Local Area Connection Properties dialog box. Select Internet Protocol (TCP/IP)→[Properties]→[Advanced]→[WINS], and select the "Disable NetBIOS over TCP/IP" option at the bottom of the page.
6. Control inbound connections with TCP/IP filtering
Right-click [Network Neighborhood] on the desktop→[Properties]→[Local Area Connection]→[Properties] to open the Local Area Connection Properties dialog box. Select Internet Protocol (TCP/IP)→[Properties]→[Advanced]→[Options], and select "TCP/IP filtering" in the list. Click the Properties button, choose "Permit Only" for TCP ports, then click Add and enter port 80 as the only permitted port.
7. Modify the registry to reduce the risk of denial-of-service attacks.
Open the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and set the value SynAttackProtect to 2, so that half-open connections time out more quickly under a SYN flood.
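Steps 1 to 7 above are described as Registry Editor and Control Panel clicks for Windows 2000. The following PowerShell script is an added example, not part of the original article, that applies the same settings on a current Windows Server from an elevated prompt. It assumes the modern cmdlets listed are the right equivalents of the legacy dialogs (TCP/IP filtering is replaced by Windows Firewall rules), and the new administrator name is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: the Windows-side hardening
# steps 1-7 as PowerShell for a current Windows Server. The cmdlet choices are
# an assumption about what replaces the Windows 2000 dialogs; the new admin
# name is a placeholder. Several settings take effect only after a reboot.
$ErrorActionPreference = 'Stop'

# Step 1: IIS permissions depend on NTFS, so warn about any fixed volume that is not NTFS.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -ne 'NTFS' } |
    ForEach-Object { Write-Warning "Volume $($_.DriveLetter) is $($_.FileSystem), not NTFS" }

# Step 2: stop the server service from recreating the administrative shares (C$, ADMIN$, ...).
# IPC$ is not governed by this value and stays available.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $lanman -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null

# Step 3: on every non-administrative share, drop the default grant to Everyone,
# so each share exposes only the accounts you add explicitly.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $shareName = $_.Name
    Get-SmbShareAccess -Name $shareName |
        Where-Object { $_.AccountName -eq 'Everyone' } |
        ForEach-Object { Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force | Out-Null }
}

# Step 4: rename the built-in Administrator account to an inconspicuous name.
$newAdminName = 'ops-maint'   # placeholder, choose your own
if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
    Rename-LocalUser -Name 'Administrator' -NewName $newAdminName
}

# Step 5: disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disabled).
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtIfaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2
}

# Step 6: "TCP/IP filtering, permit only port 80" maps onto Windows Firewall today:
# block inbound by default and allow TCP 80. Add a rule for your own management
# path (for example RDP) BEFORE running this, or the block cuts off remote administration.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Web server: allow inbound HTTP' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Action Allow -Profile Any | Out-Null

# Step 7: SynAttackProtect = 2 makes half-open connections time out faster under a SYN flood.
# It is honoured on Windows 2000/2003; from Windows Server 2008 onward the TCP stack
# protects itself and the value is ignored, so setting it there is harmless but redundant.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
New-ItemProperty -Path $tcpip -Name SynAttackProtect -PropertyType DWord -Value 2 -Force | Out-Null

# Echo the two registry values so the change can be checked before rebooting.
Get-ItemProperty -Path $lanman -Name AutoShareServer | Select-Object AutoShareServer
Get-ItemProperty -Path $tcpip  -Name SynAttackProtect | Select-Object SynAttackProtect
```

The firewall step is the one most likely to hurt: the default-deny profile applies to every interface, so the management rule has to exist first. Step 3 only revokes Everyone; it does not add anything, so a share with no other grants becomes inaccessible until you add the intended group.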
Ensure the security of IIS itself
Secure IIS installation
To build a secure IIS server, security must be considered from the moment of installation.
1. Do not install IIS on the system partition.
2. Modify the installation default path for IIS.
3. Apply the latest patches for Windows and IIS.
Security Configuration for IIS
1. Delete unnecessary virtual directories
After IIS is installed, several directories are created by default under wwwroot, including IISHelp, IISAdmin, IISSamples and MSADC. They serve no purpose on a production site and can be deleted directly.
2. Remove dangerous IIS components
Some IIS components installed by default can pose a security risk, for example Internet Services Manager (HTML), the SMTP service, the NNTP service, and the sample pages and scripts. Decide according to your own needs whether to remove them.
3. Set permissions in IIS by file type
Besides setting the necessary NTFS permissions on the IIS files in the operating system, set permissions on them in IIS Manager as well. A sound policy is to create a separate directory for each type of file on the Web site and assign each directory the permissions it needs. For example: the folder for static files allows Read and denies Write; the folder for ASP scripts allows Script execution and denies Read and Write; the folder for EXE and other executable programs allows Execute and denies Read and Write.
4. Remove unnecessary application mappings
IIS ships with many application mappings by default, and apart from the .asp mapping most of them are rarely used by a typical site.
In Internet Services Manager, right-click the site, select Properties, and on the Home Directory page of the site's Properties dialog box click the Configuration button to open the Application Configuration dialog box; on the App Mappings page remove the mappings you do not need. If you do need a particular file type, first install the latest system patches, then select its mapping, click Edit, and check the "Check that file exists" option in the Add/Edit Application Extension Mapping dialog box. With this option set, when a client requests such a file IIS first checks whether the file exists and only then passes the request to the dynamic link library defined in the mapping.
5. Protect Log Security
Logs are an important part of the system security policy; protecting them improves the overall security of the system.
Change the storage path of the IIS logs
By default IIS logs are stored in %windir%\system32\LogFiles, a location every attacker knows, so it is best to move them elsewhere. In Internet Services Manager, right-click the site, select Properties, and on the Web Site page of the Properties dialog box click the Properties button next to the "Enable Logging" option; on the General Properties page click [Browse] or type the new log directory directly into the input box.
Change the access permissions on the log directory so that only administrators can access it.
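The five IIS configuration items above (default virtual directories, per-folder access permissions, application mappings, and the log location and its permissions) can be applied without the IIS Manager dialogs. The script below is an added example, not part of the original article, written for the WebAdministration module of IIS 7 and later. It assumes that "application mappings" correspond to today's handler mappings and that the "Check that file exists" option corresponds to a handler's resourceType; the site name, the folder names, and the log path are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: the IIS-side steps 1, 3, 4 and 5
# above as PowerShell for IIS 7+ (WebAdministration module). The mapping from the
# IIS 5 dialogs to these settings is an assumption; site name, folder names and
# the log path are placeholders.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'
$site    = 'Default Web Site'        # placeholder
$appHost = 'MACHINE/WEBROOT/APPHOST' # applicationHost.config, where locked sections may be set

# Step 1: remove the sample/admin virtual directories the article names (IIS 5 era;
# a modern install normally has none of them, so the check keeps this idempotent).
foreach ($vdir in 'IISHelp', 'IISAdmin', 'IISSamples', 'MSADC') {
    if (Get-WebVirtualDirectory -Site $site -Name $vdir -ErrorAction SilentlyContinue) {
        Remove-WebVirtualDirectory -Site $site -Name $vdir
    }
}

# Step 3: one folder per file type, each with only the access it needs.
# accessPolicy on the handlers section is the IIS 7+ form of the old
# Read / Script / Execute / Write check boxes. The handlers section is locked
# by default, so write it as a <location> in applicationHost.config.
$policy = @{
    'static'  = 'Read'     # HTML, images, CSS: read only, no script, no write
    'scripts' = 'Script'   # ASP pages: run the script engine, no read, no write
    'bin'     = 'Execute'  # ISAPI/CGI executables: execute only, no read, no write
}
foreach ($folder in $policy.Keys) {
    Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$folder" `
        -Filter 'system.webServer/handlers' -Name accessPolicy -Value $policy[$folder]
}

# Step 4: drop handler mappings the site does not use. The names are the IIS 7+
# defaults; ASPClassic (the .asp mapping) is deliberately kept, as the article advises.
foreach ($handler in 'ISAPI-dll', 'CGI-exe', 'TRACEVerbHandler') {
    if (Get-WebHandler -PSPath $appHost -Name $handler) {
        Remove-WebHandler -PSPath $appHost -Name $handler
    }
}
# "Check that file exists" in IIS 5 corresponds to resourceType=File: the handler
# runs only when the requested .asp file is actually on disk.
if (Get-WebHandler -PSPath $appHost -Name 'ASPClassic') {
    Set-WebConfigurationProperty -PSPath $appHost `
        -Filter "system.webServer/handlers/add[@name='ASPClassic']" -Name resourceType -Value 'File'
}

# Step 5: move the logs off the well-known default (%SystemDrive%\inetpub\logs\LogFiles
# on IIS 7+) and restrict the directory to SYSTEM and Administrators.
$logDir = 'D:\WebLogs'   # placeholder, ideally a volume other than the system drive
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Set-ItemProperty -Path "IIS:\Sites\$site" -Name logFile.directory -Value $logDir
# Reset inheritance and grant full control only to SYSTEM (the identity that writes
# the log) and to Administrators; every other inherited ACE is removed.
icacls $logDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Show the effective log location and the access policies so the result can be reviewed.
Get-ItemProperty -Path "IIS:\Sites\$site" -Name logFile.directory
foreach ($folder in $policy.Keys) {
    Get-WebConfigurationProperty -PSPath $appHost -Location "$site/$folder" `
        -Filter 'system.webServer/handlers' -Name accessPolicy
}
```

Two points to check after running it: a request for a static file placed in the scripts folder now fails with a 403, which is the intended behaviour of denying Read there, and the log directory ACL must keep SYSTEM, otherwise the W3C log files silently stop being written.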
With these security settings in place, your Web server will be considerably safer.
