How to securely and effectively protect the normal operation of iis services

　　Server tutorial of kangfire website construction Institute (bkjia.com)Generally, most Web sites are designed to provide visitors with instant information access in the most acceptable way. Over the past few years, more and more hackers, viruses, and worms have brought serious security problems that have severely affected website accessibility. Even though Apache servers are often targets of attackers, however, Microsoft's Internet Information Service (IIS) Web server is the true target.

Higher education institutions often cannot find a balance between building dynamic and user-friendly websites or building highly secure websites. In addition, they must now work to improve website security in the face of the shrinking technical budget (in fact, many of their private departments are also facing a similar situation ).

That's why university IT managers I am here to offer some tips for budget headaches to help them protect their IIS servers. Although they are mainly for IT professionals at the university, these skills are also basically applicable to IIS administrators who want to improve security through a small amount of budget. In fact, some of the skills here are also very useful for IIS administrators with a strong budget.

IIS security skills

Microsoft's products have always been the target of all attacks. Therefore, IIS servers are especially vulnerable to attacks. After understanding this, the network administrator must prepare to perform a large number of security measures. What I will provide you with is a list. Server Operators may find it very useful.

1. Windows upgrade:

You must promptly update all updates and patch the system. Consider downloading all updates to a dedicated server on your network and publishing the files on this server as a Web server. Through this work, you can prevent your Web server from accepting direct Internet access.

2. Use the IIS prevention tool:

This tool has many practical advantages. However, please use it with caution. If your Web server interacts with other servers, first test the prevention tool to ensure that it has been correctly configured so that it will not affect the communication between the Web server and other servers.

3. Remove the default Web site:

Many attackers target the inetpub folder and place some attack tools in it, causing server paralysis. The easiest way to prevent this attack is to disable the default site in IIS. Then, because worms access your website through IP addresses (they may access thousands of IP addresses a day), their requests may be in trouble. Point your real Web site to a folder in the back partition and must contain safe NTFS permissions (which will be detailed in the NTFS section below ).

4. If you do not need the FTP and SMTP services, uninstall them:

The simplest way to access a computer is through FTP. FTP itself is designed to meet the requirements of simple read/write access. If you perform identity authentication, you will find that your user name and password are transmitted over the network in plaintext. SMTP is another service that allows write permission to folders. By disabling these two services, you can avoid more hacker attacks.

5. Check your administrator group and services with rules:

One day I entered our classroom and found that there was another user in the Administrator group. This means that someone has successfully entered your system, and he or she may drop the bomb into your system, which will suddenly destroy your entire system, alternatively, hackers can use a large amount of bandwidth. Hackers also tend to leave a help service. Once this happens, it may be too late to take any measures. You can only reformat your disk and recover your daily backup files from the backup server. Therefore, check the service list on the IIS server and keep as few services as possible as your daily task. You should remember which service should exist and which service should not. Windows 2000 Resource kitlet us use a program called tlist.exe, which can list the services that run under svchost in each situation. Run this program to find some hidden services you want to know. The following message is displayed: Any service containing the words "daemon" may not be included in Windows and should not exist on the IIS server. To get a list of Windows Services and know their respective functions, click here.

6. strictly control the write access permissions of the server:

This sounds easy. However, on a college campus, a Web server actually has many "Authors. Faculty members all want their classroom information to be accessible to remote students. Employees want to share their work information with other employees. Folders on the server may have extremely dangerous access permissions. One way to share or spread this information is to install 2nd servers for special sharing and storage purposes, and then configure your Web server to point to the shared server. This step allows the network administrator to restrict the write permission of the Web server to the Administrator group only.

7. Reduce/exclude sharing on Web servers:

If the network administrator is the only person with write permissions on the Web server, there is no reason for any sharing to exist. Sharing is the greatest temptation for hackers. In addition, by running a simple cyclic batch processing file, hackers can view an IP address list and use commands to find the sharing of Everyone/full control permissions.

Summary:

All of the above IIS skills and tools (except WhosOn) are provided by Windows. Do not forget to use these skills and tools one by one before testing your website accessibility. If they are deployed together, you may suffer heavy losses. You may need to restart them to lose access.

Last tip: log on to your Web server and run netstat-an on the command line. Observe how many IP addresses are trying to establish a connection with your port, and then you will have a lot of research and research to do.