IIS and web site folder permission Configuration

IIS is one of the most vulnerable components in Microsoft. On average, one vulnerability may occur in two or three months. Microsoft's default IIS installation is not flattering.
First, create a wwwroot folder in the D: root directory, which is used as the root directory of the WEB server site and stores folders of different websites. For example, you can create the first website directory WebSite1 to store files. To prevent cross-site attacks and other related security issues, you can implement an independent access mechanism for each virtual host directory, we need to assign an anonymous user account to each directory.

Right-click my computer on the desktop -----> Manage ------> local users and groups, and create a new user, IISUSER_01. If the user cannot change the password or the password will never expire, remove the remaining two items and check. (Of course, if your web server has 50 virtual hosts, you can add some users in the same way ). You can set a password for each new user. Of course, this is not a problem because it is used to access the user anonymously in IIS and has no impact on system security.

After a User is added, the new User is automatically added to the Users group by default. the permissions of the User group must be removed and the User group must be assigned to the Guests group again. Remember this step, security issues are critical. After the configuration is complete, create a user group, for example, IISUSER_GROUP, and add IISUSER_01 to the IISUSER_GROUP group, to facilitate the unified division of the permissions for anonymous users of the WEB site.

After the user and group are set, open the wwwroot of drive d again and right-click the website1 folder in the security options of attribute configuration, add IISUSER_01 user permissions (for a pure HTML site, you can only grant read permissions. For an ASP + ACESS database or a site that requires FSO operations, you also need to add the "write" permission or generally grant the "full control" permission to the IISUSER_01 user ).
 
For more rigorous security configuration, you can set IISUSER_01 to read the website1 directory and grant the write permission to the Image Upload directory or database directory that requires update or write operations, this is more secure. After this step, is the website's Directory Security enough? No, some FSO and other Trojans can also be used for cross-site reading. Although there is no permission to modify the cross-site, for example, using the folder packaging function at the top of the ocean, you can still browse system disks and packages across sites and download them! The solution is to right-click the C and D drive letters and select the security options in the properties to add the user group we just created (including IISUSER_01 or other new WEB site directory users ), disable all operation permissions of the group.
(Note that the WebSite1 directory does not inherit the permission of the parent directory .)
 
In this way, the viewer (anonymous user) of each site can only perform certain permission operations on the files in the directory of the site, even if the ASP Trojan is uploaded to one of the website directories, it will not affect other sites, nor pose any danger to server security.

After the folder security configuration is complete, we will configure IIS in the next step.

First, open the main directory of IIS Manager-". To facilitate unified management, rename the default site as WebSite1 and direct the main directory to the D: \ wwwroot \ WebSite1 directory.

Then, click the configuration button in this window to enter the application configuration. In the application extension column, delete any unnecessary mappings that are not required, and only retain the file types you actually need, such as ASP, ASPX, shtml, and so on. Generally, it is enough for WEB server applications to have two mappings. In the past, many security vulnerabilities have occurred in free Microsoft vulnerabilities, if you don't believe it, you can check the previous vulnerability list. Start to delete unnecessary extensions one by one.

After configuring this item, click the option bar at the top of this window. Generally, in most ASP programs, we will call the parent path in the code, on this page, check the [enable parent path] Check box. Of course, if you are sure that your program will not have code to call the parent path, you 'd better not select this option, higher security. Finally, click the debugging column at the top of this window. In the error message option of the script error, select [send the following text error message to the client]. Otherwise, when an ASP script error occurs, the error message is likely to display your database path (known as brute-force database), program code, structure, parameters, and other important information to the client.

To prevent the cgi vulnerability scanner from scanning for IIS vulnerabilities, in the IIS Management Panel, the error page of HTTP404 Object Not Found is redirected to a customized HTM file through URL resetting. We can change the page to C: change/WINDOWS/Help/iisHelp/common/404b.htm content to: <META http-equiv = "REFRESH" content = "5; URL = your website homepage">, alternatively, you can modify the HTML file path of the 404 error page in the custom error bar on the IIS Management Panel and make the final modification, we also need to bind the anonymous user account previously created for the site to the access permission in the Directory Security of the site. Open the "Directory Security" tab on the properties page of the site and click "edit" for identity authentication and access control"
Select enable Anonymous Access, Click Browse in this column, select IISUSER_01, the anonymous user account assigned to this site (WebSite1), enter the password of this user, and prompt to enter the password again. Leave it blank if none exist.

After an anonymous access account is set up, when the user of the "WebSite1" website uses the FileSystemObject component of ASP or its Trojan program to attack the server, you can only access the content under "WebSite1" website directory: d: \ wwwroot \ WebSite1. When you try to access other content, an error message such as "no permission", "not ready for hard disk", and "500 server internal error" appears. (I tried to use the asp ocean top 2006 trojan for a comprehensive test, does not affect server security ).

If your WEB server requires multiple WEB sites, the simplest method is to configure the Host header.

Here, we will create two sites: www.alixixi.com and www.ejchina.com. First, resolve the DNS of www.alixixi.com and www.ejchina.com to the IP address of the server. For example, www.alixixi.com is stored in the d: wwwroot \ WebSite1 directory we configured above. In this case, open the IIS manager and right-click the WebSite1 site attribute.

Click the Advanced button of the IP address to change the Host header of the IP address to www.gz idc. me.

In this way, the first site is set successfully, and then we can continue to add the second site. In the same way, you do not need to change the TCP/IP Port when adding the site, directly set the Host Header of another site to www.ejchina.com to complete the establishment of the second site. To create multiple sites using the Host Header, you must use a friendly website to access the site. You can also use IP Ports and multiple IP addresses to implement multiple sites, but we will not detail them here. If you need to perform wildcard domain name resolution, set the site to an empty Host header, and create a *. Domain Name. com domain name in the domain name DNS to resolve to the server IP address to achieve wildcard domain name resolution.

Finally, do not forget to back up the IIS configuration. In case of a catastrophic system crash or a major IIS error, You need to reinstall the IIS and other emergencies. You can quickly restore the IIS Security Configuration and restore the normal operation of the site, the backup function is simple. You can back up all tasks in the Operation Toolbar of the IIS Management Panel.

For more information about backup and related technologies, click IIS Help and refer to IIS6 administrator guide.

The following is a piece of backup data from the Administrator guide:
In fact, the configuration database refers to the combination of MetaBase. xml and MBSchema. xml files and the configuration database with resident memory. IIS configuration information is stored in the MetaBase. xml file, and the configuration data library architecture is stored in the MBSchema. xml file. When IIS is started, these files will be read by the storage layer, and then written to the configuration database in the memory by managing the basic object (ABO...

Speaking of MetaBase. xml. If you mention a problem that IIS6 often encounters, that is, it cannot upload large files. For security reasons, IIS 6, the default maximum number of requests is 200 KB (that is, the maximum number of data submitted is 200 kb and 204800 bytes ). Generally, the size of 200 kb cannot meet the requirements of our site. The solution is as follows:
1. Disable the IIS Admin Service.
2. Open \ Windows \ system32 \ inesrv \ metabase. xml
3. Modify the value of ASPMaxRequestEntityAllowed as needed. The default value is 204800, that is, the maximum size of uploaded files is kb.
4. Start IIS Admin Service

In fact, if you have some knowledge about programming, check metabase carefully. the content in the xml file, you will find that many IIS configurations can also be modified in it, of course, unless you are familiar with it, it is not recommended to directly modify it.

In this step, we have successfully configured a WEB server with high security. However, to implement a powerful server that applies to the internet, only WEB functions are not enough, for daily file upload, download, maintenance, and management, we also need to set up a powerful FTP server!

Transferred from: http://blog.sohu.com/people! Aw1_bwlubwluqde2my5jb20 =/226632512.html