IIS is one of the most vulnerable components of Microsoft's component, an average of two or three months will be a loophole, and Microsoft's IIS default installation is really not flattering.
First, create a new Wwwroot folder in the D: root directory, which is used as the root of the Web server site, and contains folders for different Web sites. For example, to create a new directory for the first site file WebSite1, in order to eliminate the cross-station attacks and other related security issues, to achieve the various virtual host directory has independent access to the mechanism, we want to give each directory to assign an anonymous user account.
Right-click My Computer-----> Admin------> Local Users and Groups, then create a new user iisuser_01, select the user can not change the password and password will never expire, remove the remaining two check. (Of course, if you have 50 virtual hosts on your WEB SERVER, you can add some users in the same way). You can set a password for each new user, of course, empty is not a big deal, because this is used for IIS anonymous access to users, the system security is basically not affected.
New users because the default new users automatically join the user group, to remove their user group permissions, and then separate them only belong to the Guests group, this step must be remembered, security issues are critical. After the setup is complete, in order to facilitate the unified division of the WEB site anonymous Access user permissions, and then create a new user group, such as Iisuser_group, iisuser_01 users to add to the Iisuser_group group.
Once the user and group are set up, we turn on the wwwroot of the D disk again, right-click the WebSite1 folder in the security option of the property configuration, add iisuser_01 user rights (if the HTML site can only be read permission, if it is asp+acess database or need to enter Line FSO operation of the site, but also need to add "write" permission or generally we will "full control" rights to iisuser_01 users.
If you want to make a more secure configuration, you can set the IISUSER_01 user's permissions in the WebSite1 directory to read, and write permissions on the picture upload directory or database directory that requires an update or write operation, which is more secure. After this step, the site's directory security is enough. No, the use of some FSO and other Trojans can also be read across the station, although there is no permission to modify after the station, but for example, the top of the ocean with the folder packaging function, can still carry out the cross-station browsing system disk and package operation and download. This is done by right-clicking the C and D drive to select the security option in the attribute, adding the user group that we set up just now (which contains iisuser_01 or additional Web site Directory Users) to prohibit all operation rights for the group.
(Note the setting of the subdirectory inheritance permissions, and the WebSite1 directory does not inherit this permission from the parent directory.) )
In this way, each site's browser (anonymous access users) can only be the station directory files in certain permissions to operate, even if the ASP wood immediately to one of the site directory, will not affect other sites, but not to the security of the server any danger.
After the folder security configuration is complete, our next step is to configure IIS.
First, open the IIS Manager-"Home directory," to facilitate unified management, rename the default site to WebSite1 and point the home directory to the D:\wwwroot\WebSite1 directory.
Then click the Configuration button in this window to enter the application configuration, in the application extension bar to remove any unwanted mapping, only you really need to use the type of file, such as asp,aspx,shtml, the general WEB server applications with two of these mappings is enough, Other maps have had too many vulnerabilities in previous free Microsoft vulnerabilities, and you can check the previous vulnerabilities list. Start by deleting the unused extensions.
After you configure this item, click the Options bar above this window, typically in most ASP programs, we'll call the parent path in the code, and we'll check the "Enable Parent path" checkbox on this page, of course, if you're sure your program doesn't have code to invoke the parent path, it's best not to choose this, and the security will be stronger. Finally, click the Debug bar at the top of this window, in the error message option for a script error, select the Send the following text error message to the client otherwise the ASP script will likely show the client your database path (the hacker often says Bauku), program code, structure, parameters, and other important information.
To prevent the CGI vulnerability scanner from scanning the security implications of the IIS vulnerability, the HTTP404 Object not Found error page is redirected to a custom HTM file through the URL in the IIS Admin panel, and we can change C :/windows/help/iishelp/common/404b.htm content to read: <meta http-equiv= "REFRESH" content= "5; Url= Your site Home "", or you can modify the HTML file path for the 404 error page in the custom error bar in the IIS Admin panel and make the appropriate changes finally, we also want to bind the anonymous user account that was established for this site to access rights in the directory security for this site. Open the Directory Security tab in the site's property page, click "Edit" for authentication and access control to enable anonymous access, click the Browse button on the bar, select the anonymous user account iisuser_01 that we previously assigned to this site (WebSite1), and enter the user's password. Prompt to enter a confirmation password again. If no, leave it blank.
After setting up an anonymous access account, users of the "WebSite1" site can access the "WebSite1" Site Directory only when they invade the server using ASP's FileSystemObject components or other Trojan programs. : D:\wwwroot\WebSite1 under the content, when trying to access other content, there will be such as "No Permissions", "hard drive is not ready", "500 server Internal error" and so on error prompts (has tried to use ASP Sea Top 2006 Trojan Horse for a full test, Does not pose any impact on server security).
If your Web server needs to place multiple Web sites, the easiest way to do this is to configure the host header.
Here to establish two sites for www.alixixi.com and www.ejchina.com respectively for example. The DNS of the www.alixixi.com and www.ejchina.com two domains is first resolved to the IP address of the server. For example, www.alixixi.com is stored in the D:wwwroot\website1 directory above our configuration so that we open IIS Manager and right-click WebSite1 Site properties.
Click on the IP address of the Advanced button, modify the IP address of the main head for www.gzidc.me.
In this way, the first site is set to succeed, and then we can continue to add a second site, in the same way, when adding without changing the TCP/IP port, directly set the main head of another site for the www.ejchina.com can complete the establishment of the second site. The use of host headers to build multiple sites, you must use a friendly web site to access, but also through IP ports and multiple IP addresses to achieve multi-site, but this is no longer described in detail. If a pan-domain name resolution is required, the site is set to an empty host header and a *. Domain name is established in DNS. com resolves to server IP to enable universal Domain name resolution.
Finally, do not forget to back up the configuration of IIS, in the event of a catastrophic system crash or a major error in IIS requiring a reinstall, you can quickly restore IIS security Configuration, restore the site to normal operation, backup function is simple, the IIS Management Panel Operations toolbar-"All Tasks-" for backup.
To learn more about backup and related technical information, please click on the IIS Help and consult in the IIS6 Administrator's Guide.
The following is an excerpt from a related backup from the Administrator's Guide:
In fact, the configuration database refers to the combination of MetaBase.xml and MBSchema.xml files and the configuration database that hosts memory. The IIS configuration information is stored in the MetaBase.xml file, and the metabase schema is stored in the MBSchema.xml file. When IIS is started, these files are read by the storage layer and then written to the in-memory metabase by managing basic objects (ABO) ...
Speaking of MetaBase.xml, casually mentioned a little IIS6 often encountered problems, is unable to upload large files, IIS 6 for security reasons, the default maximum request 200K (also that the maximum submission data limit of 200KByte, 204800Byte). Usually the size of 200K is not enough to meet the needs of our site, the solution is as follows:
1. Turn off the IIS Admin service
2. Open \windows\system32\inesrv\metabase.xml
3. Modify the value of aspmaxrequestentityallowed for their own needs, the default is 204800, that is, limit the upload file maximum 200KB.
4. Start the IIS Admin Service
In fact, if you have some understanding of programming, carefully look at the contents of the MetaBase.xml file, you will find that many of the IIS configuration can also be modified inside, of course, unless you are familiar with, otherwise do not recommend direct modification.
Configuration to this step, we have successfully configured a high security WEB server, but to achieve a powerful Internet-enabled server, only the WEB function is not enough, for the day-to-day file upload download and maintenance management, we have to set up a powerful FTP server.
Turn from: http://blog.sohu.com/people/!aWRjbWlubWluQDE2My5jb20=/226632512.html
