IIS Security Mechanism Analysis (revised version)

Source: Internet
Author: User

Security mechanisms based on the Windows NT kernel

1. The Web file directory should be on an NTFS partition

The NTFS file system can apply access control to individual files and directories. The FAT file system can only provide share-level security, while the Windows NT security mechanism is built on the NTFS file system; therefore it is best to use NTFS when installing Windows NT. Otherwise, you will not be able to establish the NT security mechanism at the file level.

2. Modify share permissions

By default, every time a new share is created, the Everyone group is granted Full Control of the share. Therefore, immediately after creating a new share, modify the default Everyone permission; removing Everyone from the security settings entirely is a good idea.

3. Change the system administrator account name

The specific setting method is as follows: select the "Start" menu > "Programs" > start "User Manager for Domains" > select the Administrator account (Administrator) → select the "User" menu → "Rename" to modify it. Note that this step is best performed at the beginning of server setup; otherwise some permission settings will be lost on Windows Server 2003 and earlier versions.

4. Disable NetBIOS binding on TCP/IP

The NT system administrator can create a mapping between the NetBIOS name and the IP address of a target station in order to manage other servers on the Internet or intranet. However, unauthorized users can use the same mechanism to discover available servers. If this remote management is not required, cancel it immediately (unbind NetBIOS from TCP/IP through the Bindings option in the network properties).
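The four Windows NT items above were written for the NT 4 GUI tools. The following script is an added example, not code from the original article, that applies the same four checks on a current Windows Server host with PowerShell 5.1 or later: it verifies that the Web directory sits on NTFS, revokes Everyone from any share that still grants it Full Control, renames the built-in Administrator (located by its well-known RID 500 rather than by name), and disables NetBIOS over TCP/IP through the Win32_NetworkAdapterConfiguration WMI class. The paths and the replacement account name are assumed placeholders.

```powershell
# Added example (not from the original article): a host-baseline script for the four
# Windows NT-derived items above, for modern Windows (PowerShell 5.1 or later).
# Run it in an elevated session; $WebRoot and $NewAdminName are assumed placeholders.
#Requires -RunAsAdministrator

$WebRoot      = 'D:\inetpub\wwwroot'   # assumed location of the Web content directory
$NewAdminName = 'svc-localadm'         # assumed replacement name for the built-in Administrator

# 1. The Web directory must sit on NTFS, otherwise no file-level ACLs can be applied.
$driveLetter = (Split-Path -Qualifier $WebRoot).TrimEnd(':')
$volume = Get-Volume -DriveLetter $driveLetter
if ($volume.FileSystem -ne 'NTFS') {
    Write-Warning "$WebRoot is on a $($volume.FileSystem) volume; NTFS is required for file-level security."
}

# 2. Find non-administrative shares that still grant Everyone Full Control and remove that entry.
#    Grant a specific group afterwards (Grant-SmbShareAccess), or nobody can reach the share.
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $everyoneFull = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
    if ($everyoneFull) {
        Write-Host "Share '$($share.Name)': Everyone has Full Control, revoking."
        Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force
    }
}

# 3. Rename the built-in Administrator account. It is found by its SID (RID 500), so this
#    works whatever the account is currently called. The SID itself does not change, so the
#    rename hides the name from casual guessing but does not alter the account's privileges.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $admin.Name -NewName $NewAdminName
}

# 4. Disable NetBIOS over TCP/IP on every adapter that has IP enabled.
#    SetTcpipNetbios option values: 0 = use DHCP setting, 1 = enable, 2 = disable.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = 2 }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Disabling NetBT failed on $($nic.Description): return code $($result.ReturnValue)"
    }
}
```

The share step only removes the Everyone entry; the article's advice to delete Everyone leaves the share with no grants at all, so add the intended group with Grant-SmbShareAccess right after. Revoke-SmbShareAccess only touches the share-level ACL; the NTFS ACL on the underlying folder is a separate control (see the access permission section later in this article).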

Setting up the IIS security mechanism

1. Security issues during installation

1) Avoid installing on the primary domain controller

After IIS is installed, an anonymous account named IUSR_Computername is generated on the computer on which it is installed. This account is added to the Domain Users group, so every anonymous user who accesses the Web server receives the access permissions granted to Domain Users. This not only creates a risk for IIS itself, it may also threaten the security of the entire domain's resources. Therefore, do not install the IIS server on a domain controller, especially the primary domain controller.

2) Avoid installation on the system partition

Installing IIS on the system partition places the system files and the IIS files on the same volume, so an unauthorized user who gains access through IIS can more easily reach the system partition. Therefore, avoid installing the IIS server on the system partition.

2. User security

1) Anonymous user access control

After IIS is installed, the anonymous user IUSR_Computername (with a randomly generated password) is created. Anonymous access brings potential security problems to the Web server, so its permissions should be controlled. If you do not need anonymous access, you can cancel anonymous access to the Web service. Specific method:

Choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service properties page → clear the anonymous access option for the service.

2) Control general user access permissions

Use passwords that combine digits and letters (including uppercase and lowercase), make them long (generally more than 6 characters), and change them frequently. Ordinary user accounts are managed by locking out accounts after failed logon attempts and by setting an account expiry date.

3. Security of IIS Authentication

1) Anonymous user access: allows anyone to access the server anonymously; this has the lowest security of the three methods.

2) Basic authentication: the user name and password are transmitted over the network in plain text, so its security is only average.

3) Windows NT Challenge/Response: the browser and the IIS server exchange credentials in encrypted form, which effectively prevents eavesdropping; this is a highly secure form of authentication (supported by IE 3.0 or later).
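The "User security" and "Security of IIS authentication" items above are configured through the IIS 2/3 property pages. The following script is an added example, not code from the original article, that does the same on IIS 7 or later with the WebAdministration module: it disables anonymous access, enables Windows (challenge/response) authentication, shows why Basic authentication counts as plain text by building and decoding a constructed Authorization header, flags any site that has Basic enabled without requiring SSL, and sets the password-length, password-age and lockout policy for local accounts. The site name and the sample credentials are assumed placeholders.

```powershell
# Added example (not from the original article): IIS authentication hardening for the
# "User security" and "Security of IIS authentication" items, IIS 7 or later.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site = 'Default Web Site'   # assumed site name
$auth = '/system.webServer/security/authentication'

# 1) Windows authentication is a separate role service; install it if it is missing.
if (-not (Get-WindowsFeature Web-Windows-Auth).Installed) { Install-WindowsFeature Web-Windows-Auth }

# 2) Turn off anonymous access (the IUSR identity) and require Windows authentication,
#    the challenge/response method the article rates highest.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# 3) Basic authentication only Base64-encodes "user:password"; there is no key involved, so
#    anyone who sees the header reads the password back. Constructed sample, not real credentials.
$sampleHeader = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('alice:Example-P@ss'))
$decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($sampleHeader.Substring(6)))
Write-Host "A Basic header on the wire reveals: $decoded"

# 4) Audit every site: Basic authentication enabled on a site that does not require SSL is the
#    plain-text case the article warns about.
foreach ($s in Get-Website) {
    $basicEnabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $s.Name `
                        -Filter "$auth/basicAuthentication" -Name enabled).Value
    $sslFlags = (Get-WebConfiguration -PSPath "IIS:\Sites\$($s.Name)" `
                        -Filter '/system.webServer/security/access').sslFlags
    if ($basicEnabled -and ($sslFlags -notmatch 'Ssl')) {
        Write-Warning "Site '$($s.Name)': Basic authentication enabled but SSL not required (sslFlags=$sslFlags)."
    }
}

# 5) Account policy for ordinary user accounts: minimum length, maximum age, and lockout after
#    repeated failures. net accounts applies to the local SAM; use Group Policy for a domain.
net accounts /minpwlen:8 /maxpwage:60 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

The audit loop in step 4 is the check worth keeping in a scheduled job: Basic authentication is acceptable only where the "access" section's sslFlags already contains Ssl, so the warning fires exactly on the plain-text configuration. Windows authentication needs a domain or matching local accounts, and browsers outside the intranet usually cannot complete it, which is why Basic over SSL remains common for Internet-facing sites.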

4. Access permission control

1) Set access permissions for folders and files: for folders and files placed on the NTFS file system, you must control the permissions and set different permissions for different groups and users. In addition, the NTFS audit function can be used to record reads and writes of files by members of particular groups; by monitoring "File Access", "Use of User Rights" and other events, you can discover the precursors of illegal activity by unauthorized users and prevent and stop it in time. Specific method:

Select the "Start" menu > "Programs" > start "User Manager for Domains" > select the "Audit" option under "Policies" > set the audit policy.

2) Set the access permission for the WWW directory: once a folder has been configured as a Web directory, you can control access to it from the Web site property page, and all files and subfolders in that directory inherit these security settings. In addition to the permissions provided by the NTFS file system, the WWW service provides Read permission, which allows users to read or download files in the WWW directory, and Execute permission, which allows users to run programs and scripts under the WWW directory. The specific settings are as follows:

Choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service properties page → select the "Directories" tab → select the WWW directory to be edited → select "Edit Properties" and set the directory properties.
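The NTFS permission, NTFS audit and WWW-directory Read/Execute settings above are three separate controls on the same folder. The following script is an added example, not code from the original article, that applies all three on a current Windows Server with IIS 7 or later: it replaces the inherited NTFS ACL on the Web root with an explicit set of rules, adds audit rules so that failed reads and all writes are recorded in the Security log, enables the Object Access audit subcategory that those rules depend on, and sets the IIS handler access policy to Read plus Script without Execute. The path, the content-author group and the site name are assumed placeholders; IIS_IUSRS is the real IIS 7+ worker-process group.

```powershell
# Added example (not from the original article): NTFS permissions and auditing for the Web
# directory, plus the IIS Read/Script access policy. Paths, group names and the site name
# are assumed placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$WebRoot = 'D:\inetpub\wwwroot'     # assumed Web content directory on an NTFS volume
$Site    = 'Default Web Site'       # assumed site name
$Readers = 'IIS_IUSRS'              # group under which IIS worker processes run (IIS 7+)
$Authors = 'WebContentAuthors'      # assumed local group allowed to change content

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
# -Audit is required so the SACL is read and written along with the DACL.
$acl = Get-Acl -Path $WebRoot -Audit

# 1) Replace inherited permissions with an explicit set: IIS reads, authors modify, nobody else.
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited rules
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$grants = @(
    @{ Identity = 'SYSTEM';         Rights = 'FullControl'    },
    @{ Identity = 'Administrators'; Rights = 'FullControl'    },
    @{ Identity = $Readers;         Rights = 'ReadAndExecute' },
    @{ Identity = $Authors;         Rights = 'Modify'         }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $g.Identity, $g.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}

# 2) Audit failed reads by anyone (probing) and all writes by anyone (tampering). Matching
#    events appear in the Security log as event ID 4663 once Object Access auditing is on.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Read',  $inherit, 'None', 'Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write', $inherit, 'None', 'Success, Failure')))
Set-Acl -Path $WebRoot -AclObject $acl

# Object Access auditing is off by default; the SACL above produces nothing until this runs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3) IIS-level rights for the site: Read for static files and Script for ASP/ASP.NET, but no
#    Execute, so a file dropped into the directory cannot be run as a native executable.
Set-WebConfiguration -PSPath 'IIS:\' -Filter '/system.webServer/handlers' -Metadata overrideMode -Value Allow
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter '/system.webServer/handlers' `
                             -Name accessPolicy -Value 'Read, Script'
```

The NTFS rules and the IIS accessPolicy are evaluated independently: the worker process needs ReadAndExecute on NTFS to serve anything at all, while accessPolicy decides whether a request may run a script or a native binary through a handler. Leaving Execute out of accessPolicy is the modern equivalent of the article's advice to grant Execute only where programs must run.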

5. IP address control

IIS can allow or deny service requests from specific IP addresses and can allow only the users of specific nodes to access the service. You can configure it so that network users outside the specified IP addresses cannot access your Web server. The specific settings are as follows:

Choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service properties page → open the "Advanced" tab of the WWW properties page and set the IP address restrictions.

6. Port Security Implementation

For IIS services, the WWW, FTP, NNTP and SMTP services each have their own TCP port number on which they listen for and receive client requests. The commonly used port numbers are 80 for WWW, 21 for FTP and 25 for SMTP. You can change the port number to improve the security of the IIS server. If you change the port setting, only users who know the new port number can access the service, but they must specify the new port number when connecting.
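The IP address control in section 5 and the port change in section 6 are both binding-level settings on IIS 7 or later. The following script is an added example, not code from the original article, that applies both with the WebAdministration module: it installs the IP and Domain Restrictions role service if needed, denies all unlisted addresses and permits one address range, then moves the HTTP binding from port 80 to an alternative port. The site name, the permitted range and the new port are assumed placeholders.

```powershell
# Added example (not from the original article): IP address restrictions and a non-default
# port for an IIS site (IIS 7 or later). Site name, allowed range and port are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site        = 'Default Web Site'      # assumed site name
$AllowedNet  = '10.10.0.0'             # assumed address range that may reach the site
$AllowedMask = '255.255.0.0'
$NewPort     = 8080                    # assumed replacement for the default port 80
$ipsec       = '/system.webServer/security/ipSecurity'

# The "IP and Domain Restrictions" role service provides the ipSecurity section.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) { Install-WindowsFeature Web-IP-Security }

# The section is locked at server level by default; unlock it so the site may override it.
Set-WebConfiguration -PSPath 'IIS:\' -Filter $ipsec -Metadata overrideMode -Value Allow

# Deny everything that is not listed, then list the one permitted range.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $ipsec -Name allowUnlisted -Value $false
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $ipsec -Name '.' `
    -Value @{ ipAddress = $AllowedNet; subnetMask = $AllowedMask; allowed = 'true' }

# Move the HTTP binding from port 80 to the new port. Clients must then use http://host:8080/.
# This is obscurity rather than access control; the IP rule above is what restricts access.
$binding = Get-WebBinding -Name $Site -Protocol http | Where-Object { $_.bindingInformation -like '*:80:*' }
if ($binding) {
    Set-WebBinding -Name $Site -BindingInformation $binding.bindingInformation -PropertyName Port -Value $NewPort
}

# Show the resulting rules and bindings for verification.
Get-WebConfiguration -PSPath 'IIS:\' -Location $Site -Filter "$ipsec/add" | Select-Object ipAddress, subnetMask, allowed
Get-WebBinding -Name $Site | Select-Object protocol, bindingInformation
```

With allowUnlisted set to false, a request from outside the listed range receives HTTP 403.6 (IP address rejected) before any handler runs. Note that a site behind a load balancer or reverse proxy sees the proxy's address, not the client's, so the rule must be written for the proxy in that topology.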

7. IP Forwarding Security

The IIS server can provide an IP packet forwarding function. In this case the IIS server, acting as a router, forwards IP packets received on its Internet interface to the intranet. Disabling this function improves the security of the IIS service. The setting method is as follows:

Choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service properties page → select the "Protocol" tab → clear the routing (IP forwarding) option in the TCP/IP properties.
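On current Windows versions IP forwarding is a per-interface setting plus a system-wide registry switch. The following script is an added example, not code from the original article, that reports and disables both, and also stops the Routing and Remote Access service that would otherwise re-enable routing.

```powershell
# Added example (not from the original article): check and disable IP forwarding on a
# Windows host so the Web server cannot route packets between its interfaces.
#Requires -RunAsAdministrator

# Report every interface that currently forwards, for both IPv4 and IPv6.
$forwarding = Get-NetIPInterface | Where-Object { $_.Forwarding -eq 'Enabled' }
$forwarding | Select-Object InterfaceAlias, AddressFamily, Forwarding

# Disable forwarding on those interfaces.
$forwarding | Set-NetIPInterface -Forwarding Disabled

# The system-wide switch that the NT-era "IP forwarding" checkbox wrote; 0 = routing off.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$current = (Get-ItemProperty -Path $params -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($current -eq 1) {
    Set-ItemProperty -Path $params -Name IPEnableRouter -Value 0
    Write-Warning 'IPEnableRouter was set; a reboot is required for the registry change to take effect.'
}

# Routing and Remote Access turns forwarding back on when it starts, so keep it disabled too.
if (Get-Service RemoteAccess -ErrorAction SilentlyContinue) {
    Stop-Service RemoteAccess -ErrorAction SilentlyContinue
    Set-Service RemoteAccess -StartupType Disabled
}
```

Run the first two lines on their own as a periodic check: any interface listed with Forwarding = Enabled on a Web server is a configuration drift worth an alert, since nothing on a single-purpose server should need it.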

8. SSL Security Mechanism

SSL (Secure Sockets Layer) sits between the HTTP layer and the TCP layer and establishes encrypted communication between users and servers to protect information in transit. SSL is based on public and private keys: anyone can obtain the public key and use it to encrypt data, but the data can only be decrypted with the corresponding private key. When the SSL security mechanism is used, the client first establishes a connection with the server. The server sends its digital certificate and public key to the client; the client generates a random session key, encrypts it with the public key obtained from the server and sends it to the server over the network. Because the session key can be decrypted only on the server, the client and the server thereby establish a unique secure channel. The specific settings are as follows:

Choose Start > Programs > Microsoft Internet Server (Common) > Internet Service Manager → start Microsoft Internet Service Manager → double-click "WWW" to open the WWW Service properties page → select the "Directory Security" tab → click the "Key Manager" button → use Key Manager to generate the key file and the certificate request file → apply for a certificate from a certificate authority → install the certificate on the server through Key Manager → enable SSL security for the Web site.

After the SSL security mechanism is established, only clients that complete the SSL handshake can communicate with the SSL-protected Web site. When writing the URL, note that "https://" must be used instead of "http://".

Implementing the SSL security mechanism increases system overhead and places an additional burden on the server CPU, which reduces system performance to a certain extent. When planning the network, I suggest using the SSL security mechanism only for highly sensitive Web directories.
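The Key Manager procedure above corresponds, on IIS 7 or later, to an https binding with a certificate from the machine store and a per-directory "Require SSL" setting. The following script is an added example, not code from the original article, that wires a CA-issued certificate (already imported into LocalMachine\My with its private key) to an https binding and then requires SSL only for the sensitive directory, as the article recommends, leaving the rest of the site on plain HTTP. The site name, directory name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the original article): enable HTTPS on an IIS site with a CA-issued
# certificate and require SSL only for the sensitive directory. Site, directory and thumbprint
# are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site       = 'Default Web Site'              # assumed site name
$SecureDir  = 'secure'                        # assumed directory holding sensitive content
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'  # placeholder: thumbprint of the CA-issued certificate
$access     = '/system.webServer/security/access'

# 1) The certificate must be present with its private key (the Key Manager "install" step).
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint with a private key was not found in LocalMachine\My"
}

# 2) Add an https binding on 443 if the site has none, then attach the certificate to it.
if (-not (Get-WebBinding -Name $Site -Protocol https)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# 3) Require SSL with a 128-bit or stronger cipher for the sensitive directory only. Other
#    directories stay on http, which limits the CPU cost the article describes.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$SecureDir" -Filter $access `
                             -Name sslFlags -Value 'Ssl, Ssl128'

# 4) Verify the effective setting; a plain http request to the directory is now refused with
#    HTTP 403.4 (SSL required).
(Get-WebConfiguration -PSPath 'IIS:\' -Location "$Site/$SecureDir" -Filter $access).sslFlags
```

Certificate issuance itself (the "apply for a certificate" step) depends on the CA in use and is therefore left outside the script; the only requirement here is that the issued certificate, with its private key, has been imported into the machine store before the binding is created. The sslFlags value can also carry SslNegotiateCert or SslRequireCert where client certificates are wanted, but that is a separate decision from the server-side channel the article describes.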
