IIS Security: Preventing SQL Injection Attacks

Source: Internet
Author: User
Tags: ntfs permissions

IIS security checklist

http://windows.stanford.edu/docs/IISsecchecklist.htm

http://www.iisutm.com

The following is a brief list of security points. Before checking them, make sure the IIS server is online. If any of these points is violated, the administrator should understand, from the security documentation, which hazards the known security problems can cause.

General assumptions

1. IIS is not installed on a domain controller.
2. Only the required services (FTP, WWW, SMTP, NNTP) are installed. To send email without the SMTP service, use CDOSYS.DLL (a COM component supplied with Windows) or a third-party tool such as blat.exe.
3. Cross-server virtual directories are never used.
4. The underlying Windows operating system is trustworthy.
5. Only the system administrator is a local administrator.

Design Guide

1. The website should never be on the system drive.
2. If the information transmitted is sensitive, install SSL. Once SSL is enabled, require it (by removing the ability to reach the site on port 80).
3. All FTP sites, and any World Wide Web sites that need it, should enable IP filtering to "Stanford-only" addresses. IPSec filters can be used to achieve this.
4. Use virtual directories as little as possible. They are not needed unless a different drive must be used, and if a cross-drive layout is required, reconsider it in light of the security risk.
5. Remove every write permission that can be removed from the NTFS drive.
6. Do not make it easy for others to find your scripts and code. Attackers use that code to look for vulnerabilities that can be used to take control of the server.

The following are some good preventive methods:

Do not use an obvious name for your scripts directory. Consider renaming your scripts with an unusual extension, for example myscript.asp to myscript.dum. This requires adding a mapping for .dum to the appropriate code processor in the ISAPI extension mappings (in this case, asp.dll). This makes your scripts harder to find. Note that this only works if the ISAPI extension mapping is updated; renaming every .asp file to .html on its own does not achieve it.

Consider compiling all the code into DLL files. This not only protects the source code but also greatly improves performance: compiled code runs nearly 20 times faster than the original script.

Web applications (scripts and executable files) can run normally with limited permissions. Any permission beyond that can be used by an attacker to download your files and analyse your code for vulnerabilities. The minimum permissions required are NTFS: Read; IIS: Execute; IIS: Read is not required.

7. Use the Add/Remove Programs control panel on the IIS server with caution. If you open Windows Components, Windows may silently reset all ISAPI filters and extensions to their default values and reset other settings as well. This is one of Microsoft's design decisions that you need to be careful about.

Installation and configuration

1. Delete all default virtual directories (the icon is a folder with a globe on top) and application roots (the icon is a green ball in a box):
Delete iisadmin
Delete iissamples
Delete msadc
Delete iishelp
Delete scripts
Delete printers

2. Delete all default content:
Delete %systemdirectory%\inetsrv\iisadmin
Delete %systemdirectory%\inetsrv\iisadmpwd
Delete inetpub\wwwroot (or \ftproot or \smtproot)
Delete inetpub\scripts
Delete inetpub\iissamples
Delete inetpub\adminscripts
Delete %systemroot%\help\iishelp\iis
Delete %systemroot%\web\printers
Delete %systemdrive%\program files\common files\system\msadc (msadc is only required by websites that use Microsoft Access databases)

3. Configure the default website to be extremely restrictive (for example: SSL required, Integrated Windows authentication only, access allowed from a single IP address only, and a home directory whose NTFS permissions grant nothing), and then stop the website. The result is a crippled default website. 80% of attackers will blindly hit this site rather than your real one.

4. Configure every website with a Host header that matches its DNS name. Open the ISM (Internet Services Manager), go to the Web Site tab, click the Advanced button, select "All Unassigned" (or a specific IP address) in the dialog box, click Edit, and enter the Host header in the appropriate field. Do the same for HTTP and HTTPS. The default website is left without a Host header. This diverts 90% of the work of automated hacking tools to the crippled default website.

5. IIS permissions for the home directory: enable "Read" and "Log visits". Disable "Write", "Index this resource", "Directory browsing", "Script source access" (only WebDAV uses this permission), and FrontPage Web permissions. Set Execute permissions to "None", and enable Execute permissions only on directories that contain script files.

6. Disable all unnecessary ISAPI filters. To do this, open the ISM and go to the ISAPI Filters tab.

Delete the FrontPage ISAPI filter (or extensions, on earlier IIS servers). Set the FrontPage ISAPI extension to read-only. To disable the FrontPage extensions on an earlier IIS server, run the following command: "c\common\microsoft shared\web server extensions\40\bin\fpsrvadm -o uninstall -p all".

Digest authentication. This authentication method requires passwords to be stored with reversible encryption, which is a bad idea. Reversible encryption is not supported in the Stanford Windows infrastructure. Delete this filter.

HTTP compression. This filter compresses the HTTP stream. It is a useful feature, but it may reduce security.

SSL. It is unlikely that you do not need SSL support, but if you do not need it, delete it.

7. Delete the DLL files associated with the disabled ISAPI filters. FrontPage: fpexedll.dll; Digest: md5filt.dll; Compression: compfilt.dll; SSL: sspifilt.dll.

8. If possible, unmap the following extensions: idea, .stm. In the ISM, go to the Home Directory tab and click the Configuration button.

9. Disable "Enable parent paths". In the ISM, go to the Home Directory tab, click Configuration, open the App Options tab, and clear the check box. This prevents malicious traversal of the web directory tree by someone who does not know the basic structure of the directories. Web developers can then no longer use relative paths such as ..\Default.htm and must use fully qualified paths.
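The parent-path rule above can also be enforced in application code that maps a requested or included path onto the site's home directory. The following is an added example, not part of the original checklist and not IIS code: it models what disabling "Enable parent paths" achieves by rejecting any path whose ".." segments would climb above the web root, and it percent-decodes repeatedly so that double-encoded dots (%252e) are not waved through. The web root D:\wwwroot and the request strings are assumed values.

```python
"""Containment check for requested web paths (added example, not IIS code).

Rejects any request or include path that would climb above the site's
home directory with "..", so callers must supply a path that is fully
qualified under the web root.
"""
import ntpath
from urllib.parse import unquote


def _decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    a double-encoded "%252e" ends up as "." before the segments are read."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_root(web_root, requested):
    """Return the Windows path for `requested` beneath `web_root`, or None
    when the request would escape the root.

    web_root  - the site's home directory, e.g. D:\\wwwroot (assumed value;
                the checklist advises a non-system drive)
    requested - the path part of a URL, or a relative include path
    """
    decoded = _decode_fully(requested)
    segments = []
    # IIS accepts '\' as well as '/' in URLs, so normalise both to '/'.
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue            # empty or current-directory segment
        if seg == "..":
            if not segments:
                return None     # would climb above the web root: reject
            segments.pop()      # a ".." that stays inside the root is fine
            continue
        segments.append(seg)
    root = ntpath.normpath(web_root)
    return ntpath.join(root, *segments)


if __name__ == "__main__":
    # Constructed sample requests: the last three are rejected.
    for req in ("/docs/default.htm", "/docs/../default.htm",
                "/../default.htm", "/docs/%2e%2e/%2e%2e/winnt/win.ini",
                "/docs/%252e%252e/%252e%252e/private/secret.txt"):
        print(req, "->", resolve_under_root("D:\\wwwroot", req))
```

A ".." that stays inside the root (for example /docs/../default.htm) is still resolved, because that is what a fully qualified path under the root would have produced anyway; only a climb past the root is refused. Note that this is a model of the IIS setting, not a substitute for it: the setting should still be cleared on the server.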

Patch Level

1. Apply service packs and hotfixes. UpdateExpert and Microsoft's HfCheck tool can be used.

2. Install the High Encryption Pack (included with Windows 2000 SP2) and use 128-bit encryption.

Authentication Mode
1. Disable Basic authentication at the website, virtual directory, and directory levels.
2. Disable Digest authentication everywhere.
3. The IUSR and IWAM accounts should not be domain users or members of Guests. If anonymous access is not needed, delete these accounts.
4. If the web data is ultra-sensitive, consider placing the server outside the domain.

Authorization changes
1. Enable IIS auditing, switch to the W3C extended log format, and check that the information is being recorded correctly (for example, is the user name needed?). Consider enabling the following fields: date and time, client IP address, server IP address, server port, user name, HTTP method used to access the site, URI stem, URI query, and request status.
2. Configure the IIS logs so that only SYSTEM and the local Administrators group can access them.
3. Remove write permissions on HKLM\SOFTWARE for non-administrator accounts. Administrators and SYSTEM: Full Control; Everyone: Read or Execute.
4. Restrict NTFS permissions on all executable programs on the system. NTFS permissions: Administrators and SYSTEM: Full Control; Users: Read or Execute. Be careful when granting permissions to the IUSR account.
5. Restrict the permissions of any script interpreter such as Perl. NTFS permissions: Administrators and SYSTEM: Full Control; Everyone: Read/Execute. Be careful when granting permissions to the IUSR account.
6. Make sure that ordinary users have read-only permissions on:

Web root
%systemroot%
%systemroot%\system32
%systemroot%\system32\inetsrv
%systemroot%\system32\inetsrv\asp
%systemroot%\program files\common files
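Item 1 of the authorization changes asks you to confirm that the W3C extended log actually records the recommended fields. The quickest way to verify that is to read the log's own #Fields directive, since that lists exactly the columns the server is writing. The following is an added example, not part of the original checklist and not Microsoft code: it parses a W3C extended log, compares the directive against the recommended field set, and returns what is missing. The log text is constructed for the example.

```python
"""Check an IIS W3C extended log against the checklist's recommended fields
(added example, not part of the original checklist)."""

# W3C Extended Log File Format field names, mapped to the checklist's wording.
RECOMMENDED_FIELDS = {
    "date": "Date",
    "time": "Time",
    "c-ip": "Client IP address",
    "s-ip": "Server IP address",
    "s-port": "Server port",
    "cs-username": "User name",
    "cs-method": "HTTP method used to access the site",
    "cs-uri-stem": "URI stem",
    "cs-uri-query": "URI query",
    "sc-status": "Request status",
}

# Constructed sample: a log written with only some of the recommended fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-10-01 00:00:01 10.1.2.3 GET /default.htm 200
2001-10-01 00:00:02 10.1.2.3 GET /iisadmin/ 404
2001-10-01 00:00:03 10.1.2.4 POST /cgi/login.asp 401
"""


def parse_w3c_log(text):
    """Return (fields, records): the column list from the #Fields directive
    and each data line as a dict keyed by field name.
    Lines beginning with '#' are directives, not requests."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, "
                             f"got {len(values)}")
        records.append(dict(zip(fields, values)))
    return fields or [], records


def missing_recommended_fields(fields):
    """Names of recommended fields that the log is not recording."""
    present = set(fields)
    return [name for name in RECOMMENDED_FIELDS if name not in present]


def audit_log(text):
    """Convenience wrapper: returns (missing field names, number of records)."""
    fields, records = parse_w3c_log(text)
    return missing_recommended_fields(fields), len(records)


if __name__ == "__main__":
    missing, count = audit_log(SAMPLE_LOG)
    print(f"{count} requests parsed")
    for name in missing:
        print(f"missing field: {name} ({RECOMMENDED_FIELDS[name]})")
```

Run against a real log file, the same functions apply unchanged; the point of keying records by field name rather than by column position is that the column order changes whenever the logging options are edited, and a checker that assumes fixed positions will silently misread the file after such a change.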

This article is from The Love Of Water blog (http://www.uhn.cn).
See also: http://www.cnnovo.com/server/blogview-server-70_1.html
