IIS security reinforcement policy-protection against attacks and intrusions

1. Buffer Overflow
 
In a simple explanation, the buffer overflow is mainly because the submitted data length exceeds the normal requirements of the server, causing the server to check the code error. Overflow methods can be divided into stack-based overflow and stack-based overflow. In versions earlier than IIS 6, Web services run under the LocalSystem account. When a hacker intrude into the account by exploiting the buffer overflow vulnerability, most administrator commands can be executed.
 
The viruses identified by this vulnerability are red code and Nimda )". EEye Digital Security discovered the HTR buffer vulnerability, a typical vulnerability, in 1996. EEye found that IIS is very vulnerable. If the attack is passed to IIS, the input value is not a string of letters but a system command that can be executed. The interpreter of the HTR File overflows the input buffer when an ultra-long file ending with. htr is in ism. dll.
 
We have never used HTR (I personally understand it), but it was used by Microsoft Script Programming earlier and has already been replaced by ASP technology.
 
Note: according to the preceding instructions, we know that the root cause of a vulnerability is. the htr file and the ism. dll is associated. dll and. the hting between htr files is broken or ism is deleted. dll.
 
2. Notorious Unicode
 
First, you need to know what is the Unicode secondary Decoding Vulnerability? Open IE and select View → encoding → Unicode (UTF-8), no encoding can contain enough characters to hold hundreds of numeric encodings before Unicode is created. For example, if you want to view a web page of Traditional Chinese (BIG5), it is impossible to implement it in your Simplified Chinese Windows system without Unicode support.
 
If an invalid user submits some special codes, IIS may mistakenly open or execute files not in the Web root directory. Unauthorized users can use the IUSR_machinename account to access any files in the user directory. At the same time, we know that this account belongs to the Everyone and Users groups by default, windows 2000 Server has the default security permission "Everyone full control". Therefore, any files accessible to these user groups may be deleted, modified, or executed.
 
Note: You can restrict the permissions of network users to access and call CMD commands. If you do not need to use the Scripts and Msadc directories, you can delete or rename them. Another problem is that, do not use the default WINNT path when installing Windows NT.
 
3. FrontPage Server Extension Vulnerability
 
For websites that install the FrontPage server, there are usually several directories starting with the letter "_ vti" in the Web directory (by default), which provide hackers with an opportunity. We can search for the default Frontpage directory from the search engine. In this case, we can return a large amount of information from the engine.
 
Note: do you really need FrontPage Server Extension? I have never used it. This is a hidden danger caused by default installation. If you do not need it, you can simply uninstall the service.
 
Suggestions on IIS reinforcement policies
 
The source code of your website will not be exactly the same, and most programmers will not provide you with only one type of code. Therefore, do not follow the following reinforcement list, especially contact the provider of the program before reinforcement. After confirmation, modify the Server Extension content in this article.
 
1. Adjust IIS logs
 
When you want to determine whether the server is under attack, logging is extremely important. The default log does not greatly help us to search for hacker records, so we must extend the W3C log record format as follows:
 
★Check whether logging is enabled, right-click the site, and select the Enable "Properties> Web site> Enable Logging" check box from the menu.
 
★Change the default Log Path. After a hacker successfully intrude into a system, the first thing to do is to clear the log. If you log on to the remote control software on the GUI or log on from the terminal, we naturally cannot protect logs. However, most popular log clearing tools Delete the default W3C log records using the command line method. Therefore, you can rewrite the path shown in figure 1 to achieve simple protection.
 
★Select W3C extended log file format from the activity log format drop-down list ". Click the "Properties> extended properties" tab and add the following information records: customer IP address, user name, method, URI resource, HTTP status, Win32 status, user proxy, Server IP address, and server port.
 
Log records are the only places we can find vulnerabilities after being intruded. For example, if you find "http get 200 (Successful file upload)" in the log, there is nothing to justify, you must have not updated the patch or enabled the upload permission. Therefore, log protection is essential to every administrator.
 
2. Delete all default examples of IIS
 
This is the content that is retained during installation on Windows 2000 and Windows Server 2003. Because these files can only be accessed locally, these default examples do not pose a threat to the Server. If you do not need them as the reference and remote management help during site creation, you can delete them and optimize the system (you need to disable the IIS service ).
 
3. Delete unnecessary extended Mappings
 
IIS 5 is pre-configured to support such. dynamic program files such as asp, but in addition to several commonly used file formats, it also supports the file types that may cause buffer overflow mentioned in this article. When IIS receives these types of file requests, this call is processed by DLL, so it is best to delete them.
 
Select "WWW Service> Edit> Home directory> application configuration", and select the target object based on the following table:
 
The new dedication of IIS 6
 
We often see reports on the security of Windows Server 2003 on the Internet. But aren't our administrators working on patch updates every day? In fact, the most direct feeling in Windows Server 2003 is the security of IIS 6. Till now, I have not found any major vulnerability in IIS 6 that can be exploited by hackers.
 
In previous versions, there was no luxury in Working Process Isolation (Worker Process Isolation) and authorized access to URLs. In addition, the main improvement is IIS's "Default availability" and "Default locking extension service" (2 ).
 
When upgrading the Server to Windows Server 2003, if you have not run the IISLockdown tool, the Server will prohibit us from providing Web services.