IIS6 Security Configuration in Windows Server 2003

Source: Internet
Author: User

There are three main aspects of IIS security configuration to note:

    • Set home directory permissions
    • Remove unwanted extension mappings
    • Remove dangerous IIS components
  1. When installing IIS, make sure that only the required services are installed; optional features such as Index Server, FrontPage Server Extensions and the sample WWW site are not recommended.
  2. Turn off unnecessary services. Unnecessary services are not a good thing: shutting them down, especially the ones the administrator does not understand and the more dangerous ones, avoids bringing trouble to the system and also saves some system resources. The following services can be turned off on the server:
    • Computer Browser: Maintains an up-to-date list of computers on the network and provides this list to programs that request it.
    • Task Scheduler: Allows programs to run at specified times.
    • Routing and Remote Access: Provides routing services to enterprises in LAN and WAN environments.
    • Removable Storage: Manages removable media, drives, and libraries.
    • Remote Registry Service: Allows remote registry operations.
    • Print Spooler: Loads files into memory for printing at a later time. If you need to use a printer, do not disable this service.
    • Distributed Link Tracking Client: Sends notifications when files move between NTFS volumes in a network domain.
    • COM+ Event System: Provides automatic publishing of events to subscribed COM components.
    • Alerter: Notifies selected users and computers of administrative alerts.
    • Messenger: Transmits net send and Alerter service messages between clients and servers.
    • Telnet: Allows remote users to log on to this computer and run programs.
  3. Open IIS Manager, delete the default Web site and all of the directories under it, and delete the corresponding files from the disk. Create the Web root directory on a non-system partition, for example a folder named "Webmain" on drive D as the root of the site.
  4. In IIS Manager, right-click Web Sites in the list on the left, select New > Web Site from the pop-up menu, and follow the wizard's prompts, choosing the directory created in the previous step as the site's home directory.
  5. Right-click the newly created site name, select Properties from the pop-up menu to open the site properties dialog box, select the Home Directory tab, select the Read check box, and choose Scripts only in the Execute Permissions list below it. Note that after an operating system service pack is installed, the IIS application mappings should be reset: installing a new service pack brings some application mappings back, which reopens the security hole. This is a problem that is easily overlooked.
  6. On the Home Directory tab, click the Configuration button to open the Application Configuration dialog box, and on the Mappings tab remove the IIS extension mappings you do not need, such as .idc, .htr, .stm, .ida, .htw, .shtml and .shtm. If your server uses only ASP, you can delete everything except .asp and .asa.
  7. Next, restrict the use of dangerous components. If file-system and user-account permissions are set correctly on the server, the FSO, XML and Stream components can be regarded as safe, because they have no permission to reach outside their own folder or site. The most dangerous components are WSH (Windows Script Host) and Shell, because they can run programs such as EXE files on the server's hard drive; they should be removed. You can remove these two components with the following commands:

The commands are as follows (run from an administrative command prompt; %SystemRoot% stands for the Windows system folder, usually C:\WINDOWS on Windows Server 2003):

regsvr32 /u %SystemRoot%\system32\wshom.ocx
regsvr32 /u %SystemRoot%\system32\shell32.dll
del %SystemRoot%\system32\wshom.ocx
del %SystemRoot%\system32\shell32.dll
(Note: shell32.dll generally cannot be deleted; it can only be unregistered.)
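Steps 2, 5 and 6 above can also be applied from a script, which is useful for reapplying them after a service pack puts the application mappings back. The following VBScript is an added example and is not code from the original article; it assumes the new site's metabase identifier is 1 (check it with iisweb.vbs /query) and that only ASP is in use, so only the .asp and .asa mappings are kept.

```vbscript
' Added example (not from the original article): applies steps 2, 5 and 6
' on IIS 6 / Windows Server 2003. Run it with cscript from an administrative
' command prompt, and run it again after installing a service pack.
Option Explicit
Dim siteId : siteId = "1"   ' assumption: metabase ID of the site created in step 4

' --- Step 2: stop and disable the listed services through WMI ---
' Service names are the short names behind the display names in the article.
' Remove "Spooler" from the list if this server needs to print.
Dim services : services = Array("Browser", "Schedule", "RemoteAccess", _
    "NtmsSvc", "RemoteRegistry", "Spooler", "TrkWks", "EventSystem", _
    "Alerter", "Messenger", "TlntSvr")
Dim wmi : Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Dim name, svc
For Each name In services
    For Each svc In wmi.ExecQuery("SELECT * FROM Win32_Service WHERE Name='" & name & "'")
        If svc.State <> "Stopped" Then svc.StopService
        svc.ChangeStartMode "Disabled"
        WScript.Echo "Disabled service: " & name
    Next
Next

' --- Step 5: home directory permissions = Read + Scripts only (no Execute) ---
Dim root : Set root = GetObject("IIS://localhost/W3SVC/" & siteId & "/ROOT")
root.AccessRead = True
root.AccessScript = True
root.AccessExecute = False

' --- Step 6: keep only the .asp and .asa application mappings ---
' Each ScriptMaps entry has the form ".ext,C:\path\to\handler.dll,flags,VERBS"
Dim kept : kept = Array()
Dim entry, ext
For Each entry In root.ScriptMaps
    ext = LCase(Split(entry, ",")(0))
    If ext = ".asp" Or ext = ".asa" Then
        ReDim Preserve kept(UBound(kept) + 1)
        kept(UBound(kept)) = entry
    Else
        WScript.Echo "Removing mapping: " & ext
    End If
Next
root.ScriptMaps = kept
root.SetInfo
WScript.Echo "Kept " & (UBound(kept) + 1) & " mapping(s) on site " & siteId
```

The mappings are written at the site's ROOT level, so they override the server-wide defaults that a service pack restores; compare the Mappings tab in IIS Manager before and after running it.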