IIS 7.5 Security Configuration Research (recommended) - Windows Server

Source: Internet
Author: User
Tags: anonymous

Operating system: Windows Server 2008 R2 Enterprise Service Pack 1 x64
IIS version: IIS 7.5
Application: ASP.NET

Installation of IIS7.5

Common HTTP Features: enable Static Content, Default Document and HTTP Errors. Do not enable Directory Browsing or WebDAV Publishing unless there is a specific need for them. HTTP Redirection can be enabled as needed.

Application Development: enable according to the actual application, for example ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters for an ASP.NET site, and Server Side Includes only if needed. If SQL Server 2008 is also installed on the server, it appears that ASP.NET and .NET Extensibility must be selected as well.

Health and Diagnostics: it is recommended to enable HTTP Logging, Logging Tools and Request Monitor; enable the others as needed.

Security: it is recommended to enable URL Authorization, Request Filtering and IP and Domain Restrictions; enable the others only if required.

Performance, Management Tools, FTP Server and IIS Hostable Web Core can be enabled as required.
Community note: if you need to run Safedog (a server security product) you must also install IIS 6 Management Compatibility.
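The feature selection above, scripted as an added example (this is not from the original article). It uses the ServerManager module that ships with Windows Server 2008 R2 and must be run in an elevated PowerShell session; the feature names are the module's own, and the list of application-development features is an assumption you should adjust to what the application actually needs.

```powershell
# Added example: install the IIS 7.5 feature set recommended above on
# Windows Server 2008 R2, leaving out Directory Browsing, WebDAV Publishing
# and the FTP server, then verify that those stay uninstalled.
Import-Module ServerManager

$wanted = @(
    'Web-Server',                                              # Web Server (IIS) role
    # Common HTTP Features ('Web-Dir-Browsing' and 'Web-DAV-Publishing' deliberately left out)
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    # Application Development (assumed ASP.NET site; adjust as needed)
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # Health and Diagnostics
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor',
    # Security
    'Web-Url-Auth', 'Web-Filtering', 'Web-IP-Security',
    # Management Tools
    'Web-Mgmt-Console'
)

# Only needed if Safedog (or anything else relying on IIS 6 Management Compatibility) is used:
# $wanted += 'Web-Mgmt-Compat'

$result = Add-WindowsFeature -Name $wanted
if (-not $result.Success) { throw 'Feature installation failed' }
$result.FeatureResult | Format-Table DisplayName, Success -AutoSize

# Verify that the components we want to stay off are really not installed.
$mustBeOff = 'Web-Dir-Browsing', 'Web-DAV-Publishing', 'Web-Ftp-Server'
foreach ($f in (Get-WindowsFeature -Name $mustBeOff)) {
    if ($f.Installed) {
        Write-Warning "$($f.Name) is installed; remove it with: Remove-WindowsFeature $($f.Name)"
    } else {
        Write-Host "$($f.Name): not installed (OK)"
    }
}

if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A reboot is required to complete the installation' }
```

Re-running the script is harmless: Add-WindowsFeature skips features that are already present, and the final loop is the check worth keeping in a build script, since a later administrator can switch WebDAV on from the GUI without anyone noticing.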

Introduction to IIS7.5 permission configuration


--------------------------------------------------------------------------------

IIS 7.5 involves two accounts: the anonymous account and the application pool identity. In the NTFS permissions on the disk, the anonymous account only needs Read access to the site directory, while the application pool identity needs whatever permissions the application actually requires: Write if it writes files, Execute if it needs to launch a program (such as cmd.exe). In short, access to a file first requires the anonymous account to have access, and then the application pool identity needs the permissions that the program's operations call for.

Several basic findings from the study:

1. Write access to the upload directory is determined by the application pool identity;
2. The default application pool identity is IIS AppPool\{application pool name}, which is a member of the IIS_IUSRS group;
3. The default anonymous account is IUSR, which is a member of the Authenticated Users group;
4. Every account is effectively a member of the Users group, and remains so even after being removed from it manually (Authenticated Users is itself a member of the local Users group by default);
5. After a webshell is uploaded, which directories it can see is determined by the application pool identity;
6. In this test environment, the Users group had write access to the site directory by default;
7. Whether an ASPX file runs does not depend on the NTFS Execute permission;
8. The anonymous account only needs Read permission on the website directory;
9. The application pool identity also needs only Read permission to run ASPX, but it needs Write permission to write files and Execute permission to run other programs.
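The findings above can be checked on a live server rather than taken on trust. The script below is an added example, not part of the original article: for every site it resolves the real application pool identity and anonymous account (findings 2 and 3) and then prints what those principals, plus Users, Everyone and Authenticated Users, hold on the site root (findings 1, 6, 8 and 9). It assumes the WebAdministration module that ships with IIS 7.5 and an elevated PowerShell 2.0 session.

```powershell
# Added example: audit the identities IIS 7.5 uses per site and the site root ACL.
Import-Module WebAdministration

foreach ($site in Get-Website) {
    $root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $poolName = $site.applicationPool
    $pool     = Get-Item "IIS:\AppPools\$poolName"

    # Finding 2: identityType ApplicationPoolIdentity means IIS AppPool\<pool name>
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { $poolAccount = "IIS AppPool\$poolName" }
        'SpecificUser'            { $poolAccount = $pool.processModel.userName }
        default                   { $poolAccount = "NT AUTHORITY\$($pool.processModel.identityType)" }
    }

    # Finding 3: the default anonymous user is IUSR; an empty userName means "use the pool identity"
    $anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName
    $anonAccount = if ([string]::IsNullOrEmpty($anon.Value)) { $poolAccount } else { $anon.Value }

    Write-Host "Site '$($site.Name)'  root=$root  pool=$poolName"
    Write-Host "  application pool identity : $poolAccount"
    Write-Host "  anonymous account         : $anonAccount"

    # Findings 1, 6, 8, 9: what the interesting principals hold on the site root.
    # -contains is case-insensitive, so "IIS APPPOOL\x" from the ACL matches "IIS AppPool\x".
    $watch = @($anonAccount, $poolAccount, 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $root).Access) {
        $who = $ace.IdentityReference.Value
        if ($watch -contains $who) {
            $rights = $ace.FileSystemRights
            $flag = ''
            if ($who -ne $poolAccount -and $ace.AccessControlType -eq 'Allow' -and
                (([int]$rights -band $writeBits) -ne 0)) {
                $flag = '  <-- write granted to a principal other than the pool identity (finding 6)'
            }
            Write-Host ('  {0,-6} {1,-38} {2}{3}' -f $ace.AccessControlType, $who, $rights, $flag)
        }
    }
}
```

The flagged line is the one to look for: any Allow entry carrying write bits for Users, Everyone or the anonymous account means an upload or an injection flaw in the application is not the only way an attacker can drop a file into the site.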


Common Server Intrusion Threats and Countermeasures

Common server intrusion threats:

1. Uploading a webshell directly through WebDAV
2. Uploading a webshell through the application's own file-upload function
3. A webshell running with high privileges, which leads to privilege escalation

Measures to address these common problems:

1. Addressing WebDAV
Simply do not install the WebDAV Publishing component in the first place.

2. Preventing uploaded trojan files from executing
For the directories that need to accept uploads, open Handler Mappings in IIS, choose Edit Feature Permissions and clear Script. Even if a trojan file is uploaded into such a directory, it cannot be executed.

In addition, remove the application pool identity's Execute permission on the upload directory.

3. Preventing the trojan from seeing files outside the website directory

Make sure the application pool identity has no Read permission on other folders.

4. Preventing the trojan from running cmd

Remove the application pool identity's NTFS Execute permission.

5. Limiting the privileges of a trojan that does manage to run cmd

Use a low-privileged account as the application pool identity, preferably the default one.

Recommended Security Configurations

Simple configuration:

1. The anonymous account uses the default IUSR.

2. The application pool uses the default identity, i.e. the account IIS AppPool\<application pool name>.

3. The upload directory is set in IIS so that scripts cannot execute.

Tightened configuration:

1. The anonymous account uses the default specific user, IUSR.
2. The application pool identity uses the default IIS AppPool\<application pool name>.
3. Remove the Everyone and Users permissions on all disks.
4. Remove the permissions of all users on System32 (you need to change the owner to Administrator first).
5. Give IUSR Read permission on the website directory.
6. Give IIS AppPool\<application pool name> Read permission on the website directory; if the application has special requirements, such as writing files, give the corresponding directory the appropriate permission, such as Write.
7. Give IIS AppPool\<application pool name> Write permission, but not Execute permission, on the upload directory the website requires.
8. Remove script execution permission from the upload directory in IIS.

Attention:
1. Both configurations use the default application pool identity; if a custom account is used instead, it is best to add it to the IIS_IUSRS group.
2. When multiple sites are built in IIS 7.5 with the default application pool identity, the system uses a different identity for each application pool, i.e. a separate IIS AppPool\<application pool name> per pool.
3. The application pool identity needs Read and Execute permission on the System32 folder the first time the ASP.NET application is accessed and compiled.
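Steps 5 to 8 of the tightened configuration, together with measures 2 to 4 from the previous section, applied to one site as an added example (this script is not from the original article). The site name, paths, pool name and the assumption that the site answers on http://localhost/ are placeholders; the site and pool are assumed to exist already. Steps 3 and 4 (stripping Everyone and Users from whole disks and from System32) are deliberately not scripted, because they affect the whole server and must be done with the owner change described above. Needs an elevated PowerShell 2.0 session with the IIS 7.5 WebAdministration module.

```powershell
# Added example: NTFS and handler-mapping hardening for one IIS 7.5 site.
Import-Module WebAdministration

$siteName    = 'MySite'                      # assumed site name
$siteRoot    = 'C:\inetpub\mysite'           # assumed physical path
$poolName    = 'MySitePool'                  # assumed application pool name
$uploadDir   = Join-Path $siteRoot 'upload'  # assumed upload folder inside the site
$poolAccount = "IIS AppPool\$poolName"       # default pool identity (tightened config, step 2)

# icacls simple rights: R = read, RX = read & execute, W = write, M = modify, F = full.
# (OI)(CI) makes the entry inherit to files and subfolders.
# Drop inherited entries first so stray Users/Everyone grants from the parent do not leak in;
# that also drops Administrators and SYSTEM, so re-grant them explicitly.
& icacls $siteRoot /inheritance:r
& icacls $siteRoot /grant 'BUILTIN\Administrators:(OI)(CI)F'
& icacls $siteRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
& icacls $siteRoot /grant 'IUSR:(OI)(CI)R'                  # step 5: anonymous account reads the site
& icacls $siteRoot /grant "${poolAccount}:(OI)(CI)R"       # step 6: pool identity reads the application

# Step 7 / measure 2: Write but not Execute for the pool identity on the upload folder.
# "(R,W)" is read + write without FILE_EXECUTE, unlike "M" or "RX".
if (-not (Test-Path $uploadDir)) { New-Item -ItemType Directory -Path $uploadDir | Out-Null }
& icacls $uploadDir /grant "${poolAccount}:(OI)(CI)(R,W)"

# Step 8 / measure 2: clear Script in the upload folder's handler feature permissions.
# This writes <handlers accessPolicy="Read"> into upload\web.config (GUI: Edit Feature Permissions).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName\upload" `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'

# Measure 3: the pool identity should not have its own grants outside the site.
# Inherited Users entries on other folders are the subject of steps 3-4, not of this script.
& icacls 'C:\' /remove:g $poolAccount

# Verification: a .aspx dropped into the upload folder must not run. Expect HTTP 403, not 200.
$probe = Join-Path $uploadDir 'probe.aspx'
'<%@ Page Language="C#" %><%= "executed" %>' | Set-Content -Path $probe
try {
    $body = (New-Object System.Net.WebClient).DownloadString('http://localhost/upload/probe.aspx')
    Write-Warning "probe.aspx was executed or served: $body"
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) { Write-Host 'OK: script execution in upload\ is blocked (HTTP 403)' }
    else { Write-Warning "Unexpected HTTP status $status" }
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

Two details matter here. The handler accessPolicy change and the NTFS change are independent layers: the first stops IIS from handing the file to the ASP.NET handler at all, the second stops the worker process from launching anything the attacker drops there, and the verification request at the end only tests the first. Keep the probe step in the deployment checklist, since anyone later "fixing" a broken upload by resetting feature permissions in the GUI silently undoes step 8.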

Questions

1. During testing I found that, when accessing an ASPX application, if the anonymous account is a custom account, that custom anonymous account needs Write permission on the folder C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files; but if the default anonymous account, IUSR, is used, then the application pool account needs Write permission on this folder instead. The question is which account really needs write access to this folder, because when the default anonymous account is selected, IUSR is immediately denied write permission on this folder, and yet as long as the application pool account has Write permission there, everything works normally?

2. When the anonymous user is the default for the application, it should be IUSR, so why does the process pool account get through?
