Improve the FTP security of IIS: the administrator's Nine Yin Manual

The Nine Yin Manual is the secret text that many martial artists seek. The martial art of system administration has its own secrets of the same kind, and here we introduce some practical techniques for improving the security of the FTP service in IIS.

Network security engineers face all kinds of attacks, and attacks on FTP are inevitably among them. The usual view of an administrator is that the FTP service shipped with Windows is weak and cannot be secured, so a third-party FTP program is installed on the Windows server instead. After several years of working with it, I found that the FTP server built into IIS, combined with the right system settings, meets those requirements very well.

A maintenance FTP server is one that is not public or is rarely used: it is used only by the network administrators or security engineers who maintain the server. Such a system is badly needed in daily work, but precisely because it is not public its security often receives too little attention, and attackers like such targets. This article shows how to use the little-known IIS FTP server to build a highly secure FTP server for administrator maintenance.

Part one: the basics

Manual, chapter 1: Yijin bone forging -- specify the FTP IP address and change the default port

1. Build the FTP server on a dedicated IP address
Take a typical Windows Server 2003 system as an example. After IIS and the FTP service are installed, choose Start > Administrative Tools > Internet Information Services (IIS) Manager, point to "FTP Sites", right-click and select New > FTP Site to open the FTP Site Creation Wizard.
In this wizard we focus on two things: assigning a dedicated IP address to the secure maintenance FTP server being created, and changing its port.

2. Communicate on an unusual port
We recommend not keeping the default value in the "Port" field, but using an uncommon port number greater than 10000 and less than 65535. Many port scanning tools do not scan these ports by default, and even an attacker who sets the scan range by hand rarely chooses a rule such as 1-65535, for reasons of time and speed. This confuses attackers: they do not realise that a service is listening on a high port. Even if a scanner does find the port, the unfamiliar port number means the attacker does not immediately know which service is running there, and only a more detailed probe reveals the FTP service. Next we configure the security of the new FTP server in detail.

Manual, chapter 2 -- customize detailed FTP logging

The IIS FTP service has a very complete and rich logging system, and using it to record the running state of the FTP server at all times is very important.

1. Enable FTP server logging
By default, logging is already enabled for each site under "FTP Sites" in IIS Manager.

2. Advanced log configuration for the FTP server
Unlike an ordinary FTP server, a secure FTP server needs its logging defined in detail, because what gets recorded is exactly what characterises an attacker or a possible attack. The advanced rules to customize are as follows. "New log schedule": this option controls when each new log file is started; by default a new FTP log file is started each day.
Suppose an attacker bypasses the various restrictions and runs a large distributed brute-force attack against the FTP server. With the default log settings a single very large file may be produced; log files sometimes reach tens of GB and can even exhaust the space on the system disk, disrupting normal operation. Therefore FTP logs must first be rolled over by file size: under "New log schedule" select "When file size reaches" and enter 20 MB, so that a new log file is started at that size. "Log file directory": this option is very important. It defines where the FTP logs are stored, by default "C:\WINDOWS\system32\LogFiles". Any default that attackers know well must be changed, within the permitted range. In addition, to protect the disk holding the operating system, we recommend directing the FTP logs to a folder kept separately for each FTP user, to which that user is not granted access.

3. Define detailed logging rules for the FTP server logs
After the generation rule and the path are configured, the record type must be configured in detail. A log file that captures the behaviour of the vast majority of attackers and users should contain the following fields:
date (not selected by default; select it manually);
time (selected by default);
client IP address (selected by default);
user name (not selected by default; select it manually);
method (selected by default);
URI stem (selected by default);
protocol status (selected by default);
Win32 status (selected by default);
time taken (not selected by default; select it manually);
user agent (not selected by default; select it manually).
Note that it is not the case that the more the logging system records the better: logging each access (by an attacker or a normal user) consumes resources, and the records need storage space, so if too many items are recorded the log files may consume a great deal of disk space.

Manual, chapter 3 -- cancel anonymous access

Anonymous access is the default setting of the FTP server; it lets ordinary users access FTP. But for an FTP server with sufficient security this setting must be removed. Removing anonymous access is simple: point to the FTP site in IIS Manager, right-click and select Properties, open the "Security Accounts" tab, and clear "Allow anonymous connections".

Manual, chapter 4: Heart-Crushing Palm -- enforce secure password rules

Whether deliberately or not, some users' FTP account passwords are far too simple. To improve the security of the FTP server, especially a maintenance FTP server that must be strongly secured, complex account passwords must be enforced.

1. Group Policy overview
In Windows, password rules are controlled by Group Policy. Put simply, a Group Policy setting modifies configuration in the registry; but Group Policy manages and configures the settings of many objects in an organised, batch fashion, which is far more convenient, flexible and powerful than editing the registry by hand. Point to Start > Run and enter "gpedit.msc" to open the Group Policy editor of Windows Server 2003. In the left navigation pane point to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy; many security rules for passwords can be set here.

2. Enable the "Password must meet complexity requirements" policy
Find "Password must meet complexity requirements" in the right pane, double-click it, select "Enabled" and click OK to make it take effect. When this policy is enabled, the complexity check runs whenever an account password is changed or created, and the password must meet these minimum requirements:
a. it cannot contain the account name;
b. it cannot contain more than two consecutive characters of the user name;
c. it must be at least six characters long;
d. it must contain characters from at least three of the following four categories: uppercase letters (A-Z), lowercase letters (a-z), base-10 digits (0-9), and special characters (such as !, $, #, %).

3. Enable the minimum password length policy
In addition, double-click "Minimum password length" to set the minimum length of passwords.
For example, setting the minimum length to 8 characters greatly improves the security of the FTP users, and indeed of the system users, and so of the system as a whole.

Manual, chapter 5 -- use dedicated accounts to access the FTP service

The users of a maintenance FTP server are generally the network administrators, so there is no question of a large user base; the accounts are used individually by the organisation's administrators. In this case, when building the server with the IIS FTP service, first remove the default anonymous access, then create dedicated FTP accounts, and finally assign each dedicated account its own directory.

1. Create the dedicated FTP accounts
Suppose five administrators maintain the server regularly, each with different duties; then at least five dedicated FTP accounts are needed:

net user ftp01 pass11@!Wd /add

Repeat the command to create ftp01 through ftp05.

2. Create the FTP folder for each dedicated account
After the dedicated accounts are created, each must be assigned an FTP directory: as system administrator, locate the FTP root folder and create a folder for each user, for example the ftp01 folder for user ftp01 and the ftp02 folder for user ftp02.

Part two: advanced

The steps above only create a few simple accounts and are far from achieving secure FTP; the following sections complete the setup in detail.

Manual, chapter 6: Nine Yin White Bone Claw -- use NTFS to restrict FTP user permissions

After the FTP users for the administrators are created they cannot be used directly; detailed permissions must be set for each account.

1. Move the FTP users into the Guests group
By default, system users created with the "net user" command belong to the "Users" group and have a certain level of rights in the system. First remove the new accounts from the "Users" group and make them members of the "Guests" group. Run the following command to remove a created account from the "Users" group:
net localgroup users ftp01 /delete
Run the following command to add the account to the system's "Guests" group:
net localgroup guests ftp01 /add
Now all the FTP accounts are in the "Guests" group and have very few rights. After moving the FTP users to their new group, permissions must be set on each user's folder.
2. Remove all inherited permissions from the FTP folders
Take the ftp01 folder belonging to the ftp01 account as an example. Logged on as a system administrator, right-click the folder, choose Properties and open the "Security" tab: by default many permissions have been inherited from the parent folder, and these default permissions are what we need to remove. Trying to delete them, however, produces the system prompt: "Because SYSTEM inherits permissions from its parent, you cannot delete this object. To delete SYSTEM, you must prevent the object from inheriting permissions. Disable the option for inheriting permissions, and then try to delete SYSTEM again." Because the permissions are inherited from the parent folder they cannot be removed directly: click "Advanced" to open "Advanced Security Settings", and disable inheritance there before removing the inherited entries.
3. Assign folder access permissions to the FTP users
At this point the folder is no longer usable by most users of the system, and even the administrator cannot open it directly, so the FTP account must be granted access. Under the folder's "Security" tab select "Add", then "Advanced" > "Find Now", and select the dedicated FTP user created above. Ftp01 receives some permissions by default: "Read & execute", "List folder contents" and "Read". Since the maintenance FTP used by system administrators usually needs to upload files, the "Write" permission must also be selected. Everything above is basic FTP configuration; once it is complete, a maintenance FTP server with a certain level of security exists. For high security, however, further settings are required.
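The account and folder steps above, done in one pass from the command line. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the FTP host, that $FtpRoot is the FTP site's home directory, and that icacls is available (Windows Server 2003 SP2 or later). It keeps Administrators on each folder, which the article's GUI steps do not.

```powershell
# Added example, not code from the original article: provision the dedicated maintenance
# accounts and their folders, mirroring the net user / net localgroup / NTFS steps above.
# Assumptions: elevated PowerShell on the FTP host, $FtpRoot is the FTP site's home
# directory, and icacls is available (Windows Server 2003 SP2 or later).
$FtpRoot  = 'D:\ftproot'                          # assumed FTP home directory
$Accounts = 'ftp01', 'ftp02', 'ftp03', 'ftp04', 'ftp05'

Add-Type -AssemblyName System.Web                 # for Membership.GeneratePassword

foreach ($name in $Accounts) {
    # 14 characters with at least 3 non-alphanumerics satisfies the complexity policy
    # enabled earlier; 14 also avoids the "longer than 14 characters" prompt from net user.
    $password = [System.Web.Security.Membership]::GeneratePassword(14, 3)

    # The password is on the command line for the instant net.exe runs; acceptable on an
    # administrator-only host, but do not paste this line into a logged batch job.
    net user $name $password /add /passwordchg:yes | Out-Null

    # net user puts every new account into Users; demote it to Guests as the article does.
    net localgroup users  $name /delete | Out-Null
    net localgroup guests $name /add    | Out-Null

    # One private folder per account under the FTP root.
    $dir = Join-Path $FtpRoot $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # /inheritance:r removes every ACE inherited from the parent, the command-line
    # equivalent of disabling inheritance in Advanced Security Settings. Only the explicit
    # grants below remain. Administrators are kept so the folder stays manageable (this
    # script's choice; the article's GUI steps leave only the FTP user).
    icacls $dir /inheritance:r | Out-Null
    icacls $dir /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    # M = read, execute, write and delete, applied to the folder, its files (OI) and its
    # subfolders (CI): the "read & execute / list / read" defaults plus "write" from above.
    icacls $dir /grant "${name}:(OI)(CI)M" | Out-Null

    Write-Host "$name -> $dir"
    Write-Host "  initial password (hand over out of band): $password"
}

# Show the resulting ACLs for review.
Get-ChildItem $FtpRoot | ForEach-Object { icacls $_.FullName }
```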
Manual, chapter 7: White Whip -- enforce a maximum password age and a password history policy

Administrators may come under brute-force attack. On a secure FTP server used by a few people, each user should change the password regularly, at an interval the user can accept, to shorten the time available to a brute-force attack, and should take care over password protection. In Windows Server 2003 the "Maximum password age" and "Enforce password history" group policies achieve this. Specifically: how do we limit the time available for brute forcing without disturbing users' normal work? With the maximum password age policy. And how do we break the insecure habit, common among users and administrators alike, of rotating among 2 or 3 fixed passwords? With the password history policy.
1. Enable the maximum password age policy
To greatly shorten the time in which a brute-force attack can be mounted and greatly reduce its chance of success, without affecting users' normal work, users must be required to change their FTP passwords regularly, and Group Policy can enforce this. Run "gpedit.msc" to open the Group Policy editor. Under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy you will see "Minimum password age" and "Maximum password age". The "Maximum password age" setting determines how long (in days) a user may keep a password before having to change it; that is, it controls the number of days after which the user must change the password, and the administrator can set it to between 1 and 999 days. There are three cases: if it is set to 0 the password never expires; if it is between 1 and 999 days, "Minimum password age" must be less than the maximum password age; and if the maximum password age is 0, the minimum password age may be any value between 1 and 998 days. We recommend a password expiry of 30 to 90 days. This is a proven security policy: attackers then have only a limited period in which to crack a user's password. Used together with the maximum age above, about 30 days is a reasonable setting.
2. Enable the password history policy
The "Enforce password history" policy means that a user's new password may not be the same as the passwords used before it, so an old password cannot be reused until it has dropped out of the history. This ensures that old passwords are not reused within a certain period and makes the account safer. Note that for the "Enforce password history" policy to be effective, "Minimum password age" must be set greater than 0: without a minimum password age, users can keep changing the password until they get back to their favourite old one. The default setting does not follow this recommendation, which is why an administrator can assign a user a password and then have the user change it at logon. If the password history is set to 0 the user is not obliged to choose a new password, so set the password history to 1 or higher.
Manual, chapter 8: Soul-Moving Art -- assign an account lockout policy

With the settings so far, the password security policy is assured. But against the headache of brute-force attacks, how do we give the maintenance FTP server a strong defence? That needs an account lockout policy.
1. Define the account lockout threshold
The lockout policy sits in Group Policy under Computer Configuration > Windows Settings > Security Settings > Account Policies, next to the password policy. Double-click "Account lockout threshold". This setting determines the number of failed logon attempts that cause the FTP user account to be locked out; until an administrator resets the locked account or the lockout duration expires, the locked account cannot be used. In other words, once the number of logon failures set by the administrator is reached, the account is locked. The administrator can set the number of failed logon attempts to between 0 and 999; a value of 0 means the account is never locked. In general, to defend against brute-force or social-engineering attacks, set the maximum number of logon attempts to between 5 and 10, so that an attacker who exceeds it locks the account automatically.
2. Define the account lockout duration
After the lockout threshold is set, enable the "Account lockout duration" policy. This sets how long an FTP account stays locked: once locked, the account can be used again only after this time has elapsed.
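The password complexity, minimum length, password age, password history and lockout settings above can be applied in one go with secedit, the command-line counterpart of the gpedit.msc steps. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the FTP host and a writable C:\Temp, and the 30-minute lockout duration and reset window are this script's own choice.

```powershell
# Added example, not code from the original article: apply the password and lockout
# settings described above with secedit. Assumptions: elevated PowerShell on the FTP host
# and a writable C:\Temp.
$cfg = 'C:\Temp\secpol.cfg'
$db  = 'C:\Temp\secpol.sdb'
New-Item -ItemType Directory -Path (Split-Path $cfg) -Force | Out-Null

# Values taken from the article: complexity on, at least 8 characters, 30-day maximum age,
# a minimum age above 0 so the history policy bites, remember at least 1 old password,
# lock after 5 failed attempts. Lockout duration and reset window (minutes) are this
# script's choice.
$settings = @{
    PasswordComplexity    = 1
    MinimumPasswordLength = 8
    MaximumPasswordAge    = 30
    MinimumPasswordAge    = 1
    PasswordHistorySize   = 1
    LockoutBadCount       = 5
    LockoutDuration       = 30
    ResetLockoutCount     = 30
}

# Export the current local policy so that only the keys above are changed.
secedit /export /cfg $cfg | Out-Null
$lines   = @(Get-Content $cfg)
$section = [array]::IndexOf($lines, '[System Access]')
if ($section -lt 0) { throw "No [System Access] section in $cfg" }

foreach ($key in $settings.Keys) {
    $value   = $settings[$key]
    $pattern = "^\s*$key\s*="
    if (@($lines -match $pattern).Count -gt 0) {
        # Key already present: rewrite it in place.
        $lines = $lines | ForEach-Object { if ($_ -match $pattern) { "$key = $value" } else { $_ } }
    } else {
        # LockoutDuration and ResetLockoutCount are omitted from the export while lockout
        # is off, so append a missing key directly under the section header.
        $lines = $lines[0..$section] + "$key = $value" + $lines[($section + 1)..($lines.Count - 1)]
    }
}

# secedit wrote the template as Unicode; keep that encoding when writing it back.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Verify: net accounts prints the effective local password and lockout policy.
net accounts
```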
Manual, chapter 9: Demon-Subduing Fist -- enable Directory Security to prevent most FTP attacks

After the settings above, an FTP server that is both sufficiently secure and efficient has been set up. But for a maintenance FTP server dedicated to the administrator, the following setting raises overall security by at least two levels! Whatever form an FTP attack takes, logging on is its most basic step and the objective of most attacks. If the system administrator uses the method of "one guard holding the pass", cutting the FTP logon function off from illegitimate users altogether, attackers have nothing to work with: even a brute-force attack that yields an FTP account password gives no right to log on, and at least 90% of attacks are dealt with! In the IIS FTP server, "Directory Security" implements this, although the exact policy depends on the administrator's environment. Point to the FTP site in IIS Manager, right-click and select Properties, open "Directory Security", select "Denied access", and click the "Add" button to define the single computers and groups of computers that are allowed access. Directory Security, once configured, is a mechanism that judges an FTP user by the IP address the logon comes from: "Denied access" means FTP requests from all IP addresses are rejected by default, unless the IP address of the computer requesting the FTP logon appears in the "Except those listed below" list. With this setting the administrator controls access by individual IP address, or extends absolute trust to a very small set of addresses.
For example, in a large company network where every employee connects with a fixed IP address, or where Internet access goes through an egress gateway with a fixed IP address, the administrator can define a single computer or group of computers that alone may use the FTP server; all other IP addresses cannot reach it. Once this is set up, every external attacker is shut out of the FTP server. This feature may, however, fall short in two cases:
First, the attacker not only spoofs his way onto the Internet but also deceives the server into treating him as one of the permitted hosts, and can then attack the FTP server. Such an attack is too difficult, though, and I believe few attackers are willing to try it.
Second, the attacker uses a penetration attack to take control of a computer that shares the administrator's IP address, such as a colleague's machine, and then launches the FTP attack from there. Of course, such a penetration attack is itself harder than an FTP attack, so attacks of this kind are rare in practice.
The manual's general principles: a final drill on the configured server

Where there is defence there is attack. No security engineer can claim that the defence system he built is perfect and cannot be cracked, so what follows is a theoretical attack-and-defence drill against the maintenance FTP server protected by the measures above. If attackers use traditional brute-force cracking, the reinforced FTP server cannot be exhausted: not only does it have an IP restriction policy (the Directory Security policy), but even if the attacker obtains a computer or IP address that is allowed to use the FTP server, there is a high probability of being stopped by the hidden port, the password policy, the password rotation policy, the account lockout policy and the related security policies of the FTP server. With current network technology, the success rate of cracking the secure FTP server above should be close to zero. If attackers want to use a vulnerability, leaving aside whether the Directory Security policy can be bypassed, the existing published vulnerabilities do not currently apply (it cannot be ruled out that some very capable attacker has found a devastating IIS FTP vulnerability but not published it). If attackers use sniffing to obtain the password of the FTP server above, they still have to solve the Directory Security (IP policy) problem and the possibility of regular password changes. In general, as attack and defence technology keeps improving, the IIS FTP server may turn out to have vulnerabilities, but as far as current technology goes, the security of the FTP service on its own (not counting vulnerabilities in other services on the server) has been greatly improved.
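The drill above assumes brute-force attempts get stopped; the logging configured earlier is how you would actually see them being tried. This is an added example, not code from the original article: it reads an IIS FTP log in W3C format, takes the column names from the #Fields header so it matches whatever fields were enabled, and counts failed logons per source address. It assumes the IIS 6 convention of logging the FTP command as "[session]PASS" with status 530 for a rejected logon, and the log lines embedded below are constructed for the demonstration.

```powershell
# Added example, not code from the original article: count failed FTP logons per source
# address in a W3C-format IIS FTP log. Columns come from the #Fields header, so the code
# works with whichever fields were enabled in the logging configuration above.
# Assumed format: IIS 6 logs the FTP command as "[session]PASS" and a rejected logon as 530.
# The log lines below are constructed for the demonstration.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-12-20 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status time-taken
2010-12-20 08:00:01 203.0.113.5 - [1]USER ftp01 331 0 0
2010-12-20 08:00:01 203.0.113.5 - [1]PASS - 530 1326 15
2010-12-20 08:00:02 203.0.113.5 - [2]USER ftp01 331 0 0
2010-12-20 08:00:02 203.0.113.5 - [2]PASS - 530 1326 15
2010-12-20 08:00:03 203.0.113.5 - [3]USER ftp02 331 0 0
2010-12-20 08:00:03 203.0.113.5 - [3]PASS - 530 1326 16
2010-12-20 08:00:04 203.0.113.5 - [4]USER administrator 331 0 0
2010-12-20 08:00:04 203.0.113.5 - [4]PASS - 530 1326 15
2010-12-20 08:00:05 203.0.113.5 - [5]USER root 331 0 0
2010-12-20 08:00:05 203.0.113.5 - [5]PASS - 530 1326 15
2010-12-20 08:12:40 198.51.100.7 - [6]USER ftp02 331 0 0
2010-12-20 08:12:40 198.51.100.7 - [6]PASS - 530 1326 16
2010-12-20 08:12:55 198.51.100.7 - [7]USER ftp02 331 0 0
2010-12-20 08:12:55 198.51.100.7 ftp02 [7]PASS - 230 0 31
'@

function Get-FailedFtpLogons {
    param(
        [string[]] $Lines,
        [int] $Threshold = 5    # the low end of the 5-10 lockout threshold recommended above
    )
    $fields   = $null
    $failures = @{}
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'   # column names, in file order
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or $line.Trim() -eq '') { continue }
        $values = $line.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # A PASS command answered with 530 ("not logged in") is one failed logon attempt.
        if ($row['cs-method'] -match 'PASS$' -and $row['sc-status'] -eq '530') {
            $ip = $row['c-ip']
            if (-not $failures.ContainsKey($ip)) { $failures[$ip] = 0 }
            $failures[$ip]++
        }
    }
    # Report only the sources at or above the threshold, busiest first.
    $failures.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        Sort-Object Value -Descending |
        ForEach-Object { New-Object PSObject -Property @{ SourceIP = $_.Key; FailedLogons = $_.Value } }
}

# Run against the embedded sample (flags 203.0.113.5 with 5 failures; 198.51.100.7 stays
# below the threshold). For a real server pass Get-Content of the daily log file from the
# log directory chosen above.
Get-FailedFtpLogons -Lines ($sampleLog -split "`r?`n") | Format-Table SourceIP, FailedLogons -AutoSize
```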
This article was originally published at: http://os.51cto.com/art/201012/239821.htm
This article is from the blog "Li Chengguang's original technology blog".