In fact, the practice of IIS Lockdown is not difficult

To protect the security of the IIS server, we choose to use IIS Lockdown. IIS Lockdown is easy to use. Double-click iislockd.exe and the Internet Information Services Lockdown Wizard appears. Follow the instructions in the Wizard to add a lock to the Web server.

The welcome screen appears first. Click "Next" to display the final user license agreement screen. Select the I Agree option and click "Next" to go to the server Template Selection dialog box. select a template closest to the current Server configuration. This document assumes that the Static Web Server is used) template.

Select the View Template Settings option. The wizard displays a series of dialogs about the Template type. If this option is not selected, the wizard skips these dialogs and directly enters the URLScan installation process.

Click "Next" and the Internet Services dialog box appears. This is the first page for configuring the IIS lock option. IIS Lockdown can disable or delete four types of IIS services: HTTP, FTP, SMTP, and NNTPNetwork News Transport Protocol ).

How can we know which services are necessary? In addition to the selected server template type, personal experience and comprehensive testing are equally important.

The IIS service options in the Internet Services dialog box have three statuses:

(I) Enable: the option is selected and the check box is marked, for example, Web services. The service will be disabled by clearing the mark in the check box.

(Ii) Enable, but it is recommended to disable it. E-mail service in Example 2: The option is not selected and the check box is not marked. If you retain the clear status of the check box, the service will be disabled.

(3) disabled and unavailable. Example 2: File Transfer service: if an option is grayed out, its check box is not marked, indicating that the service cannot be modified, it may be because the service is not installed or because the selected server template requires the service.

If the purpose of the server is not changed frequently, it is best to completely delete the unused service so that no one will want to activate it in other places.

Click "Next". The Script Maps Script ing dialog box is displayed in the Wizard. Script ing is used to associate a specific file extension with ISAPIInternet Server API.) The execution file is interpreted by the specified ISAPI file. For example, the. asp file type is mapped to asp. dll.

If a script file is disabled, IIS Lockdown directs the script ing to a special DLL, when a user tries to run this script file, the DLL will return the "file not found" information. To disable a certain type of file, you only need to clear the check box for this type of file in the dialog box just now.

Click "Next" to enter the Additional Security option dialog box for the last IIS Lockdown. In this dialog box, you can delete unnecessary directories and prohibit unauthorized users from accessing the file system.

After IIS is installed, there will be many virtual directories for development and learning. These directories are not required in the environment that officially provides services to users. IIS Lockdown will delete the virtual directories selected in Figure 4 dialog box, however, the data contained in these directories remains intact.