Many Web servers are deployed in the Windows 2003 Server system environment. However, by default, the server system has many security vulnerabilities. Many hackers or illegal attackers often make full use of these vulnerabilities, to attack the Web websites deployed in the system. To improve the running security of web servers, we need to take timely measures to prevent various script attacks on Web servers. below, this article has contributed a few tricks to keep Web servers away from script attacks. I hope these content will help you maintain your server system securely! Chinaz.com
Start with access permissions to prevent script attacks [Chinese webmaster website]
When a website visitor accesses the content on the Web server, it generally uses the "iusr_servername" User Account to perform access operations. Ordinary visitors have the permissions that can be performed on the Web server, it is determined by the permissions of the "iusr_servername" user account. By default, the "iusr_servername" user account is automatically created by the Windows 2003 Server System During IIS creation, this user account is often automatically opened for anonymous users who can easily access the website database without authentication. To prevent normal anonymous users from executing script programs on the Web server at will, resulting in various security risks on the server, it is necessary to set the permissions of the "iusr_servername" user account, the following describes how to set access permissions: [Chinese webmaster website]
First, log on to the Windows 2003 Server with the super Administrator account, and click "start", "program", "attachment", and "Windows Resource Manager" commands on the desktop of the system, in the system resource manager window that appears, find the folder where the home directory of the Web server is located, right-click the Home Directory icon, and run the "properties" command from the shortcut menu, open the attribute setting window of the home directory of the website. In this window, we need to delete the "everyone" account's access permission to all disk partitions in the server system, to prevent any common user from potential security attacks on the server. [Chinese webmaster site]
Because the "everyone" account is the parent object set by any user or group permission, before you delete the access permission of the "everyone" account, we must first Delete the sub-object permission inheritance relationship to the parent object. When deleting this permission inheritance relationship, we can click the "Security" tab in the Home Directory attribute settings window of the website, open the Security tab page shown in 1, click the "advanced" button on the tab page to go to the advanced security settings window of the main directory, in the settings window, check that "the parent item's inheritance permission is allowed to be propagated to this object and all sub-objects. Including the projects explicitly defined here: "whether the project is in the selected state. If this option is found to have been selected, We must promptly remove it from the selected state, then the system will pop up the prompt window shown in 2, asking if we want to copy the access permission of the parent object to the sub-object. At this time, we can click the copy button, in this way, we do not need to reset the permissions of administrator users in the future.
Chinaz.com
[Chinese webmaster site]
Figure 1 chinaz.com
Next, we can set the permissions of the "iusr_servername" user account. When setting the "iusr_servername" User Account permission, select the "iusr_servername" user account from the "Group or user name" list box shown in Figure 1, then, in the permission list box under the Account, set "list folder directories", "write", "read", and other permissions to "allow ", do not set "full control", "Read and run" and other permissions to allow. In addition, for folders that do not require write operations through the Web, you only need to grant permissions such as "list folder directories" and "read" to the "iusr_servername" user account. At this point, the "iusr_servername" User Account of ordinary website visitors has no right to execute scripts, so these ordinary Guest users will naturally not be able to launch various forms of script attacks on the Web server, in this way, the security of the Web server can be guaranteed to a certain extent. [Chinese webmaster site]
Chinaz.com
Figure 2
[Chinese webmaster site]
Start with Script permissions to prevent script attacks
Chinaz.com
From the perspective of the types of files stored on websites, the types of files stored on Web servers are mainly divided into two categories: script files in various forms and non-script files, this includes common webpage files, database files, and image files of various formats. Therefore, to protect the security of web servers, it is necessary to set the execution permissions for different types of files to ensure that various script files in the web server can be executed securely and stably, avoid arbitrary execution of non-script files.
[Chinese webmaster site]
When setting the execution permission for the script file, we can click the "Start", "program", "Administrative Tools", and "Internet Information Service Manager" commands in sequence, in the pop-up IIS Console window, find the specified folder for storing various script files, right-click the icon corresponding to the folder, and execute the "attribute" command from the shortcut menu that appears later, open the Property setting window for the corresponding folder. Chinaz.com
Figure 3
Chinaz.com
Click the "directory" tab in the settings window to open the tag page shown in 3. In the "application settings" Area of the page, click the drop-down button on the right of "execution permission, select the "Pure script" option from the drop-down list that will pop up later, and click the "OK" button. In this way, the script file in the specified directory can be executed by the website server, files that are not of the script type will not be executed. Follow the same operation method to open the attribute setting interface for other directories on the website, and set the application execution permission for other directories to "NONE ", in this way, scripts or common files in other directories will not be executed by the website server system.
Chinaz.com
Start with site configuration to prevent script attacks
Chinaz.com
Once the ASP script under the database file is rejected according to the above method, many people will think that they will not be able to continue to use the ASP script execution error method to prevent the website database file from being maliciously downloaded; in fact, we only need to modify the application configuration parameters of the target website, which can also effectively protect the malicious download of website database files. Next, this article takes the protection of access-type databases as the operating blueprint, to introduce to you how to start from the site configuration, to protect the website database files from malicious download specific settings: chinaz.com
First, log on to the computer system of the IIS server as the super administrator, then, run the "Start", "program", "Administrative Tools", and "Internet Information Service Manager" commands on the desktop to open the IIS Console window of the server system, find the target website option from the list area on the left of the window, right-click the website option, and run the "attribute" command from the shortcut menu, enter the attribute Configuration window of the target website.
[Chinese webmaster site]
Click the "main directory" tab in the configuration window, and click the "configuration" button on the corresponding tab page to open the application configuration interface shown in 4; click the Add button on the configuration page To Go To The add dialog box shown in step 5. In the "extension" text box, enter ". mdb, enter an EXE file in the executable file text box, use the default values for other parameters, and click OK to complete the settings. Then, when we try to access the database file content of the target website from IE again, the error message indicating that the corresponding page cannot be found will pop up in IE, in this way, the database of the target website will not be maliciously attacked by malicious users, so that the security of the web server will be guaranteed to a certain extent!
[Chinese webmaster site]
[Chinese webmaster site]
Figure 4 [Chinese webmaster station]
Figure 5 [Chinese webmaster station]
Summary:
Of course, there are still many ways to protect the secure running of web servers. One of the most effective and regular ways of use is to install various security patches for the server system in a timely manner, this method can be said to be fundamental to protecting the secure operation of web servers!