Keep the Web server away from scripting attacks

Source: Internet
Author: User
Tags anonymous object execution iis include inheritance window access

Many Web servers are installed in Windows 2003 Server system environment, but in the default state of the server system there are many security vulnerabilities, many hackers or illegal attackers often take full advantage of these vulnerabilities, to attack the Web site erected in the system. In order to improve the security of the Web server, it is necessary for us to take timely measures to prevent all kinds of script attacks in the Web server. The following, this article for you to make a few of the Web server away from the script attack settings clever strokes, I hope these content can help you to maintain good server system!

Start from Access, guard against script attacks

When a site visitor accesses content in a Web server, it is generally through the "IUSR_servername" user account to implement the access operation, ordinary visitors to the Web server can perform the permissions, is the "iusr_servername" user account permissions to determine. By default, the "IUSR_servername" user account is created automatically by the Windows 2003 Server system during the creation of IIS, which is often opened automatically for anonymous users who do not need authentication to easily access the content of the Web site's database. In order to prevent these ordinary anonymous user to execute the script program in the Web server at will, cause the server to have each kind of security hidden trouble, we need to the "IUSR_servername" user account permissions to make some appropriate settings, the following is the specific access permission setting step:

First log in to the Windows 2003 Server system with the Super Admin rights account, click Start/Programs/attachments/Windows Explorer in the System desktop, and in the Pop-up System Explorer window, locate the folder where the Web server home directory resides. Using the right mouse button to click the Home directory icon, execute the Properties command from the pop-up right-click menu, open the Property Settings window for the site's home directory, where we need to remove the Everyone account number from all disk partition access in the server system. To prevent any common user from potentially potentially security attacks on the server.

Considering that the "everyone" account is a parent of any user or group permission setting, we must first delete the child object from the parent object's permission inheritance before removing access to the Everyone account; When you delete this permission inheritance relationship, We can click the "Security" tab in the site's Home Directory property Settings window. Open the Security tab page shown in Figure 1, click the Advanced button in the tab page and go to the Advanced Security Settings window of the home directory, and check the "Allow inheritable permissions of the parent to propagate to this object and all child objects." Include those items that are explicitly defined here "is selected, if the option is found to be selected, we must cancel it in time, and then the system will automatically pop up the prompt as shown in Figure 2, asking us if we want to copy the parent object's access rights to the child object, at which point we can click Copy button so that we do not need to reset the permissions of the Admin user in the future.

Figure 1

Next we will be able to "IUSR_servername" user account permissions are targeted settings. When setting the "IUSR_servername" user account right, we first select the "IUSR_servername" user account from the group or User Name list box shown in Figure 1, and then list the list folder, write, and read in the Permissions listing box below the account number. All permissions are set to "allow", instead of having full control, read and run permissions set to allow, and for folders that do not need to be written through the web, we simply give "IUSR_servername" permissions to "List Folder Directory", "read", and so on. The user account is OK. Here, as the site of ordinary visitors to the "IUSR_servername" user account does not have the right to execute the script, then these ordinary guest users will not be able to perform various forms of script attacks on the Web server, so that the security of the Web server can be assured to some extent.

Figure 2

Script permissions to prevent script attacks

From the type of file that the site holds, the types of files stored in the Web server are mainly divided into two categories, one is the script files in various forms, the other is not script files, which include ordinary Web pages files, database files and various formats of image files. Therefore, in order to secure the Web server, it is necessary to set the execution permissions of different types of files in a targeted manner to ensure that the various script files in the Web server can be executed securely and stably, and that the non script files are executed arbitrarily.

When you set the execution permissions for a script file, we can click the Start/program/Administrative Tools/Internet Information Services Manager command, in the pop-up IIS console window, locate the specified folder for each type of script file and right-click the icon for the folder. Open the Properties setting window for the corresponding folder by executing the Properties command from the shortcut menu that pops up later.

Figure 3

Click the Table of Contents tab in the Settings window, open the label page shown in Figure 3, on the page, in application settings, click the Drop-down button to the right of EXECUTE permission: Select the "Script only" option from the Drop-down list that pops up, and click the OK button. In that case, script files in the specified directory can be executed by the Web server, and files that are not part of the script type will not be executed. In the same way, we open the property settings interface for other directories in the Web site and set the application execution permissions for other directories to "none" in that interface, so that scripts or normal files in other directories are not executed by the Web server system.

From site configuration to prevent script attacks

Once the ASP script below the database file is rejected by the above method, many people think that they will not be able to continue using the ASP script to execute the wrong method to avoid the Web site database files being maliciously downloaded; in fact, we just need to make appropriate changes to the application configuration parameters of the target site. can also effectively protect the Web site database files are maliciously downloaded. Below, this article in order to protect the access type of the database as the operating blueprint, to friends about how to configure the site from the website to protect the site database files are malicious download the specific settings operation:

First log on to the computer system on which the IIS server resides with Super Administrator privileges, and then run the start/program/Administrative Tools/Internet Information Services Manager command on the system desktop to open the server System's IIS console window. and locate the destination site option from the list area to the left of the window, right-click the Web site option, and execute the Properties command from the pop-up right-click menu to enter the Property configuration window for the target site.

Click the Home Directory tab in the Configuration window and click the Configure button in the corresponding tab page. Open the application configuration interface as shown in Figure 4, click the Add button in the Configuration interface, enter the Add dialog box shown in Figure 5, and in the Extension text box, enter. mdb in the Executable file text box to enter a file in an EXE format, the rest of the parameters are the default values, and finally click the "OK" button to complete the relevant setup action. After that, when we try to access the contents of the database file from the target Web site again from IE browser, IE browser will not be able to find the corresponding page of the error prompted, so that the target site's database will not be malicious users of the illegal attacks, so that the security of the Web server will also be a certain degree of protection!

Figure 4

Figure 5


Of course, there are many ways to secure a Web server to run safely, there is a very effective and we need to regularly use the method is to the server system to install a variety of security patches, this method can be said to protect the Web server safe operation of the fundamental!

Related Article

Alibaba Cloud 10 Year Anniversary

With You, We are Shaping a Digital World, 2009-2019

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.