Typically, most Web sites are designed to give visitors instant access to information in the most convenient way. In the past few years, the growing number of security problems caused by hackers, viruses and worms has seriously affected site availability. Although the Apache server is often a target of attackers, Microsoft's Internet Information Services (IIS) Web server is the real target.
Higher education institutions often struggle to find a balance between building vibrant, user-friendly Web sites and building high-security sites. In addition, they must now improve the security of their Web sites while facing reduced technology budgets (many private-sector organizations, in fact, face a similar situation).
For that reason, I am offering some tips for university IT managers with tight budgets to help them protect their IIS servers. Although aimed mainly at university IT professionals, these techniques also apply to any IIS administrator who hopes to improve security on a small budget. In fact, some of these tips are also useful for IIS administrators who have a generous budget.
First, develop a set of security policies
The first step in securing your Web server is to ensure that your network administrator is aware of every system covered by your security policy. If the company's executives do not regard the server as an asset that must be protected, the protection work is meaningless. This work requires a long-term effort. If the budget does not support it, or it is not part of a long-term IT strategy, administrators who spend a significant amount of time protecting the server will not receive meaningful management support.
What is the direct result when network administrators have to establish security for every aspect of their resources? Some particularly adventurous users will find themselves locked out. Those users then complain to the company's management, and management questions what the network administrator is doing. If the network administrator cannot produce a document that backs up their security work, conflict follows.
By defining Web server security levels and availability in a security policy, network administrators will be able to deploy the various software tools on different operating systems much more easily.
IIS Security Tips
Microsoft's products have always been a target, so IIS servers are particularly exposed to attackers. With this in mind, the network administrator must be prepared to carry out a number of security measures. What follows is a checklist that server operators may find very useful.
1. Keep Windows updated:
Apply all upgrades promptly and install every patch for the system as soon as it is released. Consider downloading all updates to a dedicated server on your network and publishing them from that machine as a Web site. That way, your Web server does not need direct Internet access to receive its updates.
2. Use the IIS Lockdown tool:
This tool has many practical advantages; however, use it with caution. If your Web server interacts with other servers, test the Lockdown tool first to make sure it is configured so that it does not break communication between the Web server and those other servers.
3. Remove the Default Web site:
Many attackers target the Inetpub folder and plant attacks there, causing the server to be paralyzed. The easiest way to prevent this is to disable the default site in IIS. Then, because Web worms reach your site by IP address (they may visit thousands of IP addresses a day), their requests run into trouble. Point your real Web site at a different folder, and be sure to set secure NTFS permissions on it; these are discussed in the NTFS section below.
4. If you do not need the FTP and SMTP services, uninstall them:
The easiest way into a computer is through FTP access. FTP is designed for simple read/write access, and if you authenticate to it, you will find that your username and password travel across the network in clear text. SMTP is another service that allows write access to a folder. By disabling both services, you avoid a whole class of attacks.
5. Regularly check your Administrators group and services:
One day I walked into our classroom and found an extra user in the Administrators group. This means someone has already gotten into your system, and he or she may plant a logic bomb that will suddenly destroy the entire system or consume a lot of bandwidth for the attacker's own use. Hackers also tend to leave behind a helper service; once this has happened, any action may be too late, and all you can do is reformat the disk and restore your daily backups from the backup server. Therefore, checking the list of services on the IIS server and keeping as few services as possible must be a daily task. You should know which services should exist and which should not. The Windows Resource Kit includes a useful program called Tlist.exe, which lists the services running under each Svchost instance. Run it to find hidden services you want to know about. A hint: any service whose name contains the word daemon is probably not a service that Windows itself provides, and should not exist on an IIS server.
6. Strictly control write access to the server:
It sounds easy; however, on a college campus a Web server actually has a lot of "authors". Faculty members want their course information to be accessible to remote students. Staff members want to share their work information with other employees. As a result, folders on the server may end up with extremely dangerous access rights. One way to share this information is to install a second server dedicated to sharing and storage, and then configure your Web server to point to that shared server. This lets the network administrator restrict write permission on the Web server itself to the Administrators group only.
7. Set a complex password:
I recently walked into the classroom and found signs of a possible hacker in the Event Viewer. He or she had penetrated the lab's domain structure deep enough to run a password-cracking tool against any user. If a user has a weak password (such as "password" or "changeme" or any dictionary word), the hacker can quickly and easily take over that user's account.
8. Reduce or eliminate shares on the Web server:
If the network administrator is the only person with write access to the Web server, there is no reason for any share to exist. Shares are the biggest temptation for hackers. In addition, by running a simple looping batch file, a hacker can walk through a list of IP addresses and probe each one for shares that grant Everyone/Full Control.
9. Disable NetBIOS over TCP/IP:
This one is harsh. Many users want to reach the Web server through a UNC path name; with NetBIOS disabled, they cannot. On the other hand, with NetBIOS disabled, hackers cannot see the resources on your local area network. It is a double-edged sword, and if the network administrator deploys it, the next step is educating Web users on how to publish information without NetBIOS.
10. Use TCP port blocking:
This is another harsh tool. If you know every TCP port used to reach your server for legitimate reasons, you can open the Properties of your network interface card, select the bound TCP/IP protocol, and block every port you do not need. Be careful with this tool, because you do not want to lock yourself out of the Web server, especially if you need to log on to it remotely.
11. Carefully examine *.bat and *.exe files:
Search for *.bat and *.exe files once a week, checking the server for the executables hackers like best; missing one will be a nightmare for you. Among these destructive files there may also be *.reg files. If you right-click one and choose Edit, you can see what the hacker has made to gain access to your system's registry. You can remove the registry keys that serve no legitimate purpose but give intruders convenient access.
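The daily checks in tips 5 and 11 are easiest to keep up if they are scripted against a known-good baseline. The following PowerShell script is an added example (not code from the original article); it assumes PowerShell 5.1 or later on the IIS host, and the paths in $WebRoot and $BaselinePath are placeholders to replace with your own.

```powershell
# Added example, not code from the original article. Assumes PowerShell 5.1+ on the IIS host;
# $WebRoot and $BaselinePath are placeholders you choose.
param(
    [string]$WebRoot      = 'D:\WebContent',             # assumed location of the real site
    [string]$BaselinePath = 'C:\Admin\iis-baseline.json' # assumed location of the known-good snapshot
)

function Get-ServerSnapshot {
    # Everything is rendered to sorted strings so the snapshot survives a JSON round trip unchanged
    [ordered]@{
        Admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } | Sort-Object)
        Services = @(Get-CimInstance -ClassName Win32_Service |
                     ForEach-Object { '{0}|{1}|{2}' -f $_.Name, $_.StartMode, $_.PathName } | Sort-Object)
        # Executables and .reg files under the web root, hashed so a silently replaced binary shows up too
        Files    = @(Get-ChildItem -Path $WebRoot -Recurse -File -Include *.exe, *.bat, *.cmd, *.reg -ErrorAction SilentlyContinue |
                     ForEach-Object { '{0}|{1}' -f $_.FullName, (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } | Sort-Object)
    }
}

function Compare-Snapshot {
    param($Baseline, $Current)
    foreach ($key in 'Admins', 'Services', 'Files') {
        $old = @($Baseline.$key); $new = @($Current.$key)
        foreach ($item in $new) { if ($old -notcontains $item) { [pscustomobject]@{ Category = $key; Change = 'ADDED';   Item = $item } } }
        foreach ($item in $old) { if ($new -notcontains $item) { [pscustomobject]@{ Category = $key; Change = 'REMOVED'; Item = $item } } }
    }
}

$current = Get-ServerSnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the state you have verified by hand as the baseline
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath. Review it, then re-run this script daily."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$changes  = @(Compare-Snapshot -Baseline $baseline -Current $current)
if ($changes.Count -eq 0) { Write-Host 'No changes since baseline.'; return }
$changes | Format-Table -AutoSize
# The article's hint: a service with "daemon" in its name is probably not part of Windows
$changes | Where-Object { $_.Category -eq 'Services' -and $_.Item -match 'daemon' } |
    ForEach-Object { Write-Warning "Unexpected service: $($_.Item)" }
```

Any ADDED row in the Admins or Services category, or a changed hash in Files, is the signal the tip describes; update the baseline only after you have explained the change.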
12. Managing IIS Directory Security:
IIS directory security lets you deny specific IP addresses, subnets, or even domain names. As an alternative, I chose a piece of software called Whoson, which lets me see which IP addresses are trying to access specific files on the server. Whoson lists a series of exceptions. If you find someone trying to access your Cmd.exe, you can choose to deny that user access to the Web server. Of course, on a busy Web site this could require a full-time employee! On an intranet, however, it is a genuinely useful tool. You can make resources available to all intranet users, or only to specific users.
13. Use NTFS security:
By default, your NTFS drives grant Everyone/Full Control unless you manually turn it off. The key is not to lock yourself out: different accounts need different permissions. Administrators need Full Control, the background management account also needs Full Control, and System and each service need a level of access that depends on the particular files. The most important folder is System32, and the less access granted to that folder, the better. In
Using NTFS permissions on a Web server can help you protect important files and applications.
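Tips 6, 8 and 13 all come down to one question: which shares and folders let a broad group such as Everyone or Users write to the Web server? The following PowerShell script is an added example (not from the original article); it assumes Windows Server 2012 or later (for the SmbShare cmdlets) and that $WebRoot is a placeholder for the folder holding your real site.

```powershell
# Added example, not from the original article. Assumes Windows Server 2012+ (SmbShare module)
# and that $WebRoot points at the folder holding the real site (a placeholder; change it).
param([string]$WebRoot = 'D:\WebContent')

# Broad principals that should never hold write access on a Web server
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON'
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Find-RiskyShares {
    # Every non-administrative share that has an Allow entry for a broad principal
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{ Kind = 'Share'; Object = "\\$env:COMPUTERNAME\$($share.Name)"; Principal = $_.AccountName; Right = $_.AccessRight }
        }
    }
}

function Find-RiskyNtfsAcls {
    param([string]$Path, [switch]$Recurse)
    $dirs = @(Get-Item -Path $Path)
    if ($Recurse) { $dirs += Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue }
    foreach ($dir in $dirs) {
        (Get-Acl -Path $dir.FullName).Access | Where-Object {
            $r = [int]$_.FileSystemRights
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            # 0x50000000 = GENERIC_WRITE | GENERIC_ALL, which inherited ACEs often carry instead of named rights
            (($r -band [int]$WriteRights) -ne 0 -or ($r -band 0x50000000) -ne 0)
        } | ForEach-Object {
            [pscustomobject]@{ Kind = 'NTFS'; Object = $dir.FullName; Principal = $_.IdentityReference.Value; Right = $_.FileSystemRights }
        }
    }
}

# Shares, the whole web root tree, and (non-recursively) the System32 folder the article singles out
$findings = @(Find-RiskyShares) + @(Find-RiskyNtfsAcls -Path $WebRoot -Recurse) + @(Find-RiskyNtfsAcls -Path "$env:windir\System32")
if ($findings.Count -eq 0) { Write-Host 'No broad write access found.' } else { $findings | Format-Table -AutoSize }
```

Each row names a share or folder where a broad group can write; the fix is to replace that entry with explicit permissions for the Administrators group and the specific service accounts that need it.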
14. Manage User accounts:
If you have installed IIS, you may have created a TsInternetUser account. Unless you really need this account, disable it. It is easily compromised and is a well-known target for hackers. To help manage your user accounts, make sure your local security policy is sound. The permissions of the IUSR account should also be as small as possible.
15. Audit your Web server:
Auditing has a big impact on your computer's performance, so if you are not going to review it regularly, do not enable it. If you really will use it, audit system events and bring in the audit tool when you need it. If you are using the Whoson tool mentioned earlier, auditing is less important. By default, IIS always logs access, and Whoson places those records in a very easy-to-read database that you can open in Access or Excel. If you review the anomaly database often, you can find the server's weak points at any time.
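Tips 12 and 15 both rely on noticing, in the access logs, the client that keeps asking for Cmd.exe and then denying it. The following PowerShell script is an added example (not from the original article and not part of Whoson): it parses IIS W3C log lines, counts suspicious requests per client address, and prints (without running) the IIS 7+ command that would add a deny rule; the log lines are constructed for the demo with documentation-range IP addresses, and $LogPath is a placeholder for a real log file.

```powershell
# Added example, not from the article. The log lines below are constructed for the demo;
# pass -LogPath to point at a real IIS W3C log (e.g. under %SystemDrive%\inetpub\logs\LogFiles).
param([string]$LogPath, [int]$Threshold = 3)

# Requests the article singles out (Cmd.exe), plus the traversal/encoding tricks used to reach it
$SuspiciousPatterns = 'cmd\.exe', '\.\./', '\.\.\\', '%c0%af', '%2e%2e', '%255c', '/scripts/', '/_vti_bin/', 'xp_cmdshell'

$SampleLog = @'
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:01:02 192.0.2.10 GET /index.htm - 200
2003-05-01 10:01:05 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2003-05-01 10:01:06 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2003-05-01 10:01:07 198.51.100.7 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 404
2003-05-01 10:02:00 192.0.2.11 GET /courses/cs101.htm - 200
'@

function Get-SuspiciousClients {
    param([string[]]$Lines, [int]$MinHits = 1)
    $fields = @(); $hits = @{}
    foreach ($line in $Lines) {
        # The #Fields header tells us which column is which; other # lines are metadata
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}; for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        $ip = $rec['c-ip']; if (-not $ip) { continue }
        $target = "$($rec['cs-uri-stem'])?$($rec['cs-uri-query'])"
        $matched = $SuspiciousPatterns | Where-Object { $target -match $_ } | Select-Object -First 1
        if (-not $matched) { continue }
        if (-not $hits[$ip]) { $hits[$ip] = [pscustomobject]@{ ClientIP = $ip; Hits = 0; Patterns = @(); LastSeen = '' } }
        $h = $hits[$ip]; $h.Hits++; $h.LastSeen = "$($rec['date']) $($rec['time'])"
        if ($h.Patterns -notcontains $matched) { $h.Patterns += $matched }
    }
    $hits.Values | Where-Object { $_.Hits -ge $MinHits } | Sort-Object -Property Hits -Descending
}

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $SampleLog -split "`r?`n" }
$bad = @(Get-SuspiciousClients -Lines $lines -MinHits $Threshold)
$bad | Format-Table ClientIP, Hits, LastSeen, @{ n = 'Patterns'; e = { $_.Patterns -join ', ' } } -AutoSize
# Print, rather than run, the WebAdministration command for a server-wide deny rule (IIS 7+ with the
# "IP and Domain Restrictions" feature installed); review the address before applying it
foreach ($b in $bad) {
    "Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/ipSecurity' -Name '.' -Value @{ ipAddress = '$($b.ClientIP)'; allowed = 'False' }"
}
```

With the sample log, only 198.51.100.7 reaches the threshold (three Cmd.exe requests); the two ordinary visitors are not reported.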
Summary
All of the IIS tricks and tools above (except Whoson) are built into Windows. Remember to apply these techniques and tools one at a time, testing your site's accessibility after each one. If they are deployed all at once, the result may cost you dearly: you may lock yourself out and be forced to reboot.
Last tip: log on to your Web server and run netstat -an at the command line. Look at how many IP addresses are trying to connect to your ports; then you will have a whole lot of investigating to do.