Building a high-security server with IIS

Source: Internet
Author: User

If your computer is a fresh installation of Windows NT4 or Windows 2000, it is not suitable for direct use as an Internet server. Although Microsoft has released many patches, there are still holes. Now let's talk a little about how to use IIS to build a server with high security.

I. Security mechanisms based on Windows NT

1) Apply the SP6 patches on NT and the SP2 patches on 2K. Convert the disk's file system to NTFS (the system partition can be converted during installation, or afterwards with a tool). At the same time, use permissions to remove the Everyone group's write and modify rights, and remove its access rights to key directories such as Winnt\repair.

2) Change the share permissions. On NT, go to Start menu -> Programs -> Administrative Tools -> System Policy Editor, then choose "Open Registry" from the File menu and modify the Windows NT Network settings to remove it. On 2K, you can write a .bat file containing net share C$ /delete and place it in the machine's startup tasks.

3) Rename the system administrator account. At the same time, change the system administrator password to a strong one: more than 10 characters long, and containing numbers, letters, "!" and other kinds of characters.

4) Disable NetBIOS over TCP/IP. Remove the binding between NetBIOS and TCP/IP through the Bindings options in the network properties.

5) Installing other services. Try not to install a database or other services on the same server. If you do, the most important point is that the database password must not be the same as the system login password.

II. Setting up security mechanisms for IIS

1) Fix the problem in IIS4 and earlier versions where a DoS attack stops the service. Run Regedt32.exe and go to:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters

Add a value with Value Name: MaxClientRequestBuffer and Data Type: REG_DWORD, entered as Decimal. The specific value is the maximum URL length you want IIS to accept. The CNNS setting is 256.

2) Delete the HTR script mapping.

3) Set the /_vti_bin directory under the IIS Web server to prohibit remote access.

4) In the IIS management console, click Web Site, Properties, select Home Directory, Configuration (starting point), Application Mappings, and remove the HTW and webhits.dll mappings.

5) If the installed system is 2K, install q256888_w2k_sp1_x86_en.exe.

6) Delete: C:\Program Files\Common Files\system\msadc\msadcs.dll.

7) If you do not need Index Server, disable or uninstall the service. If you do use Index Server, disable the "Index this resource" option for directories that contain sensitive information.

8) Fix the Unicode vulnerability: on 2K install 2kunicode.exe; on NT install Ntunicode86.exe.
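
An added example, not part of the original article: a Python check for step 1 of section II, run against a REGEDIT4-style text export of the W3SVC\Parameters key. It assumes such an export is available; the function names and sample exports are constructed here, and the default limit of 256 is the figure quoted in step 1. Exported .reg text stores DWORDs in hexadecimal, so the decimal 256 entered in Regedt32 appears as dword:00000100.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters"
VALUE = "MaxClientRequestBuffer"

def parse_reg(text):
    """Parse REGEDIT4-style export text into {key_lower: {name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def audit(text, limit=256):
    """Return (status, value) for MaxClientRequestBuffer; limit is the wanted maximum."""
    values = parse_reg(text).get(KEY.lower())
    if values is None:
        return ("missing-key", None)
    raw = values.get(VALUE.lower())
    if raw is None:
        return ("missing-value", None)      # step 1 was never applied
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if not m:
        return ("wrong-type", raw)          # e.g. created as a string value
    size = int(m.group(1), 16)              # .reg text stores DWORDs in hex
    return ("ok" if size <= limit else "too-large", size)

def sample(value_line):
    """Build a constructed export containing only the audited key."""
    return "REGEDIT4\n\n[" + KEY + "]\n" + value_line + "\n"

# Constructed sample exports (not taken from a real server).
GOOD = sample('"MaxClientRequestBuffer"=dword:00000100')    # 0x100 = 256
HEX_SLIP = sample('"MaxClientRequestBuffer"=dword:00000256')  # 0x256 = 598
UNSET = sample('"ExampleOtherValue"=dword:00000001')

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("HEX_SLIP", HEX_SLIP), ("UNSET", UNSET)):
        print(name, audit(text))
```

The HEX_SLIP case is what results from typing 256 with the Hex radio button selected instead of Decimal: the server then accepts requests up to 598 bytes rather than 256.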

After the above settings, I still dare not say it is completely safe, so do not go back to sleep! But you can relax!

Although Microsoft's products are easy to use, they are also among the most vulnerable of their kind. As a network administrator, pay attention to newly discovered vulnerabilities and take appropriate measures in time, so that you are prepared!


