Security Analysis for IIS (revised version)

Source: Internet
Author: User
Tags: anonymous
Based on the security mechanism of the Windows NT kernel

1. The web file directory should be on an NTFS partition

NTFS can set permissions on individual files and directories, whereas the FAT file system provides only share-level security. Windows NT security is built on the NTFS file system, so it is best to install Windows NT on NTFS; otherwise the NT security mechanism cannot be established.

2. Modify Share Permissions

By default, a newly created share grants Everyone the "Full Control" share permission, so it is a good idea to change Everyone's default permission immediately after a new share is established and to remove Everyone from the security settings.

3. Change the system administrator account name

The specific setting method is as follows: select the "Start" menu → "Programs" → start "Domain User Manager" → select the administrator account ("Administrator") → select the "User" menu → "Rename", and change the name. Note that this step is best done at the beginning of server setup; otherwise, in Windows Server 2003 and earlier versions, some of the permission settings are lost.

4. Cancel the NetBIOS bindings on TCP/IP

An NT system administrator can manage servers on the Internet or on an intranet by constructing a mapping between the target station's NetBIOS name and its IP address, but illegal users can also take advantage of this. If such remote administration is not required, it should be cancelled immediately (through the binding options in the network properties, remove the binding between NetBIOS and TCP/IP).


Setting the security mechanism for IIS

1. Safety issues to note during installation

1 Avoid installing on the primary domain controller

After you install IIS, the IUSR_computername anonymous account is generated on the computer on which it is installed. This account is added to the Domain Users group, which gives every anonymous user who accesses the Web server the access rights of the Domain Users group; this poses a potential danger not only to IIS but to the security of the entire domain's resources. So try to avoid installing the IIS server on a domain controller, especially on the primary domain controller.

2 Avoid installation on the system partition

Installing IIS on the system partition also makes the system files accessible through IIS, making it easy for illegal users to intrude into the system partition, so you should avoid installing the IIS server on the system partition.

2. Security for users

1 Control of anonymous user access rights

The anonymous user IUSR_computername (which is randomly generated when IIS is installed) is a potential security problem for the Web server, and its permissions should be controlled. If you do not need anonymous access, you can cancel the anonymous access service for the Web. Specific method:

Select the Start menu → Programs → Microsoft Internet Server (public) → Internet Service Manager → start Microsoft Internet Service Manager → double-click WWW to open the WWW service property page → cancel its anonymous access service.

2 Control of general user access rights

You can manage general user accounts by using passwords that combine numbers with letters (including both upper and lower case), using long passwords (typically more than 6 characters), changing passwords frequently, locking out accounts after unsuccessful logon attempts, and setting an expiration date for each account.

3. IIS security: three forms of authentication

1 Anonymous user access: allows anyone to access anonymously; of the three forms, this has the lowest security.

2 Basic authentication: the username and password are transmitted over the network in plaintext; security is average.

3 Windows NT Challenge/Response: the browser communicates with the IIS server in encrypted form, effectively preventing eavesdropping; this is the form of authentication with relatively high security (requires IE 3.0 support).

4. Access rights control

1 Set access permissions for folders and files: for folders and files placed on an NTFS file system, on the one hand you can control their permissions by setting different permissions for different groups and users; on the other hand you can use NTFS's auditing capability to audit certain groups' reading and writing of files and similar actions. By monitoring actions such as "File Access" and "Use of User Objects", you can detect the early signs of illegal activity by illegal users and prevent and stop it in time. Specific method:


Select the Start menu → Programs → start the Domain User Manager → select the Audit option under the Rules tab → set the audit rules.

2 Set access to the WWW directory: for a folder that has been set up as a Web directory, you can control access to the WWW directory through the Web site property pages, and all files and subfolders under that directory inherit these security settings. In addition to the permissions provided by the NTFS file system, the WWW service provides Read access, which allows users to read or download files in the WWW directory, and Execute access, which allows users to run programs and scripts in the WWW directory. The specific settings are as follows:


Select the Start menu → Programs → Microsoft Internet Server (public) → Internet Service Manager → start Microsoft Internet Service Manager → double-click WWW to open the WWW service properties page → select the Directories tab → select the WWW directory you want to edit → choose Edit Properties and set the directory properties.

5. IP address control

IIS can be set to allow or deny service requests from specific IP addresses, selectively allowing users access to specific nodes. You can configure it to block network users outside the specified IP addresses from accessing your Web server. The specific settings are as follows:

Select the Start menu → Programs → Microsoft Internet Server (public) → Internet Service Manager → start Microsoft Internet Service Manager → double-click WWW to open the WWW service properties page → open the Advanced tab of the Web properties page → set the IP address access controls.
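The two ways the text describes of using the IP address controls (deny everyone except listed addresses, or grant everyone except listed addresses) are evaluated in this added example, which is not from the original article; the policies, address/mask pairs and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed policies in the style of IIS IP address restrictions: a default
# action plus exceptions given as (IP address, subnet mask). A single host uses
# the mask 255.255.255.255. None of these addresses come from a real deployment.
POLICY_DENY_BY_DEFAULT = {
    "default": "deny",
    "exceptions": [
        ("192.168.10.0", "255.255.255.0"),    # the internal LAN
        ("203.0.113.25", "255.255.255.255"),  # one administrator's host
    ],
}

POLICY_GRANT_BY_DEFAULT = {
    "default": "grant",
    "exceptions": [
        ("198.51.100.0", "255.255.255.0"),    # a block that should be kept out
    ],
}


def _matches(client_ip: str, addr: str, mask: str) -> bool:
    """True if client_ip falls inside the network described by addr/mask."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def is_access_granted(client_ip: str, policy: dict) -> bool:
    """Apply the default action unless the client falls into an exception."""
    in_exception = any(_matches(client_ip, a, m) for a, m in policy["exceptions"])
    if policy["default"] == "deny":
        return in_exception      # deny everyone except the listed addresses
    return not in_exception      # grant everyone except the listed addresses


def check_requests(policy: dict, client_ips: list) -> dict:
    """Map each client address to its decision, e.g. for review or logging."""
    return {ip: is_access_granted(ip, policy) for ip in client_ips}


if __name__ == "__main__":
    sample = ["192.168.10.77", "203.0.113.25", "203.0.113.26", "198.51.100.9"]
    for ip, ok in check_requests(POLICY_DENY_BY_DEFAULT, sample).items():
        print(f"deny-by-default: {ip:15} -> {'granted' if ok else 'denied'}")
```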

6. Implementation of port security

Each IIS service, whether a WWW site, an FTP site, or the NNTP or SMTP service, listens for and receives requests on a TCP port number. The commonly used port numbers are: WWW is 80, FTP is 21, SMTP is 25. You can improve the security of your IIS server by modifying the port number. If you modify the port settings, only users who know the port number can access the service, but users must then specify the new port number when accessing it.

7. Security of IP forwarding

The IIS service provides forwarding of IP packets; in that case the IIS server acts as a router and forwards IP packets received on the Internet interface to the intranet. Disabling this feature will increase the security of the IIS service. The setting method is as follows:

Select the Start menu → Programs → Microsoft Internet Server (public) → Internet Service Manager → start Microsoft Internet Service Manager → double-click WWW to open the WWW service properties page → select the Protocols tab → remove routing in the TCP/IP properties.

8. SSL security mechanism

SSL (Secure Sockets Layer) sits between the HTTP layer and the TCP layer, establishes encrypted communication between the user and the server, and ensures the security of the transmitted information. SSL works on the basis of public and private keys: any user can obtain the public key to encrypt data, but the data can be decrypted only with the corresponding private key. When the SSL security mechanism is used, the client and the server first establish a connection, and the server sends its digital certificate and public key to the client. The client randomly generates a session key, encrypts the session key with the public key received from the server, and passes the encrypted session key over the network to the server. The session key can be decrypted only with the private key on the server side, thus creating a unique secure channel between the client and the server. The specific settings are as follows:

Select the Start menu → Programs → Microsoft Internet Server (public) → Internet Service Manager → start Microsoft Internet Service Manager → double-click WWW to open the WWW service properties page → select the Directory Security tab → click the Key Manager button → generate a key file and a request file through Key Manager → apply for a certificate from a certification authority → install the certificate on the server through Key Manager → activate SSL security for the Web site.

Once SSL security is established, only SSL-enabled clients can communicate with SSL-enabled Web sites, and when entering the URL, note that the input is "https://" rather than "http://".

The implementation of the SSL security mechanism increases system overhead and adds an additional burden on the server CPU, which reduces system performance to some extent. The author recommends that you consider using SSL security only for highly sensitive Web directories when planning your network.
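The session-key exchange described in the SSL section, carried through as an added example that is not part of the original article: the server's RSA key pair uses constructed small primes purely for illustration (real keys are thousands of bits), and SHA-256 in counter mode stands in for the SSL record cipher.

```python
import hashlib

# Constructed toy RSA key pair for the server (illustration only).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
SERVER_PUBLIC_KEY = (N, E)           # sent to the client with the certificate
SERVER_PRIVATE_KEY = (N, D)          # never leaves the server


def rsa_encrypt(m: int, public_key: tuple) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: tuple) -> int:
    n, d = private_key
    return pow(c, d, n)


def keystream(session_key: int, length: int) -> bytes:
    """Derive a keystream from the shared session key (SHA-256, counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt_record(session_key: int, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


def handshake(client_session_key: int) -> dict:
    """Walk through the exchange and return what each party ends up holding."""
    # The client has the server's public key; it wraps its random session key
    # with that key and sends only the wrapped value over the network.
    wrapped = rsa_encrypt(client_session_key, SERVER_PUBLIC_KEY)
    # Only the server's private key recovers the session key.
    server_session_key = rsa_decrypt(wrapped, SERVER_PRIVATE_KEY)
    # An eavesdropper holding the public key alone cannot unwrap it.
    eavesdropper_guess = rsa_encrypt(wrapped, SERVER_PUBLIC_KEY)
    request = b"GET /secure/ HTTP/1.0"          # constructed application data
    ciphertext = encrypt_record(client_session_key, request)
    return {"server_key": server_session_key,
            "eavesdropper_guess": eavesdropper_guess,
            "ciphertext": ciphertext,
            "server_plaintext": encrypt_record(server_session_key, ciphertext)}
```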
