Security and IIS

Source: Internet
Author: User

Author: kindong Source: wangwei Network

Internet Information Server (IIS) is the most powerful and popular application in the BackOffice series. Like the other BackOffice components, IIS is built around Windows NT. It runs as a set of services on Windows NT Server, which lets it take advantage of the operating system's built-in security and management features.

Preserving the integrity of your data, however, remains a critical security issue that must be taken seriously. Because IIS is built on Windows NT Server, it inherits the operating system's authentication, access control and auditing functions. In addition, it supports the Secure Sockets Layer (SSL), which encrypts the traffic between IIS and any SSL-capable browser so that the two can communicate securely.

Attackers know that most Web and FTP sites allow anonymous access, and that such sites are often misconfigured and therefore vulnerable. The following sections describe the measures you must take so that IIS does not become the attacker's route into your network and data.

1. Use the existing Windows NT security to protect IIS

IIS gets its security from the Windows NT security model. That is, the user accounts and groups defined in the Security Account Manager (SAM) database determine what a user can do once connected to the IIS machine. It is therefore important not only to review the rights and permissions of the existing accounts, but also to restrict the rights and permissions of the account used for anonymous access.

All IIS services support extensive logging. Logging matters because the logs can be used to spot suspicious activity and, for capacity planning, to decide what should be kept and what can be dropped.

Enabling logging is easy, and the events of every service are written to the same log file. Open IIS Manager (Internet Service Manager) and double-click the server on which you want to enable logging. The Properties dialog box appears; click the Logging tab. The tab is straightforward: select Enable Logging, choose whether to log to a text file or to a SQL database, and set how often a new log file is started.

Tip: when you first install the server, set logging to start a new file daily so that you can review each day's results. After a while you can switch to whichever log rotation suits you best.

Advanced options: click the Advanced tab of the service's Properties dialog box. IIS also supports simple IP filtering: the Advanced tab lets you deny or allow access to the Web server from particular IP addresses. If you select "By default, all computers will be granted access", use the Add button to enter the specific IP addresses or address ranges that should be denied.

Alternatively, if you want strict security, select "By default, all computers will be denied access" and then build the list of hosts, by IP address, that are allowed to reach the machine. This is a powerful and valuable tool for securing your site and should not be ignored. Bear in mind that it keys only on the client's source address, so it is a coarse control: clients behind a proxy all share one address, and it does nothing to protect the accounts of the hosts you do admit.
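The following program, added here as an illustration and not part of the original article, ties the two points above together: it parses constructed log lines in the W3C extended format that IIS can write to a text file, flags a client that fails authentication repeatedly or probes for paths outside the Web root, and then evaluates the flagged address against a filter that models the Advanced tab's two policies (grant by default with a deny list, or deny by default with an allow list). The field names, addresses and the /secure/ path are assumptions made for the example.

```python
"""Added example (not from the original article): read IIS text logs, flag
hosts that look like they are probing the server, and check those hosts
against an address filter that models the Advanced tab's default-grant or
default-deny policy.

Assumptions: the log is in the W3C Extended Log File Format with a #Fields
header (IIS can write this when logging to a text file); the log lines
below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log: one ordinary visitor and one host that fails
# authentication repeatedly and then tries to walk out of the Web root.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
1999-03-01 10:00:01 192.0.2.10 - GET /default.htm 200
1999-03-01 10:00:05 192.0.2.10 - GET /images/logo.gif 200
1999-03-01 10:01:00 198.51.100.7 - GET /secure/orders.htm 401
1999-03-01 10:01:02 198.51.100.7 admin GET /secure/orders.htm 401
1999-03-01 10:01:03 198.51.100.7 admin GET /secure/orders.htm 401
1999-03-01 10:01:05 198.51.100.7 admin GET /secure/orders.htm 401
1999-03-01 10:01:09 198.51.100.7 - GET /../../winnt/win.ini 404
1999-03-01 10:01:11 198.51.100.7 - GET /scripts/%2e%2e/%2e%2e/winnt/win.ini 404
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                      # other directives: Software, Version, Date
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # truncated or malformed line: skip, do not crash
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def auth_failure_bursts(records, threshold=3, window=timedelta(minutes=1)):
    """Map client IP -> largest number of 401 responses it drew within `window`,
    for clients that reached `threshold` (a password-guessing signature)."""
    failures = defaultdict(list)
    for rec in records:
        if rec["sc-status"] == 401:
            failures[rec["c-ip"]].append(rec["timestamp"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def traversal_attempts(records):
    """(client IP, decoded path) for requests containing '..', including
    URL-encoded forms such as %2e%2e that a naive string match would miss."""
    hits = []
    for rec in records:
        path = unquote(rec["cs-uri-stem"])
        if ".." in path:
            hits.append((rec["c-ip"], path))
    return hits


class AddressFilter:
    """The Advanced tab's model: a default policy plus a list of exceptions.
    Exceptions may be single hosts or ranges written as 'network/mask'."""

    def __init__(self, default_allow, exceptions=()):
        self.default_allow = default_allow
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]

    def allows(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        return self.default_allow != listed   # being listed flips the default


def build_deny_filter(records):
    """Grant by default, deny every host the log analysis flagged."""
    bad = set(auth_failure_bursts(records)) | {ip for ip, _ in traversal_attempts(records)}
    return AddressFilter(default_allow=True, exceptions=sorted(bad))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("password guessing:", auth_failure_bursts(recs))
    print("traversal probes:", traversal_attempts(recs))
    deny = build_deny_filter(recs)
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "allowed" if deny.allows(ip) else "denied")
    # The strict alternative: deny by default, admit only the office subnet.
    strict = AddressFilter(default_allow=False, exceptions=["192.0.2.0/255.255.255.0"])
    print("strict 192.0.2.10:", strict.allows("192.0.2.10"))
```

The parser reads the field list from the `#Fields:` header rather than assuming column positions, and it decodes the requested path before looking for `..`, because an attacker who URL-encodes the dots would otherwise slip past the check. The deny-by-default filter with an empty exception list admits nobody at all, including you, so build the allow list before you switch the default.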

2. Advanced security. Like Exchange Server, Internet Information Server provides advanced security features that protect your communications. They consist of SSL (Secure Sockets Layer) versions 2.0 and 3.0 and PCT (Private Communication Technology) 1.0. SSL provides data encryption, server authentication and message integrity for TCP/IP communications.

Secure Sockets Layer (SSL) is a protocol developed by Netscape Communications and submitted to the World Wide Web Consortium (W3C) as a standard for securing Internet communications. When an SSL-capable client (Internet Explorer 2.0 and 3.x, or Netscape Navigator 3.x) connects to an SSL-capable server, a handshake takes place over the TCP/IP connection to authenticate the server and negotiate the level of security protection the session will use.

Once the connection is established, SSL encrypts and decrypts the data of whatever application protocol is in use. All requests and responses are encrypted: the Uniform Resource Locator (URL) the client requested, any other data the client submits (such as an address or credit card number), any authentication information (user name and password), and all data the server returns to the client.

SSL sits beneath application protocols such as HTTP and SMTP and above the connection protocol, TCP/IP. Microsoft Internet Information Server supports access over HTTPS (HTTP over SSL). Although SSL provides strong encryption, an SSL-encrypted transfer is slower than an unencrypted one. To avoid degrading the performance of your whole Web site, consider enabling SSL only on a virtual directory that handles highly confidential information, such as a form that submits credit card details.

You can enable SSL security on the root directory of your Web site (\InetPub\Wwwroot by default) or on one or more virtual directories. Once SSL is configured and enabled, only SSL-capable clients can communicate with the SSL-enabled WWW directory.

To enable SSL security on a Web server, perform the following steps:

1. Use Key Manager to generate a key pair file and a certificate request file.

2. Obtain a certificate from a certification authority.

3. Install the new certificate on your server.

4. Enable SSL security on the WWW service directory.

Microsoft recommends separate directories for confidential and public content, for example C:\InetPub\Wwwroot\Secure and C:\InetPub\Wwwroot\Public.

Pay attention to the following points:

(1) When generating a key pair for IIS, do not use a comma in any of the name fields, because a comma is interpreted as the end of the field. The result is an invalid request, with no warning.

(2) If you host multiple Web servers on one machine using the IIS virtual server feature, specify the IP address of the particular virtual server when you install the certificate; otherwise the same certificate is applied to every virtual server the system has created.

(3) Once SSL is enabled, any URL pointing to a document in an SSL-enabled WWW directory must use https:// rather than http://. A link that uses http:// cannot reach the secure directory.
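A check for point (3), added here as an example and not part of the original article: it scans a page for links, form actions and image references that would reach an SSL-enabled directory over plain http://. It assumes the secure content lives under the virtual directory /secure/ (substitute the directories you have enabled SSL on); the HTML and URLs are constructed for illustration.

```python
"""Added example (not from the original article): find references on a page
that would reach an SSL-enabled directory over plain http://. Assumes the
secure content lives under /secure/; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECURE_DIRS = ("/secure/",)   # assumed SSL-enabled virtual directories


class LinkCollector(HTMLParser):
    """Collect the targets of <a href>, <form action> and <img src>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for tag_name, attr in (("a", "href"), ("form", "action"), ("img", "src")):
            if tag == tag_name and attrs.get(attr):
                self.targets.append(attrs[attr])


def insecure_links(html, page_url, secure_dirs=SECURE_DIRS):
    """Return (target as written, resolved URL) for every target that resolves
    to http:// and points into a secure directory. Relative targets are resolved
    against the page's own URL, so a relative link on an http:// page is an
    http:// link even though the directory it points at requires SSL."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for target in collector.targets:
        resolved = urljoin(page_url, target)
        parts = urlsplit(resolved)
        path = parts.path.lower()      # IIS paths are case-insensitive
        if parts.scheme == "http" and any(path.startswith(d) for d in secure_dirs):
            findings.append((target, resolved))
    return findings


# Constructed sample page, served over plain HTTP from the site root.
SAMPLE_PAGE_URL = "http://www.example.com/default.htm"
SAMPLE_HTML = """
<html><body>
<a href="/public/catalog.htm">Catalog</a>
<a href="/secure/order.htm">Order (relative: inherits http)</a>
<a href="https://www.example.com/secure/order.htm">Order (correct)</a>
<form action="http://www.example.com/Secure/submit.htm" method="post">
  <input name="card"></form>
<img src="/secure/images/lock.gif">
</body></html>
"""

if __name__ == "__main__":
    for written, resolved in insecure_links(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("insecure:", written, "->", resolved)
```

The relative link is the case people miss: it looks harmless in the HTML, but on a page served over http:// the browser resolves it to an http:// URL and the request never reaches the SSL-only directory. Serving the linking page itself over https:// fixes the relative links but not an absolute http:// form action, which the checker still reports.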

Whenever you use IIS to publish information to the Internet, you must ensure the security of your network. In addition to the IIS features described above, you should do the following:

(1) Put the system partition and each IIS service on separate partitions, so that an attacker who finds a hole in one service cannot easily reach the entire machine.

(2) Use NTFS on all partitions of the machine, and make sure the user permissions are set correctly.

(3) Place the IIS server in its own domain and establish a one-way trust in which the IIS domain trusts your account domain, not the reverse. If an attacker obtains a valid account in the IIS domain, that account still cannot access your user domain.

(4) Use a separate account for each Internet service (if you plan to run more than a Web server); this makes it easier to track activity by service.

(5) Review the rights and permissions assigned to the anonymous access account. Give it the minimum it needs, which is usually read permission only.

(6) Store only non-confidential information on your IIS machine, and keep confidential information behind the firewall. Then, even if the IIS machine is compromised, the attacker still has to get through the firewall.

(7) Use the TCP/IP filtering feature of Windows NT Server to restrict the server to the ports your IIS services need. For example, if you run only a Web server, enable only port 80 (and port 443 if you enable SSL).

(8) If you use non-anonymous accounts to access the server, use an authentication method that protects the password on the wire rather than sending it in clear text.

III. Security and the Web server. The Web server is a powerful and comprehensive component of IIS, superior to comparable products, and its performance is optimized. As a service running on Windows NT Server, it provides fast, convenient and secure Web publishing for networks of all sizes.

(1) How do you protect the security of a Web server? If you plan to build a Web site, you must ensure the security of the site and its content, as well as of your network and its resources. Beyond the security measures already mentioned, there are other appropriate measures to take.

Note: because the three services provided by IIS are configured very similarly, we describe only the Web server configuration in detail, and then only the differences for the FTP and Gopher servers.

1. User and password authentication. First, understand the serious consequences of anonymous access and take preventive measures so that the account created for anonymous access has only the appropriate permissions. To set the type of access to your Web server, open IIS Manager, double-click WWW to bring up your Web server, and double-click the Web server to display the WWW Service Properties dialog box. It offers several options for configuring the Web server service; for most IIS installations the defaults are best. Two key settings, however, determine a user's level of access to the Web site: Anonymous Logon and password authentication.

If you want to allow public access, make sure Anonymous Logon is enabled. By default, when IIS is installed it creates a new user account in your user database named IUSR_ followed by the server name. For example, if the server is named SAMUEL-1, the new account is IUSR_SAMUEL-1. The account is created with limited access and added to the Domain Users, Guests and Everyone groups.

In addition, the IUSR_ account is granted the Log on Locally user right. All Web users need this right because their requests go to the Web server service, which logs on using their account; Windows NT then assigns access permissions accordingly.

If you want all users to be authenticated with specific user accounts and passwords, simply clear the Anonymous Logon option. Users then must enter a valid user ID and password before they can access server resources. If logging is enabled, you can see who is accessing the Web server and what they are doing.

The other important setting that determines your site's security is the type of password authentication you use. Basic authentication sends the user name and password essentially in clear text (Base64-encoded, which anyone on the path can decode). For maximum security, enable the Windows NT Challenge/Response option, which never transmits the password itself: the client proves that it knows the password by answering a challenge from the server, so the account information is protected in transit. (Unfortunately, only Microsoft Internet Explorer 2.0 and later support this option.)
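To make the difference concrete, here is an added example (not code from the original article, and not the Windows NT Challenge/Response algorithm itself): it decodes a Basic credential exactly as a sniffer would, and then models a challenge/response logon with a deliberately simplified HMAC-SHA256 scheme, including what happens when an eavesdropper replays a captured exchange. The user name, password and the SHA-256 key derivation are assumptions made for the illustration.

```python
"""Added example (not from the original article): why Basic authentication
exposes the password on the wire while a challenge/response scheme does not.
The challenge/response here is a deliberately simplified illustration using
HMAC-SHA256; it is NOT the Windows NT Challenge/Response (NTLM) algorithm,
only a model of the same idea: the password never leaves the client."""
import base64
import hashlib
import hmac
import secrets


def decode_basic_authorization(header_value):
    """Basic auth sends 'user:password' merely Base64-encoded: anyone who can
    read the HTTP request gets the credentials back with one decode."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("latin-1").partition(":")
    return user, password


def derive_key(password):
    """Stand-in for the server's stored password hash (assumption: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class ChallengeServer:
    """Issues a fresh random challenge per logon and accepts each one only once,
    so a captured (challenge, response) pair cannot be replayed."""

    def __init__(self, users):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, response):
        if nonce not in self.outstanding:      # unknown, expired or already used
            return False
        self.outstanding.discard(nonce)         # single use, even when the answer is wrong
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """The only thing that crosses the wire: a keyed hash of the challenge."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def logon(server, user, password):
    """Full exchange: server challenges, client answers, server verifies."""
    nonce = server.challenge()
    return server.verify(user, nonce, client_response(password, nonce))


def replay_attack(server, user, password):
    """An eavesdropper captures one legitimate exchange and tries to reuse it:
    against the same nonce (already consumed) and against a fresh nonce."""
    nonce = server.challenge()
    captured = client_response(password, nonce)
    server.verify(user, nonce, captured)                 # legitimate logon
    reuse_same = server.verify(user, nonce, captured)    # nonce already consumed
    fresh = server.challenge()
    reuse_fresh = server.verify(user, fresh, captured)   # answer to the wrong nonce
    return reuse_same, reuse_fresh


if __name__ == "__main__":
    print(decode_basic_authorization("Basic " + base64.b64encode(b"alice:s3cret").decode()))
    server = ChallengeServer({"alice": "s3cret"})
    print("good logon:", logon(server, "alice", "s3cret"))
    print("bad password:", logon(server, "alice", "guess"))
    print("replay:", replay_attack(server, "alice", "s3cret"))
```

Two caveats a practitioner should keep in mind. A captured response can still be attacked offline by guessing passwords and recomputing the keyed hash, so challenge/response protects the password from direct disclosure but not from a weak password. And the scheme protects only the logon; the rest of the session travels in clear unless the directory is also served over SSL.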

2. Directory configuration. To secure your site it is also important to configure which directories the Web server exposes and the access level for each. When you first install IIS, by default it creates a directory named InetPub (earlier versions of IIS create InetPub as well) and, beneath it, a root directory for each Internet service. The Web server's root directory is Wwwroot by default, and that is where your home page should live. You can then use the Directories tab to add new directories for additional content.

3. Web server security improvement
