Six basic security risks easily overlooked on IIS Web servers

Source: Internet
Author: User
Tags: website, server, ntfs permissions

Attacks against Web servers can be said to be fairly low-level. Even with the best preventive measures in place, a hacker may still get through. However, in my experience, most attacks can be prevented. The main reason so many websites are hacked is that administrators ignore some basic security options.

1. Do not use the default WEB site

After the IIS Web server is installed and deployed, the system creates a default Web site. Some users develop their website directly on this site. This is a very unwise practice and may bring great security risks, because many attacks are targeted specifically at the default Web site.

For example, the default Web site lives in the inetpub folder. Some attackers like to place hacking tools, such as password-stealing and DoS tools, in this folder so that they can control these tools remotely and eventually paralyze the server. Because the configuration of the default site and its folder is basically the same on every server, attackers can execute tools on the server without any guesswork; it saves them a great deal of work. Some hacker tools that scan by IP address and service also rely on the default site.

 

Preventive measures:

In fact, this risk is easy to avoid. The simplest way is not to use the default site when creating a website; disable it instead. This is the most basic security measure. For example, on a router or other network device, the administrator must disable the default user name for security reasons, and this is the same principle. Do not use the original folder either; you can point the real Web site to a specific location of your choice. To further improve security, you can also set NTFS permissions on that folder. As you can see, this risk is easy to prevent. In reality, however, users may think it is a small matter and not pay enough attention to it, so attackers can take advantage of it.

2. Strictly control write permissions on the server

On Web servers with a lot of content and a complex structure, multiple users usually have write permission on the server. For example, on the Sina website, there are dedicated staff responsible for the news section, for the blogs, and for the forums. Many users having write permission on the website server may pose security risks: if one user's password is leaked, the server can be badly damaged. In fact, although they all have write permission on the server, their division of labor is different, and each has their own area.

Similarly, on a campus network, one Web server may host multiple websites and have multiple administrators. For example, each college has its own website, and its administrator has permission to modify the server. If permission control is not strict, the folders on the server may be in a very dangerous situation.

Preventive measures:

This preventive measure is also relatively simple. The basic principle is to grant users the minimum permissions they need. For example, you can place related content in a corresponding folder for each website section. Then each user can access only the folder for the content he is responsible for. In this case, even if an administrator user's password is leaked, only one folder is affected; it will not adversely affect other users' folders.

Second, we recommend that you do not place the Web server together with other application services. Enterprises in particular may like to deploy the Web server and the file server on the same machine to save costs. This is a very dangerous practice. On a file server, every user may have permission to write data to the server, which provides opportunities for Trojans and viruses and in turn affects the security of the Web server.

In short, the administrator must strictly restrict write permission on the Web server. When assigning user permissions, if you need to grant write permission to a user, you had better combine it with NTFS permission management so that the user can write only to their own specific folder. Second, it is best to separate the Web server from the file server, so that only a small number of users can write data to the server.
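The following PowerShell script is an added example, not code from the original article. It carries out sections 1 and 2 together: it retires the default site, serves the real site from its own folder outside inetpub, gives the worker process read-only access, and grants each section's editors write access only to their own subfolder. It assumes Windows Server with the WebAdministration module (IIS 7 or later) and an elevated prompt; the site name, paths, application pool name and the editor groups (Web-News, Web-Blog, Web-Forum) are placeholders.

```powershell
# Added example (not from the original article): retire the default IIS site,
# host the real site from its own folder, and scope write access per section.
# Assumptions: WebAdministration module available, run elevated; all names below
# are placeholders to replace with your own.
Import-Module WebAdministration

$siteName = 'CorpWeb'
$siteRoot = 'D:\Sites\CorpWeb'       # deliberately outside C:\inetpub
$appPool  = 'CorpWebPool'
$sections = @{                        # section folder -> group allowed to write there
    'news'  = 'Web-News'
    'blog'  = 'Web-Blog'
    'forum' = 'Web-Forum'
}

# 1. Stop the default site and keep it from starting again after a reboot.
if (Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue) {
    Stop-Website -Name 'Default Web Site'
    Set-ItemProperty -Path 'IIS:\Sites\Default Web Site' -Name serverAutoStart -Value $false
}

# 2. Create the content root and the real site with its own application pool.
New-Item -ItemType Directory -Path $siteRoot -Force | Out-Null
if (-not (Test-Path "IIS:\AppPools\$appPool")) { New-WebAppPool -Name $appPool | Out-Null }
if (-not (Get-Website -Name $siteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $siteName -PhysicalPath $siteRoot -ApplicationPool $appPool -Port 80 | Out-Null
}

# 3. NTFS on the root: drop inherited entries, administrators and SYSTEM keep
#    full control, the worker process gets read+execute only, and Users/Everyone
#    get nothing at all.
icacls $siteRoot /inheritance:r | Out-Null
icacls $siteRoot /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $siteRoot /grant:r ('IIS AppPool\{0}:(OI)(CI)RX' -f $appPool) | Out-Null

# 4. One subfolder per section; only that section's group receives Modify there.
#    The root entries are inherited, so a leaked editor password exposes one folder.
foreach ($section in $sections.Keys) {
    $folder = Join-Path $siteRoot $section
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    icacls $folder /grant:r ('{0}:(OI)(CI)M' -f $sections[$section]) | Out-Null
}

# 5. Verify: site state, and who holds write-capable rights under each section.
Get-Website | Select-Object Name, State, PhysicalPath
foreach ($section in $sections.Keys) {
    $folder = Join-Path $siteRoot $section
    "== $folder =="
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.FileSystemRights -match 'Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights
}
```

The verification step at the end is the check worth repeating after any later change: the only identities that should appear with Modify or FullControl under a section folder are Administrators, SYSTEM and that section's own group.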

3. Check the bat and exe files on the server from time to time

Most attackers use bat or exe files to launch attacks. Some attackers exploit the operating system's scheduled tasks to have the system call a program every day or at some other interval. These programs end with bat or exe, or with reg, and they are very destructive. For example, hackers can use such files to change the registry, create a hidden account, and send files back to the hacker.

Preventive measures:

Sometimes these files are hard to find even if the administrator has deployed antivirus software and scans the server for viruses every day. In this case, the administrator can fall back on a primitive method: search for these files by extension and check whether any of them look suspicious. My practice is that, after the Web server is deployed, I search for files using the extensions exe, bat, reg and so on, and store the file names in a table. Then I search again every day or every week and compare the result with the original table to see whether any files have been added. If there are additions, the added files may be the problematic ones. You can open them with Notepad (note that you must not double-click them) and inspect their code, or simply delete them to avoid future trouble.
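An added example of the baseline-and-compare routine described above, written here as a PowerShell script rather than taken from the article. Beyond the file names the author keeps in a table, it also records a SHA-256 hash so that a file that was replaced in place (same name, new content) is reported too, and it cross-checks scheduled tasks against any newly added file, since the section mentions attackers using scheduled tasks to run their programs. The baseline path, drive list and extension list are placeholders; the scheduled-task check assumes the Get-ScheduledTask cmdlet (Windows Server 2012 or later).

```powershell
# Added example (not from the original article): inventory executable-type files,
# keep a baseline, and report additions and modifications on later runs.
# Save as Find-NewExecutables.ps1 and run it elevated; adjust the parameters.
param(
    [string[]] $Roots      = @('C:\', 'D:\'),                     # placeholder drives
    [string]   $Baseline   = 'C:\Admin\exe-baseline.csv',        # placeholder path
    [string[]] $Extensions = @('*.exe', '*.bat', '*.cmd', '*.reg', '*.vbs', '*.ps1')
)

function Get-ExecutableInventory {
    param([string[]] $Paths, [string[]] $Include)
    Get-ChildItem -Path $Paths -Recurse -File -Include $Include -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Length   = $_.Length
                Modified = $_.LastWriteTimeUtc.ToString('o')
                Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

$current = @(Get-ExecutableInventory -Paths $Roots -Include $Extensions)

if (-not (Test-Path $Baseline)) {
    # First run: just record what is on the server today.
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline written: $($current.Count) files recorded in $Baseline"
    return
}

# Later runs: compare against the stored baseline by path and by hash.
$known = @{}
foreach ($f in Import-Csv -Path $Baseline) { $known[$f.Path] = $f.Sha256 }

$added   = @($current | Where-Object { -not $known.ContainsKey($_.Path) })
$changed = @($current | Where-Object { $known.ContainsKey($_.Path) -and $known[$_.Path] -ne $_.Sha256 })

"Added since baseline:   $($added.Count)"
$added   | Format-Table Path, Length, Modified -AutoSize
"Changed since baseline: $($changed.Count)"
$changed | Format-Table Path, Length, Modified -AutoSize

# Flag any scheduled task whose action executes one of the newly added files.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $addedPaths = @($added | ForEach-Object { $_.Path.ToLowerInvariant() })
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $addedPaths -contains $action.Execute.Trim('"').ToLowerInvariant()) {
                "Scheduled task '$($task.TaskName)' runs newly added file $($action.Execute)"
            }
        }
    }
}

# After reviewing the report, accept the current state as the new baseline:
# $current | Export-Csv -Path $Baseline -NoTypeInformation
```

Keep the baseline CSV somewhere the web content editors cannot write to, otherwise an attacker who can drop a file can also edit the record you compare it against.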

4. Strict access policies for IIS Directories

The IIS directory is an important directory on the Web server. It is like a human brain that controls the running of the Web server, so we should pay special attention to it when planning Web server security. In actual work, however, this directory does not get much attention from users. Some even use the system's default settings directly without any tracking. This may be the cause of website hacking and server paralysis later on.

Preventive measures:

For IIS directory security, I think at least two things need to be done. First, restrict access by IP address, subnet and domain name. If you find that an unknown IP address frequently pings the Web server, immediately blacklist that IP address to prevent it from accessing the IIS directory. Second, do a good job of tracking and analysis. Administrators can use software to record users' access to the IIS directory, for example whether a user attempts to access a directory they are not permitted to access. Neither restriction nor after-the-fact tracking can be left out of IIS directory security.
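The two measures above, as an added PowerShell example that is not part of the original article. The first part adds IP, subnet and domain-name deny entries to a site's IP restriction list and turns on W3C logging with the fields needed for tracking. The second part is a small parser for that log format that counts denied (401/403) and not-found (404) requests per client address and reports the addresses above a threshold; it runs on a few constructed sample lines so it can be tried offline. It assumes the WebAdministration module and the IIS "IP and Domain Restrictions" role service (Web-IP-Security); the site name, addresses and log lines are placeholders.

```powershell
# Added example (not from the original article): restrict who can reach a site
# and review its access log for clients repeatedly hitting denied or missing paths.
# Assumptions: WebAdministration module, Web-IP-Security role service installed,
# run elevated. Site name, addresses and sample log lines are placeholders.
Import-Module WebAdministration

$siteName = 'CorpWeb'
$filter   = 'system.webServer/security/ipSecurity'
$apphost  = 'MACHINE/WEBROOT/APPHOST'

# --- Part 1: restriction entries (deny list; unlisted clients stay allowed) ---
# Single address, then a whole subnet, then a domain name (the domain-name entry
# only works with reverse DNS enabled, which costs a lookup per request).
Add-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $filter -Name '.' `
    -Value @{ ipAddress = '203.0.113.45'; allowed = $false }
Add-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $filter -Name '.' `
    -Value @{ ipAddress = '198.51.100.0'; subnetMask = '255.255.255.0'; allowed = $false }
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $filter -Name enableReverseDns -Value $true
Add-WebConfigurationProperty -PSPath $apphost -Location $siteName -Filter $filter -Name '.' `
    -Value @{ domainName = 'scanner.example'; allowed = $false }

# W3C logging with client IP, user, URI, status and substatus for later tracking.
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name logFile.logFormat -Value 'W3C'
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name logFile.logExtFileFlags `
    -Value 'Date,Time,ClientIP,UserName,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,UserAgent'

# --- Part 2: find clients that keep hitting denied or missing paths ---
function Get-SuspiciousClients {
    param([string[]] $Lines, [int] $Threshold = 3)
    $fields = $null
    $hits   = @{}
    foreach ($line in $Lines) {
        # The #Fields header names the columns; later headers can change the layout.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        $rec  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['sc-status'] -in '401', '403', '404') {
            $hits[$rec['c-ip']] = 1 + [int]$hits[$rec['c-ip']]
        }
    }
    $hits.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ ClientIP = $_.Key; DeniedOrMissing = $_.Value } }
}

# Constructed sample log lines (replace with: Get-Content 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log').
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-15 08:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2024-01-15 08:00:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.45 curl/8.0 403 0 0
2024-01-15 08:00:03 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.45 curl/8.0 403 0 0
2024-01-15 08:00:04 10.0.0.5 GET /backup.zip - 80 - 203.0.113.45 curl/8.0 404 0 2
2024-01-15 08:00:05 10.0.0.5 GET /news/today.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
'@ -split "`r?`n"

# With the sample above, only 203.0.113.45 (three hits) is reported.
Get-SuspiciousClients -Lines $sampleLog -Threshold 3
```

Run the parser over the real log directory on a schedule and feed the addresses it reports into the same Add-WebConfigurationProperty call used in Part 1; that closes the loop between the tracking and the restriction the section asks for.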

5. Upgrade servers

If only one Web service is deployed on the server, we recommend that you upgrade the operating system and the IIS server as soon as possible. Patching systems and services is one of the best ways to improve Web server security. After all, many hackers attack known vulnerabilities. If these known vulnerabilities are patched, the chance of being attacked is much lower.

But pay attention to the upgrade process. If there are third-party services or non-Microsoft products on the Web server, test before upgrading. Determine whether the latest patches for the operating system and IIS conflict with the other existing services and products. Although the probability of such a conflict is relatively small, this test is indispensable.

6. Disable unnecessary services

After the IIS server is deployed, it may also carry other application services such as FTP and SMTP. These services bring significant security risks. For example, FTP is designed to meet simple read/write access needs. If you apply strict security measures to the Web server but not to the FTP service, an attacker can use the FTP server to download hacker tools onto the machine and then use these tools to launch attacks on the Web server from the inside, with a much higher success rate.

Therefore, if a service is not needed, disable it immediately. I would rather spend the time enabling it later if it turns out to be necessary. Every service is like a door in a room. If you block the doors you do not need, security work becomes much easier, because the number of "doors" to worry about is greatly reduced.
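An added PowerShell example, not from the original article, of the "close the doors" step: it stops and disables the FTP, SMTP and Telnet services if present, removes the IIS FTP role service so it cannot be switched back on by accident, and then lists what is still listening so the remaining doors are known. The service names (ftpsvc, msftpsvc, smtpsvc, TlntSvr) are the standard Windows names; the feature removal and the listener listing assume Windows Server 2012 or later with the ServerManager module.

```powershell
# Added example (not from the original article): stop and disable services the
# Web server does not need, remove the FTP role service, and list what remains.
# Assumes an elevated prompt on Windows Server 2012 or later.
$unneeded = @(
    'ftpsvc',    # Microsoft FTP Service (IIS 7.5 and later)
    'msftpsvc',  # FTP Publishing Service (IIS 6)
    'smtpsvc',   # Simple Mail Transfer Protocol
    'TlntSvr'    # Telnet
)

foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }                      # not installed on this server
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled    # survives a reboot
    "{0}: stopped and disabled" -f $svc.DisplayName
}

# Remove the FTP role service entirely rather than leaving it disabled.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name Web-Ftp-Server, Web-Ftp-Service |
        Where-Object Installed |
        ForEach-Object { Uninstall-WindowsFeature -Name $_.Name | Out-Null; "$($_.Name): removed" }
}

# Review the doors that are still open: every listening TCP port and its process.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
    } | Format-Table -AutoSize
```

On a server that should only serve HTTP and HTTPS, the final table is expected to show little more than ports 80 and 443 owned by System (http.sys) plus remote-management ports such as 3389 or 5985; anything else is a door to account for.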

Although the six points above are not very sophisticated, they are often overlooked in daily work. Starting from these points, your Web server can take a big step forward in terms of security.

 
