Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞
Related Settings for IIS: Delete the virtual directory of the default established site, stop the default Web site, delete the corresponding file directory c:inetpub, configure the public settings for all sites, and set up the relevant number of connection limits, bandwidth settings, and other settings such as performance settings. Configures application mappings, removes all unnecessary application extensions, and retains only asp,php,cgi,pl,aspx application extensions. For PHP and CGI, it is recommended to use ISAPI parsing, and EXE parsing has an impact on security and performance. User program debug Settings send text error message to customer. For the database, try to use the MDB suffix, do not need to change to ASP, you can set up an MDB extension mapping in IIS, this mapping using an unrelated DLL file such as C:winntsystem32inetsrvssinc.dll to prevent the database from being downloaded. Set the log Save directory for IIS, and adjust logging information. Set to send text error messages. Modify the 403 error page and turn it to another page to prevent some scanners from probing. In addition, to hide system information, to prevent the release of the system version information from Telnet to port 80 can modify IIS banner information, you can use Winhex manual modification or use related software such as banneredit modification.
For the directory where the user site is located, here is a description of the user's FTP root directory corresponding to three files good, wwwroot,database,logfiles, respectively, storage site files, database backup and the site's log. If an intrusion event can set specific permissions on the directory where the user's site resides, the directory in which the picture resides is given permission only to the column directory, and the directory where the program resides does not require write access if the file is not required to generate the files, such as HTML-generated programs. Because it is a virtual host of the usual script security can not be nuanced to the point, more only in the method user from the script to elevate permissions:
Security Settings for asp:
After setting permissions and services, prevent ASP Trojan also need to do the following work, in the CMD window run the following command:
You can Wscript.Shell, Shell.Application, Wscript.Network component Uninstall, can effectively prevent ASP Trojan horse through WScript or shell.application execute commands and use Trojans to view some system sensitive information. Alternatively: You can cancel the permissions of the users user of the above file and restart IIS to take effect. However, this method is not recommended.
In addition, for the FSO because the user program needs to use, the server can not log off the component, here only to mention the prevention of FSO, but do not need to open space in the virtual Business Server use, only suitable for manually opened the site. You can set up two groups for sites that require FSO and do not need FSO, and give C:winntsystem32scrrun.dll to the user group that requires the FSO
The execution permission of the file, does not need to give the permission. Restarting the server can take effect.
For such settings combined with the above permission settings, you will find that the Haiyang Trojan has lost its role here!
Security Settings for PHP:
The default installation of PHP requires the following issues to be noted:
C:\winnt\php.ini only gives users read access. The following settings are required in php.ini:
Register_globals = Off
Allow_url_fopen = Off
Display_errors = Off
MAGIC_QUOTES_GPC = on [default is on, but need to check again]
Open_basedir =web Directory
The default setting Com.allow_dcom = True is modified to remove the front before the false[modification;]
MySQL Security settings:
If the MySQL database is enabled on the server, the security settings that the MySQL database needs to be aware of are:
Delete all default users in MySQL, keep the local root account only, and add a complex password to the root user. Give ordinary users Updatedeletealertcreatedrop permissions, and limit to a specific database, especially to avoid ordinary customers have permissions on MySQL database operations. Check the Mysql.user table to remove unnecessary user Shutdown_priv,relo Ad_priv,process_priv and File_priv permissions that may leak more server information including non-MySQL information. You can set up a startup user for MySQL that only has permissions on the MySQL directory. Set permissions on the data database for the installation directory (this directory holds the MySQL database information). For the MySQL installation directory, add read, column directories, and execute permissions to users.
serv-u Security issues: The installer will use the latest version as far as possible, avoid using the default installation directory, set the permissions of the Serv-u directory, and set up a complex administrator password. Modify the Serv-u banner information and set the passive mode port range (4001-4003)
Do the relevant security settings in the local server settings: including checking anonymous passwords, disabling the scheduling of the go-ahead, intercepting "FTP bounce" attacks and FXP, and intercepting 10 minutes for users who have connected more than 3 times in 30 seconds. The settings in the domain are: complex passwords are required, directories only use lowercase letters, and the advanced setting cancels the date that allows the file to be changed using the Mdtm command.
To change the startup user for Serv-u: Create a new user in the system, set a complex password, and not belong to any group. Give the user Full control of the SERVU installation directory. To create an FTP root directory, you need to give this user full control of the directory, because all FTP users upload, delete, change files are inherited from the user's permissions, otherwise unable to manipulate the file. Additionally, you need to give the user Read permission to the parent directory above the directory, otherwise it will appear 530 not logged in, home directory does not exist at the time of the connection. For example, when testing the FTP root directory for D:soft, must give the user D disk Read permission, in order to safely cancel other folders in D disk inherited permissions. The general use of the default system startup does not have these problems, because system generally has these permissions.
Security settings for the database server
For dedicated MSSQL database servers, open only 1433 and 5631 ports, as described above, to set up TCP/IP filtering and policy. For MSSQL, first you need to set a strong password for the SA, use mixed authentication, strengthen the logging of the database log, and audit the "success and failure" of the database login events. Remove unwanted and dangerous ole automatic stored procedures (which can cause some of the features in Enterprise Manager to not be used) These processes include the following:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
Remove unwanted registry access procedures, including:
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue
Xp_regenumvalues Xp_regread xp_regremovemultistring
Remove other system stored procedures, if you think there is a threat, of course, be careful to drop these processes, can be tested on the test machine to ensure that the normal system to complete the work, these processes include:
xp_cmdshell Xp_dirtree Xp_dropwebtask sp_addsrvrolemember
Xp_makewebtask Xp_runwebtask xp_subdirs sp_addlogin
Select the properties of the TCP/IP protocol in the instance properties. Choosing to hide the SQL Server instance prevents detection of port 1434 and modifies the default 1433 port used. Remove the Guest account from the database to exclude unauthorized users. Exceptions are the master and tempdb databases, because they are required for their Guest account. Also note that you set the permissions for each database user, and that these users only give some permissions to the database in which they reside. Do not use the SA user to connect to any database in your program. The network has recommended that you use the protocol encryption, do not do so, otherwise you can only reload the MSSQL.
Part II intrusion detection and data backup
§1.1 Intrusion Detection work
As the day-to-day management of the server, intrusion detection is a very important work, in the ordinary detection process, mainly include routine server security routine inspection and intrusion inspection, which is divided into the intrusion in the security check and before and after the invasion of security. The security of the system follows the principle of cask, the barrel principle refers to: a wooden bucket consists of many pieces of wood, if the composition of the wooden barrels of the length of the wood, then the maximum capacity of the bucket does not depend on the length of the plank, but depending on the shortest piece of wood. Applying to security means that the security of the system depends on the most vulnerable parts of the system, and these places are the focus of everyday security testing.
Daily safety Testing
The daily safety inspection is mainly aimed at the security of the system, and the work mainly follows the following steps:
1. View Server Status:
Open the Process Manager, view server performance, and observe CPU and memory usage. See if there are any exceptions, such as CPU and memory usage.
2. Check the current process situation
Switch Task Manager to the process to find any applications or background processes that are suspicious or running. When you view a process with the process manager, there is a taskmgr, which is the process manager's own process. If you are running a Windows Update, there is a wuauclt.exe process. For a unsure process or a process that doesn't know which application is on the server, you can search the process name on the network to determine the process Knowledge Base: http://www.dofile.com/. Usually the back door if there is a process, generally take a similar to the system process name, such as Svch0st.exe, at this time to carefully distinguish [usually confusing means is variable letter O for the number 0, variable letter L for the number 1]
3. Check the SYSTEM account number
Turn on Computer Management, expand Local user and group options, view group options, see if a new account is added to the Administrators group, and check for a cloned account.
4. View current Port Opening
Use Activeport to view current port connections, especially with externally connected ports to see if there are unauthorized ports communicating with the outside world. If so, close immediately
Close the port and record the corresponding program for the port, and transfer the program to another directory for later analysis. Turn on Computer Management = = "Software Environment = =" Running tasks [
Here you can see hidden processes that are not visible in the process manager], view the currently running programs, and, if there is an unknown program, record the location of the program, open Task Manager to end the process
, for the daemon using the backdoor and other programs can try to end the process tree, such as still unable to end, search the registry in the name of the program, delete the key values, switch to safe mode to delete
get rid of relevant program files.
5. Check System Services
Run services.msc, check the service in the started state, see if there is a new unknown service and determine the purpose of the service. For unclear services, open the properties of the service, check
Look at the service's corresponding executable file, if it is determined that the file is a normal use of the system files, can be roughly spared. See if there are other normal open service dependencies in this service
On, if there is, can be roughly spared. If you cannot determine whether the execution file is a normal system file and there is no other normal open service dependency on the service, you can temporarily stop the
Service, and then test that the various applications are normal. For some backdoor because of the use of the Hook system API technology, added service items in the Service Manager is not visible, then need to hit
Open the registry to find the Hkey_local_machinesystemcurrentcontrolsetservices items, by looking at the name of each service, the corresponding execution file to determine whether the back door
, Trojans and other programs.
6. View related log
Run Eventvwr.msc to roughly check the related log records in the system. Right-click Properties on the corresponding log record while viewing, set a log filter in filter
, select only errors, warnings, and view the source and description information of the log. For errors that occur if a workaround is found in the server's common troubleshooting, the question is handled in accordance with the method
, if there is no solution to record the problem, detailed record of the event source, ID number and specific description information, in order to find solutions to the problem.
7. Check System files
Mainly check the system disk EXE and DLL files, recommend the system after installation with Dir *.exe/s >1.txt all the exe file list to save, and then each check
Then use this command to generate a copy of the current list, using FC to compare two files, and so on the DLL file to do related checks. Note that patching or installing the software will regenerate the original
The start list. Check if the related system files are replaced or if the system is installed a Trojan door and other malicious programs. If necessary, run an antivirus program to scan the system disk once.
8. Check to see if security policy changes
Open the properties of the local area connection to see if only the TCP/IP protocol is selected in general, open the TCP/IP protocol settings, click Advanced = = options, and view IP security
Mechanism is a set IP policy to see if the port allowed by the TCP/IP filter has been changed. Open the Administrative Tools = "Local Security policy" to view the IP security currently in use
Whether the policy has changed.
9. Check directory Permissions
Focus on whether the system directory and important application permissions have been changed. The directory that needs to be viewed has c:;c:winnt;
Settings, and then check the Serv-u installation directory to see if the permissions for these directories have been changed. Check to see if some of the important files under System32 have changed permissions, including: CMD,
Net,ftp,tftp,cacls and other documents.
10. Check Startup Items
Mainly check the current boot from the program. You can use Areporter to check for a startup program.
Countermeasures to discover the invasion
For an instant-discovered intrusion event, the following are the cases where the system has been compromised, the system has not been compromised or is temporarily unaware of the damage. First, follow the above inspection steps
Check again and consider the following measures as appropriate. The following measures should be taken immediately after the system has been compromised:
The manner in which decisions are taken, depending on the circumstances, is handled either remotely or through the field. If the situation is seriously recommended for field treatment. If field processing is used, the first time that an intrusion is detected
Know the computer room shut down the server, when the processing staff rushed to the computer room disconnect the network cable, and then enter the system for inspection. If the use of remote processing, such as the case of serious first stop all application services, change I
P policy is to only allow remote management ports to connect and then reboot the server, reboot and then connect to the remote for processing, before restarting with Areporter check boot from boot
Program. And then proceed to the security check.
The following processing measures for user site intrusion but not endanger the system, if the user requirements to enhance the security of their site, you can strengthen the security of the user site as follows:
The site root----only Read permissions to the administrator, and permissions inherit.
wwwroot------Read and Write permissions to Web users. Advanced inside has delete subfolders and file permissions
LogFiles------Write permission to system.
The database------Read and Write permissions to Web users. Advanced inside does not delete subfolders and file permissions
If further modification is required, the characteristics of the user site for ordinary file storage directory such as HTML, JS, pictures folder only to read permissions, ASP and other script files to give the permissions of the above table
。 Also view the security log of the user's site, identify the cause of the vulnerability, and assist the user with patch vulnerabilities.
§1.2 data backup and data recovery
Data backup work is roughly as follows:
1. Back up the system data once a month.
2. Back up the system two weeks after a separate backup of the application data, mainly including IIS, Serv-u, databases and other data.
3. Ensure the security of backup data and classify and place these data backups. Because the total backup method is basically used, the retention period for the data can be retained only for that second backup and last standby
Two copies of the data.
Data Recovery work:
1. When the system crashes or encounters other unrecoverable system normal state condition, first after the last system backup occurred some change events such as application, security policy and so on to make the backup, restore
Restore these changes after you have completed the system.
2. Applications, and other errors with the most recent backup data recovery related content.
Part III Server performance optimization
§3.1 Server Performance Optimization
System performance Optimization
Organize system space:
Delete the system backup files, delete the drive backup, remove the unused input method, delete the system's Help files, uninstall the infrequently used components. Minimize the C-disk file.
Remove redundant boot autorun programs, reduce pre-read, reduce progress bar wait time; Let the system automatically shut down programs that stop responding; disable error reporting, but notify when a critical error occurs
; Turn off automatic Updates to manually update the computer;
Enable hardware and DirectX acceleration; disable shutdown event tracking; Disable the Configure Server Wizard; Reduce boot disk scan latency, and transfer processor planning and memory usage to the application
, adjusting virtual memory, memory optimization, modifying the CPU's level two cache, and modifying the disk cache.
IIS Performance Tuning
1. Adjust the IIS cache
The Memorycachesize range is from 0 4GB and the default is 3072000 (3MB). In general, this value should be set to 10% of the server memory. IIS passes cache system handles, directories
Lists and other common data values to improve system performance. This parameter indicates the amount of memory allocated to the cache. If the value is 0, that means "no caching is done
”。 In this case, the performance of the system may be reduced. If your server network traffic is busy, and you have enough memory space, you can consider increasing the value. It is important to note that the modification note
Table, a reboot is required for the new value to take effect.
2. Do not shut down the system service: "Protected Storage"
3. Restrictions on Access traffic
A. Restrictions on the number of site visits
B. Site bandwidth limits. Keep the HTTP connection.
C. Process constraints, enter the percentage of CPU consumption
4. Improve the processing efficiency of IIS
Application settings and Application Protection Drop-down button, from the Drop-down list that pops up, select the low (IIS process) option to increase the efficiency of the IIS server handler by 20%
Around. However, this setting poses a serious security issue and is not worth recommending.
5. Set the IIS server as a stand-alone server
A. Improving the hardware configuration to optimize IIS performance
Hard disk: Hard disk space is used by NT and IIS services in the following two ways: one is simply storing the data, and the other is used as virtual memory. If you are using a ULTRA2 SCSI hard drive, you can
Significantly improve the performance of IIS
B. You can distribute the paging file of an NT Server to multiple physical disks, note that multiple "physical disks" are not available on multiple partitions. In addition, do not put the page Exchange file
In the same partition as the Windows NT boot zone
C. Using disk mirroring or disk stripe sets can improve disk read performance
D. It is best to store all the data in a separate partition. Then run the Disk Defragmenter on a regular basis to ensure that there is no fragmentation in the partition where the Web server data is stored. Using NTFS has
Help to reduce fragmentation. It is recommended that you use Norton's SpeedDisk to quickly organize NTFS partitions.
6. HTTP Compression
Use Pipeboost to set it up.
7. Resource Recovery
Use IIS5Recycle to periodically recycle process resources.
Troubleshooting Common §3.2 Servers
1. ASP "Requested resources in use" solution:
This problem is generally related to anti-virus software, installed on the server personal version of antivirus software. This error can be resolved by uninstalling the antivirus software or by trying to re-register VBSCRIPT.DL
L and Jscript.dll to resolve, run at the command line: regsvr32 vbscript.dll and regsvr32 jscript.dll.
2.ASP500 Error Resolution:
First determine whether the problem is a single site exists or all sites exist, if the problem is a single site, the site is the problem of the program, you can open the site error prompts, ie
The "Show friendly HTTP Error" message is canceled, view the specific error message, and then modify the associated program. If this problem exists for all sites, and the HTML page does not appear,
Related log appears the server could not load application '/lm/w3svc/1/root '. The error is ' do not support this interface '. That's ten to one. asp-related components in the server system
There is a problem, restart the IIS service, try to resolve the problem, unable to resolve the reboot system attempt to resolve the problem, such as the inability to fix the ASP components can be repaired
: First delete Three things about IIS in a COM component, and you need to first remove the "Prohibit deletion" check in the advanced in the attribute.
Command line, enter the "CD winnt\system32\inetsrv" string command, click the ENTER key, then execute the rundll32 wamreg.dll,createiispackage command, and then
Then execute the "regsvr32 asptxn.dll" command, "iisreset" command, and finally restart the computer operating system, so that the IIS server will be able to respond correctly to the ASP script
3. IIS appears with 105 errors:
In the system log the server was unable to register the Administration tool discovery information. Administrative tools may not see this server source: W3SVC id:105
WORKAROUND: Reinstall the NetBIOS Protocol in the network connection, and then cancel the check out after the installation is complete.
4.MySQL Service failed to start error code 1067 workaround
When you start the MySQL service, the error occurs halfway through! Content: Unable to start MySQL service on local computer error 1067: Process aborted unexpectedly.
Workaround: Look for the My.ini file in the Windows directory, edit the content (if there is no file, create a new one), at least
Basedir,datadir these two basic configurations.
# set Basedir to installation path, e.g., c:/mysql
# set to MySQL installation directory
# set DataDir to location of data directory,
# e.g., C:/mysql/data or D:/mydata/data
# set to MySQL data directory
Note that I have also experienced this problem when I change the system's temp directory without giving the user permission to the changed directory.
5.DLLHOTST process consumes CPU 100% problem
Server normal CPU consumption should be below 75%, and CPU consumption should be up and down, the server with this problem, the CPU will suddenly be at 100% level, and will not drop.
Viewing Task Manager, you can find that DLLHOST.EXE consumes all the CPU idle time, in which case the administrator has to restart the IIS service and, strangely, restart IIS
Everything is fine after the service, but it may be some time before the problem comes up again.
One or more Access databases are corrupted during multiple reads and writes, and the MDAC system is in block state when writing to this corrupted access file, resulting in other threads having to wait only
IIS is deadlocked, and all CPU time is consumed in dllhost.
Download the database locally, and then use access to open the repair operation. and upload it to the website. If not, just create a new Access database and then guide it from the original database
into all tables and records. Then upload the new database to the server.
6.Windows Installer Error:
"You cannot access the Windows Installer service when you install the software." Maybe you run Windows in Safe mode, or Windows Installer does not have the correct Ann
Loaded Please contact your support for help. If you try to reinstall InstMsiW.exe, you are prompted: "The specified service already exists."
For installer errors, there may be other error prompts to try the following solutions:
First confirm whether is the permission aspect question, the prompt information may provide the related information, if is the permission question, gives the Winnt directory everyone permission to be able to [installs the authority to change back to be able
]。 If you are prompted with this information, you can try the following workaround: Run "msiexec/unregserver" Uninstall windows
Installer service, if you cannot uninstall, you can uninstall using SRVINSTW, and then download windows
Installer Installer [address: Http://www.newhua.com/cfan/200410/instmsiw.exe], extract the file with WinRAR, find MS in the unpacked folder
I.inf file, right-click to select Install, restart the system and run "msiexec/regserver" to re-register the Windows Installer service.
Part IV Server Management
§4.1 Server daily Management arrangement
Server management must be disciplined, especially when there is not only one administrator, but the day-to-day management of the work includes:
1. Timed reboot of the server. Each server is guaranteed to reboot once a week. After reboot to review, confirm that the server has been started, to confirm that all services on the server are restored
Re normal. Measures should be taken in cases where the failure to start up or the service fails to recover in time. The former may request the trustee's related staff to help the manual reboot, if necessary, may request
Let the monitor on the connection confirm that it is started, and the latter requires a remote login on the server for cause lookup and tries to recover the service based on the reason.
2. Server security, performance checks, at least every server to ensure that the landing two times a week a rough check two times. The results of each inspection are required to be registered. If you need to use some tools to check
Check, you can find the relevant tools directly in the E:tools. For the temporary need to look for tools from the network, first of all, ie security level to high, and then on the network to find, do not DeMatha
Unknown site download, as far as possible to choose such as Huajun, Sky and other large Web sites to download, after downloading to ensure that the current anti-virus software has been upgraded to the latest version, upgraded after the download of the software to carry out a
Second anti-virus, confirm the normal use of the rear. For new tools that are downloaded to be used for future maintenance, save the tool under E:tools and do so in the Readme.txt file in the directory
Good records, record the tool name, function, use method. And in the folder in the RAR folder to keep a copy of the tool's WinRAR compressed file backup, set the decompression password.
3. Server data backup work, each server at least to ensure a monthly backup of the system data, system backup using Ghost Way, for ghost file fixed in e:ghost file directory
, the file name is named after the date of the backup, such as 0824.gho, each server at least guaranteed to back up the application data every two weeks, at least every month to ensure that the server backup user data, Standby
The data is fixed in the E:databak folder, the corresponding subfolder is set up for various data, such as Serv-u user data is placed under the Servu folder under this folder, the number of IIS sites
It is stored under the folder under the IIS folder.
4. The monitoring of the server, every day during the normal work must ensure that all server monitoring status, once the service stopped to take appropriate measures. For discovery service stop, first check
Check that the same type of service on the server is interrupted, such as all of the same types of services have been interrupted in a timely manner to log on to the server to see the cause and try to reopen the corresponding service for that reason.
5. Server-related log operations, each server to ensure that the relevant log once a month to clean up the corresponding logs such as application log, security log, system log, etc. should be
Select Save Log. All log files are uniformly saved under E:logs, the application log is saved in E:logsapp, the System program log is saved in E:logssys, and the security log
exists in E:logssec. For other applications, the log is also processed in this way, such as the FTP log stored in e:logsftp. All of the backup log files are
Name the date of the backup, such as 20050824.EVT. For a log that is not a single file, create a date-named folder under the corresponding record location, and store the files in the text
6. Server patch patching, application update work, for new vulnerabilities patches, application security updates must be the first time the discovery of the application to each server
7. The server's hidden trouble inspection work, mainly includes the security hidden danger, the performance and so on. Each server must ensure that the monthly focus is individually checked once. The results of each inspection must be well documented.
8. In the case of uncertain work, each server must be informed of all administrators because of the need to install new applications or uninstall applications, due to the application of software changes or other reasons.
9. Regular management password change work, each server to ensure that at least every two months to change the password, for SQL Server because if the SQL Mixed authentication Change system administrator password will affect
The use of the database is not modified.
Related suggestions: Set up a server management records per server, the administrator every login system should be in this detailed record, the total need to record the following items: Login time, exit
Time, login server status [contains unknown process record, port connection status, System account status, Memory/cpu State], detailed operation record [detailed record of admin login system]
After each step of the operation]. Both remote logon operations and physical contact operations are recorded, and these records are archived according to each server, and the documents are sorted in chronological order.
It is recommended to group servers for data backup, server timed restart, for example, in four groups, to back up a set of server data every Saturday night of the month, one day a week to restart a
Group of servers, this is more convenient for the work, these belong to the fixed work. Other work can be done synchronously, such as a monthly data backup, security check, and management
Password modification work, the first data backup, and then conduct security checks, and then modify the password. For immediate actions that are required such as server patch installation, server uncertainty
These are immediate tasks, but in principle immediate work does not affect the arrangement of fixed work.
§4.2 Administrator Daily Considerations
During server management, administrators need to be aware of the following considerations:
1. For each operation of their own should be a detailed record, see the above recommendations, in order to later check.
2. Efforts to improve their own level and strengthen learning
This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or
reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or
complaint, to email@example.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
and provide relevant evidence. A staff member will contact you within 5 working days.