Ten simple steps to protect IIS Web Server Security

Source: Internet
Author: User
Tags: ntfs permissions

Worried about the security of your IIS web server? The following ten simple steps give you a practical baseline. Here is the article in detail.

Use the following 10 steps to protect IIS:

1. Install IIS applications and data on a dedicated NTFS volume. If at all possible, do not allow IUSR (or whatever account you use for anonymous access) to touch any other volume. If an application fails because the anonymous account cannot reach a program on another volume, use Sysinternals FileMon (since superseded by Process Monitor) to find out which file is being denied, and move that program onto the IIS volume. If you cannot, grant IUSR access to that one file only.

2. Set the NTFS permissions on that volume:

Developers = Full Control

IUSR = Read and Execute only

SYSTEM and Administrators = Full Control
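The following is an added example, not code from the original article, showing how steps 1 and 2 can be applied and then verified from an elevated PowerShell prompt. It assumes the web content lives under D:\inetpub, that developers belong to a local group named Developers, and an IIS 7 or later host where the anonymous account is the built-in NT AUTHORITY\IUSR; on IIS 5/6 substitute IUSR_<machinename>. The path, group name and account are placeholders for the example.

```powershell
# Added example (not from the original article): apply steps 1 and 2.
# Assumptions: content root D:\inetpub, local group "Developers", IIS 7+
# anonymous account NT AUTHORITY\IUSR. Run elevated.
$ContentRoot = 'D:\inetpub'
$Developers  = 'Developers'
$Anon        = 'IUSR'

# Step 2: drop inherited ACEs and grant only the four principals the article
# lists. (OI)(CI) propagates the entry to files and subfolders; /grant:r
# replaces any earlier explicit grant for that principal.
icacls $ContentRoot /inheritance:r                             | Out-Null
icacls $ContentRoot /grant:r "${Developers}:(OI)(CI)F"         | Out-Null
icacls $ContentRoot /grant:r "NT AUTHORITY\${Anon}:(OI)(CI)RX" | Out-Null
icacls $ContentRoot /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'   | Out-Null
icacls $ContentRoot /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Verify: any principal other than the expected four is a finding.
$expected = @("$env:COMPUTERNAME\$Developers", "NT AUTHORITY\$Anon",
              'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path $ContentRoot
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($expected -notcontains $who) {
        Write-Warning "Unexpected ACE on ${ContentRoot}: $who -> $($ace.FileSystemRights)"
    }
}
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is still enabled on $ContentRoot"
}

# Step 1: the anonymous account should have no rights on any other fixed
# volume. List every Allow ACE for IUSR, the IIS_IUSRS group or Everyone on
# the root of each other drive so it can be reviewed and removed.
$watch        = @("NT AUTHORITY\$Anon", 'BUILTIN\IIS_IUSRS', 'Everyone')
$contentDrive = (Split-Path -Qualifier $ContentRoot) + '\'
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -ne $contentDrive -and (Test-Path $_.Root) } |
    ForEach-Object {
        $root = $_.Root
        (Get-Acl -Path $root).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $watch -contains $_.IdentityReference.Value } |
            ForEach-Object {
                Write-Warning "$root grants $($_.IdentityReference.Value): $($_.FileSystemRights)"
            }
    }
```

If the developer group is a domain group, its identity reference will be DOMAIN\Developers rather than COMPUTERNAME\Developers; adjust the expected list accordingly. Run the script again after any deployment that changes permissions, since a single misplaced Allow entry for Everyone on another drive undoes step 1.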

3. Use a software firewall to ensure that end users cannot reach any port on the IIS computer other than port 80 (and 443 if you serve HTTPS).
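As an added example that is not part of the original article, step 3 can be enforced with the built-in Windows Firewall through the NetSecurity cmdlets (Windows Server 2012 or later). It assumes HTTPS is served on 443 alongside HTTP on 80, and that administrators connect over RDP only from a management subnet 10.0.0.0/24; both are placeholders chosen for this example.

```powershell
# Added example (not from the original article): expose only the web ports.
# Assumptions: HTTP on 80, HTTPS on 443, RDP only from 10.0.0.0/24.
$MgmtSubnet = '10.0.0.0/24'

# Block everything inbound by default on every profile; only the explicit
# allow rules below (and any built-in rules still enabled) get through.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Built-in rule groups a web server does not need exposed to end users.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Step 3: the web ports are the only thing end users may reach...
New-NetFirewallRule -DisplayName 'IIS HTTP 80'   -Direction Inbound -Protocol TCP `
    -LocalPort 80  -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'IIS HTTPS 443' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow -Profile Any
# ...and management traffic is limited to the assumed admin subnet.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# Verify: every enabled inbound allow rule with its ports and permitted
# sources. Anything here other than 80, 443 and the RDP rule deserves review.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

The verification table is the part worth keeping: a default installation ships with many enabled inbound allow rules, and the default-block setting only covers traffic that matches none of them.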

4. Lock down the server with Microsoft's own tools: IIS Lockdown and UrlScan. These target IIS 5 and 6; IIS 7 and later build the equivalent controls into the Request Filtering module.

5. Enable IIS event logs. In addition to the IIS logs, enable logging on the firewall as well if you can.

6. Move the log files out of their default location and make sure they are backed up. Keep a duplicate copy of the logs in a second location, so that a copy remains available even if the server itself is compromised.

7. Enable Windows auditing on the computer: when we try to trace an attacker's actions afterwards, we never have enough data. With audit logs in place you can even write a script that reviews them for suspicious behaviour and sends a report to the administrator. That may sound a bit extreme, but it is the right choice if security is critical to your organisation. At a minimum, set up auditing to report every failed account logon. Also move the Security event log from its default location (C:\WINNT\system32\config\SecEvent.Evt on Windows NT/2000) to another place, and make sure it too is backed up and duplicated.
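Steps 5, 6 and 7 fit together as one procedure. The block below is an added example, not code from the original article, covering them on IIS 7 or later (Windows Server 2008 or later) from an elevated prompt: it relocates the IIS and Security logs, enables failed-logon auditing, schedules a mirror copy of the log volume, and implements the review script that mails a failed-logon summary to the administrator. The log volume D:\Logs, the mirror share \\logstore\iislogs, the SMTP host and the admin address are all placeholders assumed for the example.

```powershell
# Added example (not from the original article): steps 5-7 on IIS 7+.
# Assumptions: logs on D:\Logs, mirror at \\logstore\iislogs, mail via
# smtp.example.com to admin@example.com. Run elevated.
Import-Module WebAdministration

$LogRoot   = 'D:\Logs'
$Mirror    = '\\logstore\iislogs'
$AdminMail = 'admin@example.com'
$SmtpHost  = 'smtp.example.com'
New-Item -ItemType Directory -Path "$LogRoot\IIS", "$LogRoot\Windows" -Force | Out-Null

# Step 5: W3C logging on for every site, and (step 6) written somewhere
# other than the default %SystemDrive%\inetpub\logs\LogFiles.
Get-ChildItem IIS:\Sites | ForEach-Object {
    $site = "IIS:\Sites\$($_.Name)"
    Set-ItemProperty -Path $site -Name logFile.enabled   -Value $true
    Set-ItemProperty -Path $site -Name logFile.logFormat -Value 'W3C'
    Set-ItemProperty -Path $site -Name logFile.directory -Value "$LogRoot\IIS"
}

# Step 7: audit failed logons and move the Security log off its default path.
# The Windows Event Log service runs as LOCAL SERVICE and needs write access.
auditpol /set /subcategory:"Logon" /failure:enable          | Out-Null
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
icacls "$LogRoot\Windows" /grant "NT AUTHORITY\LOCAL SERVICE:(OI)(CI)M" | Out-Null
wevtutil sl Security /lfn:"$LogRoot\Windows\Security.evtx" /ms:268435456

# Step 6: a second copy of everything under $LogRoot, refreshed nightly.
$copy    = "robocopy `"$LogRoot`" `"$Mirror`" /E /Z /R:3 /W:5 /NP"
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $copy"
$trigger = New-ScheduledTaskTrigger -Daily -At '01:00'
Register-ScheduledTask -TaskName 'Mirror IIS logs' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Step 7: the review script. Summarise the last day's failed logons
# (Security event 4625) by source address, account and logon type.
function Get-FailedLogonReport {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4625 event data positions: 5 = TargetUserName, 10 = LogonType, 19 = IpAddress
            [pscustomobject]@{
                Source  = $_.Properties[19].Value
                Account = $_.Properties[5].Value
                Type    = $_.Properties[10].Value
            }
        } |
        Group-Object Source, Account, Type |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source, Account, LogonType'; e = { $_.Name } }
}

$report = Get-FailedLogonReport
if ($report) {
    $total = ($report | Measure-Object Count -Sum).Sum
    Send-MailMessage -SmtpServer $SmtpHost -From "iis@$env:COMPUTERNAME" -To $AdminMail `
        -Subject "Failed logons on $env:COMPUTERNAME ($total in the last 24h)" `
        -Body ($report | Format-Table -AutoSize | Out-String)
}
```

Schedule the report the same way as the mirror task, and grow the function rather than the mail: the grouping by source address is what turns a thousand 4625 events into a short list of hosts to look at first.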

8. In general, seek out articles on security from a variety of sources and put them into practice. The better you understand IIS and security practice yourself, the less you need to take anyone else's word for it, including mine.

9. Subscribe to an IIS vulnerability mailing list and read it promptly. One such list is the X-Force Alerts and Advisories from Internet Security Systems.

10. Finally, apply Windows updates on a regular schedule and verify that each patch actually installed successfully.
