Set up a new site with the default wizard. In the site's application settings, note two things: "Execute permissions" defaults to "Scripts only", and the site runs in a separate application pool created just for it, named 315safe.
The 315safe pool can be given sensible "memory recycling" settings: a maximum virtual memory of 1000 MB and a maximum used (physical) memory of 256 MB. Limits this loose place almost no restriction on the performance of the site.
The application pool also has an "Identity" tab for choosing the security account it runs under. The default is the Network Service account, and we leave it alone: the fewer privileges the pool runs with, the smaller the hidden risk.

Some directories of a site never need to run ASP or any other script, for example this "UploadFile" directory. Remove the script permission from them: under "Application Settings", change "Execute permissions" from the default "Scripts only" to "None", so the directory can only serve static pages. By the same reasoning, any directory that does not need ASP, such as the database directory or the image directory, can be treated the same way. The point is that if the site's application code has a bug, such as the upload (upfile) vulnerabilities seen earlier, this limits what the vulnerability can be used for.
By default, the web directory of each site is given read and write permissions for the IIS user, as shown in the figure:
But since we want to drive SQL injection and upload vulnerabilities away entirely, we set the permissions by hand, in detail.
Give the IIS user read-only permission on the web root, as shown in the figure:
Then give uploadfiles/ (or whatever directory has to receive uploaded files) an additional write permission, and in IIS remove the script permission from that directory. Even if the site's program has a hole, the intruder cannot write an ASP trojan into that directory and run it. Stopping attacks is not that easy, though; there is a lot more work to do. With an MS SQL database this is enough. With an Access database, the directory holding the database file also needs write permission, and then the database file should not be renamed to a .asp extension. Everybody knows the consequence of that trick: once your database path is exposed, the database itself is one big trojan, which is frightening enough. In fact there is one simple rule: keep the .mdb suffix only, and give that directory no script permission in IIS. Then add a mapping rule in IIS, as shown in the figure:
This maps the .mdb suffix to an arbitrary DLL. As long as asp.dll is not the one doing the parsing, others cannot download the database even when they get hold of its path. This method can be called the ultimate solution for preventing the database from being downloaded.
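The whole procedure above (dedicated pool with memory recycling and the Network Service identity, read-only NTFS rights on the web root, write rights only on the upload and database directories, no script permission in IIS for those directories, and the .mdb script mapping) can be applied from a script instead of clicking through the MMC. The following PowerShell is an added example written for this page, not code from the original article. It uses the IIS 6 ADSI provider (IIsApplicationPool / IIsWebDirectory metabase objects) and icacls, so it assumes IIS 6 on Windows Server 2003 with PowerShell installed. The site id 1, the path C:\inetpub\wwwroot\site, the directory names, and the placeholder DLL path block_mdb.dll are assumptions to adjust for your server.

```powershell
# Added example (not from the article): IIS 6 hardening through the ADSI
# metabase provider and icacls. All paths, ids and names below are assumed.

$siteId   = 1                                           # assumed site id
$siteRoot = 'C:\inetpub\wwwroot\site'                   # assumed web root
$poolName = '315safe'
$iisUser  = "IUSR_$env:COMPUTERNAME"                    # IIS 6 anonymous account
$dummyDll = 'C:\WINDOWS\system32\inetsrv\block_mdb.dll' # assumed: any DLL that is NOT asp.dll

# 1. Dedicated application pool with memory recycling limits (metabase values are in KB)
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', $poolName)
$pool.Put('PeriodicRestartMemory',        1000 * 1024)  # max virtual memory: 1000 MB
$pool.Put('PeriodicRestartPrivateMemory',  256 * 1024)  # max used (physical) memory: 256 MB
$pool.Put('AppPoolIdentityType', 2)                     # 2 = Network Service, the default identity
$pool.SetInfo()

# Run the site's root application in that pool
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$root.Put('AppPoolId', $poolName)
$root.SetInfo()

# 2. NTFS: the IIS user gets read-only on the web root (/grant:r replaces that
#    user's existing explicit grants; OI/CI make the right inherit to children) ...
icacls $siteRoot /grant:r "${iisUser}:(OI)(CI)R"

# ... and read+write only in the directories that must receive files
foreach ($dir in 'UploadFile', 'Database') {
    icacls (Join-Path $siteRoot $dir) /grant:r "${iisUser}:(OI)(CI)RW"
}

# Bind to an existing metabase directory node, or create one when the folder has
# never had its own settings (the MMC does the same when you change a property).
function Get-OrCreateWebDir($parent, $name) {
    foreach ($child in $parent.Children) {
        if ($child.Name -eq $name) { return $child }
    }
    $new = $parent.Create('IIsWebDirectory', $name)
    $new.SetInfo()
    return $new
}

# 3. IIS: Execute permissions = "None" in every directory that never runs ASP
foreach ($dir in 'UploadFile', 'Database', 'Images') {
    $d = Get-OrCreateWebDir $root $dir
    $d.Put('AccessScript',  $false)   # no "Scripts only"
    $d.Put('AccessExecute', $false)   # no "Scripts and Executables"
    $d.SetInfo()
}

# 4. Map .mdb to a DLL other than asp.dll at the site root, as the article does.
#    ScriptMaps entries have the form ".ext,dll path,flags[,verbs]"; flag 1 marks
#    a script engine so the map applies under "Scripts only".
$maps = @($root.Properties['ScriptMaps'].Value) | Where-Object { $_ -notlike '.mdb,*' }
$maps += ".mdb,$dummyDll,1"
$root.Put('ScriptMaps', [string[]]$maps)
$root.SetInfo()

Write-Host "Hardening applied to site $siteId in pool $poolName"
```

Two things worth checking afterwards. First, confirm the NTFS result with `icacls $siteRoot` and `icacls $siteRoot\UploadFile`: the IIS user should show R on the root and RW only on the upload and database folders. Second, on IIS 6 a direct request for a .mdb file is already refused with a 404 unless .mdb has a MIME type registered, so the script mapping is belt-and-braces there; keeping the Access file outside the web root altogether removes the download risk without relying on either mechanism.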
Responsible editor: Bean Technology Application