Today I want to go a little deeper into Web site security and stability. Anyone who has worked with both Linux and Windows knows that IIS is far less stable than Apache on Linux: dead loops, stack overflows and the like, and once IIS hangs, every other site on the server is affected. So why write about IIS security and stability at all? For the reason I gave before: IIS is what much of the market runs, so it is worth sharing what I know.
The following are suggestions for deploying Web sites on IIS.
1. Keep the IIS directory, the data and the system on separate disks: for example the system on C:, data on D:, and only the Web page files on E:.
2. Grant rights on the site directory only to Administrators, SYSTEM, the Web user and the FTP user, apart from special directories.
3. Enable Parent Paths. (Note that Parent Paths lets ASP includes and MapPath use `..` to reach files above the site root, so most hardening guides leave it disabled unless the application really needs it.)
4. In IIS Manager, remove any application mappings you do not need (keep the necessary ones such as .asp and .aspx). If you are not sure what a mapping is for, do not delete it.
5. In IIS, redirect HTTP 404 and the other error pages to a custom HTML file via URL.
6. Use the W3C extended log file format, create the log files hourly, record all the categories (client IP address, user name and so on), and review the log every day; a log analysis tool makes this easier. Do not leave the IIS log in its default location on the C: disk: move the log path to a non-system disk and set access permissions on the log directory so that only Administrators and SYSTEM have Full Control.
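The daily log review from item 6 can be scripted. The following PowerShell is an added example, not code from the original article: it parses W3C extended log lines (the lines below are constructed sample data; `$sampleLog`, `Get-IisLogEntries` and the path `D:\IISLogs\W3SVC1\*.log` mentioned afterwards are assumptions), counts requests per client IP per hour, and lists clients that collect repeated 404 responses, which is what requests for the leaked `.inc` and `.bak` files of item 7 look like in the log.

```powershell
# Added example (not from the original article): review an IIS W3C extended log
# from PowerShell, counting requests per client IP per hour and flagging clients
# that repeatedly receive 404 responses. The log lines are constructed sample data.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2024-01-01 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken
2024-01-01 09:12:01 203.0.113.5 - 10.0.0.10 80 GET /default.asp - 200 5120 310 15
2024-01-01 09:12:02 203.0.113.5 - 10.0.0.10 80 GET /conn.asp.bak - 404 1230 301 3
2024-01-01 09:12:03 203.0.113.5 - 10.0.0.10 80 GET /inc/conn.inc - 404 1230 299 2
2024-01-01 09:40:11 198.51.100.7 - 10.0.0.10 80 GET /index.asp - 200 7800 305 20
2024-01-01 10:05:44 198.51.100.7 web001 10.0.0.10 80 POST /admin/login.asp - 200 900 450 40
'@

function Get-IisLogEntries {
    # Turn W3C log lines into objects, using the column names from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    $rows = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split '\s+')
        } elseif ($line -and -not $line.StartsWith('#')) {
            $rows.Add($line)
        }
    }
    if (-not $fields) { throw 'No #Fields header found in the log' }
    $rows | ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

$entries = Get-IisLogEntries -Lines ($sampleLog -split "`r?`n")

# 1. Requests per client IP per hour: the breakdown the hourly log files are meant to give.
$entries |
    Group-Object { '{0} {1}:00  {2}' -f $_.date, $_.time.Substring(0, 2), $_.'c-ip' } |
    Sort-Object Name |
    Select-Object @{ n = 'Hour / client'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Clients that collect several 404s, e.g. requests for backup or include files that
#    should not exist on the site (the leaks item 7 warns about).
$entries |
    Where-Object { $_.'sc-status' -eq '404' } |
    Group-Object 'c-ip' |
    Where-Object { $_.Count -ge 2 } |
    ForEach-Object { '{0}: {1} not-found responses, e.g. {2}' -f $_.Name, $_.Count, $_.Group[0].'cs-uri-stem' }
```

To run it over a real log, replace `$sampleLog -split ...` with `Get-Content D:\IISLogs\W3SVC1\*.log` (the relocated log directory from item 6 is an assumed path). With the sample data the second query reports 203.0.113.5 with two not-found responses, the first for /conn.asp.bak.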
7. Program security:
1) Code that handles user names and passwords is best encapsulated on the server side and kept out of the ASP files as far as possible; the user name and password used for the database connection should be given the minimum privileges.
2) On ASP pages that require verification, track the file name of the previous page and only let this page be read when the session entered from that page.
3) Prevent leakage of the ASP .inc files.
4) Prevent leakage of the Conn.asp.bak files that UltraEdit and other editors generate.
8. Set up service recovery for IIS so that the service restarts automatically, which reduces IIS downtime.
1) For the IIS Admin service, set the first failure to Restart the Service and the second and subsequent failures to Run a Program, with Reset fail count after 1 day and Restart service after 0 minutes; in the Run program section enter the program C:\Windows\System32\iisreset.exe with the command line argument /start.
2) For the World Wide Web Publishing Service, set the first, second and subsequent failures to Restart the Service, with Reset fail count after 1 day and Restart service after 0 minutes.
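The same recovery settings can be applied from the command line instead of the Services console. The block below is an added example, not part of the original article; it uses `sc.exe failure`, where the delays are in milliseconds and `reset=` is in seconds (86400 = 1 day), against the service names IISADMIN and W3SVC. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): the service recovery settings from
# item 8 applied with sc.exe. Delays are in milliseconds, reset= is in seconds
# (86400 = 1 day). Run from an elevated prompt.

# IIS Admin (IISADMIN): 1st failure restart the service,
# 2nd and later failures run iisreset /start.
sc.exe failure IISADMIN reset= 86400 actions= restart/0/run/0/run/0 command= "C:\Windows\System32\iisreset.exe /start"

# World Wide Web Publishing Service (W3SVC): restart on every failure.
sc.exe failure W3SVC reset= 86400 actions= restart/0/restart/0/restart/0

# Verify what was applied; the output mirrors the Recovery tab of the service properties.
sc.exe qfailure IISADMIN
sc.exe qfailure W3SVC
```

Note that `sc.exe` takes the program and its arguments as one `command=` string, so the program path and the `/start` argument that the Services console shows in separate boxes are written together here.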
9. Remove the Users group's permissions on Adsiis.dll in C:\Windows\System32\inetsrv; this prevents ordinary accounts from traversing (enumerating) the IIS configuration.
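The file-system permissions from items 6 and 9 can be set with `icacls` rather than the Security tab. This is an added example, not from the original article; `D:\IISLogs` as the relocated log directory is an assumption, and the inetsrv path is the default. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): apply the permissions from items 6
# and 9 with icacls. D:\IISLogs (the relocated log directory) is an assumed path;
# adsiis.dll is in the default inetsrv directory. Run from an elevated prompt.

# Item 6: log directory on a non-system disk; break inheritance and leave Full Control
# for Administrators and SYSTEM only. (OI)(CI) makes the entries apply to new files too.
New-Item -ItemType Directory -Path 'D:\IISLogs' -Force | Out-Null
icacls 'D:\IISLogs' /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# Item 9: the Users entry on adsiis.dll is usually inherited, so first convert inherited
# entries to explicit ones, then remove the Users group.
icacls 'C:\Windows\System32\inetsrv\adsiis.dll' /inheritance:d
icacls 'C:\Windows\System32\inetsrv\adsiis.dll' /remove Users

# Check the result: only the intended principals should be listed.
icacls 'D:\IISLogs'
icacls 'C:\Windows\System32\inetsrv\adsiis.dll'
```

After the log directory is locked down, remember to point the site's log file directory at it in IIS Manager, otherwise the log keeps being written to the default location on C:.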
10. Web site permissions settings (recommended):
Write: not allowed
Script source access: not allowed
Directory browsing: recommended off
Log visits: recommended off
Index this resource: recommended off
11. Control the site directory permissions; the details follow.
I. Create a new Web access user
0) Right-click My Computer -> Manage -> Local Users and Groups -> Users -> right-click -> New User.
1) For example user name web001, password 123abc!@# (in real use, make the password as complex as possible, up to 32 characters, and also save it in Notepad).
2) Tick "User cannot change password" and "Password never expires".
II. Modify the Web user's permissions
1) Right-click web001 -> Properties -> Member Of -> remove Users, add IIS_WPG.
2) Switch to the Environment tab and untick the three client devices options.
3) Switch to the Remote control tab and untick Enable remote control.
III. Create a new application pool and set its identity
1) Open Internet Information Services (IIS) Manager, right-click Application Pools -> New -> Application Pool.
2) Enter a name for the new application pool, such as web001 or AppPool #1. (Giving each Web site its own application pool is better: a problem in one site will not affect the others. Sites of different types should also not share an application pool.)
3) Right-click AppPool #1 -> Properties -> Identity -> Configurable -> enter the newly created Web user web001 and password 123abc!@#, click Apply, enter the password 123abc!@# again, and click OK. (It is recommended to save the server-related accounts and passwords in Notepad.)
IV. Set the application pool and directory security permissions for the Web site
1) Right-click the Www.paipat.com Web site -> Properties -> Home Directory -> Application pool -> select the newly created AppPool #1.
2) Switch to Directory Security -> Authentication and access control -> Edit -> enter the user and password you just created, click OK and enter the password once more.
3) Go to the site directory, for example d:\wwwroot\web001, right-click web001 -> Properties -> Security -> add the web001 user -> leave only the Read and Write permissions, then click Advanced -> select web001 -> Edit -> add the Delete permission.
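The account, group, application pool and directory steps of item 11 can also be carried out as commands. The block below is an added example, not the article's own procedure: names and paths follow the article's example (web001 under D:\wwwroot\web001), the password is a placeholder to replace, the application pool name `AppPool1` is an assumption, and the `adsutil.vbs` metabase properties (`AppPoolIdentityType`, `WAMUserName`, `WAMUserPass`) are an assumption for IIS 6; on later IIS versions configure the pool identity in IIS Manager instead. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): the account and directory steps of
# item 11 as commands. Names and paths follow the article's example; the password is a
# placeholder. The adsutil.vbs lines target the IIS 6 metabase (assumption for that
# version). Run from an elevated prompt.
$User     = 'web001'
$Password = 'REPLACE-WITH-COMPLEX-PASSWORD'
$SiteRoot = 'D:\wwwroot\web001'
$AppPool  = 'AppPool1'   # assumed pool name; '#' and spaces are awkward on the command line

# I. Create the Web access user: cannot change password, password never expires.
net user $User $Password /add /passwordchg:no
wmic useraccount where "name='$User'" set PasswordExpires=false

# II. Take the user out of Users and put it in IIS_WPG (the IIS 6 worker process group).
net localgroup Users $User /delete
net localgroup IIS_WPG $User /add

# III. Create the application pool and run it as that user (IIS 6 metabase; assumption).
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
cscript //nologo $adsutil CREATE "W3SVC/AppPools/$AppPool" IIsApplicationPool
cscript //nologo $adsutil SET "W3SVC/AppPools/$AppPool/AppPoolIdentityType" 3
cscript //nologo $adsutil SET "W3SVC/AppPools/$AppPool/WAMUserName" $User
cscript //nologo $adsutil SET "W3SVC/AppPools/$AppPool/WAMUserPass" $Password

# IV. Site directory: stop inheriting, then allow only Administrators, SYSTEM and the Web
#     user, who gets Read, Write and Delete ("Read and Write, then add Delete" in step 3).
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
icacls $SiteRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${User}:(OI)(CI)(RX,W,D)"

# Show the resulting ACL so it can be compared with the Security tab.
icacls $SiteRoot
```

The site's home directory, application pool assignment and the anonymous user on the Directory Security tab (steps IV.1 and IV.2) are still set in IIS Manager as described above; the script only prepares the account, the pool identity and the NTFS permissions they rely on.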