Windows Server Security-HTTP Service Security


In Part 1 (http://www.cnblogs.com/Leung/archive/2009/10/29/1592328.html) we talked about how to build a system environment with basic security.

This section describes how to provide services securely on that platform. The platform now has a certain degree of security, and we should carry that property into all later work: every operation must take security into account, and we should ask whether it changes the platform's security. If the platform is secure but the service is insecure, the service will be infiltrated and the earlier work wasted. The security of the entire service platform is like a bucket: it holds only as much as its shortest stave. For more on the bucket principle, see: Introduction to cybersecurity awareness.

Now, let's take a look at HTTP service security. Windows Server 2003 has become a common choice as an HTTP server because of its built-in IIS component and the ease of use of the Windows operating system. However, precisely because Windows is easy to understand and its internals, including its security, are widely documented, Windows-based HTTP servers are also the server platform that has suffered the most attacks and intrusions. How can we make IIS safer?
We now have a more secure underlying platform whose security configuration fully follows the earlier Server Security article (Part 2). Take an IIS site as an example (for how to create a website in IIS, please look up the information yourself, because it is outside the scope of this series). The site is written in ASP, Microsoft's own scripting technology, which holds more than 90% of the small and medium-sized enterprise market. Such a website seems safe. Is it really? No. It is not safe until you have configured the site's security. OK, let's create a new secure IIS site; follow along.

In Jarry's experience, permissions are the most important consideration when creating an IIS site. In IIS, the administrator must specify the system account that IIS uses to access the website's content on behalf of visitors. The idea is therefore to specify a dedicated account for accessing the website content, with permissions that are as small as possible. After you install IIS 6, the Windows system generates two accounts, IUSR_xxx and IWAM_xxx. Microsoft defines them as Internet guest accounts, the built-in accounts for anonymous access to Internet Information Services. Their permissions are relatively low, but not the lowest. If your server hosts only one website, assigning the IUSR_xxx account as the web visitor is workable. If your server hosts multiple websites, new problems arise.

If you create another website in IIS, the specified account is still IUSR_xxx. This is where the problem arises: if multiple websites share one account for visitor access, then once one website is compromised, the crisis spreads to all of them.

Therefore, you must stop using the shared IUSR_xxx account. Instead, create a dedicated account for each website and assign it as that site's visitor account in IIS. At the same time, the directory where the website lives on disk must grant the appropriate access permission to that account and deny access to every account other than it and the Administrators group. The implementation process is as follows:

Create a dedicated account, xtitvisitor, set a password, and select the options "User cannot change password" and "Password never expires".

Double-click the user to open the xtitvisitor Properties dialog box and click the Member Of tab. The Windows system automatically places this user in the Users group. This is not safe, because many files on drive C grant the Users group access, so remove the Users group. If you add a group at all, add the one with the lowest permissions, the renamed Guests group; the membership can also be left empty. In that case xtitvisitor is only an independent system account that does not belong to any group.

At this point you may notice that Jarry's user Properties dialog box has only four tabs, while yours has 7 or 8. This is because Jarry disabled many unnecessary system services; to ensure security, some services must be disabled. See the previous installment, Server Security (Part 2).

Now you have created a dedicated account. Next comes the directory permission. Find the website directory on your hard disk, for example xtit.net, and set its permissions. Right-click the website directory, choose Properties and open the Security tab. You can see that the directory's existing permissions are inherited from the parent directory. As mentioned in the previous article, each disk partition grants read and write permission only to the Administrators group, so this directory inherits that permission. For the web visitor account to access this website, we need to set it up.

Add the dedicated account you just created to this directory's permissions.

The xtit.net directory is now fully accessible to the Administrators group, and the xtitvisitor user has only Read permission. OK, the entire website directory supports only these permissions. That is the first step.

Next, we refine the permissions on the website's sub-directories. Small and medium ASP websites generally use an Access database, which is an MDB file. The system continuously uses and modifies this file; take the visit counter on your website as an example: every time a user visits, the system adds 1 to the corresponding table in the database. For the database this is an insert, but for the MDB file it is a modification. Therefore, you should also grant Modify and Write permission on this MDB database file to the xtitvisitor account. Then the database file can work normally.


Now let's talk about the security issues caused by the Access database file. If the default extension is kept, the file may be downloaded by attackers, and your website's back-end administrator account can then be guessed from it. Therefore, you must change the file name: add some valid special characters to the file name, for example the # symbol, and change or remove the extension. Then modify the website's database connection file accordingly.

Sub-directory permissions also need to be adjusted one by one according to actual needs. For example, many websites have an upload directory used to store files uploaded through the website; Write permission must be granted on that directory, otherwise an error is reported during the FSO file upload operation. In short, base it on your needs, following the principle of least privilege under normal service conditions.
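The account and directory-permission steps above, scripted with built-in Windows tools. This is an added example, not part of the original article; the account name, site root, database file name and upload directory are assumed values.

```powershell
# Added example, not from the original article: the account-and-ACL steps as a script.
# Assumed (hypothetical) values: account xtitvisitor, site root D:\wwwroot\xtit.net,
# renamed database file data\#xtit.mdb and an upload\ directory under the site root.
# Requires the LocalAccounts cmdlets (PowerShell 5.1+) and icacls; run as Administrator.
# Assigning the account as the site's visitor account is still done in the IIS console.
$User      = 'xtitvisitor'
$SiteRoot  = 'D:\wwwroot\xtit.net'
$DbFile    = Join-Path $SiteRoot 'data\#xtit.mdb'
$UploadDir = Join-Path $SiteRoot 'upload'

# 1. Dedicated visitor account: user cannot change password, password never expires.
$Password = Read-Host -AsSecureString "Password for $User"
New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Visitor account for xtit.net' | Out-Null

# 2. Keep the account out of the Users group (the GUI adds it there by default);
#    it belongs to no group at all.
if (Get-LocalGroupMember -Group 'Users' -Member $User -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $User
}

# 3. Site root: drop inherited ACEs, then only Administrators (Full) and the visitor (Read).
#    (OI)(CI) propagates the entry to files and sub-folders; /grant:r replaces existing grants.
#    If your worker process identity also needs read access, add it here and to $allowed.
icacls $SiteRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' "${User}:(OI)(CI)RX"

# 4. Access database file: the visitor needs Modify so counters and inserts can write to it.
icacls $DbFile /grant:r "${User}:M"

# 5. Upload directory: Modify (read + write + delete) so uploads can be stored and served back.
icacls $UploadDir /grant:r "${User}:(OI)(CI)M"

# Check: report any ACE on a path that belongs to neither Administrators nor the visitor,
# and confirm inheritance from the parent directory is really cut.
function Test-SiteAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    $unexpected = @($acl.Access | Where-Object { $_.IdentityReference.Value -notin $Allowed })
    foreach ($ace in $unexpected) {
        Write-Warning "$Path : unexpected ACE $($ace.IdentityReference) -> $($ace.FileSystemRights)"
    }
    return ($acl.AreAccessRulesProtected -and $unexpected.Count -eq 0)
}
$allowed = @('BUILTIN\Administrators', "$env:COMPUTERNAME\$User")
foreach ($p in $SiteRoot, $DbFile, $UploadDir) {
    '{0}: {1}' -f $p, $(if (Test-SiteAcl -Path $p -Allowed $allowed) { 'OK' } else { 'CHECK' })
}
```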

If you want to take the permissions to the ideal, you can even delete the permissions assigned to the Administrators group on the entire xtit.net directory, so that only the xtitvisitor account on the server can access it. This may also cause some trouble; for example, you cannot open the directory yourself.
