Windows2003 Server IIS Web site security settings diagram

Source: Internet
Author: User
Tags: anonymous file upload ftp readable access database ntfs permissions

Basic Web Site Security Configuration

Set the security of the partition that holds the sites so that only two principals, Administrators and SYSTEM, have access, as shown in the following figure:

Put all site content under the wwwroot folder on the D: drive. Note that site content must not be placed directly in the root of the partition; create a folder for it, because the site's security relies on the permissions set on that folder (as described below).

Here is an example that creates the site asdf.cn.
1. First create a folder for the site, named ASDFCN, and inside it create the folders web, logs, data and error. Each stores a different kind of data; for example, error holds the site's error pages, such as the 404 and 500 pages.
logs holds the access logs for this site. By default IIS stores them on the C: drive, which needs attention.
data holds the user's backup information.
web holds the website's program files, such as php, asp, asp.net, html and jsp files.

2. Set permissions on the folders
Create a wwwroot directory on the D: partition; it automatically inherits the access rights of the partition (set at the top). In what follows, each site is given its own user with its own access rights.

Suppose we have added a user named SiteUser, placed it in the Guests group, set its password to never expire and not allowed the user to change the password. For the site created below, this is the user that is given access and execute rights.
3. Set the permissions of the D:/WWWROOT/ASDFCN folder: right-click it, open Properties, add the user "SiteUser", and click "Advanced". In the Advanced Security Settings dialog box that opens, select the "SiteUser" user and click "Edit" to set its permissions.
In "Apply onto" at the top select "This folder only", and in the permission list below select only the following:
1. List Folder / Read Data
2. Read Attributes
3. Read Extended Attributes
4. Read Permissions
Select these four options and nothing else, and make sure nothing is ticked in the Deny column. This restricts the site's user to this folder, so that even if a Trojan is uploaded to this site, other sites are not affected. As shown in the picture:
The permissions after the settings are completed are shown in the following illustration:

4. Set permissions for the web folder
In the same way as above, open the Advanced Security Settings dialog box for the "SiteUser" user, and in "Apply onto" at the top select "This folder, subfolders and files".
In the Allow column select the permissions except for the following two items, which go in the Deny column:
1. Full Control
2. Traverse Folder / Execute File
As shown in the following illustration:
When finished, the result looks as in the figure:

Permissions for the other directories are set in the same way as for the web directory.
After the settings above are in place, the site is basically secure.

Security configuration for the server

The system accounts are:
Administrators: super administrator (group)
SYSTEM: built-in security principal
Guests: guest account (group)
IUSR_<server name>: anonymous web access user
IWAM_<server name>: user that starts the IIS process
www_cnnsc_org: the user added for the site; after adding it, remove it from the Users group and add it to the Guests group
For better system security, disable the Guest user and the IUSR_<server name> user.
Put all accounts that access web directories in the Guests group only; remove them from all other groups.
Disk security access permissions
C: drive: Administrators (group) Full Control, System (built-in security principal) Full Control
D: drive (if user site content is placed on this partition): Administrators (group) Full Control
E: drive: Administrators (group) Full Control, System (built-in security principal) Full Control
F: drive: Administrators (group) Full Control, System (built-in security principal) Full Control
Any further drive letters are set in the same way.

Directory security access permissions
▲c:/windows/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/windows/system32/
Administrators (group) Full Control, System (built-in security principal) Full Control, IWAM_<server name> (user) Read & Execute
▲c:/windows/temp/
Administrators (group) Full Control, System (built-in security principal) Full Control, Guests (group) Full Control
▲c:/windows/system32/config/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/program files/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/program files/common files/
Administrators (group) Full Control, System (built-in security principal) Full Control, Guests (group) Read & Execute
▲c:/documents and settings/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/documents and settings/all users/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/documents and settings/all users/application data/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/documents and settings/all users/application data/microsoft/
Administrators (group) Full Control, System (built-in security principal) Full Control
▲c:/documents and settings/all users/application data/microsoft/html help/
Administrators (group) Full Control, System (built-in security principal) Full Control

Restrict EXE files on the system drive:
Net.exe, Cmd.exe, Tftp.exe, Netstat.exe, Regedit.exe, Regedt32.exe, At.exe, Attrib.exe, Cacls.exe
Set these files so that only Administrators have Full Control.

New www (web site) root: Administrators (group) Full Control, System (built-in security principal) Full Control
▲ Create a wwwroot directory in the root directory
▲ Site root directory; upload web pages to this directory
Administrators (group) Full Control
www_cnnsc_org (user) Full Control
▲ Create a logfiles directory in the root directory
▲ Web site access log files; this directory does not count against your space
Administrators (group) Full Control
▲ Create a database directory in the root directory
▲ Database directory, used to store Access databases
Administrators (group) Full Control
▲ Create an others directory in the root directory
▲ For storing your other files; files here do not appear on the website
Administrators (group) Full Control
www_cnnsc_org (user) Full Control
▲ FTP login message file (including the IIS log description):
〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
Welcome to this virtual host.
Please use software such as CuteFTP or LeapFTP to upload your web pages.
Note: if you cannot upload, turn off PASV mode in your FTP software and try again.
The directory you log in to is the FTP root directory:
/--wwwroot: website root directory; upload web pages to this directory.
/--logfiles: web site access log files; this directory does not count against your space.
/--database: database directory, used to store Access databases.
/--others: used to store your other files, which do not appear on the site.
To keep the server fast and stable, do not upload Lake games, advertising exchanges,
gaming websites, large forums, software downloads or other programs that consume system resources.
IIS log description
/--date: the date on which the action occurred
/--time: the time at which the action occurred
/--s-sitename: the Internet service and instance number the client accessed
/--s-computername: the name of the server that generated the log entry
/--s-ip: the IP address of the server that generated the log entry
/--cs-method: the action the client attempted to perform (for example, the GET method)
/--cs-uri-stem: the resource accessed, such as Default.asp
/--cs-uri-query: the query the client executed
/--s-port: the port number the client connected to
/--cs-username: the name of the authenticated user who accessed the server; anonymous users are not included
/--c-ip: the IP address of the client that accessed the server
/--cs(User-Agent): the browser the client used
/--sc-status: the status of the action, in HTTP or FTP terms
/--sc-win32-status: the status of the action, in Microsoft Windows terms
〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
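As an added example (not part of the original notice file), the following Python script parses IIS 6 W3C extended log lines using the fields described above and flags the two kinds of request this page's settings are meant to stop: HTTP PUT (what the IIS "Write" permission handles) and direct requests for .mdb files. The log lines are constructed; the server name and addresses are placeholders.

```python
"""Parse IIS 6 W3C extended log lines (the fields listed in the notice above) and
flag entries a site owner should review: HTTP PUT requests and direct .mdb fetches."""
from collections import Counter

# Constructed sample log, not real server output. Field order follows the
# #Fields: header exactly as IIS writes it; IIS replaces spaces inside a
# field (e.g. the User-Agent) with '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-12-01 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2009-12-01 08:00:01 W3SVC1 WEB01 192.0.2.10 GET /Default.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0
2009-12-01 08:00:02 W3SVC1 WEB01 192.0.2.10 GET /database/site.mdb - 80 - 198.51.100.7 Mozilla/4.0 403 5
2009-12-01 08:00:03 W3SVC1 WEB01 192.0.2.10 PUT /upload/test.asp - 80 - 198.51.100.7 Mozilla/4.0 403 0
2009-12-01 08:00:04 W3SVC1 WEB01 192.0.2.10 GET /images/logo.gif - 80 - 203.0.113.5 Mozilla/4.0 200 0
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields: carries information we need
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))

def review(text):
    """Return (Counter of sc-status values, list of entries worth reviewing).

    Each flagged entry is (reason, client ip, uri stem, status)."""
    statuses = Counter()
    flagged = []
    for entry in parse_w3c(text):
        statuses[entry["sc-status"]] += 1
        method = entry["cs-method"].upper()
        path = entry["cs-uri-stem"].lower()
        if method == "PUT":
            flagged.append(("http-put", entry["c-ip"], path, entry["sc-status"]))
        elif path.endswith(".mdb"):
            flagged.append(("mdb-download", entry["c-ip"], path, entry["sc-status"]))
    return statuses, flagged

if __name__ == "__main__":
    counts, hits = review(SAMPLE_LOG)
    print(dict(counts))
    for hit in hits:
        print(*hit)
```

With the .mdb mapping and Write permission configured as this page describes, both flagged requests show a 403 status; a 200 on either line would mean the setting is missing on that site.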

Prevent downloading of Access databases
Internet Information Services (IIS) Manager → web site → Properties → Home Directory → Configuration → Add
Executable: C:/windows/twain_32.dll
Extension: .mdb
▲ To block downloading of other file types:
Internet Information Services (IIS) Manager → web site → Properties → Home Directory → Configuration → Add
Executable: C:/windows/twain_32.dll
Extension: . (change to the extension you want to block)
▲ Then remove these extension mappings: shtml, stm, shtm, cdx, idc, cer

Prevent listing of user groups and system processes:
Start → Programs → Administrative Tools → Services
Find Workstation, stop it and disable it

Uninstall the least secure components:
Start → Run → cmd → Enter
▲ At the cmd prompt enter:
regsvr32 /u C:/windows/system32/wshom.ocx
del C:/windows/system32/wshom.ocx
regsvr32 /u C:/windows/system32/shell32.dll
del C:/windows/system32/shell32.dll
Alternatively, these files can be set to deny the Guests group access.

Lift the 200 KB limit on FSO upload programs:
Stop the IIS Admin Service in Services
Open C:/windows/system32/inetsrv/metabase.xml
Find AspMaxRequestEntityAllowed
Change it to the desired value: the default is 204800, i.e. 200 KB; for example change it to 51200000 (50 MB), then restart the IIS Admin Service

Disabling IPC connections
Start → Run → regedit
Find the following key: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa
and under it the value restrictanonymous
Change its value to 1

Clear the remotely accessible registry paths:
Start → Run → gpedit.msc
Expand Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Find "Network access: Remotely accessible registry paths" in the right pane
Then, in the window that opens, clear the contents of both the remotely accessible registry paths and the sub-paths settings

Turn off unnecessary services
Start → Programs → Administrative Tools → Services
Telnet, TCP/IP NetBIOS Helper

Resolving Terminal Services license expiration
If Terminal Services is installed on the server, remove Terminal Services and Terminal Server Licensing in Add or Remove Programs.
My Computer → right-click → Properties → Remote → tick Remote Desktop → Apply
Reboot the server; it no longer prompts about expiration

Cancel the shutdown reason prompt
Start → Run → gpedit.msc
In the Group Policy Editor that opens, expand in turn
Computer Configuration → Administrative Templates → System
Double-click "Display Shutdown Event Tracker" in the right pane
Change it from (Not Configured) to (Disabled)

Security Configuration for Site directory (file upload directory permissions settings)

Here is a summary of my experience from the configuration process; I hope it helps. Permissions for an IIS web server are set in two places: in the NTFS file system itself, and in the Site → Properties → Home Directory panel in IIS (or, for a directory under the site, Directory → Properties → Directory). The two are closely related. Below I explain, by example, how to set them.

The Site → Properties → Home Directory panel in IIS (or, for a directory under it, Directory → Properties → Directory) has:

    • Script source access
    • Read
    • Write
    • Directory browsing
    • Log visits
    • Index this resource

six options. Of these six, "Log visits" and "Index this resource" have no security impact and are normally set. However, if none of the first four permissions is set, these two are not needed either. Keep this rule in mind when setting permissions; the examples below do not describe these two settings again.

In addition, below the six options, the Execute permissions drop-down list has:

    • None
    • Scripts only
    • Scripts and Executables

three options. If the site directory is on an NTFS partition (recommended), you also need to set appropriate NTFS permissions on that directory. Many guides say to set permissions for Everyone, which is in fact bad practice; it is enough to set permissions for the Internet Guest account (IUSR_XXXXXXX) or for the accounts in the IIS_WPG group. For ASP and PHP program directories, set the Internet Guest account's permissions; for ASP.NET programs, set the IIS_WPG group's permissions. Below, where NTFS permissions are meant this is stated explicitly; where nothing is stated, the permissions in the IIS properties panel are meant.

Example 1 -- permission settings for ASP, PHP and ASP.NET program directories:
For these programs to run, set the Read permission and set Execute permissions to "Scripts only". Do not set Write or Script source access, and do not set Execute permissions to "Scripts and Executables". In the NTFS permissions, do not give the IIS_WPG group or the Internet Guest account Write or Modify. If a program has a special configuration file (and the configuration file is itself an ASP or PHP program), give the Internet Guest account (for ASP.NET, the IIS_WPG group) NTFS Write permission on those specific files, rather than enabling Write in the IIS properties panel.

The "write" permission in the IIS panel is actually the processing of the HTTP put instruction, which is not normally open for ordinary Web sites.

Script source access in the IIS panel is not permission to execute scripts but permission to access their source code; combined with the Write permission it is very dangerous.

The "Script and executable" permission in the Execute permission can execute any program, including EXE executable program, if the directory also has "write" permission, then it is very easy to upload and execute Trojan horse program.

For ASP.NET program directories, many people like to set up Web Sharing in the file system, which is actually unnecessary. You only need to make sure the directory is an application in IIS. If your directory is not yet an application in IIS, simply click Create in the Application Settings section of its Properties → Directory panel. Web Sharing gives the directory more permissions than it needs and can cause insecurity.

In other words, normally do not enable Write or Script source access on the home directory, and do not select Scripts and Executables; Scripts only is enough. For ASP.NET, if an application directory contains more than one program, just click Create under Properties → Directory on the application folder. Do not make a Web Share of the folder.

Example 2 -- permission settings for upload directories:
A user's website may have one or several directories into which files can be uploaded, usually through ASP, PHP, ASP.NET or similar programs. Here we must make sure the upload directory's Execute permissions are set to "None", so that even if an ASP, PHP or other script, or an EXE program, is uploaded, it will not be executed when requested from a user's browser.

Also, unless users need to upload with the PUT command, do not enable the Write permission on the upload directory. Instead, set NTFS Write permission for the Internet Guest account (for an ASP.NET program's upload directory, the IIS_WPG group).

If your program reads the file's contents and forwards them to the user itself, you do not even need to set the Read permission. This ensures that uploaded files can only be downloaded by users the program has authorized, rather than by anyone who knows where the file resides. Do not enable "Directory browsing" unless you want users to be able to browse the upload directory and choose what to download.

Many ASP, PHP and similar programs, a forum for instance, have an upload directory. It inherits the attributes above and can therefore run scripts. Such directories should be given their own settings: change (Scripts only) to (None).

Example 3 -- permission settings for the directory holding an Access database:
Many IIS users prevent visitors from downloading their Access database by renaming it (to an .asp or .aspx suffix, for example) or by placing it outside the publishing directory. In fact this is unnecessary: you just need to remove the "Read" and "Write" permissions from the directory (or file) in which the Access database is located to prevent people from downloading or tampering with it. You need not worry that your program will be unable to read and write the Access database: what your program needs is the NTFS permissions of the Internet Guest account or the IIS_WPG group, and simply making that user's permissions readable and writable is enough for the program to run correctly.

In short: give the Internet Guest account or IIS_WPG group account readable and writable NTFS permissions, then remove the "Read" and "Write" permissions from the directory (or file) holding the Access database, so that nobody can download or tamper with it.

Example 4 -- permission settings for other directories:
Your site may also have directories of pure images, pure HTML templates, pure client-side JS files, style sheets and so on. These directories only need the "Read" permission, with Execute permissions set to "None"; no other permissions are needed.
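To make the rules of Examples 1 to 4 checkable, here is an added Python audit script (my own, not the author's). The Directory model, the role names and the constructed site layout are assumptions; "guest account" stands for the Internet Guest account for ASP/PHP or the IIS_WPG group for ASP.NET, as the text explains.

```python
"""Audit IIS 6 home-directory panel settings and NTFS rights of a site's
directories against the rules in Examples 1-4 (added example, not the author's)."""
from dataclasses import dataclass, field

NONE, SCRIPTS, SCRIPTS_AND_EXE = "None", "Scripts only", "Scripts and Executables"

@dataclass
class Directory:
    path: str
    role: str                      # assumed role names: script, upload, database, static
    read: bool = False             # IIS panel: Read
    write: bool = False            # IIS panel: Write (HTTP PUT handling)
    script_source: bool = False    # IIS panel: Script source access
    browse: bool = False           # IIS panel: Directory browsing
    execute: str = NONE            # IIS panel: Execute permissions
    ntfs_guest: set = field(default_factory=set)  # NTFS rights of IUSR_xxx / IIS_WPG

def audit(d):
    """Return the rules the directory breaks; an empty list means it follows the page."""
    f = []
    if d.write and d.script_source:
        f.append("Script source access plus Write exposes source and lets clients replace it")
    if d.write and d.execute == SCRIPTS_AND_EXE:
        f.append("Write plus Scripts and Executables lets an uploaded program run")
    if d.role == "script":  # Example 1
        if not d.read or d.execute != SCRIPTS:
            f.append("script directory needs Read and Execute = Scripts only")
        if d.write or d.script_source or d.execute == SCRIPTS_AND_EXE:
            f.append("script directory must not have Write, Script source access or Scripts and Executables")
        if "write" in d.ntfs_guest:
            f.append("NTFS Write for the guest account belongs only on specific config files")
    elif d.role == "upload":  # Example 2
        if d.execute != NONE:
            f.append("upload directory must have Execute = None so uploaded scripts never run")
        if d.write:
            f.append("upload directory should use NTFS Write for the guest account, not IIS Write")
        if "write" not in d.ntfs_guest:
            f.append("upload program needs NTFS Write for the guest account")
        if d.browse:
            f.append("Directory browsing lets visitors list uploaded files")
    elif d.role == "database":  # Example 3
        if d.read or d.write:
            f.append("database directory must have neither Read nor Write, so the .mdb cannot be fetched or replaced")
        if not {"read", "write"} <= d.ntfs_guest:
            f.append("program needs NTFS Read and Write for the guest account on the database")
    elif d.role == "static":  # Example 4
        if not d.read or d.execute != NONE or d.write or d.script_source or d.browse:
            f.append("static directory needs Read only and Execute = None")
    return f

# Constructed site layout (assumption) under the D:/wwwroot/ASDFCN folder from the page
SITE = [
    Directory("D:/wwwroot/ASDFCN/web", "script", read=True, execute=SCRIPTS, ntfs_guest={"read"}),
    Directory("D:/wwwroot/ASDFCN/web/upload", "upload", read=True, execute=SCRIPTS, ntfs_guest={"read", "write"}),
    Directory("D:/wwwroot/ASDFCN/data", "database", read=True, ntfs_guest={"read", "write"}),
    Directory("D:/wwwroot/ASDFCN/web/images", "static", read=True),
]

def audit_site(dirs=SITE):
    # Map each path to its findings, keeping only directories that break a rule
    return {d.path: audit(d) for d in dirs if audit(d)}
```

For the constructed layout, audit_site() reports only the upload directory (it inherited Scripts only) and the data directory (Read still set on the database).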

I think the examples above cover the permission settings for most cases; for the remaining cases, I think you can work out how to set them.
