15 Tips for Securing your IIS Server

Source: Internet
Author: User


In the past few years, the growing number of hackers, viruses and worms has seriously affected the availability of web sites. Although the Apache server is often the target of attackers, Microsoft's Internet Information Services (IIS) web server is the real target.

Microsoft's products have always been a target, so IIS servers are particularly exposed to attackers. With this in mind, the network administrator must be prepared to carry out a number of security measures. What follows is a checklist that server operators may find useful.

1. Keep Windows upgraded:

Install all upgrades and patches for the system promptly. Consider downloading all updates to a dedicated server on your network and publishing them from that machine over the web. That way, your web server never needs direct Internet access to receive its updates.

2. Use the IIS Precaution tool:

This tool has many practical advantages; however, use it with caution. If your web server interacts with other servers, test the precaution tool first to make sure it is configured correctly and does not break communication between the web server and those other servers.

3. Remove the Default Web site:

Many attackers target the Inetpub folder and launch attacks against it that can bring the server down. The easiest way to prevent this is to disable the default site in IIS. Because web worms reach your site by IP address (they may try thousands of IP addresses a day), their requests will then fail. Point your real web site to a separate folder, and make sure that folder has secure NTFS permissions, which are covered in the NTFS section below.

4. If you do not need FTP and SMTP services, please uninstall them:

The easiest way to get into a computer is through FTP access. FTP is designed for simple read/write access, and if it performs authentication you will find that your username and password travel across the network in clear text. SMTP is another service that allows write access to a folder. By disabling both services, you close off a large share of attacks.

5. Regularly check your Administrators group and services:

One day I entered our classroom and found one more user in the Admin group. This means that someone had successfully got into the system and could have dropped something into it that would suddenly destroy the entire system or consume a lot of bandwidth for the hacker's use. Hackers also tend to leave behind a helper service; once that happens, any action may be too late, and you can only reformat the disk and restore your daily backup files from the backup server. Therefore, checking the list of services on the IIS server and keeping as few services as possible must be a daily task. You should know which services should exist and which should not. The Windows 2000 Resource Kit includes a useful program called Tlist.exe, which lists the services running under each instance of Svchost. Run this program to find hidden services you want to know about. One hint: any service whose name contains the word "daemon" is probably not a service that Windows itself ships and should not exist on an IIS server.
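The daily check described above, as an added example that is not code from the original article: it snapshots the local Administrators group and the running services, diffs them against a saved baseline, and then lists the services hiding behind each svchost.exe. The baseline path is an assumption, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original article: snapshot the local Administrators
# group and the running services, then diff against a saved baseline so a new
# member or a new service stands out. Assumes Windows PowerShell 5.1+ and an
# assumed baseline path; review the first baseline by hand before trusting it.
$BaselinePath = 'C:\Baseline\iis-baseline.json'

function Get-ServerSnapshot {
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name | Sort-Object
    $services = Get-Service | Where-Object Status -eq 'Running' |
        Select-Object -ExpandProperty Name | Sort-Object
    [pscustomobject]@{ Admins = @($admins); Services = @($services) }
}

# Returns the items present in $Current that are missing from $Baseline.
function Get-NewItems {
    param([string[]]$Baseline, [string[]]$Current)
    if (-not $Baseline) { return @($Current) }   # empty baseline: everything is new
    if (-not $Current)  { return @() }
    Compare-Object -ReferenceObject @($Baseline) -DifferenceObject @($Current) |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
}

$current = Get-ServerSnapshot

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the expected state for later comparisons.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

foreach ($a in (Get-NewItems -Baseline $baseline.Admins -Current $current.Admins)) {
    Write-Warning "New Administrators member: $a"
}
foreach ($s in (Get-NewItems -Baseline $baseline.Services -Current $current.Services)) {
    Write-Warning "New running service: $s"
}

# The article's svchost hint: show which services run behind each svchost.exe
# (tasklist /svc is the built-in successor to the Resource Kit's Tlist.exe).
tasklist /svc /fi "IMAGENAME eq svchost.exe"
```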

6. Strict control of the server's write access rights:

It sounds easy; however, on a college campus a web server actually has a lot of "authors". Faculty members want their course material to be accessible to remote students. Staff members want to share their work with other employees. As a result, folders on the server can end up with extremely dangerous access rights. One way to share or distribute this information safely is to install a second server dedicated to sharing and storage, and then configure your web server to point at that shared server. This lets the network administrator restrict write permission on the web server itself to the Administrators group only.

7. Set a complex password:

I recently entered the classroom and found signs of several possible hackers in the Event Viewer. He or she had got deep enough into the lab's domain structure to be able to run a password-cracking tool against any user. If a user has a weak password (such as "password", "changeme" or any dictionary word), the hacker can quickly and easily take over that user's account.

8. Reduce/exclude sharing on Web servers:

If the network administrator is the only person with write access to the web server, there is no reason for any share to exist. Shares are the biggest temptation for hackers. In addition, by running a simple looping batch file over a list of IP addresses and using the \ command, a hacker can find shares granted Everyone/Full Control.

8. Disable NetBIOS in the TCP/IP protocol:

This is a harsh measure. Many users want to reach the web server through a UNC path name, and with NetBIOS disabled they cannot. On the other hand, with NetBIOS disabled, hackers cannot see the resources on your local area network either. It is a double-edged sword: if the network administrator applies it, the next step is educating web users on how to publish their content without NetBIOS.

9. Use TCP port blocking:

This is another harsh tool. If you know every TCP port that is used to reach your server for legitimate reasons, you can open the Properties tab of your network interface card, select the bound TCP/IP protocol, and block all the ports you do not need. Be careful with this tool, because you do not want to lock yourself out of the web server, especially if you need to log on to it remotely.

10. Careful examination of *.bat and *.exe documents:

Once a week, search for *.bat and *.exe files and check the server for the executables hackers like best; left unnoticed, they will become a nightmare for you. Among these destructive files there may also be *.reg files. If you right-click one and choose Edit, you can see which registry keys the hacker has created and can use to gain access to your system. You can then remove keys that serve no purpose but would give an intruder convenient access.
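The weekly sweep described above, as an added example that is not code from the original article: it finds *.bat, *.exe and *.reg files created or modified in the last week under the web content root, records their hash, owner and signature status, and for .reg files prints the registry keys they would write. The content roots and report path are assumptions.

```powershell
# Added example, not from the original article: weekly sweep for *.bat, *.exe
# and *.reg files under the web content root. The roots and report path are
# assumptions; adjust them for your server. Runs on Windows PowerShell 5.1+.
$Roots      = @('C:\inetpub')
$Days       = 7
$ReportPath = "C:\Reports\exec-sweep-$(Get-Date -Format yyyyMMdd).csv"

function Get-RecentExecutables {
    param([string[]]$Paths, [int]$DaysBack)
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    foreach ($root in $Paths) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.bat, *.exe, *.reg -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff -or $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Modified  = $_.LastWriteTime
                    # 'Valid' for a signed binary; scripts and dropped tools are usually 'NotSigned'
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    Owner     = (Get-Acl -Path $_.FullName).Owner
                    SizeBytes = $_.Length
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Path      = $_.FullName
                }
            }
    }
}

$findings = @(Get-RecentExecutables -Paths $Roots -DaysBack $Days)
$findings | Sort-Object Modified -Descending | Format-Table Modified, Signature, Owner, Path -AutoSize

# Keep a dated report so next week's sweep can be compared with this one.
New-Item -ItemType Directory -Force -Path (Split-Path -Path $ReportPath) | Out-Null
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# For .reg files, show which registry keys they would write (the [bracketed] lines),
# which is what the article suggests checking by opening the file in an editor.
foreach ($f in ($findings | Where-Object Path -like '*.reg')) {
    Write-Host "`nRegistry keys referenced by $($f.Path):"
    Select-String -Path $f.Path -Pattern '^\[.*\]' | ForEach-Object { '  ' + $_.Line }
}
```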

11. Managing IIS Directory Security:

IIS directory security allows you to deny specific IP addresses, subnets, or even domain names. As an alternative, I chose a piece of software called Whoson, which lets me see which IP addresses are trying to access specific files on the server. Whoson lists a series of exceptions. If you find someone trying to access your Cmd.exe, you can choose to deny that user access to the web server. Of course, on a busy web site this may require a full-time employee! On an intranet, however, it is a very useful tool: you can make resources available to all intranet users, or only to specific users.

12. Use NTFS security:

By default, your NTFS drives grant Everyone/Full Control unless you manually change it. The key is not to lock yourself out: different people need different permissions. Administrators need Full Control, the background management account also needs Full Control, and the System and service accounts each need their own level of access depending on the files involved. The most important folder is System32, and the less access that folder grants, the better. Using NTFS permissions on a web server helps you protect important files and applications.

13. Manage User accounts:

If you have installed IIS, a TsInternetUser account may have been created. Unless you really need this account, disable it. It is easily compromised and is a well-known target for hackers. To help manage your user accounts, make sure your local security policy is sound. The IUSR account's permissions should be as small as possible.

14. Audit your Web server:

Auditing has a big impact on your computer's performance, so unless you review the audit logs regularly, do not turn it on. If you can really make use of it, audit system events and add the other audit categories when you need them. If you are using the Whoson tool mentioned earlier, auditing matters less. By default, IIS always logs access, and Whoson places the records in a very readable database that you can open in Access or Excel. If you look at the anomaly database often, you can spot the server's weak points at any time.
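Tips 11 and 14 both come down to reading the access log for requests that should never occur. As an added example that is not code from the original article, the script below parses IIS W3C log lines using their #Fields header, tallies requests referencing cmd.exe per client IP, and shows how those IPs could be denied with IIS IP restrictions. The log directory, site name and sample log lines are constructed assumptions; the sample is used when the log directory does not exist.

```powershell
# Added example, not from the original article: scan IIS W3C logs for requests that
# reference cmd.exe, tally them per client IP, and list the IPs to deny with IIS
# IP restrictions (tips 11 and 14). Log directory, site name and the sample lines
# below are constructed assumptions.
$LogDir   = 'C:\inetpub\logs\LogFiles\W3SVC1'
$SiteName = 'Default Web Site'

$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-02 10:00:01 10.0.0.5 GET /index.htm - 80 192.0.2.10 Mozilla/5.0 200
2024-01-02 10:00:07 10.0.0.5 GET /scripts/cmd.exe /c+dir 80 198.51.100.7 - 404
2024-01-02 10:00:09 10.0.0.5 GET /cgi-bin/cmd.exe - 80 198.51.100.7 - 404
'@ -split "`r?`n"

# Parses W3C lines using the #Fields header; emits one row per matching request.
function Get-SuspiciousRequests {
    param([string[]]$Lines, [string]$Pattern = 'cmd\.exe')
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -match $Pattern -or $row['cs-uri-query'] -match $Pattern) {
            [pscustomobject]@{ ClientIP = $row['c-ip']; Uri = $row['cs-uri-stem']; Status = $row['sc-status'] }
        }
    }
}

$lines = if (Test-Path -Path $LogDir) { Get-ChildItem -Path $LogDir -Filter *.log | Get-Content } else { $sampleLog }

$suspects = Get-SuspiciousRequests -Lines $lines | Group-Object ClientIP | ForEach-Object {
    [pscustomobject]@{ ClientIP = $_.Name; Requests = $_.Count; Uris = ($_.Group.Uri | Select-Object -Unique) -join ', ' }
} | Sort-Object Requests -Descending
$suspects | Format-Table -AutoSize

# To deny these IPs for the site (IIS 7+, WebAdministration module, elevated shell,
# "IP and Domain Restrictions" feature installed), uncomment the lines below.
# Import-Module WebAdministration
# foreach ($s in $suspects) {
#     Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
#         -Filter 'system.webServer/security/ipSecurity' -Name '.' `
#         -Value @{ ipAddress = $s.ClientIP; allowed = 'false' }
# }
```

With the constructed sample, 198.51.100.7 is reported with two requests and 192.0.2.10 does not appear.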

Last tip: log on to your web server and run netstat at the command line. Observe how many IP addresses are trying to connect to your ports, and you will have a whole lot of investigation and research ahead of you.
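The netstat check from the last tip, as an added example that is not code from the original article: it uses Get-NetTCPConnection (Windows Server 2012 and later) so the output can be compared with an allowlist of expected listening ports (tip 9) and grouped by remote address. The allowlist and the connection threshold are assumptions for your environment.

```powershell
# Added example, not from the original article: the netstat check from the last tip,
# done with Get-NetTCPConnection (Windows 8 / Server 2012 and later) so the result
# can be sorted and compared with an allowlist of ports the server should listen on.
# The allowlist and threshold below are assumptions; adjust them for your server.
$ExpectedListeners = @(80, 443, 3389)   # HTTP, HTTPS, Remote Desktop
$MinConnections    = 10                 # flag remote hosts holding this many connections
$Loopback          = @('127.0.0.1', '::1', '0.0.0.0', '::')

$conns = Get-NetTCPConnection

# 1. Listening ports not on the allowlist, with the owning process (tip 9, port blocking).
$unexpected = $conns |
    Where-Object { $_.State -eq 'Listen' -and $_.LocalPort -notin $ExpectedListeners } |
    Sort-Object LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress
                           Process = $proc.ProcessName; PID = $_.OwningProcess }
    }

# 2. Remote addresses holding many simultaneous connections: this is where the
#    "whole lot of investigation" the article promises begins.
$talkers = $conns |
    Where-Object { $_.State -in 'Established', 'SynReceived' -and $_.RemoteAddress -notin $Loopback } |
    Group-Object RemoteAddress |
    Where-Object Count -ge $MinConnections |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{ RemoteIP = $_.Name; Connections = $_.Count
                           LocalPorts = ($_.Group.LocalPort | Sort-Object -Unique) -join ',' }
    }

Write-Host "Listening ports outside the allowlist:"
$unexpected | Format-Table -AutoSize
Write-Host "Remote hosts with $MinConnections or more connections:"
$talkers | Format-Table -AutoSize
```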
