Secure an IIS Web server with these 10 steps

原创 2005年06月02日 08:44:00


Internet Information Services (IIS) is a favorite target of hackers. Thus, it's critical for administrators who manage IIS Web servers to make sure that they are locked down. The default installations of IIS 4.0 and IIS 5.0 are particularly vulnerable.


Take these 10 steps to secure IIS:

  1. Set up an NTFS drive just for the IIS application and data. If possible, don't allow IUSER (or whatever the anonymous username is) access to any of the other drives. If the application runs into any problems because the anonymous user doesn't have access to programs on the other drive(s), then use FileMon from Sysinternals to troubleshoot which file it can't access and try working around it by moving the program to the IIS drive. If that is impossible, then allow IUSER access just to that file.
  2. Set the NTFS permissions on the drive:
    Developers = Full
    IUSER = Read and execute only
    System and admin = Full
  3. Use a software firewall to make sure that none of the end users (only the developers) have access to any other port on the IIS machine besides port 80.
  4. Use the Microsoft tools for locking down the machine: IIS Lockdown and UrlScan.
  5. Enable logging using IIS. In addition to the IIS logging, if possible, use logging from the firewall as well.
  6. Move the logs from the default location, and make sure that they are being backed up. Set up a replication for the log folders so that a copy is always available in a second location.
  7. Enable Windows auditing on the machine, because there is never enough data when trying to backtrack any attacker's activity. It's even possible to have a script run to check for any suspicious activity using the audit logs, and then send a report to an administrator. Now this might sound a bit extreme, but if security is really important in your organization, this type of action is a good practice. Set up auditing to report any failed account logons. Plus, as with the IIS logs, change the default location (c:/winnt/system32/config/secevent.log) to a different location, and make sure that you have a backup and a replicated copy.
  8. On a regular basis, go through as many security articles (from various sources) as you can. It is always better that you understand as much as possible about IIS and general security practices and not just follow what others (like me) tell you.
  9. Sign up to a mailing list for IIS bugs and stay up to date in reading it. One such list is X-Force Alerts and Advisories from Internet Security Systems.
  10. Finally, make sure that you regularly run Windows Update and verify that the patches actually get deployed.

How to Install NoCat Splash and Link it to an External Web Server

Compile NoCatSplash: goto and download the latest stable ...
  • zx824
  • zx824
  • 2012年07月09日 11:11
  • 3029

Asp Web Server调试工具(简易IIS)

  • 2010年01月27日 01:22
  • 712KB
  • 下载

[pySpark][note]Web Server Log Analysis with Apache Spark

version 1.0.1 + Web Server Log Analysis with Apache SparkThis lab will demonstrate how easy it is to...

Setting up Django and your web server with uWSGI and nginx

设置Django和基于uWSGI和nginx的Web服务器概念the web client the web server the socket uwsgi Django创建Django项目pi...

Indy10 WEB Server Demo代码

  • 2014年07月15日 15:17
  • 64KB
  • 下载

Host an ASP.NET Site Web in IIS7 with Postgresql

做了.net这么久,终于要做点ASP.NET的东西了。开始这份.NET的工作这么久,其实我.NET一点都没学过,纯自学,基本靠GOOGLE,好现在开始建站,我上司说自己也没做过,好吧,自己弄吧。 首先...
  • wzjiao
  • wzjiao
  • 2011年02月25日 22:33
  • 502

Application Server Role, Web Server (IIS) Role: configuration error

I’m installing SharePoint 2013 on Windows 2012 ‘offline’ – the server has no Internet access.  Withi...

WINDOWS10环境下apache2.4+php5.6.30(nts)+mysql5.7- web server环境手动配置

WINDOWS10环境下apache2.4+php5.6.30(nts)+mysql5.7- web server环境手动配置-windows10 professional...
  • tdwcn
  • tdwcn
  • 2017年06月04日 16:19
  • 364
您举报文章:Secure an IIS Web server with these 10 steps