ASP tutorial: Issues to note when configuring IIS server
1. Installation of operating system
The operating system I am talking about here takes Windows 2000 as an example. Higher versions of Windows also have similar functions.
When formatting the hard drive, it must be formatted as NTFS and never use FAT32 type.
C drive is the operating system disk, D drive is for commonly used software, and E drive is for websites. Set disk permissions immediately after formatting is complete. Leave C drive at its default. On D drive, grant Administrator and System full control and remove all other users. On E drive, which holds the websites, if there is only one website, grant Administrator and System full control and give Everyone read access; if a certain piece of code on the website must perform a write operation, change the permissions only on the folder where that file is located.
During system installation, follow the principle of minimum services: leave unneeded services unselected so that the system is installed with the minimum footprint. When installing IIS, install only the most basic and necessary functions; unnecessary and dangerous services must not be installed, for example the FrontPage 2000 server extensions, Internet Service Manager (HTML), the FTP service, documentation, the Indexing Service, and so on.
2. Network security configuration
The most basic part of network security is port configuration. In the Local Area Connection properties, select Internet Protocol (TCP/IP), click Advanced, and then click Options -> TCP/IP Filtering. Open only the ports required by the website service. The configuration interface is as shown below.
After making these settings, domain name resolution will no longer work from the server itself, so you cannot browse the Internet from it, but external access to the website will be normal. This setting is mainly intended to mitigate ordinary-scale DDoS attacks.
3. Security template settings
Run MMC, add the stand-alone snap-in Security Configuration and Analysis, import the template basicsv.inf or securedc.inf, and then click Configure Computer Now. The system will configure account policies, local policies, system services and other settings in one step, but these configurations may cause some software to fail to run or to run incorrectly.
4. WEB server settings
Taking IIS as an example, never use the WEB directory that IIS creates by default; instead, create a new directory on the E drive. Then, in IIS Manager, right-click the host -> Properties -> WWW Service Edit -> Home Directory Configuration -> Application Mapping, keep only asp and asa, and delete all the rest.
5. ASP security
On IIS systems, most Trojans are written in ASP. Therefore, the security of the ASP components is very important.
In fact, most ASP Trojans do their work by calling the Shell.Application, WScript.Shell, WScript.Network, FSO and Adodb.Stream components. Apart from FSO, most of the others can simply be disabled.
Use this command to unregister the WScript.Shell component: regsvr32 wshom.ocx /u
Use this command to unregister the WScript.Network component: regsvr32 wshom.ocx /u (both components live in wshom.ocx, so a single run of this command unregisters both).
To block Shell.Application, deny the Guests group access to shell32.dll so that the component cannot be called. Use the command: cacls C:\WINNT\system32\shell32.dll /e /d guests
The command to prohibit guests from executing cmd.exe is: cacls C:\WINNT\system32\Cmd.exe /e /d guests
Disabling the FSO component is more troublesome. If the website itself does not need this component, disable it with the command regsvr32 scrrun.dll /u. If the website itself also needs to use FSO, please see this article.
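As an added example (not part of the original tutorial), the following PowerShell audit reports which of the components named in this section are still registered on the server and whether the Guests deny entries on cmd.exe and shell32.dll are in place. It assumes the Windows directory is %SystemRoot% (C:\Windows on current versions) rather than the fixed C:\WINNT path used above, and that FSO is registered under its ProgID Scripting.FileSystemObject.

```powershell
# Added audit example, not from the original tutorial: check the hardening
# steps of section 5 instead of re-applying them.
# Assumption: the Windows directory is $env:SystemRoot (C:\WINNT on Windows 2000).

$progIds = 'Shell.Application', 'WScript.Shell', 'WScript.Network',
           'Scripting.FileSystemObject', 'ADODB.Stream'

foreach ($id in $progIds) {
    # A ProgID key under HKEY_CLASSES_ROOT exists only while the COM
    # component is registered; regsvr32 /u removes it.
    $registered = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$id"
    $state = if ($registered) { 'REGISTERED' } else { 'unregistered' }
    Write-Output ("{0,-28} {1}" -f $id, $state)
}

$files = "$env:SystemRoot\System32\cmd.exe",
         "$env:SystemRoot\System32\shell32.dll"

foreach ($f in $files) {
    $acl = Get-Acl -LiteralPath $f
    # Look for a Deny ACE granted to the built-in Guests group, which is
    # what 'cacls <file> /e /d guests' adds.
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like '*\Guests'
    }
    $state = if ($denied) { 'Guests denied' } else { 'NO deny ACE for Guests' }
    Write-Output ("{0,-40} {1}" -f $f, $state)
}
```

Run it from an elevated PowerShell prompt on the web server; any line reading REGISTERED or NO deny ACE for Guests is a step from this section that has not been applied (or has been undone by a reinstall or update).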