IIS (Internet Information Server) is one of the most widely used Web servers today and provides powerful Internet and intranet services. Strengthening the security mechanisms of IIS, so as to build a Web server with a high level of security, has become an indispensable part of configuring IIS.
This article explains how to strengthen the security mechanisms of IIS from the following two angles.
I. Build on the security mechanisms of Windows NT
Because IIS runs on the Windows NT operating system, its security must be built on top of Windows NT security; a weakness at the operating-system level cannot be compensated for by settings inside IIS.
1. Use the NTFS file system
NTFS supports access control on individual files and directories, whereas the FAT (File Allocation Table) file system has no file-level permissions at all and can only provide share-level security. Choose NTFS when installing Windows NT.
2. Modify share permissions
By default, every newly created share grants the Everyone group "Full Control" share permission. Therefore, immediately after creating a share, change the default permission granted to Everyone.
3. Rename the system administrator account
Although the account lockout policy in User Manager for Domains can limit the number of password guesses, it does not apply to the built-in Administrator account, which gives an attacker unlimited attempts against the administrator password. Renaming the Administrator account through User Manager for Domains is one worthwhile mitigation. The specific setting is as follows:
(1) start User Manager for Domains;
(2) select the Administrator account;
(3) choose "Rename" from the "User" menu and give the account a new name.
4. Disable NetBIOS over TCP/IP
An administrator can remotely manage other servers on the Internet by mapping the NetBIOS name of the target host to its IP address, but an attacker can exploit the same facility to enumerate and reach the server. If this kind of remote management is not required, disable it immediately (use the Bindings tab in Network Properties to remove the binding between NetBIOS and TCP/IP).
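The four operating-system controls above (NTFS, share permissions, renaming the built-in administrator, and NetBIOS over TCP/IP) can be audited and corrected from one script. The following is an added example, not code from the original article: it assumes a standalone or member server running Windows Server 2012 R2 or later with PowerShell 5.1 (the SmbShare and LocalAccounts modules), where the same controls the article sets through User Manager for Domains and Network Properties are exposed as cmdlets. The replacement administrator name is an arbitrary placeholder.

```powershell
# Added example, not part of the original article. It assumes a standalone or
# member server running Windows Server 2012 R2 or later with PowerShell 5.1
# (the SmbShare and LocalAccounts modules), run from an elevated session.
# Without -Fix the script only reports; with -Fix it applies the change.
[CmdletBinding()]
param([switch]$Fix)

# 1. NTFS: every fixed volume should be NTFS so files and folders carry their own ACLs.
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
    $status = if ($_.FileSystem -eq 'NTFS') { 'OK  ' } else { 'WEAK' }
    "[{0}] volume {1} is {2}" -f $status, $_.DeviceID, $_.FileSystem
}

# 2. Shares: the default grant of Full control to Everyone is reduced to Read.
#    Administrative shares (C$, ADMIN$, IPC$) are skipped via the Special flag.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' } |
        ForEach-Object {
            "[WEAK] share '{0}' grants Everyone Full control" -f $share.Name
            if ($Fix) {
                Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force | Out-Null
                Grant-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -AccessRight Read -Force | Out-Null
            }
        }
}

# 3. Built-in Administrator: identified by its RID (500), whatever it is currently called.
#    The new name below is an arbitrary placeholder; choose one that does not advertise the role.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if ($builtinAdmin.Name -eq 'Administrator') {
    "[WEAK] built-in administrator still has the default name"
    if ($Fix) { Rename-LocalUser -Name $builtinAdmin.Name -NewName 'ops-adm-7' }
} else {
    "[OK  ] built-in administrator is named '{0}'" -f $builtinAdmin.Name
}

# 4. NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled (0 = via DHCP, 1 = enabled).
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        "[WEAK] NetBIOS over TCP/IP enabled on '{0}'" -f $_.Description
        if ($Fix) {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}
```

Run the script once without `-Fix` to see which of the four items is weak, then with `-Fix` to apply the changes. Two caveats a practitioner will want: renaming the account does not change its SID, so tools that look up RID 500 (as step 3 itself does) still find it, and the rename only raises the cost of a password-guessing attack rather than removing it; and disabling NetBIOS over TCP/IP breaks legacy name resolution (WINS, browsing) for any clients that still depend on it, so confirm nothing on the server needs it first.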
II. Configure the security mechanisms of IIS
1. Security issues to consider during installation
(1) Avoid installing on the primary domain controller
When IIS is installed, the anonymous account IUSR_Computername is created on the installing computer. On a domain controller this is a domain account and is added to the Domain Users group, so every anonymous visitor to the Web server effectively receives the access rights of Domain Users. This not only creates a serious risk for IIS itself but may also compromise resources across the whole domain. Avoid installing IIS on a domain controller wherever possible, and above all on the primary domain controller.
(2) Avoid installing on the system partition
If IIS content is placed on the system partition, the system files are exposed to the same unauthorized access as the Web content, and an attacker who compromises the Web server gains a foothold on the system partition itself.
2. User control security
(1) Anonymous user
The anonymous user IUSR_Computername created during IIS installation (its password is generated randomly) provides anonymous access to the Web server, and that access is a potential security problem, so its permissions must be kept under control. If anonymous access is not needed, anonymous access to the Web service can be disabled altogether. The specific method:
① start ISM (Internet Service Manager);
② open the property page of the WWW service;
③ clear the option that allows anonymous access.
(2) Ordinary users
Manage ordinary user accounts by requiring passwords that combine digits and letters (both upper and lower case), increasing the frequency of password changes, locking accounts after repeated failed logon attempts, and setting an expiration period for accounts.
3. Security of logon authentication
The IIS server offers three forms of user identity authentication.
Anonymous access: no interaction with the user is required, and anyone may access the site anonymously; of the three forms of authentication this has the lowest security.
Basic authentication: the user name and password entered by the user are sent across the network in clear text (Base64 encoding, which is not encryption), so an attacker who monitors the network can intercept the packets and recover the user name and password; security is only average.
Windows NT Challenge/Response: the browser proves knowledge of the password to the IIS server through a challenge/response exchange, so the password itself never crosses the network; this effectively defeats an eavesdropper and is the authentication form with the highest security. Its drawback is that only IE 3.0 and later support it.
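Two things from the passages above are worth seeing in practice: how little protection Basic authentication gives a captured request, and how to turn off anonymous access and Basic while leaving only Windows authentication (the modern name for NT Challenge/Response, now NTLM or Kerberos) enabled. The following is an added example, not code from the original article. It assumes IIS 7 or later with the WebAdministration module and a site named 'Default Web Site'; on IIS 4 the same switches live in Internet Service Manager as the article describes. The sniffed request line is constructed for the example, not a real capture.

```powershell
# Added example, not part of the original article. Assumes IIS 7+ with the
# WebAdministration module and a site named 'Default Web Site'; run elevated.

# (a) Why Basic authentication is weak: the credential in a captured
#     Authorization header decodes with no key at all.
function ConvertFrom-BasicAuthHeader {
    param([Parameter(Mandatory)][string]$HeaderLine)
    if ($HeaderLine -notmatch '^Authorization:\s*Basic\s+(\S+)') { return $null }
    $raw = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1]))
    $user, $pass = $raw -split ':', 2       # RFC 7617: "user:password"
    [pscustomobject]@{ User = $user; Password = $pass }
}

# Constructed sample of what a sniffer sees on the wire (not a real capture).
$sniffed = 'Authorization: Basic d2VidXNlcjpTdW1tZXIyMDI0IQ=='
ConvertFrom-BasicAuthHeader $sniffed      # User=webuser  Password=Summer2024!

# (b) Site-level authentication settings: no anonymous access, no Basic,
#     Windows authentication only. Basic is acceptable only on a TLS-only site.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
$auth = 'system.webServer/security/authentication'

Set-WebConfigurationProperty -PSPath $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/basicAuthentication"     -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# Report the resulting state so the change can be verified.
foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    $setting = Get-WebConfigurationProperty -PSPath $site -Filter "$auth/$method" -Name enabled
    "{0,-24} enabled={1}" -f $method, $setting.Value
}
```

The decoder in part (a) is the entire "attack": Base64 is an encoding, not a cipher, which is why the article rates Basic as only average. Part (b) writes the site's settings into the `<location>` section of applicationHost.config; the Windows Authentication role service must be installed for the last `Set-WebConfigurationProperty` to succeed, and clients that do not speak NTLM or Kerberos will be locked out, which is the modern equivalent of the article's IE 3.0 caveat.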
4. Access permission control
(1) Access permissions on folders and files: For folders and files stored on an NTFS file system, control their permissions on the one hand, granting different rights to different user groups and users; on the other hand, use the NTFS auditing function to record what particular users or groups do with files, such as file object access, so that the early signs of illegal activity by an unauthorized user are detected through monitoring and can be stopped in time. The specific method:
① start User Manager for Domains;
② open the "Audit" option under the "Policies" menu;
③ set the audit policy.
(2) Access permissions on the WWW directory: Once the folder of the Web directory has been set up, access to the WWW directory can be controlled through the property pages of the Web site, and all files and subfolders under that directory inherit these security settings. In addition to the permissions provided by the NTFS file system, the WWW service provides a Read permission, which allows users to read or download documents in the WWW directory, and an Execute permission, which allows users to run programs and scripts under the WWW directory. The specific setting method:
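The article's own steps for these two items do not appear on this page. What follows is an added example, not the article's procedure, that puts the two permission layers side by side: NTFS access and audit rules on the content folder, then the WWW service's own Read/Script policy on the site and on a script directory. It assumes IIS 7 or later with the WebAdministration module, a site named 'Default Web Site' whose content is in C:\inetpub\wwwroot with a cgi-bin subfolder, and an elevated session (writing a SACL requires administrative rights). On IIS 7 and later the anonymous user and the worker process belong to the built-in IIS_IUSRS group, which stands in for the article's IUSR_Computername account.

```powershell
# Added example, not part of the original article. Assumes IIS 7+ with the
# WebAdministration module, 'Default Web Site' rooted at C:\inetpub\wwwroot
# with a cgi-bin subfolder, and an elevated session.
$root = 'C:\inetpub\wwwroot'
$site = 'IIS:\Sites\Default Web Site'

# (1a) NTFS access control: drop inherited ACEs and grant only what each principal needs.
#      Administrators and SYSTEM get Full control; the Web identity gets Read & Execute only.
icacls $root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\IIS_IUSRS:(OI)(CI)RX' | Out-Null

# (1b) NTFS auditing: log failed attempts to modify content (the signal that a Web
#      user is trying to write where it should only read) and any permission changes.
#      The "File System" audit subcategory must be on, or the SACL generates nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$inherit    = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit,ObjectInherit'
$modify     = [System.Security.AccessControl.FileSystemRights] 'Write,Delete'
$ownership  = [System.Security.AccessControl.FileSystemRights] 'ChangePermissions,TakeOwnership'
$acl = Get-Acl -Path $root -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $modify,    $inherit, 'None', 'Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $ownership, $inherit, 'None', 'Success,Failure')))
Set-Acl -Path $root -AclObject $acl

# (2) WWW directory permissions: the site root is Read only for the WWW service;
#     only the script directory may run scripts. Execute (native binaries) is never granted.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath $site           -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'
Set-WebConfigurationProperty -PSPath "$site\cgi-bin" -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read,Script'

# Show the effective policy at both levels so the inheritance described above is visible.
foreach ($path in $site, "$site\cgi-bin") {
    $policy = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/handlers' -Name accessPolicy
    "{0,-45} accessPolicy={1}" -f $path, $policy.Value
}
```

The two layers are deliberately redundant. If an attacker finds a way to upload a script into the site root, the WWW policy of `Read` means IIS will not run it, and if a handler is later misconfigured, the NTFS ACL still denies the Web identity any write access, so the upload fails in the first place and leaves a failure audit event (4656/4663) behind. Check the Security log after applying the SACL to confirm events are being generated before relying on it.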