1. Preface
(Thanks to my friend Bigeagle, who is the reason this article exists. If it weren't for him, I might not have had to worry so much about Win2000 security. Haha!)
People say that once you are bitten by a snake, you will be afraid for ten years... that's how it is. In early 2000, when I finally escaped the terrible patching treadmill of Windows NT 4.0 Server and moved to Windows 2000 Server, I could finally feel more at ease about my server. Then the SQL Server patches appeared, and I knew the patch cycle with Microsoft had started over again. Still, it was fine: the automated management of Win2000 put me much more at ease, the insomnia I had suffered while managing NT gradually faded, and I could occasionally see my "Dream" brother. All of that was lost in one casual chat with Bigeagle. One day Bigeagle sent me a piece of code. I could tell at a glance that it was not code Bigeagle had written, it was so bad, but it looked a bit familiar. Looking again... ah?! Isn't this my database connection string?! GOD. I suddenly felt an ominous sign. Fortunately it was only an Access database, and I had also taken some measures to prevent it from being downloaded. But this was enough to give me a long period of insomnia again. (Again, Bigeagle is not a snake, he is an eagle.)
2. IIS and ASP security protection during installation
(This covers the machine only as a web server, not as a local web development platform.)
The next few days were hard. I started to redeploy the security policy of the Win2000 web server and find out why the ASP code had leaked. It turned out that I had always applied patches in time, but at one point I reinstalled IIS while uninstalling FTP and did not re-apply the patches afterwards, which left the latest web parsing vulnerability open. (It is the newer "Translate: f" vulnerability, which exposes ASP source code with the help of some tools.)
First, reinstall IIS.
The strategy for this installation is: safe and sufficient. Remove the extra pieces.
1. Don't install FTP. It has limited functionality, is error-prone, and has serious vulnerabilities. By default FTP transmits passwords in plain text, which are easily intercepted. (A third-party tool can be considered instead.)
2. Don't install any samples or documentation. On a web server it is best not to have these samples; it has been shown that the sample sites can be used to break through the IIS defense line.
3. When installing, choose the site directory. It is recommended not to use the default directory c:\inetpub; it is best to put the site on a disk other than the system disk, for example:
d:\IISWEB, or a directory of your own. This way, even if IIS is compromised, the system files are protected as much as possible.
4. Do not install HTML remote administration. HTML remote administration was still useful in Windows NT 4.0, but its vulnerabilities are relatively large and dangerous. Although its port number is random, it is easy to find with a scan and leaves a hidden danger. In fact, you can manage the server through IIS on another server, which is safer.
5. Don't install extra services, such as NNTP if you are not running a newsgroup, or SMTP if you have a better mail service.
6. Index Server. The index is genuinely useful, but I have not used it. You could use it to build an index of the whole site for searching, but today most ASP sites are a single page whose content is queried dynamically from the database, so Index Server is not used at all (it is not that the index is bad, just that the ASP file structure above does not suit it). So you can leave it uninstalled.
3. Targeted security configuration
①. Preparation before development
First, after starting IIS, check whether directories such as \iissamples, \IIShelp and \msadc\ exist. If they do, most of them were installed as samples and help; delete them, and delete the Scripts directory as well, until the web directory contains only a newly created virtual directory. If there is an Administration Web Site, delete it too; we can still work fine without it. Also check for a Printers folder. It exists to access printers through the web. MS is strange: to show off its skills, it allows remote printing through the web. I don't believe any network company prints through the web, and it is out of the question for netizens to use your computer. OK, remove it.
Then start configuring the security of each web virtual directory in detail. The rough strategy is this: manage each folder by class. Where you can put files with the same extension into the same directory, such as *.ASP and *.inc, try to separate them. For *.ASP, the virtual directory permission is open, while the actual directory's NTFS permissions are granted to Administrators and SYSTEM (Full Control) and Everyone (RC). This allows reading via the web; if you consider the content relatively confidential, you can tighten this further. For *.inc, the directory permissions are open, but direct access is not allowed. There is another trick here: you can let the actual directory be accessible to Everyone, but in IIS you remove the directory browsing item, so the included files can only be read through the source file that includes them and cannot be read directly. This way, a hacker cannot download your stand-alone database, and your *.inc files cannot be read directly by a browser.
My brother "Dream" was just asking me whether there is a way to prevent others from seeing your connection string. You can try the following method!
1. First create the connection string and put it in a separate file *.inc (use *.inc, not *.ASP). Copy your connection string into it as a variable.
For example: connstr="Provider=SQLOLEDB.1;Password=passw;..."
2. Then create a folder named include and place it in the root directory.
3. Then open the connection in each file using the following method,
for example (the include directive pulls in the *.inc file that defines connstr, then ADO opens the connection with it):
<!--#include file="include/conn.inc"-->
<%
set conn=Server.CreateObject("ADODB.Connection")
conn.Open connstr
%>
4. Finally, protect the include folder in IIS by removing its Read permission. You will find that your connection still opens as usual, but if the other party sees your source code, he cannot see the connection string, even if he sees the path and name of the included file: he cannot download it or open it with IE. So your connection string is protected.
The method used here is to combine NT permissions and IIS permissions. We know that in order to let web users access files on the server, every server with IIS installed has two built-in accounts, IUSR_xxxxxx and IWAM_xxxxxx (xxxxxx is your machine name), so you can specifically prevent those users from viewing your sensitive information through the web.
Of course, there are better file strategies you can refer to:
For example: CGI (.exe, .dll, .cmd, .pl): Everyone (X), that is, no read, execute only; Administrators and SYSTEM: Full Control.
So when you write an ASP application, classify your directories as much as possible; it makes management with IIS and NT easier.
For example, the following structure works well:
d:\web\ASPtest\static (put *.htm)
d:\web\ASPtest\script (put *.ASP)
d:\web\ASPtest\include (put *.inc)
d:\web\ASPtest\images (put *.gif, *.jpg)
With this layout you can use the method above to achieve your security goals.
②. Enable log monitoring
This is a great tool for mending the fold after the sheep is lost; at least you can use it to see who did what through the web. Of course, you must also protect the log's permissions so that only the system administrator and super administrator control it. This prevents someone from doing something without leaving a trace. To keep a good record without affecting IIS response speed, the W3C extended log format is recommended. (Someone once introduced me to ODBC logging, which seems more convenient, but in fact it is not: it depends heavily on the database and is slower.)
You can consider recording the following fields:
Client IP Address
User Name
Method
URI Stem
HTTP Status
Win32 Status
User Agent
Server IP Address
Server Port
The last two properties are very useful if you host multiple web servers on one computer. The Win32 Status property is very useful for debugging.
When checking the log, pay close attention to error 5, which means access denied. Enter net helpmsg err on the command line to find the meaning of other Win32 errors, where err is the error number to look up.
③. Configure appropriate script mappings
Trust me, most ASP source code leaks are caused by insecure or incorrect script mappings, and most of the mappings are ones you probably cannot even use, as I explain below:
1. *.htr This is a relatively powerful file type, a kind of web application, in the same class as .hta. They provide some powerful features but are rarely documented. An .hta is an HTML-format application with fairly powerful functions and lower security restrictions than .htm, so it can lead to powerful operations. For example, .htr can reset passwords through the web. I believe most of our ASP programmers and NT administrators do not need this. OK, delete its corresponding mapping. Otherwise anyone can use your web server to perform illegal operations, even formatting your hard drive.
2. *.hta I have mentioned this already. It is a double-edged sword: used well, you can perform many NT operations through it, even creating NT users from ASP. But most of that work can be done without the web, and *.hta is rarely used on the web even though it was introduced in IIS 4.0. For example, if you save a file as *.hta and open it with IE, you get a very strange interface. I heard from an MS engineer that .NET changed the *.hta declaration and extended its functions, so it seems the administrator's workload will increase again. If you want to be safer, delete it.
3. *.idc This is an old database connection method; most people now use ASP files directly and no IDC is needed, so delete it.
4. *.printer is the Internet printing file; remove it.
5. *.htw, *.ida, *.idq These are Index Server files and can also be removed.
④. Good security habits
Keep an eye on Microsoft's sites and check the security bulletins. (This is how MS has long ranked among the top three most visited sites in the world!) You must also prepare some third-party tools, such as scanners and attack simulation tools, and visit more security sites.
If you can get along with some of the better underworld friends (my other senior brother's method, which works for everyone), that is even better. (The underworld is the path hackers take!)
⑤. Preventing ASP code leaks
I can only say that this is prevention. I can only start from the vulnerabilities in ASP that I have found. There are nearly 20 or more methods for IIS 4.0, but after installing SP6a two kinds remain; you can solve those by downloading the patches published in Microsoft's security bulletins up to August 2000. But if you use the methods above in this article, you can get by with SP6.
For Win2000 Server there are two methods. After installing SP1 one kind remains, so you must open Microsoft's security bulletin board and download the corresponding hotfix to solve it.
⑥. Preventing malicious damage
This is for dealing with the bad elements you monitor. You can see in the log or with third-party tools who keeps probing and attacking your IIS. Then put them on an unwelcome blacklist, so that when configuring the site you deny access to their IP or domain. But this comes at a cost: IIS has to perform reverse lookups, which may be time-consuming.
⑦. The topic of security
The above covers only IIS and ASP. If you use databases, remote management, and remote database connections, you should pay attention to each separately. As I said, there is no absolute security, and that is why security is needed. The topic of security is not over; to be continued.
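As an added example (not code from the original article), a small Python log scanner that applies the advice of ②, ③ and ⑥ together: it reads the W3C extended log fields listed above, flags Win32 status 5 (access denied) and requests for the extensions whose mappings the article says to remove, and turns repeat offenders into blacklist candidates. The log lines below are constructed, not a real capture, and the threshold of two hits is an assumption.

```python
"""Scan an IIS W3C extended log for the signals the article calls out:
access denied (Win32 status 5) and requests for extensions whose script
mappings should be removed, then list blacklist candidates per client."""
from collections import defaultdict

# Extensions the article says to unmap (.htr .hta .idc .printer .htw .ida .idq)
# plus .inc, which must never be readable directly.
RISKY_EXTENSIONS = {".htr", ".hta", ".idc", ".printer", ".htw", ".ida", ".idq", ".inc"}

# Constructed sample log, not a real capture. Column order comes from #Fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-09-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2000-09-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /script/default.asp 200 0 Mozilla/4.0
2000-09-01 00:00:02 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif 200 0 Mozilla/4.0
2000-09-01 00:00:03 192.0.2.77 - 198.51.100.5 80 GET /include/conn.inc 403 5 Mozilla/4.0
2000-09-01 00:00:04 192.0.2.77 - 198.51.100.5 80 GET /test.htr 404 2 scanner/1.0
2000-09-01 00:00:05 192.0.2.77 - 198.51.100.5 80 GET /printers/x.printer 404 2 scanner/1.0
2000-09-01 00:00:06 192.0.2.77 - 198.51.100.5 80 GET /include/conn.inc 403 5 scanner/1.0
2000-09-01 00:00:07 192.0.2.50 - 198.51.100.5 80 GET /default.ida 404 2 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines instead of misaligning columns
        yield dict(zip(fields, values))


def uri_extension(uri):
    """Lower-cased extension of the last path segment, or '' if there is none."""
    name = uri.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def summarize(text):
    """Per-client counts of access-denied hits and risky-extension requests."""
    stats = defaultdict(lambda: {"denied": 0, "risky": 0, "total": 0})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        s["total"] += 1
        if rec.get("sc-win32-status") == "5":  # the error 5 the article highlights
            s["denied"] += 1
        if uri_extension(rec["cs-uri-stem"]) in RISKY_EXTENSIONS:
            s["risky"] += 1
    return dict(stats)


def blacklist_candidates(stats, min_hits=2):
    """Clients whose denied + risky hits reach the threshold, worst first."""
    scored = [(ip, s["denied"] + s["risky"]) for ip, s in stats.items()]
    return [ip for ip, n in sorted(scored, key=lambda t: (-t[1], t[0])) if n >= min_hits]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} total={s['total']} denied={s['denied']} risky={s['risky']}")
    print("blacklist candidates:", blacklist_candidates(stats))
```

The candidates are only a starting point for the per-site deny list described above; review them before configuring the denial.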