
Friday, 11 November 2011

Make Your IIS Invulnerable

Wang Peng (王鹏)

Installing NT4 or Windows 2000 on a machine does not mean it is ready to be used as an Internet server. Microsoft has released a large number of patches, but holes remain. Here we briefly discuss how to use IIS to build a highly secure server.

I. Start with the security mechanisms of Windows NT

1) Apply SP6 on NT and SP2 on Windows 2000. Convert the disk file system to NTFS (the system partition can be converted during installation, or converted with a tool after the system is installed). Also remove the Write and Modify permissions granted to Everyone; on critical directories such as Winnt\Repair, remove even the Read permission.

2) Change the share permissions. On NT, go to Start -> Programs -> Administrative Tools -> System Policy Editor, choose "Open Registry" from the File menu, and under Windows NT Network clear the relevant checkbox. On Windows 2000, you can write a .bat file containing net share c$ /delete and add it to the machine's startup tasks.

3) Rename the system administrator account, and change its password to a strong one: at least 10 characters long, including digits, letters, and symbols such as "!".

4) Disable NetBIOS over TCP/IP. In the Bindings tab of the Network properties, remove the binding between NetBIOS and TCP/IP.

5) Installing other services. Try not to install other services, such as a database, on the same server. If you do, the most important point is that the database password must not be the same as the system login password.

II. Configure the security mechanisms of IIS

1) Fix the problem where IIS 4 and earlier versions stop serving under a DoS attack. Run Regedt32.exe and, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters, add a value: Value Name: MaxClientRequestBuffer, Data Type: REG_DWORD, set (in decimal) to the maximum URL length you want IIS to accept. CNNS sets it to 256.

2) Remove the HTR script mapping.

3) Set the /_vti_bin directory under the IIS web server to deny remote access.

4) In the IIS management console, click the web site, Properties, select Home Directory, Configuration (starting point), Application Mappings, and delete the mapping of .htw to webhits.dll.

5) If the installed system is Windows 2000, install Q256888_W2K_SP1_x86_en.EXE.

6) Delete c:\Program Files\Common Files\System\Msadc\msadcs.dll.

7) If you do not need Index Server, disable or uninstall the service. If you do use Index Server, disable the "Index this resource" option on directories containing sensitive information.

8) Fix the Unicode vulnerability: on Windows 2000 install 2kunicode.exe, on NT install ntunicode86.exe.
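Several of the settings above can be applied from a command prompt rather than by hand. The following batch script is an added example, not part of the original article: it applies the MaxClientRequestBuffer value (section II, item 1, using the article's value of 256), removes the drive shares (section I, item 2, extended from c$ to d$), revokes Everyone on the Repair directory (section I, item 1) and confirms that msadcs.dll is gone (section II, item 6). It assumes Windows 2000 with reg.exe, net.exe and cacls.exe on the path and the default %SystemRoot% and %CommonProgramFiles% locations.

```batch
@echo off
rem Added example, not from the original article. Run from an
rem administrator command prompt on Windows 2000; assumes reg.exe,
rem net.exe and cacls.exe are available and the default system paths.

set KEY=HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters

rem 1) Cap the URL length IIS will accept (section II, item 1).
rem    256 is the value the article reports CNNS using.
reg add "%KEY%" /v MaxClientRequestBuffer /t REG_DWORD /d 256 /f
if errorlevel 1 (
    echo FAILED: could not write MaxClientRequestBuffer
    goto :end
)
rem Read the value back so the result is visible in the log.
reg query "%KEY%" /v MaxClientRequestBuffer

rem 2) Remove the drive shares (section I, item 2). They are recreated
rem    at boot, so schedule this script as a startup task.
for %%S in (C$ D$) do (
    net share %%S /delete >nul 2>&1 && echo removed share %%S
)

rem 3) Revoke Everyone from the Repair directory (section I, item 1).
rem    /E edits the existing ACL in place; /R revokes the named account.
cacls "%SystemRoot%\Repair" /E /R Everyone
if errorlevel 1 echo FAILED: could not change the ACL on %SystemRoot%\Repair

rem 4) Confirm msadcs.dll has been deleted (section II, item 6).
if exist "%CommonProgramFiles%\System\Msadc\msadcs.dll" (
    echo WARNING: msadcs.dll is still present, delete it per item 6
) else (
    echo OK: msadcs.dll not found
)

:end
```

The script only reports on msadcs.dll rather than deleting it, so the administrator can confirm nothing on the server still depends on RDS before removing the file.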

After the settings above, I still would not dare to say the server is completely secure, so don't go back to sleeping soundly! But you can relax a little.

Although Microsoft's products are easy to use, they have the most vulnerabilities of any in their class. As a network administrator you must constantly watch for newly published vulnerabilities and take the appropriate countermeasures promptly, so that you are always prepared. (2001-06-04)
