iis配置安全策略(IIS configuration security policy)Web server security settings and application WEB server settingsFirst, this is about some of the settings of IIS, because of using Win2K server version in the other brother, I will not, at the same time before I manage the server only when two months here, never touched like is, even in the commissioning of the machine is not. As a result of a lot of friends ask IIS settings, I will write out my accumulated two months of experience, please don't laugh at me. There is a shortage of places to point out. Well, not many words, here we go!Two, first of all, we open audit strategyOpening security audit is the most basic method of intrusion detection in win2000. When someone tries to invade your system in some ways (such as trying user passwords, changing account policies, unauthorized access to files, etc.), it will be recorded by security audits. Many administrators have been hacked into the system for months without knowing until the system is broken. The following audits must be opened, and others can be added as needed:Policy settingIn turnSuccess, failurefailSuccess, failurefailfailSuccess, failurefailfailSkill attack, failureClose unnecessary portsClosing ports means reducing functionality, and you need to make a little bit of a decision on security and functionality. If the server is installed behind the firewall, the risk will be less, but never think you can sit back and relax. Using the port scanner to scan the open ports of the system and determine which services are open is the first step in hacking your system. The reference table of the well-known ports and services in the \system32\drivers\etc\services file is available for reference. The concrete method is:Online neighbor > property > local connection >property >internet protocol (tcp/ip) > attribute > Advanced > option >tcp/ip Filter > attribute open tcp/ip filter, add TCP, UDP, protocol.Then turn off the default sharing, many of them, like IPC is the default share ah, you can in the computer management inside the shared list can see ah, right click to turn off Gongheng, or you can play in CMD net share view sharing list.. this thing is the trouble. Because every time these are automatically restart, sharing and open ah. Now there are some batch file, but it can not completely solve the default sharing problem. The need to increase this batch file at the start, as long as the system operation, automatically run this batch file to delete this sharing effect.Then we build the web site, the management tool, the --Internet Service Manager - a new web site, or the default web site. Well, we built a site next to the site to bind a domain name, usually we are parsing international top-level domain to their own server, as long as you where the domain name service provider domain name resolution to this server can be IPWell, we open the properties of the web site built, hey hey, that host head to fill your top-level domain name on the OK, you have a few fill a few. It's very simple. Next, configure the appropriate script mappings. Inside the execution permission configuration of the home directory.First, we'll delete some useless scripts that might cause the server to be attacked!1 *.htr this is a more powerful document, delete it. Otherwise, anyone can do illegal operations through your web, and even format your hard disk.Delete it at 2 *.hta.3 *.idc, so delete him.4 *.printer this is a printer file. Get rid of him5 *.htw, *.ida *.idq, these are index files that can be removed. In fact, as long as the useful reservations, such as ASP, ASA, php,CGI, to keep, delete all other go:)The executable file you can configure ah, if not to support ASP will delete ASP script map on the line, to support CGI, PHP (the interpreter installed), the configuration of program execution of these documents can be.. For example, to perform PHP, your PHP installation in c:\php, you are in the main directory configuration in the application configuration, add executable c:\php\php.exe, extension of.Php, so the site can run PHP, if you want him to run PHP3, repeat the above work, just an.Php3 extension line. Oh. CGI is the sameAdd the CGI executable file. The extension is.Cgi.The next thing we need to do is to delete some default virtual directories from the default site (you can choose to stop or not run), such as iisadmin, or you might die miserably!! Oh, it's simple.. As you create a virtual directory is very simple ah, right click on the web site, create a virtual directory, for example to build a new fantasy deification arena, a jxqyvirtual directory name, and then point to your program where you can use the www.*****.com/ jxqy to access your fantasy myth the.Also, if you build this web site to send friends or sell to customers, do you want to make some restrictions on his website? (don't be stingy ah, too many restrictions on yo), to open the web site, there is a link, see? One is infinite, one is limited, and we choose the following restrictions. How many people should we limit? Come on, 150 people, then fill in the 150 link, link timeout? General 150 is enough!! Let's make some restrictions on the performance of the website. That's the property of the web site. Here's the performance here, huh?. How much do you want to click on this site every day? How much do you want? Choose your own, the following choice to start broadband restrictions.. General 20kb/s is fine... What is the maximum CPU occupation?2% is ok. Well, I have to think about the service station on the server: do you see that document in the properties of the web site? That is set the site default home page, your station want to use what file for home page, here in tune. Ha-ha。
