First, create a new folder in the root of drive D: to serve as the root directory of the web server. Beneath it, create one folder per site; for example, the first new directory, WebSite1, holds the files of the first site. To prevent cross-site attacks and related security problems, each virtual host directory gets its own independent access rights, so we assign each directory its own anonymous-access user account.
Next, right-click My Computer on the desktop -> Manage -> Local Users and Groups, and create a new user IISUSER_01. Tick "User cannot change password" and "Password never expires" and clear the other two checkboxes. (If your web server hosts 50 virtual hosts, create the corresponding number of users in the same way.) You can set a password for each new user; in fact it can even be left blank, because the account is only used for IIS anonymous access and has essentially no effect on system security.
A newly created user is added to the Users group automatically. Remove each new user from the Users group and make Guests the only group it belongs to. Do not forget this step; it is the key to the whole setup. Then, to manage the anonymous site users uniformly, create a new group, for example IISUSER_GROUP, and add IISUSER_01 (and the other site users) to it.
With users and groups in place, go back to drive D:, right-click the WebSite1 folder, open Properties -> Security, and add permissions for the IISUSER_01 user. For a plain HTML site, Read is enough; for an ASP + Access site, or one that needs FSO operations, you also have to add "Write" (in general people simply grant "Full Control" to IISUSER_01).
For a stricter configuration, give IISUSER_01 only Read on the WebSite1 directory and grant Write only on the directories that must be updated, such as the image upload directory or the database directory. Is the web directory secure once this step is done? No. Some FSO Trojans can still read across sites: although after the cross-site read they have no permission to modify anything, the "folder packaging" function of the HYTop (海阳顶端) ASP Trojan, for example, can still browse the system drive, package it and download it! The solution: right-click the C: and D: drives, open Properties -> Security, add the group we just created (which contains IISUSER_01 and the users of the other site directories) and deny that group every permission.
(Note the inheritance of permissions by subdirectories: WebSite1 must not inherit the permissions of its parent directory.)
In this way each site's visitor (its anonymous user) has only the assigned permissions on the files of its own site directory. Even if an ASP Trojan is uploaded into one site's directory, it has no effect on the other sites, let alone any risk to the server.
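The account, group and NTFS steps above as one script, added here as an example and not part of the original article. It assumes a hypothetical web root D:\WebRoot, an upload subfolder named upload, a constructed password, and that icacls is available (Windows Server 2003 SP2 or later).

```powershell
# Added example (not from the article): per-site anonymous account, group and NTFS rights.
# Assumptions: web root D:\WebRoot (hypothetical), upload folder name, constructed password.
$User     = 'IISUSER_01'
$Group    = 'IISUSER_GROUP'
$Site     = 'D:\WebRoot\WebSite1'
$Upload   = Join-Path $Site 'upload'
$Password = 'ChangeMe-Site1!'   # constructed; the article also allows a blank password

# 1. Account: cannot change password, never expires, removed from Users, only in Guests.
net user $User $Password /add /passwordchg:no /expires:never | Out-Null
wmic useraccount where "name='$User'" set PasswordExpires=false | Out-Null
net localgroup Users  $User /delete | Out-Null
net localgroup Guests $User /add    | Out-Null

# 2. One group holding every site's anonymous user, so the drive-level deny covers all of them.
net localgroup $Group /add 2>$null | Out-Null
net localgroup $Group $User /add   | Out-Null

# 3. Site directory: stop inheriting from the parent (keeping a copy of current ACEs),
#    then Read/Execute only; just the upload directory gets Modify (the stricter variant).
New-Item -ItemType Directory -Force -Path $Upload | Out-Null
icacls $Site   /inheritance:d                 | Out-Null
icacls $Site   /grant:r "${User}:(OI)(CI)RX"  | Out-Null
icacls $Upload /grant   "${User}:(OI)(CI)M"   | Out-Null

# 4. Deny the group everything at the drive roots. Order matters: WebSite1 no longer
#    inherits, so this deny does not propagate into it. Propagation over a whole drive
#    takes a while and reports errors on files the caller cannot touch; that is expected.
foreach ($drive in 'C:\', 'D:\') {
    icacls $drive /deny "${Group}:(OI)(CI)F" | Out-Null
}

# 5. Verify: the site user should appear only on its own directory, never inherited.
icacls $Site
icacls $Upload
```

Repeat the account and site steps (not the drive-root deny) for each additional site, adding every new user to IISUSER_GROUP.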
With folder security configured, we move on to the IIS configuration.
First open IIS Manager -> Home Directory. For uniform management, rename the default web site to WebSite1 and point its home directory to the WebSite1 directory under the web root folder on D:.
Then click the Configuration button in this window to open Application Configuration. On the Mappings tab remove every unused application extension mapping and keep only the file types you really need, such as ASP, ASPX or SHTML; for a typical web server application two mappings are enough. Many of the Microsoft vulnerabilities of the past appeared in the remaining mappings (if you don't believe it, go through the old vulnerability lists one by one), so delete every extension you do not need.
After this, click the Options tab at the top of the window. Most ASP programs use the parent path in their code, so we tick [Enable parent paths]; but if you are sure your program has no code that uses the parent path, it is best not to select this option, which makes security stronger. Finally, on the Debugging tab, under Script error messages, select [Send text error message to client] instead of sending ASP script errors, because detailed error messages are likely to reveal to the client your database path (what hackers call "baoku", exposing the database), program code, structure, parameters and other important information.
To keep CGI vulnerability scanners from detecting IIS through the hidden risk of its default pages, reset the HTTP 404 Object Not Found error page in the IIS administration panel to a custom HTM file via URL. We can change the content of C:\WINDOWS\Help\iisHelp\common\404b.htm to: <META HTTP-EQUIV="REFRESH" CONTENT="5; URL=your homepage">, or modify the HTML file path of the 404 error page under Custom Errors in the IIS administration panel and edit that file accordingly. Finally, we bind the anonymous user account created earlier to the site directory: open the site's property page, go to the "Directory Security" tab, click "Edit" under Authentication and access control, tick "Enable anonymous access", click the Browse button and choose the anonymous user account assigned to this site (WebSite1), IISUSER_01, enter the user's password and confirm it when prompted (if the password was left blank, leave it blank here too).
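The same IIS Manager settings applied through the metabase with the stock adsutil.vbs script, added here as an example and not part of the original article. It assumes the default web site has metabase id 1 (W3SVC/1), the hypothetical web root D:\WebRoot, the constructed password from the account setup, and a placeholder home page URL.

```powershell
# Added example (not from the article): IIS 6 site hardening via adsutil.vbs.
# Assumptions: site id 1, web root D:\WebRoot (hypothetical), constructed password.
$AdsUtil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$Site    = 'W3SVC/1'
$AspDll  = "$env:windir\system32\inetsrv\asp.dll"

# Confirm which site id 1 is before changing anything
cscript //nologo $AdsUtil GET "$Site/ServerComment"

# Site name and home directory
cscript //nologo $AdsUtil SET "$Site/ServerComment" "WebSite1"
cscript //nologo $AdsUtil SET "$Site/ROOT/Path"     "D:\WebRoot\WebSite1"

# Application mappings: keep only what the site needs (.asp here). Each entry is
# extension,handler,flags,verbs; 5 = script engine + check that file exists (IIS 6 default).
# Setting ScriptMaps replaces the whole list, so every other extension is dropped.
cscript //nologo $AdsUtil SET "$Site/ROOT/ScriptMaps" ".asp,$AspDll,5,GET,HEAD,POST,TRACE"

# Options tab: parent paths off unless the application needs them.
cscript //nologo $AdsUtil SET "$Site/ROOT/AspEnableParentPaths" FALSE

# Debugging tab: send a fixed text message instead of the real ASP error
cscript //nologo $AdsUtil SET "$Site/ROOT/AspScriptErrorSentToBrowser" FALSE
cscript //nologo $AdsUtil SET "$Site/ROOT/AspScriptErrorMessage" "An error occurred on the server when processing the URL."

# 404 page: IIS 6 already maps 404 to 404b.htm, so rewriting the file is enough.
# URL is a placeholder; replace with the site's home page.
$Refresh = '<META HTTP-EQUIV="REFRESH" CONTENT="5; URL=http://www.example.com/">'
Set-Content -Path "$env:windir\Help\iisHelp\common\404b.htm" -Value $Refresh -Encoding Ascii

# Directory Security tab: anonymous access only, with the site's own account.
# AnonymousPasswordSync must be off, otherwise IIS ignores the password we set.
cscript //nologo $AdsUtil SET "$Site/ROOT/AuthFlags" 1
cscript //nologo $AdsUtil SET "$Site/ROOT/AnonymousPasswordSync" FALSE
cscript //nologo $AdsUtil SET "$Site/ROOT/AnonymousUserName" "IISUSER_01"
cscript //nologo $AdsUtil SET "$Site/ROOT/AnonymousUserPass" "ChangeMe-Site1!"

# Read back the settings that matter most
cscript //nologo $AdsUtil GET "$Site/ROOT/ScriptMaps"
cscript //nologo $AdsUtil GET "$Site/ROOT/AspEnableParentPaths"
cscript //nologo $AdsUtil GET "$Site/ROOT/AspScriptErrorSentToBrowser"
cscript //nologo $AdsUtil GET "$Site/ROOT/AnonymousUserName"
```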
Once the anonymous access account is set, a user of the WebSite1 site who uses the ASP FileSystemObject component or some Trojan program to attack the server can only reach the WebSite1 site directory, that is, the WebSite1 directory under the web root on D:. Attempts to access anything else produce errors such as "Access denied", "Drive not ready" or "500 Internal Server Error" (I ran a comprehensive test with the HYTop 2006 ASP Trojan and it posed no risk whatsoever to the server).
Finally, don't forget to back up the IIS configuration, so that after a catastrophic system crash or a serious IIS error that requires reinstallation you can quickly restore the secured IIS configuration and get the site running again. Backing up is very simple: in the IIS administration panel, toolbar -> All Tasks -> Backup/Restore Configuration.
In fact the configuration database is the combination of the MetaBase.xml and MBSchema.xml files together with an in-memory database. IIS stores its configuration information in MetaBase.xml, laid out according to the schema stored in MBSchema.xml. When IIS starts, these files are read by the storage layer and written into the in-memory configuration database managed by the Admin Base Object (ABO)...
Speaking of MetaBase.xml, a common IIS 6 problem deserves a mention: large files cannot be uploaded. For security reasons IIS 6 limits the maximum request to 200 KB by default (the largest amount of submitted data allowed is 200 KB, i.e. 204800 bytes). Usually 200 KB does not meet a site's needs; the solution is as follows:
1. Stop the IIS Admin Service service.
2. Open \Windows\system32\inetsrv\MetaBase.xml.
3. Change the value of AspMaxRequestEntityAllowed to what you need; the default value 204800 is the 200 KB upload limit.
4. Start the IIS Admin Service.
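The four steps above as a script that takes a backup before touching the file, added here as an example and not part of the original article. It assumes the default inetsrv and AdminScripts locations and a new limit of 10 MB.

```powershell
# Added example (not from the article): raise AspMaxRequestEntityAllowed in MetaBase.xml.
# Assumptions: default file locations; 10 MB chosen as the new limit.
$MetaBase = "$env:windir\system32\inetsrv\MetaBase.xml"
$AdsUtil  = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$NewLimit = 10MB                 # bytes; the default 204800 is the 200 KB limit

# 1. Stop IIS Admin (its dependents such as W3SVC stop with it), otherwise the running
#    metabase can write the file back over our edit.
Stop-Service -Name IISADMIN -Force

# Keep a dated copy next to the file before changing anything
Copy-Item $MetaBase "$MetaBase.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 2./3. Load the file as XML and change the attribute wherever it is set. '*' matches
#       elements in any namespace, so the metabase default namespace is not a problem.
[xml]$doc = Get-Content -Raw $MetaBase
$nodes = $doc.SelectNodes('//*[@AspMaxRequestEntityAllowed]')
foreach ($n in $nodes) {
    Write-Host ("{0}: {1} -> {2}" -f $n.Location, $n.AspMaxRequestEntityAllowed, $NewLimit)
    $n.SetAttribute('AspMaxRequestEntityAllowed', [string]$NewLimit)
}
if ($nodes.Count -eq 0) {
    # Not set anywhere yet: put it on the web service node so it applies to all sites
    $svc = $doc.SelectSingleNode("//*[@Location='/LM/W3SVC']")
    $svc.SetAttribute('AspMaxRequestEntityAllowed', [string]$NewLimit)
}
$doc.Save($MetaBase)

# 4. Start IIS Admin and the web service again
Start-Service -Name IISADMIN
Start-Service -Name W3SVC

# Verify the value IIS actually loaded
cscript //nologo $AdsUtil GET W3SVC/AspMaxRequestEntityAllowed
```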
In fact, if you know some programming, take a closer look at the contents of MetaBase.xml: you will find that many IIS settings can be changed there as well. Unless you are very familiar with it, though, editing the file directly is not recommended.
With the configuration taken to this step, we have successfully set up a web server with a higher level of security.