10招步驟保護IIS伺服器安全

餘二五發表於2017-11-15
伺服器
問題
IISInternet Information Server)是黑客特別喜歡的目標。因此,對於管理IIS網頁伺服器的管理員來說,確保伺服器安全是一件至關重要的事。IIS 4.0IIS 5.0的預設值安裝尤其容易受到攻擊。
解決方案
採取下面的10個步驟來確保IIS的安全:
1.      專門為IIS應用和資料設定一個NTFS磁碟驅動器。如果可能的話,不允許IUSER(或者無論什麼匿名使用者)存取任何其它的磁碟驅動器。如果應用遇到任何由於匿名使用者沒有許可權存取位於其它磁碟驅動器上的程式而造成的問題,那麼,使用SysinternalsFileMon來尋找哪一個檔案該使用者不能存取,然後把該程式移至IIS磁碟驅動器上。如果這樣不可行的話,則允許IUSER僅可存取該檔案。
  1. 設定磁碟驅動器上的NTFS許可權:
Developers = Full
IUSER = Read and execute only
System and admin = Full
  1. 使用一個軟體防火牆確保沒有終端使用者(只有研發人員)可以存取IIS機器上除了port 80之外的其它埠。
  2. 使用微軟的工具來保護機器:IIS LockdownUrlScan
  3. 啟動使用IIS的日誌檔案(logging)功能。除了IIS紀錄外,如果可能的話,同時也使用防火牆日誌檔案功能。
  4. 把記錄的日誌(log)從預設地點移開,並確保已經進行備份。為日誌檔案夾建立一個備份,這樣在另一個位置總是有一個可以使用的備份檔。
  5. 啟動機器上的Windows監督功能(auditing),因為在試圖反向追查攻擊者的行為的時候總會發現資料不足。利用監督日誌,你可藉著執行指令碼來檢查任何可疑的行為,然後傳送報告給管理員。這聽起來好像有一點極端,但是如果貴公司非常重視安全的話,這種作法可說十分值得鼓勵。建立監督功能來報告所有的失敗賬號登入事件。另外,就跟先前的IIS日誌一樣,請將預設值位置 c:winntsystem32configsecevent.log)改變為另一個不同的位置,並且確保你有一個備份而且有一個複製的拷貝檔案。
  6. 經常多閱讀一些安全文章(各種來源的)。最好是儘可能多瞭解IIS,並進行全面的安全作法,而不僅僅是按照其它人(比如我)告訴你的經驗來實現。
  7. 加入IIS漏洞郵件清單(mailing list),並要確實加以閱讀以掌握最新狀態。這種列表有來自因特網安全系統的X-Force Alerts and Advisories
  8. 最後,確保你經常執行Windows Update,並重複檢驗修補程式真的已經有安裝妥當。
下面是IIS工具
Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft`s internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.
Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by a SELECT query. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Putting these into proper syntax, a typical Log Parser command looks something like this:
Things can get a bit more complicated, but that`s the basic idea.
Of course, the best way to learn about Log Parser is to actually use it, so let`s see what we can do, using the Windows Event logs as a data source. After installing Log Parser, open a command prompt and change to the C:Program FilesLog Parser directory, where the logparser.exe executable resides. Let`s begin with a simple query to select all records from the System log:
Since there`s no output format specified, Log Parser writes the output to the console. The result is a series of messy-looking records like this:
This event, for example, is an event of type Information that has an event ID of 7035 and an event source of Service Control Manager. Log Parser will display these events ten at a time, prompting you for a keystroke to continue or Ctrl-C to abort.
Let`s focus in on events of type Error, as these are likely to be of some importance to us:
We still get messy-looking results, but now they`re all Error events:
What kinds of Error events are we getting in our machine`s System log? Let`s output only the event sources this time:
The screen output now looks like this:
What are the different kinds of Error events in our System log, and how many of each source type were recorded? Log Parser can easily tell us this:
And here`s what we get:
NETLOGON errors may be important, so let`s key in on those and display the event IDs for these events plus the date and time they were generated (sorted in descending order): 











The output now looks like this:













What`s the description for an event that has event ID 5719? Let`s use Log Parser to find out:





This gives us:














Uh-oh, could be a problem. Was the network down? Did the domain controller go offline? We need to investigate this further, but if you want a good source of help for understanding events like this, search EventID.net for information on events with this event ID.


Additional Resources


This brief look at Log Parser only scratches the surface of what it can do. How can you learn how to do more with this tool?



First, you obviously need a good knowledge of SQL syntax to construct SELECT statements. A good resource for learning the basics is SQL Tutorial from FirstSQL.



Next, check out this Professor Windows article on Microsoft`s web site, which gives you an excellent bird`s-eye view of what Log Parser can do.



After that, you can familiarize yourself with the syntax of Log Parser by typing logparser -h and viewing the Help information displayed.



Once you`ve started to rock and roll with Log Parser, check out The Unofficial Log Parser Support Site, where you can find tons of resources and a thriving online community that can answer any questions you might have about using the tool.


Finally, pick up a copy of the Microsoft Log Parser Toolkit (Syngress) and kick your learning into high gear. You`ll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.









 














本文轉自 張善友 51CTO部落格,原文連結:http://blog.51cto.com/shanyou/75267,如需轉載請自行聯絡原作者










相關文章