
10 Steps to Secure an IIS Server

2005-08-19 19:09
Problem
IIS (Internet Information Server) is a favourite target of attackers. For the administrator who runs an IIS web server, keeping the server secure is therefore critical. Default installations of IIS 4.0 and IIS 5.0 are particularly exposed.
Solution
Take the following 10 steps to secure IIS:
1. Set up a dedicated NTFS drive for IIS applications and data. If possible, do not allow IUSER (or whatever the anonymous user is) to access any other drive. If an application runs into problems because the anonymous user lacks permission to a program on another drive, use Sysinternals' FileMon to find which file the user cannot access, then move that program to the IIS drive. If that is not feasible, grant IUSER access to that file only. Set the NTFS permissions on the drive as follows:
Developers = Full
IUSER = Read and execute only
System and admin = Full
2. Use a software firewall to make sure no end user (only developers) can reach any port on the IIS machine other than port 80.
3. Use Microsoft's tools to protect the machine: IIS Lockdown and UrlScan.
4. Enable IIS logging. Besides the IIS logs, also use the firewall's logging if possible.
5. Move the logs away from their default location and make sure they are backed up. Create a backup of the log folder so that a usable copy always exists in another location.
6. Enable Windows auditing on the machine; when you try to trace an attacker's actions afterwards, you always find there is too little data. With the audit logs you can run scripts that check for any suspicious activity and send a report to the administrator. This may sound extreme, but if your company takes security seriously it is well worth doing.
7. Configure auditing to report all failed account logon events. As with the IIS logs, change the default location (c:\winnt\system32\config\secevent.log) to a different one, and make sure you have a backup and a duplicate copy.
8. Read security articles often, from many sources. It is best to learn as much as you can about IIS and practise security comprehensively, rather than only following what others (such as me) tell you.
9. Join IIS vulnerability mailing lists and actually read them to stay current. One such list is X-Force Alerts and Advisories from Internet Security Systems.
10. Finally, run Windows Update regularly and double-check that the patches really have been installed.

Below is a look at an IIS tool, Log Parser.

Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft's internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.

Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by a SELECT query. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Putting these into proper syntax, a typical Log Parser command looks something like this:
logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>

Things can get a bit more complicated, but that's the basic idea. Of course, the best way to learn about Log Parser is to actually use it, so let's see what we can do, using the Windows Event logs as a data source. After installing Log Parser, open a command prompt and change to the C:\Program Files\Log Parser directory, where the logparser.exe executable resides. Let's begin with a simple query to select all records from the System log:
logparser "SELECT * FROM System" -i:EVT

Since there's no output format specified, Log Parser writes the output to the console. The result is a series of messy-looking records like this:
System 2096 2005-06-17 05:01:14 2005-06-17 05:01:14 7035
4 Information event 0 None Service Control Manager
Fax|stop BOX15 S-1-5-18 The Fax service was successfully
sent a stop control.

This event, for example, is an event of type Information that has an event ID of 7035 and an event source of Service Control Manager. Log Parser will display these events ten at a time, prompting you for a keystroke to continue or Ctrl-C to abort. Let's focus in on events of type Error, as these are likely to be of some importance to us:
logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVT

We still get messy-looking results, but now they're all Error events:
System 975 2005-05-10 16:40:09 2005-05-10 16:40:09
10010 1 Error event 0 None DCOM
{601AC3DC-786A-4EB0-BF40-EE3521E70BFB} BOX15
S-1-5-21-2696947089-119843295-2143939133-500
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}
did not register with DCOM within the required
timeout.

What kinds of Error events are we getting in our machine's System log? Let's output only the event sources this time:
logparser "SELECT SourceName FROM System WHERE
EventTypeName='Error event'" -i:EVT

The screen output now looks like this:
SourceName
-----------------------
DCOM
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
W32Time
W32Time
Press a key...

What are the different kinds of Error events in our System log, and how many of each source type were recorded? Log Parser can easily tell us this:
logparser "SELECT SourceName, COUNT(*) FROM System WHERE
EventTypeName='Error event' GROUP BY SourceName" -i:EVT

And here's what we get:
SourceName              COUNT(ALL *)
-----------------------------------
DCOM                    5
Service Control Manager 43
W32Time                 8
NETLOGON                3

NETLOGON errors may be important, so let's key in on those and display the event IDs for these events plus the date and time they were generated (sorted in descending order):
logparser "SELECT TimeGenerated, EventID FROM System WHERE
EventTypeName='Error event' AND SourceName='NETLOGON' ORDER BY
TimeGenerated DESC" -i:EVT

The output now looks like this:
TimeGenerated       EventID
--------------------------
2005-06-18 16:44:00 5719
2005-06-18 16:39:19 5719
2005-05-19 08:12:33 5719

What's the description for an event that has event ID 5719? Let's use Log Parser to find out:
logparser "SELECT EventID, Message FROM System WHERE EventID=5719" -i:EVT

This gives us:
5719 No Domain Controller is available for domain MTIT
due to the following: There are currently no logon servers
available to service the logon request. Make sure that the
computer is connected to the network and try again. If the
problem persists, please contact your domain administrator.

Uh-oh, could be a problem. Was the network down? Did the domain controller go offline? We need to investigate this further, but if you want a good source of help for understanding events like this, search EventID.net for information on events with this event ID.
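The filter, group and count pattern of the Log Parser queries above applies just as well to the IIS logs that step 4 says to enable, and it is the basis of the kind of suspicious-activity report that step 6 suggests scripting. The following Python script is an added example, not code from the article or from Log Parser: it parses IIS W3C extended log lines, counts responses by status and by missing path, and flags client addresses whose error share crosses a threshold. The log text, client addresses, paths and thresholds are constructed assumptions for the example, not real traffic.

```python
"""
Added example (not from the article or from Log Parser): a small checker that
applies WHERE / GROUP BY / COUNT(*) style processing to IIS W3C extended logs
and reports clients with an unusual share of error responses, the sort of
report a scheduled script could send to the administrator.
"""
from collections import Counter, defaultdict

# Constructed sample in the IIS 6 W3C extended format (directive lines start
# with '#', the '#Fields:' line names the columns, '-' marks an empty field).
# Addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-08-19 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-08-19 10:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
2005-08-19 10:00:02 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
2005-08-19 10:00:05 192.0.2.10 GET /old/page1.asp - 80 - 203.0.113.4 - 404 0 2
2005-08-19 10:00:06 192.0.2.10 GET /old/page2.asp - 80 - 203.0.113.4 - 404 0 2
2005-08-19 10:00:07 192.0.2.10 GET /backup/ - 80 - 203.0.113.4 - 404 0 2
2005-08-19 10:00:08 192.0.2.10 GET /admin/ - 80 - 203.0.113.4 - 401 2 5
2005-08-19 10:00:09 192.0.2.10 GET /default.htm - 80 - 203.0.113.4 - 200 0 0
2005-08-19 10:00:12 192.0.2.10 POST /app/login.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 302 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split()  # W3C values are space-separated; spaces inside values are encoded as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def where(records, **conditions):
    """WHERE clause: keep records whose named fields equal every given value."""
    return [r for r in records if all(r.get(k) == v for k, v in conditions.items())]


def count_by(records, field):
    """GROUP BY field with COUNT(*), returned as a dict."""
    return dict(Counter(r[field] for r in records))


def client_summary(records):
    """Per client address: total requests and responses with status >= 400."""
    totals = defaultdict(lambda: {"requests": 0, "errors": 0})
    for r in records:
        entry = totals[r["c-ip"]]
        entry["requests"] += 1
        if int(r["sc-status"]) >= 400:
            entry["errors"] += 1
    return dict(totals)


def suspicious_clients(summary, min_requests=3, error_ratio=0.5):
    """Clients with at least min_requests whose error share reaches error_ratio,
    most errors first. The thresholds are assumptions; tune them to the site."""
    flagged = [
        (ip, s["requests"], s["errors"])
        for ip, s in summary.items()
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio
    ]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def report(text):
    """Build the report a scheduled script could mail to the administrator."""
    records = list(parse_w3c(text))
    return {
        "status_counts": count_by(records, "sc-status"),
        "not_found_paths": count_by(where(records, **{"sc-status": "404"}), "cs-uri-stem"),
        "suspicious": suspicious_clients(client_summary(records)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The min_requests floor keeps a single stray 404 from flagging a client, and the ratio rather than a raw error count makes the check independent of how busy the site is; on a real server the same functions would be fed the rotated log files from the backup location chosen in step 5.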

Additional Resources

This brief look at Log Parser only scratches the surface of what it can do. How can you learn how to do more with this tool? First, you obviously need a good knowledge of SQL syntax to construct SELECT statements. A good resource for learning the basics is SQL Tutorial from FirstSQL. Next, check out this Professor Windows article on Microsoft's website, which gives you an excellent bird's-eye view of what Log Parser can do. After that, you can familiarize yourself with the syntax of Log Parser by typing logparser -h and viewing the Help information displayed. Once you've started to rock and roll with Log Parser, check out The Unofficial Log Parser Support Site, where you can find tons of resources and a thriving online community that can answer any questions you might have about using the tool. Finally, pick up a copy of the Microsoft Log Parser Toolkit (Syngress) and kick your learning into high gear. You'll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

Related Reading
Microsoft Log Parser Toolkit
By Gabriele Giuseppini, Mark Burnett