10招步骤保护IIS服务器安全
2017-05-25 21:19
260 查看
问题IIS(Internet Information Server)是黑客特别喜欢的目标。因此,对于管理IIS网页服务器的管理员来说,确保服务器安全是一件至关重要的事。IIS4.0和IIS 5.0的默认值安装尤其容易受到攻击。解决方案采取下面的10个步骤来确保IIS的安全:1. 专门为IIS应用和数据设置一个NTFS磁盘驱动器。如果可能的话,不允许IUSER(或者无论什么匿名用户)存取任何其它的磁盘驱动器。如果应用遇到任何由于匿名用户没有权限存取位于其它磁盘驱动器上的程序而造成的问题,那么,使用Sysinternals的FileMon来寻找哪一个档案该用户不能存取,然后把该程序移至IIS磁盘驱动器上。如果这样不可行的话,则允许IUSER仅可存取该档案。设置磁盘驱动器上的NTFS权限:Developers = FullIUSER = Read and execute onlySystem and admin = Full使用一个软件防火墙确保没有终端用户(只有研发人员)可以存取IIS机器上除了port80之外的其它埠。使用微软的工具来保护机器:IIS Lockdown和UrlScan。启动使用IIS的日志文件(logging)功能。除了IIS纪录外,如果可能的话,同时也使用防火墙日志文件功能。把记录的日志(log)从预设地点移开,并确保已经进行备份。为日志档案夹建立一个备份,这样在另一个位置总是有一个可以使用的备份档。启动机器上的Windows监督功能(auditing),因为在试图反向追查攻击者的行为的时候总会发现资料不足。利用监督日志,你可借着执行脚本来检查任何可疑的行为,然后发送报告给管理员。这听起来好像有一点极端,但是如果贵公司非常重视安全的话,这种作法可说十分值得鼓励。建立监督功能来报告所有的失败账号登录事件。另外,就跟先前的IIS日志一样,请将默认值位置 (c:\winnt\system32\config\secevent.log)改变为另一个不同的位置,并且确保你有一个备份而且有一个复制的拷贝文件。经常多阅读一些安全文章(各种来源的)。最好是尽可能多了解IIS,并进行全面的安全作法,而不仅仅是按照其它人(比如我)告诉你的经验来实现。加入IIS漏洞邮件清单(mailinglist),并要确实加以阅读以掌握最新状态。这种列表有来自因特网安全系统的X-ForceAlerts and Advisories。最后,确保你经常执行Windows Update,并重复检验修补程序真的已经有安装妥当。下面是IIS工具Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft's internal testing purposes. It proved so popular that a publicversion, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available fromthe Microsoft Download Center.Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces,and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by a
SELECTquery.Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Putting these into proper syntax, a typical Log Parser command looks somethinglike this:
logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>Things can get a bit more complicated, but that's the basic idea.Of course, the best way to learn about Log Parser is to actually use it, so let's see what we can do, using the Windows Event logs as a data source. After installing Log Parser, open a command prompt and changeto the C:\Program Files\Log Parser directory, where the logparser.exe executable resides. Let's begin with a simple query to select all records from the System log:
logparser "SELECT * FROM System" -i:EVTSince there's no output format specified, Log Parser writes the output to the console. The result is a series of messy-looking records like this:
System 2096 2005-06-17 05:01:14 2005-06-17 05:01:14 7035
4 Information event 0 None Service Control Manager
Fax|stop BOX15 S-1-5-18 The Fax service was successfully
sent a stop control.This event, for example, is an event of type
Informationthathas an event ID of
7035and an event source of
Service Control Manager. Log Parser will display these events ten at a time, prompting you for a keystroke to continue or Ctrl-C to abort.Let's focus in on events of type
Error,as these are likely to be of some importance to us:
logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVTWe still get messy-looking results, but now they're all
Errorevents:
System 975 2005-05-10 16:40:09 2005-05-10 16:40:09
10010 1 Error event 0 None DCOM
{601AC3DC-786A-4EB0-BF40-EE3521E70BFB} BOX15
S-1-5-21-2696947089-119843295-2143939133-500
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}
did not register with DCOM within the required
timeout.What kinds of
Erroreventsare we getting in our machine's System log? Let's output only the event sources this time:
logparser "SELECT SourceName FROM System WHERE
EventTypeName='Error event'" -i:EVTThe screen output now looks like this:
SourceName
-----------------------
DCOM
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
W32Time
W32Time
Press a key...What are the different kinds of
Erroreventsin our System log, and how many of each source type were recorded? Log Parser can easily tell us this:
logparser "SELECT SourceName, COUNT(*) FROM System WHERE
EventTypeName='Error event' GROUP BY SourceName" -i:EVTAnd here's what we get:
SourceName COUNT(ALL *)
----------------------- ------------
DCOM 5
Service Control Manager 43
W32Time 8
NETLOGON 3
NETLOGONerrors may be important, so let's key in on those and display the event IDsfor these events plus the date and time they were generated (sorted in descending order):
logparser "SELECT TimeGenerated,EventID FROM System WHERE
EventTypeName='Error event' AND SourceName='NETLOGON' ORDER BY
TimeGenerated DESC" -i:EVTThe output now looks like this:
TimeGenerated EventID
------------------- -------
2005-06-18 16:44:00 5719
2005-06-18 16:39:19 5719
2005-05-19 08:12:33 5719What's the description for an event that has event ID
5719?Let's use Log Parser to find out:
logparser "SELECT EventID,Message FROM System WHERE EventID=5719" -i:EVTThis gives us:
5719 No Domain Controller is available for domain MTIT
due to the following: There are currently no logon servers
available to service the logon request. Make sure that the
computer is connected to the network and try again. If the
problem persists, please contact your domain administrator.Uh-oh, could be a problem. Was the network down? Did the domain controller go offline? We need to investigate this further, but if you want a good source of help for understanding events like this, search EventID.net forinformation on events with this event ID.
Additional Resources
This brief look at Log Parser only scratches the surface of what it can do. How can you learn how to do more with this tool?First, you obviously need a good knowledge of SQL syntax to constructSELECTstatements.A good resource for learning the basics is SQL Tutorial from FirstSQL.Next, check out this ProfessorWindows article on Microsoft's web site, which gives you an excellent bird's-eye view of what Log Parser can do.After that, you can familiarize yourself with the syntax of Log Parser by typing
logparser -handviewing the Help information displayed.Once you've started to rock and roll with Log Parser, check out The UnofficialLog Parser Support Site, where you can find tons of resources and a thriving online community that can answer any questions you might have about using the tool.Finally, pick up a copy of the MicrosoftLog Parser Toolkit (Syngress) and kick your learning into high gear. You'll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.Mitch Tulloch is the author of Windows2000 Administration in a Nutshell, Windows Server2003 in a Nutshell, and Windows Server Hacks.
Related ReadingMicrosoftLog Parser Toolkit[b]By Gabriele Giuseppini,Mak Burnett[/b] |
相关文章推荐
- 10招步骤保护IIS服务器安全
- 10招步骤保护IIS服务器安全
- 10招步骤保护IIS服务器安全
- 简单十大步骤保护IIS Web服务器的安全
- 10个步骤保护IIS Web服务器安全
- 10个步骤保护IIS Web服务器安全
- 保护IIS Web服务器安全的十大步骤
- 10个步骤保护IIS Web服务器安全
- 网络安全之小技巧保护(IIS)Web服务器
- IIS和服务器安全设置的步骤
- 系统安全之小技巧保护(IIS)Web服务器
- 保护(IIS)web服务器安全的15个技巧
- Windows Server2003 防木马权限设置IIS服务器安全配置整理
- Windows Server 2003 防木马、权限设置、IIS服务器安全配置整理
- Windows Server2003 防木马权限设置IIS服务器安全配置整理
- 给WIN2003 IIS SQL服务器安全加固
- IIS与SQL服务器安全加固详解
- [转]Windows IIS WEB服务器配置安全规范
- Windows Server2003 防木马权限设置IIS服务器安全配置整理
- ASP中FSO对象对IIS WEB服务器数据安全的威胁及对策