webutm

The following checklist is a summary of the security points which should be checked prior to bringing an IIS server online. In cases where these points are not followed, the admin may want to securely document the known security issues for referral should a security compromise occur.

下面是安全要点的简要清单，在检查这些安全要点之前需要确保IIS服务器在线。在违反下面安全要点的情况下，管理员可能需要了解安全文档中对已知的安全问题应该发生的安全危害的介绍。

General assumptions:

q No IIS on a domain controller

1.域控制器上没有IIS。

q Install only services needed (ftp, www, smtp, nntp). Mailing out does NOT require smtp; use CDOSYS.DLL (a COM based method native to Windows) or a 3^rd party executable like blat.exe for web applications that require outgoing mail.

2.仅安装需要的服务( FTP,WWW,SMTP,NNTP)发送邮件不需要SMTP服务；可以使用CDOSYS.DLL（一个Windows提供的COM组件）或者使用第三方的Web应用程序例如：blat.exe来发送邮件。

q Virtual directories are NEVER used across servers.

3.从不使用跨服务器的虚拟目录。

q The underlying Windows OS has been secured.

4.底层的Windows操作系统是可以靠的。

q Only system administrators are local administrators.

5.仅系统管理员是本地管理员。

Design Guidelines

q Setup SSL if transmitted information is sensitive. Require SSL (Remove ability to access via port 80) if SSL is enabled.

2.如果传播的信息是敏感的需要安装SSL，如果SSL已经启用则请求SSL（通过访问端口 80 的删除能力）。

q All FTP sites, and as needed WWW sites should enable IP filtering for stanford-only sites. Ipsec filters can be used to accomplish this.

3.所有的FTP站点和需要的万维网站点需要启用对“stanford-only”的站点进行IP筛选。IPSec筛选器可用于实现这一目标。

q Virtual directories should be used as little as possible. They aren’t needed unless you need to span drives. And if you need to span drives reconsider based on the security implications.

4.虚拟目录应尽少使用， 除非您需要跨驱动器否则不需要使用虚拟目录。 如果需要跨驱动器，需要基于安全隐患重新考虑。

q Remove NTFS write perms everywhere possible.

5.移除NTFS驱动器下所有可移除的写入权限。

q Don’t make it easy to find your scripts and code. Hackers target code seeking vulnerabilities they can use to take control of the server. Good ideas include:

6.不要让其他人很容易地找到脚本和代码。黑客通过这些代码寻找漏洞，他们可以使用这些漏洞来控制服务器。下面是一些好的防范方法：

o Don’t use an obvious name for your scripts directory. ‘Scripts’, ‘cgi-bin’, ‘exchange’, and ‘bin’ are so common that automated tools look for them.

不要为您的Scripts目录使用明显的名称。 'Scripts' ， 'cgi-bin' ， 'exchange' 和'bin'这些关键字很容易被扫描器等自动化工具找到。

o Consider renaming the extension on all of your scripts to something uncommon. For example, rename myscript.asp to myscript.dum. This will require adding an ISAPI extension mapping for .dum to the appropriate code handler (asp.dll in this case). This makes your scripts harder to find. Incidentally, specifically renaming all .asp scripts to .html works fine without modifying the ISAPI extension mapping.

考 虑重命名您的脚本的扩展名为不寻常的字符。 例如，将 myscript.asp 重命名为 myscript.dum。 这将需要在ISAPI 扩展名映射（MIME）增加一个映射.dum到特定的代码处理器（在这种情况下是改变到“asp.dll”代码处理器）。 这样会使您的脚本难以找到。 顺便说一下一种特殊情况，重命名所有的.asp为.html 不需要修改 ISAPI 扩展名映射。

o Consider compiling scripts into dll files. This not only protects the code from analysis, but it also results in a major performance gain. Compiled code runs about 20 times faster.

考虑编译所有的到DLL文件中。这不仅保护了源代码，也大大提高了性能。编译过的代码运行比原来的脚本将近快20倍。

o Web applications (i.e. scripts and executables) only need a limited amount of permissions to run properly. Giving more permissions than is necessary allows a malicious hacker to download and analyze your code for vulnerabilities. The minimum permissions needed are: NTFS: Read, IIS: Execute. IIS: Read is NOT required, and will allow a hacker to download your code.

Web 应用程序 （即脚本和可执行文件） 只需要有限的权限就能正常运行。 提供更多的权限将会被黑客利用来下载文件和分析您的代码的漏洞，以及允许黑客下载你的代码。 所需的最低权限是：NTFS： 读取，IIS：执行，IIS：不需要读取。

q Be careful when using the Add/Remove control panel on an IIS Server. If you open the Windows components, Windows will inadvertently reset all ISAPI filter and extensions to the default, and may reset other things. This is a poor design by Microsoft that you need to be careful with.

7.小心使用 IIS 服务器上的添加/删除控制面板。 如果您打开 Windows 组件，Windows 会无意中重置所有 ISAPI 筛选器和扩展为默认值并可以重置其它事情。这是Microsoft的其中一个你需要小心的有问题的设计。

Installation configuration

q Delete all default virtual directories (icon w/ world on top of folder) and application roots (icon w/ green ball in box)

1.删除所有默认虚拟目录 （带有世界顶部的文件夹的图标） 和应用程序根 （带有绿球在框中的图标）

o Delete iisadmin

删除iisadmin

o Delete iissamples

删除iissamples

o Delete msadc.

删除msadc

o Delete iishelp

删除iishelp

o Delete scripts

删除scripts

o Delete printers

删除printers

q Delete ALL default content.

2.删除所有默认内容

o Delete %systemdirectory%\inetsrv\iisadmin

删除%systemdirectory%\inetsrv\iisadmin

o Delete %systemdirectory%\inetsrv\iisadmpwd

删除%systemdirectory%\inetsrv\iisadmpwd

o Delete inetpub\wwwroot (or \ftproot or \smtproot)

删除inetpub\wwwroot (or \ftproot or \smtproot)

o Delete inetpub\scripts

删除inetpub\scripts

o Delete inetpub\iissamples

删除inetpub\iissamples

o Delete inetpub\adminscripts

删除inetpub\adminscripts

o Delete %systemroot%\help\iishelp\iis

删除%systemroot%\help\iishelp\iis

o Delete %systemroot%\web\printers

删除%systemroot%\web\printers

o Delete %systemdrive%\program files\common files\system\msadc. Only websites that integrate with Microsoft Access databases need msadc.

删除%systemdrive%\program files\common files\system\msadc.只有使用Microsoft Access 数据库的网站需要 msadc。

q Configure Default Website with extremely secure settings (e.g. require ssl, Integrated Windows auth only, accessible from only one IP, NTFS perms to none on an empty home directory, etc.), then stop the site. This results in a broken default website that 80% of hackers will blindly attack, instead of your real website.

3.配置默认网站为极为安全设置（例如，需要SSL，仅集成Windows验证，只可从一个IP访问，NTFS权限主目录不能为空等） ，然后停止该网站。这样的结果是破坏默认网站，80%黑客会盲目地攻击，而不是您的真实网站。

q Configure all website(s) with host header matching the DNS name of the site. Go to ISM, Web Site tab, Advanced button, Select “All Unassigned” (or the specific IP) and Edit Button, and designate the host header in the appropriate field. Do this for both http and https. Do NOT configure default website with host header. This will prevent 90% of all automated hacking tools from working by sending them to your crippled default website.

4. 配置所有与主机头的DNS名称相匹配的网站。 打开ISM，网站选项卡，点击高级按钮，选择对话框 “ 全部未分配 ” （或特定的 IP) 然后点击编辑按钮，并指定了主机头在适当的栏位。对HTTP和HTTPS进行同样的操作。不配置默认网站的主机头。这将把90 ％的自动化黑客工具的工作转到瘫痪掉的默认网站上。

q Home directory IIS perms: Enable Read and Log. TURN OFF Write, Index, Browsing, Script Source Access (only WebDAV uses this), and Frontpage Web permissions. Set execute permissions to None. Enable execute permissions for the directory that holds your scripts.

5.主目录的IIS权限：启用“读取”和“记录访问”。禁用"写入"，"索引资源"，"目录浏览"，“脚本资源访问”（仅WebDAV使用此权限）以及Frontpage Web权限。执行权限选择“无”。对目录包含脚本文件的目录启用执行权限。

q Disable all unnecessary ISAPI filters. Do this under ISM, ISAPI filters tab.

6.禁用所有不必要的ISAPI筛选器，执行此操作打开ISM，ISAPI筛选器选项卡。

o Delete the Frontpage ISAPI filter (or extensions on older IIS servers), if you have a choice. If Frontpage ISAPI (extensions) is required, make them read only. On older IIS servers, you disable Frontpage extensions with the following command: “c:\program files\common files\microsoft shared\web server extensions\40\bin\fpsrvadm –o uninstall –p all”.

删 除 Frontpage ISAPI 筛选器 （或较早的 IIS 服务器上的扩展）在不需要这些情况下。 如果需要 Frontpage ISAPI （扩展），设置它为只读。 较早的 IIS 服务器上禁用 Frontpage 扩展使用以下命令：“ c \common\microsoft shared\web server extensions\40\bin\fpsrvadm –o uninstall –p all”。

o Digest Authentication. This authentication method requires support for reversibly encrypted passwords—which is a bad idea. Reversible encrypted passwords aren’t supported in the Stanford Windows Infrastructure. Delete this filter.

摘要式身份验证。 此身份验证方法需要支持可逆加密的密码，这是一个坏主意。 可逆加密的密码在斯坦福 Windows 结构中不被支持。 删除此筛选器。

o HTTP Compression. This filter allows compression of the http stream. This is a nice feature, but might be at the expense of security.

HTTP 压缩。 此筛选器允许 HTTP 流的压缩。 这是一个很好的功能，但可能会导致安全性降低。

o SSL. It’s unlikely you wouldn’t want SSL support, but if you don’t need it, then delete it.

SSL。 ’不大可能您不需要 SSL 的支持，但如果你真不需要它请删除它。

q Delete the dll files associated with ISAPI filters that you disabled. Frontpage: fpexdll.dll, Digest: md5filt.dll, Compression: compfilt.dll, SSL: sspifilt.dll.

7.删除与 ISAPI 筛选器禁用相关联的 DLL 文件。 Frontpage： fpexdll.dll，摘要： md5filt.dll，压缩： compfilt.dll，SSL： Sspifilt.dll。

q Unmap the following extensions (if possible):
.asa, .asp, .bat, .cdx, .cer, .htr, .htw, .ida, .idc, .idq, .printer, .shtm, .shtml, .stm
Within ISM, go to the Home Directory tab, and choose Configuration button.

8.（如果可能） 取消映射下列扩展名：.asa、.asp、.bat、.cdx、.cer、.htr、.htw、.ida、.idc、.idq、.printer、.shtm、.shtml、.stm 在 ISM，主目录选项卡，并选择配置按钮。

q Disable “Enable Parent Paths” setting. Go to ISM, Home Directory tab, Configuration button, App Options tab, uncheck checkbox. This prevents malicious web traversal without knowing the underlying directory structure. Web developers can not use paths like ..\..\default.htm and must use fully qualified paths.

9.禁用“启用父路径”设置。 在 ISM，主目录选项卡，点击 配置按钮，打开应用程序选项选项卡，取消选中复选框。 这样可以防止不知道目录的基础结构情况下恶意的 Web目录遍历。 Web 开发人员不能使用像路径..\..\Default.htm，必须使用完全合格的路径。

Patch level

q Apply Service Packs and hotfixes. UpdateExpert makes this very easy or Microsoft’s HfCheck tool can be used.

1.应用 Service Pack 和修补程序。可以使用 UpdateExpert，Microsoft ’s HfCheck 工具。

q Install high encryption pack (comes with Windows 2000 SP2) so 128 bit encryption is available.

2.安装高加密包 （附带 Windows 2000 SP 2) ,可以使用128 位加密。

Authentication model:

q Basic authentication disabled at site level, virtual directory level, directory level –Everywhere!

1.在网站层级、 虚拟目录层级、 目录层级 等所有地方禁用基本身份验证。

q Digest authentication disabled everywhere.

2.在任何地方禁用摘要式身份验证。

q IUSR & IWAM accounts should not be domain users nor should they be guests. If no anonymous access is required, delete these accounts.

3.IUSR & IWAM 帐户不应是域用户，也不应是Guests用户。 如果不需要匿名访问则删除这些帐户。

q If web data is ultra-sensitive consider placing server outside a domain.

4.如果web 数据是 ultra-sensitive（超灵敏）数据，考虑将服务器放置在域之外。

Authorization Changes

q Enable IIS auditing, change to W3 extended logging, and check that the info that is being logged is appropriate. (e.g. Is username needed?) Consider enabling the following items: Date and time, IP address of the client, IP address of the server, Server port, Username, HTTP method used to access your site, URI Stern, URI Query, Status of the request.

1.启用 IIS 审计，变更为W3号扩展日志记录，并检查信息被正确记录。 （例如：需要用户名吗？） 考虑启用下列项目： 日期和时间，客户端的IP地址，服务器的IP地址，服务器端口，用户名， 用于访问网站的HTTP方法，URI 尾，URI 查询，请求的状态。

q Set permission to IIS logs to system and local administrators only.

2.设置只允许系统和本地管理员能访问IIS日志。

q Remove write perms to hklm\software for non-admin accounts. Administrators & System: FULL, Everyone: Read/Execute

3.删除"hklm\software"的非管理员帐户的写入权限 。 管理员和系统帐户：完全控制，所有人： 读取或执行。

q Restrict NTFS perms to ALL executables on system. NTFS perms: Administrators & System: FULL, Users: Read/Execute. Give IUSR account execute permissions sparingly.

4.限制 系统上所有可执行程序的NTFS权限。 NTFS 权限：管理员和系统帐户：完全控制、 用户： 读取或执行。 给 IUSR 帐户谨慎执行权限。

q Restrict perms to any script interpreters such as perl. NTFS perms: Administrators & System: FULL, Everyone: Read/Execute. Give IUSR account execute permissions sparingly.

# 发贴者：梦游 : 3/08/2009 12:50:00 上午