10 Steps to Secure an IIS Server


Problem

IIS (Internet Information Server) is a favorite target of hackers. For anyone who administers an IIS web server, keeping that server secure is therefore a top priority. Default installations of IIS 4.0 and IIS 5.0 are especially vulnerable to attack.

Solution

Use the following 10 steps to secure IIS:

  1. Set up a dedicated NTFS drive for IIS applications and data. If possible, do not allow IUSER (or any other anonymous user) to access any other drive. If an application runs into problems because the anonymous user lacks permission to access a file on another drive, use Sysinternals' FileMon to find which file that user cannot access and move it to the IIS drive. If that is not feasible, grant IUSER access to that one file only.

  2. Set the NTFS permissions on the drive:

     Developers = Full
     IUSER = Read and execute only
     System and admin = Full

  3. Use a software firewall to ensure that no end user (only developers) can reach any port on the IIS machine other than port 80.

  4. Use Microsoft's tools to protect the machine: IIS Lockdown and UrlScan.

  5. Enable IIS logging. In addition to the IIS logs, use the firewall's logging feature as well if possible.

  6. Move the logs out of their default location and make sure they are backed up. Create a backup of the log folder so that a usable copy always exists in another location.

  7. Enable Windows auditing on the machine, because when you try to trace an attacker's actions afterwards you will invariably find that the data is insufficient. With the audit log you can run a script that checks for any suspicious behaviour and then sends a report to the administrator. This may sound a little extreme, but if your company takes security seriously it is a practice well worth encouraging. Configure auditing to report all failed account logon events. Also, just as with the IIS logs, move the log from its default location (c:\winnt\system32\config\secevent.log) to another location, and make sure you have a backup and a duplicate copy of it.

  8. Read security articles (from a variety of sources) regularly. Ideally, learn as much about IIS as you can and implement thorough security practices, rather than only following what others (such as me) tell you from their experience.

  9. Subscribe to IIS vulnerability mailing lists and actually read them, so that you stay current. One such list is Internet Security Systems' X-Force Alerts and Advisories.

  10. Finally, make sure you run Windows Update regularly and double-check that the patches really have been applied properly.

IIS tools

Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft’s internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.

Log Parser operates as a kind of data pipeline. Into
this pipe you can send information from IIS logs, Windows Event logs,
Active Directory information, file system data, Registry data, Network
Monitor traces, and so on. Once the data is in the pipe, you can process
it using SQL statements; for example, to select certain portions of the
data by a SELECT query. Then, as the
processed data comes out of the pipeline, you can output it to text
files, HTML files, Excel-style charts, or a SQL database table, or
simply to the console as raw output. Putting these into proper syntax, a
typical Log Parser command looks something like this:

logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>

Things can get a bit more complicated, but that’s the
basic idea.

Of course, the best way to learn about Log Parser is
to actually use it, so let’s see what we can do, using the Windows Event
logs as a data source. After installing Log Parser, open a command
prompt and change to the C:\Program Files\Log Parser directory,
where the logparser.exe executable resides. Let’s begin with a simple
query to select all records from the System log:

logparser "SELECT * FROM System" -i:EVT

Since there’s no output format specified, Log Parser
writes the output to the console. The result is a series of
messy-looking records like this:

    System   2096   2005-06-17 05:01:14   2005-06-17 05:01:14   7035
       4   Information event   0   None   Service Control Manager
       Fax|stop   BOX15   S-1-5-18   The Fax service was successfully
       sent a stop control.

This event, for example, is an event of type
Information that has an event ID of
7035 and an event source of
Service Control Manager. Log Parser will
display these events ten at a time, prompting you for a keystroke to
continue or Ctrl-C to abort.

Let’s focus in on events of type Error, as these are likely to be of some importance to
us:

logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVT

We still get messy-looking results, but now they’re
all Error events:

    System   975   2005-05-10 16:40:09   2005-05-10 16:40:09
      10010   1   Error event   0   None   DCOM
      {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}   BOX15
      S-1-5-21-2696947089-119843295-2143939133-500
      The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}
      did not register with DCOM within the required
      timeout.

What kinds of Error
events are we getting in our machine’s System log? Let’s output only the
event sources this time:

logparser "SELECT SourceName FROM System WHERE EventTypeName='Error event'" -i:EVT

The screen output now looks like this:

    SourceName
    -----------------------
    DCOM
    Service Control Manager
    Service Control Manager
    Service Control Manager
    Service Control Manager
    Service Control Manager
    Service Control Manager
    Service Control Manager
    W32Time
    W32Time
    Press a key...

What are the different kinds of Error events in our System log, and how many of each source type
were recorded? Log Parser can easily tell us this:

logparser "SELECT SourceName, COUNT(*) FROM System WHERE EventTypeName='Error event' GROUP BY SourceName" -i:EVT

And here’s what we get:

    SourceName              COUNT(ALL *)
    ----------------------- ------------
    DCOM                    5
    Service Control Manager 43
    W32Time                 8
    NETLOGON                3

NETLOGON errors may be important, so let’s key in
on those and display the event IDs for these events plus the date and
time they were generated (sorted in descending order):

logparser "SELECT TimeGenerated,EventID FROM System WHERE EventTypeName='Error event' AND SourceName='NETLOGON' ORDER BY TimeGenerated DESC" -i:EVT

The output now looks like this:

    TimeGenerated       EventID
    ------------------- -------
    2005-06-18 16:44:00 5719
    2005-06-18 16:39:19 5719
    2005-05-19 08:12:33 5719

What’s the description for an event that has event ID
5719? Let’s use Log Parser to find
out:

logparser "SELECT EventID,Message FROM System WHERE EventID=5719" -i:EVT

This gives us:

    5719   No Domain Controller is available for domain MTIT
      due to the following: There are currently no logon servers
      available to service the logon request. Make sure that the
      computer is connected to the network and try again. If the
      problem persists, please contact your domain administrator.

Uh-oh, could be a problem. Was the network down? Did
the domain controller go offline? We need to investigate this further,
but if you want a good source of help for understanding events like
this, search EventID.net for information on
events with this event ID.
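As an added example (not part of the article or of Log Parser itself), here is how the review-and-report script that step 7 of the hardening list calls for could be built on the queries above: it reads a CSV export of the System log, reproduces the per-source error count of the GROUP BY query, and flags a NETLOGON 5719 that repeats within a short window, the "did the domain controller go offline?" case just discussed. The column names follow Log Parser's EVT input format; the sample rows and the 10-minute window are constructed for the example, not taken from a real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed rows shaped like a Log Parser CSV export of the System log
# (-i:EVT -o:CSV with the four columns below); values echo the article's
# console output and are not a real export.
SAMPLE_CSV = """TimeGenerated,EventID,EventTypeName,SourceName
2005-05-10 16:40:09,10010,Error event,DCOM
2005-05-11 09:02:47,10010,Error event,DCOM
2005-05-19 08:12:33,5719,Error event,NETLOGON
2005-06-17 05:01:14,7035,Information event,Service Control Manager
2005-06-18 16:39:19,5719,Error event,NETLOGON
2005-06-18 16:44:00,5719,Error event,NETLOGON
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_records(csv_text):
    """Export rows as dicts, with TimeGenerated parsed and EventID as int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["TimeGenerated"] = datetime.strptime(row["TimeGenerated"], TIME_FMT)
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows

def error_sources(records):
    """Error events per source: the article's GROUP BY SourceName query."""
    return Counter(r["SourceName"] for r in records if r["EventTypeName"] == "Error event")

def repeated_errors(records, source, event_id, window=timedelta(minutes=10), threshold=2):
    """Times (newest first) at which >= threshold matching errors fell inside `window`.
    A repeating NETLOGON 5719 is the 'did the DC go offline?' case the article raises."""
    times = sorted(r["TimeGenerated"] for r in records
                   if r["SourceName"] == source and r["EventID"] == event_id)
    flagged, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        if end - start + 1 >= threshold:
            flagged.append(t)
    return sorted(flagged, reverse=True)

def report(records):
    """Plain-text summary an auditing job could mail to the administrator (step 7)."""
    lines = [f"{src:<24}{n}" for src, n in error_sources(records).most_common()]
    for t in repeated_errors(records, "NETLOGON", 5719):
        lines.append(f"NETLOGON 5719 repeated within 10 min, latest at {t:{TIME_FMT}}")
    return "\n".join(lines)
```

Feed it the real export with `logparser "SELECT TimeGenerated,EventID,EventTypeName,SourceName FROM System" -i:EVT -o:CSV` and schedule `report()` to run after each backup of the log.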

Additional Resources

This brief look at Log Parser only scratches the
surface of what it can do. How can you learn how to do more with this
tool?

First, you obviously need a good knowledge of SQL syntax to construct SELECT statements. A good resource for learning the basics is the SQL Tutorial from FirstSQL.

Next, check out the Professor Windows article on Microsoft’s web site, which gives you an excellent bird’s-eye view of what Log Parser can do.

After that, you can familiarize yourself with the
syntax of Log Parser by typing logparser -h
and viewing the Help information displayed.

Once you’ve started to rock and roll with Log Parser,
check out The Unofficial Log Parser Support
Site, where you can find tons of resources
and a thriving online community that can answer any questions you might
have about using the tool.

Finally, pick up a copy of the Microsoft Log Parser Toolkit (Syngress) and kick your learning into high gear. You’ll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Related Reading

Microsoft Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett

 
