10 Steps to Secure an IIS Server

Problem

IIS (Internet Information Server) is a favorite target of attackers. For administrators who run IIS web servers, keeping the server secure is therefore a primary concern. Default installations of IIS 4.0 and IIS 5.0 are especially easy to attack.

Mitigation

Use the following 10 steps to manage the security of IIS:

1. Set up a dedicated NTFS disk drive for IIS applications and data. If possible, do not allow IUSER (or any anonymous user) to access any other disk drive. If you run into problems because the anonymous user lacks permission to access a program located on another drive, use Sysinternals' FileMon to find which file that user cannot access, then move that file to the IIS drive. If that is not feasible, grant IUSER access to that file only.

2. Set the NTFS permissions on the drive:

   Developers = Full

   IUSER = Read and execute only

   System and admin = Full

3. Use a software firewall to ensure that no end users (only developers) can access any port on the IIS machine other than port 80.

4. Use Microsoft's tools to harden the machine: IIS Lockdown and UrlScan.

5. Enable IIS logging. In addition to the IIS logs, also enable the firewall's logging if possible.

6. Move the logs away from their default location and back them up. Create a backup of the log folder so that a usable backup copy always exists in another location.

7. Enable Windows auditing on the machine, because when you try to trace an attacker's actions you always find there is too little data. Using the audit log, you can run a script that checks for any suspicious activity and then sends a report to the administrator. This may seem like a bit much, but if your company takes security seriously, this practice is well worth it. Configure auditing to report all failed account logon events. Also, just as with the IIS logs, move the default location (c:\winnt\system32\config\secevent.log) to a different location, and make sure you have a backup and a duplicate copy of the file.

8. Read security articles (from a variety of sources) often. It is best to learn as much as you can about IIS and implement thorough security practices yourself, rather than just following what other people (such as me) tell you.

9. Join IIS vulnerability mailing lists, and actually read them so you stay up to date. One such list is Internet Security Systems' X-Force Alerts and Advisories.

10. Finally, make sure you run Windows Update regularly, and double-check that patches have really been installed properly.

Below is an IIS tool: Log Parser

Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft's internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.

Log Parser operates as a kind of data pipeline. Into
this pipe you can send information from IIS logs, Windows Event logs,
Active Directory information, file system data, Registry data, Network
Monitor traces, and so on. Once the data is in the pipe, you can process
it using SQL statements; for example, to select certain portions of the
data by a SELECT query. Then, as the
processed data comes out of the pipeline, you can output it to text
files, HTML files, Excel-style charts, or a SQL database table, or
simply to the console as raw output. Putting these into proper syntax, a
typical Log Parser command looks something like this:

logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>

Things can get a bit more complicated, but that’s the
basic idea.

Of course, the best way to learn about Log Parser is
to actually use it, so let’s see what we can do, using the Windows Event
logs as a data source. After installing Log Parser, open a command
prompt and change to the C:\Program Files\Log Parser directory,
where the logparser.exe executable resides. Let’s begin with a simple
query to select all records from the System log:

logparser "SELECT * FROM System" -i:EVT

Since there’s no output format specified, Log Parser
writes the output to the console. The result is a series of
messy-looking records like this:

System   2096   2005-06-17 05:01:14   2005-06-17 05:01:14   7035
   4   Information event   0   None   Service Control Manager
   Fax|stop   BOX15   S-1-5-18   The Fax service was successfully
   sent a stop control.

This event, for example, is an event of type
Information that has an event ID of
7035 and an event source of
Service Control Manager. Log Parser will
display these events ten at a time, prompting you for a keystroke to
continue or Ctrl-C to abort.

Let's focus on events of type Error, as these are likely to be of some importance to us:

logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVT

We still get messy-looking results, but now they’re
all Error events:

System   975   2005-05-10 16:40:09   2005-05-10 16:40:09
  10010   1   Error event   0   None   DCOM
  {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}   BOX15
  S-1-5-21-2696947089-119843295-2143939133-500
  The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}
  did not register with DCOM within the required
  timeout.

What kinds of Error
events are we getting in our machine’s System log? Let’s output only the
event sources this time:

logparser "SELECT SourceName FROM System WHERE EventTypeName='Error event'" -i:EVT

The screen output now looks like this:

SourceName
-----------------------
DCOM
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
W32Time
W32Time
Press a key...

What are the different kinds of Error events in our System log, and how many of each source type
were recorded? Log Parser can easily tell us this:

logparser "SELECT SourceName, COUNT(*) FROM System WHERE EventTypeName='Error event' GROUP BY SourceName" -i:EVT

And here’s what we get:

SourceName              COUNT(ALL *)
----------------------- ------------
DCOM                    5
Service Control Manager 43
W32Time                 8
NETLOGON                3

NETLOGON errors may be important, so let’s key in
on those and display the event IDs for these events plus the date and
time they were generated (sorted in descending order):

logparser "SELECT TimeGenerated,EventID FROM System WHERE EventTypeName='Error event' AND SourceName='NETLOGON' ORDER BY TimeGenerated DESC" -i:EVT

The output now looks like this:

TimeGenerated       EventID
------------------- -------
2005-06-18 16:44:00 5719
2005-06-18 16:39:19 5719
2005-05-19 08:12:33 5719

What’s the description for an event that has event ID
5719? Let’s use Log Parser to find
out:

logparser "SELECT EventID,Message FROM System WHERE EventID=5719" -i:EVT

This gives us:

5719   No Domain Controller is available for domain MTIT
  due to the following: There are currently no logon servers
  available to service the logon request. Make sure that the
  computer is connected to the network and try again. If the
  problem persists, please contact your domain administrator.

Uh-oh, could be a problem. Was the network down? Did
the domain controller go offline? We need to investigate this further,
but if you want a good source of help for understanding events like
this, search EventID.net for information on
events with this event ID.
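The logging steps above (IIS logging, the relocated log folder, auditing of failed logons) and the Log Parser queries just shown come together in the following added example, which is not from the original article or from Log Parser's own documentation: a batch file that runs three Log Parser 2.2 queries against the Security log and the IIS W3C logs and writes CSV reports an administrator can review. The install path, the D:\IISLogs\W3SVC1 log location, the D:\Reports output folder, the thresholds, and the assumption that the account name is the first Strings token of a logon-failure event are all my assumptions.

```batch
@echo off
REM Added example, not from the original article: Log Parser 2.2 queries that follow
REM up on the logging steps above (IIS logging, moved log folder, failed-logon auditing).
REM Assumptions: Log Parser 2.2 is installed at the path below, the IIS logs were moved
REM to D:\IISLogs\W3SVC1 (step 6), and reports are written to D:\Reports.
set LP="C:\Program Files\Log Parser 2.2\LogParser.exe"
set IISLOGS=D:\IISLogs\W3SVC1\ex*.log
set OUT=D:\Reports

REM 1. Step 7 follow-up: failed logons from the Security log, one row per account.
REM    The EVT input format exposes the same columns used above (EventID, TimeGenerated,
REM    SourceName, EventTypeName); 'Failure Audit event' is the type name for audit failures.
REM    Assumption: the account name is the first pipe-separated token of Strings,
REM    as it is for the Windows 2000/2003 logon-failure events.
%LP% "SELECT EXTRACT_TOKEN(Strings, 0, '|') AS Account, COUNT(*) AS Failures, MIN(TimeGenerated) AS FirstSeen, MAX(TimeGenerated) AS LastSeen INTO %OUT%\failed-logons.csv FROM Security WHERE EventTypeName='Failure Audit event' GROUP BY Account HAVING COUNT(*) > 5 ORDER BY Failures DESC" -i:EVT

REM 2. Step 5 follow-up: clients that produced many 404s in the IIS W3C logs.
REM    A single client generating hundreds of Not Found responses is usually a scanner
REM    probing for files that are not on this server; the threshold (50) is arbitrary.
%LP% "SELECT c-ip AS Client, COUNT(*) AS NotFound INTO %OUT%\not-found-by-client.csv FROM %IISLOGS% WHERE sc-status = 404 GROUP BY c-ip HAVING COUNT(*) > 50 ORDER BY NotFound DESC" -i:IISW3C

REM 3. Server errors by requested path, so application faults can be tied to a URI.
%LP% "SELECT TO_LOWERCASE(cs-uri-stem) AS Uri, COUNT(*) AS Errors INTO %OUT%\server-errors.csv FROM %IISLOGS% WHERE sc-status >= 500 GROUP BY Uri ORDER BY Errors DESC" -i:IISW3C
```

Because the IIS logs are read from the relocated folder rather than the default one, the queries keep working after step 6 is applied; schedule the batch file and review the three CSV files as the report step 7 calls for.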

Additional Resources

This brief look at Log Parser only scratches the
surface of what it can do. How can you learn how to do more with this
tool?

First, you obviously need a good knowledge of SQL syntax to construct SELECT statements. A good resource for learning the basics is the SQL Tutorial from FirstSQL.

Next, check out the Professor Windows article on Microsoft's web site, which gives you an excellent bird's-eye view of what Log Parser can do.

After that, you can familiarize yourself with the
syntax of Log Parser by typing logparser -h
and viewing the Help information displayed.

Once you’ve started to rock and roll with Log Parser,
check out The Unofficial Log Parser Support
Site, where you can find tons of resources
and a thriving online community that can answer any questions you might
have about using the tool.

Finally, pick up a copy of the Microsoft Log Parser Toolkit (Syngress) and kick your learning into high gear. You'll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

