10招步骤保护IIS服务器安全

问题

IIS（Internet Information Server）是黑客特别喜欢的目标。因此，对于管理IIS网页服务器的管理员来说，确保服务器安全是一件至关重要的事。IIS 4.0和IIS 5.0的默认值安装尤其容易受到攻击。

解决方案

采取下面的10个步骤来确保IIS的安全：

1.      专门为IIS应用和数据设置一个NTFS磁盘驱动器。如果可能的话，不允许IUSER（或者无论什么匿名用户）存取任何其它的磁盘驱动器。如果应用遇到任何由于匿名用户没有权限存取位于其它磁盘驱动器上的程序而造成的问题，那么，使用Sysinternals的FileMon来寻找哪一个档案该用户不能存取，然后把该程序移至IIS磁盘驱动器上。如果这样不可行的话，则允许IUSER仅可存取该档案。

2. 设置磁盘驱动器上的NTFS权限：

Developers = Full

IUSER = Read and execute only

System and admin = Full

3. 使用一个软件防火墙确保没有终端用户（只有研发人员）可以存取IIS机器上除了port 80之外的其它埠。
4. 使用微软的工具来保护机器：IIS Lockdown和UrlScan。
5. 启动使用IIS的日志文件(logging)功能。除了IIS纪录外，如果可能的话，同时也使用防火墙日志文件功能。
6. 把记录的日志(log)从预设地点移开，并确保已经进行备份。为日志档案夹建立一个备份，这样在另一个位置总是有一个可以使用的备份档。
7. 启动机器上的Windows监督功能(auditing)，因为在试图反向追查攻击者的行为的时候总会发现资料不足。利用监督日志，你可借着执行脚本来检查任何可疑的行为，然后发送报告给管理员。这听起来好像有一点极端，但是如果贵公司非常重视安全的话，这种作法可说十分值得鼓励。建立监督功能来报告所有的失败账号登录事件。另外，就跟先前的IIS日志一样，请将默认值位置 （c:\winnt\system32\config\secevent.log）改变为另一个不同的位置，并且确保你有一个备份而且有一个复制的拷贝文件。
8. 经常多阅读一些安全文章（各种来源的）。最好是尽可能多了解IIS，并进行全面的安全作法，而不仅仅是按照其它人（比如我）告诉你的经验来实现。
9. 加入IIS漏洞邮件清单(mailing list)，并要确实加以阅读以掌握最新状态。这种列表有来自因特网安全系统的X-Force Alerts and Advisories。
10. 最后，确保你经常执行Windows Update，并重复检验修补程序真的已经有安装妥当。

下面是IIS工具

Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft's internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.

Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by a SELECT query. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Putting these into proper syntax, a typical Log Parser command looks something like this:

logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>

Things can get a bit more complicated, but that's the basic idea.

Of course, the best way to learn about Log Parser is to actually use it, so let's see what we can do, using the Windows Event logs as a data source. After installing Log Parser, open a command prompt and change to the C:\Program Files\Log Parser directory, where the logparser.exe executable resides. Let's begin with a simple query to select all records from the System log:

logparser "SELECT * FROM System" -i:EVT

Since there's no output format specified, Log Parser writes the output to the console. The result is a series of messy-looking records like this:

System   2096   2005-06-17 05:01:14   2005-06-17 05:01:14   7035

   4   Information event   0   None   Service Control Manager

   Fax|stop   BOX15   S-1-5-18   The Fax service was successfully 

   sent a stop control.

This event, for example, is an event of type Information that has an event ID of 7035 and an event source of Service Control Manager. Log Parser will display these events ten at a time, prompting you for a keystroke to continue or Ctrl-C to abort.

Let's focus in on events of type Error, as these are likely to be of some importance to us:

logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVT

We still get messy-looking results, but now they're all Error events:

System   975   2005-05-10 16:40:09   2005-05-10 16:40:09   

  10010   1   Error event   0   None   DCOM   

  {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}   BOX15   

  S-1-5-21-2696947089-119843295-2143939133-500   

  The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} 

  did not register with DCOM within the required 

  timeout.

What kinds of Error events are we getting in our machine's System log? Let's output only the event sources this time:

logparser "SELECT SourceName FROM System WHERE 

    EventTypeName='Error event'" -i:EVT

The screen output now looks like this:

SourceName

-----------------------

DCOM

Service Control Manager

Service Control Manager

Service Control Manager

Service Control Manager

Service Control Manager

Service Control Manager

Service Control Manager

W32Time

W32Time

Press a key...

What are the different kinds of Error events in our System log, and how many of each source type were recorded? Log Parser can easily tell us this:

logparser "SELECT SourceName, COUNT(*) FROM System WHERE 

    EventTypeName='Error event' GROUP BY SourceName" -i:EVT

And here's what we get:

SourceName              COUNT(ALL *)

----------------------- ------------

DCOM                    5

Service Control Manager 43

W32Time                 8

NETLOGON                3

NETLOGON errors may be important, so let's key in on those and display the event IDs for these events plus the date and time they were generated (sorted in descending order):

logparser "SELECT TimeGenerated,EventID FROM System WHERE 

    EventTypeName='Error event' AND SourceName='NETLOGON' ORDER BY 

        TimeGenerated DESC" -i:EVT

The output now looks like this:

TimeGenerated       EventID

------------------- -------

2005-06-18 16:44:00 5719

2005-06-18 16:39:19 5719

2005-05-19 08:12:33 5719

What's the description for an event that has event ID 5719? Let's use Log Parser to find out:

logparser "SELECT EventID,Message FROM System WHERE EventID=5719" -i:EVT

This gives us:

5719   No Domain Controller is available for domain MTIT 

  due to the following: There are currently no logon servers 

  available to service the logon request. Make sure that the 

  computer is connected to the network and try again. If the 

  problem persists, please contact your domain administrator.

Uh-oh, could be a problem. Was the network down? Did the domain controller go offline? We need to investigate this further, but if you want a good source of help for understanding events like this, search EventID.net for information on events with this event ID.

Additional Resources

This brief look at Log Parser only scratches the surface of what it can do. How can you learn how to do more with this tool?

First, you obviously need a good knowledge of SQL syntax to construct SELECT statements. A good resource for learning the basics is SQL Tutorial from FirstSQL.

Next, check out this Professor Windows article on Microsoft's web site, which gives you an excellent bird's-eye view of what Log Parser can do.

After that, you can familiarize yourself with the syntax of Log Parser by typing logparser -h and viewing the Help information displayed.

Once you've started to rock and roll with Log Parser, check out The Unofficial Log Parser Support Site, where you can find tons of resources and a thriving online community that can answer any questions you might have about using the tool.

Finally, pick up a copy of the Microsoft Log Parser Toolkit (Syngress) and kick your learning into high gear. You'll soon be an expert and wonder how you ever managed your Windows systems before Log Parser came around.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

---

Related Reading Microsoft Log Parser Toolkit By Gabriele Giuseppini, Mak Burnett