怎样使IIS更安全PPT课件

1、WEB327怎样使 IIS更安全,胡 雪高级顾问 美国微软公司 顾问咨询部 Microsoft Corporation,日程,出名的病毒：Code Red (I ) ( / Do stuff else Response.write(Access Denied); function isPasswordOK(strName, strPwd) var fAllowLogon = false; var oConn = new ActiveXObject(ADODB.Connection); var strConnection=Data Source=c:authauth.mdb; oConn.Ope

2、n(strConnection); var strSQL = SELECT count(*) FROM client WHERE + name= + strName + + and pwd= + strPwd + ; var oRS = new ActiveXObject(ADODB.RecordSet); oRS.Open(strSQL,oConn); fAllowLogon = (oRS(0).Value 0) ? true : false; oRS.Close(); delete oRS; oConn.Close(); delete oConn; return fAllowLogon;,

3、危险在哪,好人 Username: jeff Password: &y-)4Hi=Qw8 SELECT count(*) FROM client WHERE name=jeff and pwd=&y-)4Hi=Qw8,坏人 Password: or 1 = 1,SELECT count(*) FROM client WHERE name=jeff and pwd= or 1=1,Unicode attack,IIS 检查 . 防止进入父目录。但IIS 5 Gold 没检查 UTF-8 的 或 /. 例如 %c0%af,http:/localhost/scripts/.%c0%af./winnt

4、/system32/cmd.exe?/c+type%20d:boot.ini,http:/localhost/scripts/.%c0%af./winnt/system32/cmd.exe?/c+copy%20d:winntsystem32cmd.exe root.exe,http:/localhost/scripts/root.exe?/c+echo Your Website is Defaced d:inetpubwwwrootdefault.asp,对策,Tell the attacker nothing! Determine what is valid input Beware of

5、quotes Check SQL return values Disable parent paths,如果您不幸被黑,Have a “Incident Response Plan” Remove machines from the net Find out how the hacker did it Perform low-level format Examine connected computers,IIS 4.0 and 5.0 新安全工具,Security hotfixes New: Cumulative Security Hotfixes New: No reboot hotfix

6、es New: Windows Update Integration New: One-Button-Lockdown-Tool New: Lockdown ISAPI Filter New: HFCHECK v2.0,IIS 6.0安全防范措施,Server is locked down by default Only static files Secure defaults Content protection Secure timeouts and limits Code Security Buffer Overflow Checks automated in the Windows b

7、uild environment VC+ compiler supported (/Gs) Isolation through a new process model Worker Processes run as a low privileged by default Lets get real: WindowsDotNetT Always secure with AutoUpdate,工具和检查清单, IIS5 Security Checklist HiSecWeb Template HFCheck IIS Lockdown Tool IISlockd.exe Using IPSec: http:/ “Designing Secure Web-based Applications” http:/,总结,Windows 2000 and Windows.NET are robust platforms that can provide security against real-world attacks provide the tools and features needed to mak