邪恶八进制信息安全团队技术讨论组's Archiver

sunwear 2005-11-22 23:52

[转载]IIS 6.0 Security

<P>信息来源:securityfocus</P>
<P>文章作者:<A href="mailto:Rohyt.Belani@foundstone.com">Rohyt Belani</A> and <A href="mailto:Michael.Muckin@foundstone.com">Michael Muckin</A> </P>
<P>
<TABLE cellSpacing=0 width="100%" border=0>
<TBODY>
<TR>
<TD class=text>The popularity of web servers as a prime target for crackers and worm writers around the globe made IIS a natural place for Microsoft to focus its Trustworthy Computing Initiative. As a result, IIS has been completely redesigned to be secure by default and secure by design. This article discusses the major default configuration and design changes incorporated in IIS 6.0 to make it a more secure platform for hosting critical web applications.
<H2>Secure by Default</H2>In the past, vendors including Microsoft packaged the default installations of their web servers with an array of sample scripts, file handlers and minimal file-system permissions to provide administrators the necessary flexibility and ease of use. However, this approach tended to increase the available attack surface and was the basis of several attacks against IIS. As a result, IIS 6.0 is designed to be more secure out-of-the-box than its precursors. The most noticeable change is that IIS 6.0 is not installed by default with Windows Server 2003. Other changes include:
<UL>
<LI><B>Default installation is only a static HTTP server</B>
<P>The default installation of IIS 6.0 is configured to serve static HTML pages only; dynamic content is not permitted. The following table compares the default features of IIS 5.0 and IIS 6.0.
<P>
<TABLE borderColor=#000000 cellSpacing=0 cellPadding=3 border=1>
<TBODY>
<TR>
<TD>IIS Component</TD>
<TD>IIS 5.0 default install</TD>
<TD>IIS 6.0 default install</TD></TR>
<TR>
<TD>Static file support</TD>
<TD>Enabled</TD>
<TD>Enabled</TD></TR>
<TR>
<TD>ASP</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>Server-side includes</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>Internet Data Connector</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>WebDAV</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>Index Server ISAPI</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>Internet Printing ISAPI</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>CGI</TD>
<TD>Enabled</TD>
<TD>Disabled</TD></TR>
<TR>
<TD>Microsoft FrontPage

页: [1]
© 1999-2008 EvilOctal Security Team