Nov 25

How to secure your Website in IIS?

1. Don’t turn on directory browsing. Directory browsing allows anyone to see the list of directories.

2. Lock down cmd.exe. The command prompt is a common way for hackers to get control of a system.

3. Avoid Basic Authentication, which sends the username and password combination in clear text. Use Integrated Authentication, or you can use Microsoft’s new .NET Passport authentication.

4. Set up logging so that you can check who visited your site. You can track the IP address and username of whoever accesses content on your site. Logging will help you track down someone if they hack into your site.

5. Don’t Set Up Write for Your Web Site: If you have execute permissions set up for your site, don’t enable write permission. If you have “write” enabled and permissions set for Execute, someone can upload an executable to your site and then promptly run it on your server!

If you need people to write content to your web site, find another way. You don’t need writes enabled unless you want people to upload files to your site through Hypertext Transfer Protocol (HTTP).

6. Set Execute Permissions for Your Web Site: Three execute permissions settings are available: None, Scripts, and Execute. Make sure that you choose the most restrictive permissions possible for your site to help keep it secure. If you aren’t using Common Gateway Interface (CGI) applications, and you are using Active Server Pages (ASP) or static content, choose the Scripts permission. If you aren’t even using ASP, choose None.

7. None: Only static web pages are served, so no scripts will be executed. This is the default setting for all web sites in IIS 6.

8. Scripts: Allows scripts, such as ASP, to run through their associated Internet Server Application Programming Interface (ISAPI) extension. Scripts carry increased security risk when enabled.

9. Script & Execute: Allows anything to run. Any file type can be accessed and run.

10. Use SSL for sensitive web sites: SSL sends data between client and server in encrypted form, so no one who intercepts the data can read it.

11. Use IP and Domain restriction.

12. Enable only the necessary Web service extensions: any dynamic content that is served by the Web server is served by using Web service extensions.

13. Enable only essential MIME types rather than enabling all.

14. Format all disks with the NTFS file system. Don’t go for FAT.

15. Isolate applications by using separate application pools.
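
As an added example (not from the original post), the sketch below audits a site configuration against tips 1, 3, 5, 6 and 10. It assumes IIS 7 or later, where these settings live in `web.config` XML with a single `system.webServer` section (IIS 6 keeps them in the metabase instead); the sample configurations and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the IIS 7+ web.config schema (not from the original post).
WEAK = """<configuration><system.webServer>
  <directoryBrowse enabled="true" />
  <handlers accessPolicy="Read, Write, Script, Execute" />
  <security>
    <access sslFlags="None" />
    <authentication><basicAuthentication enabled="true" /></authentication>
  </security>
</system.webServer></configuration>"""
HARDENED = """<configuration><system.webServer>
  <directoryBrowse enabled="false" />
  <handlers accessPolicy="Read, Script" />
  <security>
    <access sslFlags="Ssl" />
    <authentication><basicAuthentication enabled="false" /></authentication>
  </security>
</system.webServer></configuration>"""


def audit_web_config(xml_text):
    """Return sorted finding codes for settings that contradict the checklist."""
    root = ET.fromstring(xml_text)
    ws = next(root.iter("system.webServer"), root)  # first section only (assumption)

    def attr(path, name, default=""):
        node = ws.find(path)
        return node.get(name, default) if node is not None else default
    def flags(value):  # IIS writes flag lists as "Read, Script"
        return {f.strip().lower() for f in value.split(",") if f.strip()}

    findings = set()
    if attr("directoryBrowse", "enabled").lower() == "true":          # tip 1
        findings.add("DIRECTORY_BROWSING_ON")
    policy = flags(attr("handlers", "accessPolicy"))
    if "write" in policy and policy & {"script", "execute"}:          # tip 5
        findings.add("WRITE_WITH_EXECUTE")
    if "execute" in policy:                                           # tip 6
        findings.add("EXECUTE_ENABLED")
    if attr("security/authentication/basicAuthentication", "enabled").lower() == "true":
        findings.add("BASIC_AUTH_ENABLED")                            # tip 3
        if "ssl" not in flags(attr("security/access", "sslFlags", "None")):
            findings.add("BASIC_AUTH_WITHOUT_SSL")                    # tips 3 and 10
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK), "hardened:", audit_web_config(HARDENED))
```
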

Permanent link to this article: http://www.techxpress.in/how-to-secure-your-website-in-iis/
