Microsoft gives us a very useful tool for running IIS securely: UrlScan. Below is an annotated walk-through of its configuration file.
[options]
UseAllowVerbs=1 ; if 1, use the verbs listed in the [AllowVerbs] section; otherwise use the verbs listed in [DenyVerbs]
UseAllowExtensions=0 ; if 1, use the extensions listed in the [AllowExtensions] section; otherwise use the extensions listed in [DenyExtensions]
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove the IIS 'Server' header
EnableLogging=1 ; if 1, enable UrlScan logging
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, UrlScan loads as a low-priority filter
PerDayLogging=1 ; if 1, UrlScan writes one log file per day, named like UrlScan.010101.log
RejectResponseUrl= ; UrlScan sends rejected requests to the specified URL; the default is /<Rejected-by-UrlScan>
UseFastPathReject=0 ; if 1, UrlScan neither uses the RejectResponseUrl above nor lets IIS log the request
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=
[AllowVerbs]
;
; Verbs that IIS commonly supports
; Only effective when UseAllowVerbs = 1 above
;
GET
HEAD
POST
[DenyVerbs]
;
; The following verbs are used when publishing content to the IIS server via WebDAV
; Only effective when UseAllowVerbs = 0 above
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
[AllowExtensions]
;
; Extensions that are allowed
; Effective when UseAllowExtensions = 1 above
;
.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif
;.idq
;.htw
;.ida
;.idc
;.shtm
;.shtml
;.stm
;.htr
;.printer
[DenyExtensions]
;
; Extensions that are denied
; Effective when UseAllowExtensions = 0 above
;
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files; suffixes such as .mdb and .inc can be added here
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
;.asp
;.cer
;.cdx
;.asa
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
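To make the interplay of the options above concrete, here is an added example (Python, not UrlScan's own code) that parses a trimmed UrlScan.ini and screens sample requests against it: verb lists, DenyHeaders, the NormalizeUrlBeforeScan/VerifyNormalization pair, high-bit characters, dots in the path, extension lists and DenyUrlSequences. The policy text is constructed from the file above; normalization is simplified to percent-decoding, sequences are checked on the path only, and the order of checks is this example's choice rather than anything the page documents.

```python
"""Screen requests the way a UrlScan.ini policy would (added example, not
UrlScan's own code; normalization is simplified to percent-decoding)."""
from urllib.parse import unquote

# Constructed policy text, trimmed from the UrlScan.ini walked through above.
URLSCAN_INI = """
[options]
UseAllowVerbs=1          ; use [AllowVerbs], not [DenyVerbs]
UseAllowExtensions=0     ; use [DenyExtensions], not [AllowExtensions]
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
[DenyHeaders]
Translate:
Lock-Token:
[AllowExtensions]
.asp
.htm
[DenyExtensions]
.exe
.ini
[DenyUrlSequences]
..
./
\\
:
%
&
"""


def parse_urlscan_ini(text):
    """Parse UrlScan.ini: [options] becomes a dict, every other section a
    lower-cased list of entries.  ';' starts a comment, as in the real file."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy[section] = {} if section == "options" else []
        elif section == "options":
            key, _, value = line.partition("=")
            policy[section][key.strip()] = value.strip()
        elif section is not None:
            policy[section].append(line.lower())
    return policy


def _on(policy, option):
    return policy.get("options", {}).get(option, "0") == "1"


def screen_request(policy, verb, url, headers=None):
    """Return (accepted, reason); check order is this example's own choice."""
    headers = headers or {}
    if _on(policy, "UseAllowVerbs"):
        if verb.lower() not in policy.get("AllowVerbs", []):
            return False, "verb not in [AllowVerbs]"
    elif verb.lower() in policy.get("DenyVerbs", []):
        return False, "verb in [DenyVerbs]"
    denied = {h.rstrip(":") for h in policy.get("DenyHeaders", [])}
    for name in headers:
        if name.lower() in denied:
            return False, f"header {name} in [DenyHeaders]"
    path = url.split("?", 1)[0]            # sequences are checked on the path only
    if _on(policy, "NormalizeUrlBeforeScan"):
        once = unquote(path)
        if _on(policy, "VerifyNormalization") and unquote(once) != once:
            return False, "URL changes when normalized twice (double encoding)"
        path = once
    if not _on(policy, "AllowHighBitCharacters") and any(ord(c) > 0x7F for c in path):
        return False, "high-bit character in URL"
    segments = path.split("/")
    if not _on(policy, "AllowDotInPath") and (
        any("." in s for s in segments[:-1]) or segments[-1].count(".") > 1
    ):
        return False, "dot in path that is not a file extension"
    ext = ("." + segments[-1].rsplit(".", 1)[1]).lower() if "." in segments[-1] else "."
    if _on(policy, "UseAllowExtensions"):
        if ext not in policy.get("AllowExtensions", []):
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in policy.get("DenyExtensions", []):
        return False, f"extension {ext} in [DenyExtensions]"
    for seq in policy.get("DenyUrlSequences", []):
        if seq in path:
            return False, f"sequence {seq!r} in [DenyUrlSequences]"
    return True, "accepted"


if __name__ == "__main__":
    policy = parse_urlscan_ini(URLSCAN_INI)
    for verb, url in [("GET", "/default.asp"), ("PROPFIND", "/docs/"), ("GET", "/tools/run.exe")]:
        print(verb, url, "->", screen_request(policy, verb, url))
```

The double-decoding case is the one worth studying: with VerifyNormalization=1 a URL such as /%252e%252e/web.ini is rejected because a second decoding pass still changes it, before any extension or sequence rule is consulted.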
Undeniably, SQL injection is now the main method used to attack websites. In the sites I built in the past I relied on string filtering and error hiding to fend it off. That approach can block some attacks at the code level, but what can you do when you are not in a position to change the code? Below are two methods I found; both work by configuring IIS.
UrlScan 3.1
UrlScan 3.1 is a security tool and an official Microsoft product. It inspects every HTTP request that IIS processes and can block a request with security problems before it reaches the application. UrlScan 3.1 is an upgraded version of UrlScan 2.5 and supports IIS 5.1, IIS 6.0 and IIS 7.0 on Windows Vista and Windows Server 2008 and later.
Link: http://www.iis.net/expand/UrlScan There are many other very useful IIS extensions there that are worth a look.
IIS 6 SQL Injection Sanitation ISAPI Wildcard
This ISAPI DLL also prevents SQL injection by inspecting HTTP requests. It is only compatible with IIS 6.0 on Windows 2003; IIS 5 on Windows XP is not supported.
It is an open-source project: http://www.codeplex.com/IIS6SQLInjection
Modifying or hiding the Server header in IIS 7.5
Environment: Windows 2008 Server R2 + IIS 7.5
Make sure the ISAPI Filters and IIS 6 Metabase Compatibility features are installed under the IIS role.
First download UrlScan, then install it directly. After installation open IIS Manager; in Features View, the ISAPI Filters list should contain a UrlScan row.
Global configuration file:
C:\Windows\System32\inetsrv\urlscan\UrlScan.ini
RemoveServerHeader=0 ; change to 1 and the Server header is no longer sent
AlternateServerName= ; if RemoveServerHeader=0 you can define your own value here
To remove the X-Powered-By HTTP header in IIS 6 and IIS 7:
The X-Powered-By HTTP header is not unique to ASP.NET; other server-side languages, such as PHP, also add this header. When ASP.NET is installed, the header is inserted into IIS as a custom HTTP header, so it has to be removed from the IIS configuration. If your site is in a shared hosting environment and is not running on IIS 7 with the integrated pipeline mode, you will have to ask your hosting provider to remove it for you. (If your site runs on IIS 7, you can remove it programmatically with an HTTP Module.)
Removing the X-Powered-By header in IIS 6:
Start IIS Manager and expand the Web Sites node
Right-click the website and choose "Properties" from the pop-up menu
Select the HTTP Headers tab. Every custom HTTP header included in IIS responses is listed here; select the corresponding header and click Remove to delete it, as shown in the figure:
Removing the X-Powered-By header in IIS 7:
Select the site you need to modify and double-click HTTP Response Headers
All custom HTTP headers are listed here; to delete one, just click the "Remove" link on the right:
If you are building and deploying public facing web applications, security has to be one of your key considerations; ensure that you create a security threat model of your application to highlight the flow of data in your application and the possible weak points (Microsoft have a useful tool called Microsoft Security Assessment Tool which can help you with the planning process); ensure that your production environment has been hardened (and that you have run the various tools provided to spot any vulnerabilities in your infrastructure, such as Microsoft Baseline Security Analyzer, and tools like CAT.NET and Paros for spotting vulnerabilities in your application code); ensure that your web application protects against Cross Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/XSRF) attacks.
If you can afford the cost, adding an Intrusion Prevention System device to your network adds benefit, but if you can’t afford such a device then a tool such as UrlScan can offer some protection by blocking potentially harmful HTTP requests. In order to use UrlScan effectively you need to put an operational feedback loop in place whereby you use a tool such as LogParser (if you want a nice UI for this command line app, give Visual LogParser a try) to examine your application’s IIS logs for suspicious activity and add rules to UrlScan and your firewall to block such requests.
Examining IIS server logs from a high traffic public website, or having a network monitoring solution such as Cacti, is fascinating and terrifying in equal measure; once you have removed the noise of normal human generated traffic, the sheer volume of remaining non-human traffic generated by bots and spiders is staggering. Once you’ve filtered out all the requests generated by search engines’ crawlers there are a surprising number of other requests being made against your servers; the two worst are harvesters (screen scrapers) and bots that perform vulnerability scanning and exploitation. These bots start by fingerprinting your server and then exploit any known vulnerabilities; the HTTP RFC 2068 highlights this possibility:
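The feedback loop described above, as an added example (Python standing in for the LogParser queries; not code from the original post): parse a short IIS W3C log excerpt, profile each client IP, label the ones that look like a vulnerability scanner (mostly 404s for files the platform never served), a harvester (non-browser agent walking pages) or traffic UrlScan already rejected, and derive candidate entries for [DenyExtensions]. The log lines, client addresses and user agents are constructed for the example; the reject stem is UrlScan's default RejectResponseUrl from the configuration above, and the thresholds are assumptions to tune against your own traffic.

```python
"""Mine an IIS W3C log for non-human traffic worth feeding back into UrlScan
rules (added example; a Python stand-in for the LogParser queries above)."""
from collections import defaultdict
import os.path

# Constructed log excerpt in IIS W3C extended format (spaces inside the
# user agent are written as '+', as IIS does).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-01-01 00:00:01 10.0.0.5 GET /default.aspx - 200 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 00:00:02 10.0.0.5 GET /content/site.css - 200 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 00:00:02 10.0.0.5 GET /products/list - 200 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 00:00:03 192.0.2.10 GET /phpmyadmin/index.php - 404 Mozilla/4.0
2010-01-01 00:00:03 192.0.2.10 GET /admin/config.php - 404 Mozilla/4.0
2010-01-01 00:00:04 192.0.2.10 GET /cgi-bin/test.cgi - 404 Mozilla/4.0
2010-01-01 00:00:04 192.0.2.10 GET /robots.txt - 200 Mozilla/4.0
2010-01-01 00:00:05 198.51.100.7 GET /<Rejected-by-UrlScan> - 404 curl/7.19.7
2010-01-01 00:00:06 203.0.113.3 GET /products/list - 200 Python-urllib/2.6
2010-01-01 00:00:06 203.0.113.3 GET /products/1 - 200 Python-urllib/2.6
2010-01-01 00:00:07 203.0.113.3 GET /products/2 - 200 Python-urllib/2.6
2010-01-01 00:00:08 66.249.0.1 GET /products/list - 200 Mozilla/5.0+(compatible;+Googlebot/2.1)
2010-01-01 00:00:08 66.249.0.1 GET /old/page.htm - 404 Mozilla/5.0+(compatible;+Googlebot/2.1)
"""

REJECT_STEM = "/<Rejected-by-UrlScan>"               # UrlScan's default RejectResponseUrl
BROWSER_MARKERS = ("mozilla/", "opera/")
KNOWN_CRAWLERS = ("googlebot", "bingbot", "slurp")    # search-engine noise to drop


def parse_w3c(text):
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def profile_clients(records):
    """Aggregate per client IP: request count, 404s, UrlScan rejects, agents."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "rejected": 0, "agents": set()})
    for r in records:
        s = stats[r["c-ip"]]
        s["total"] += 1
        s["404"] += int(r["sc-status"] == "404")
        s["rejected"] += int(r["cs-uri-stem"] == REJECT_STEM)
        s["agents"].add(r["cs(User-Agent)"].lower())
    return stats


def classify(stats, min_requests=3, scan_ratio=0.75):
    """Label each client: blocked, vulnerability scanner, or harvester.
    Thresholds are assumptions; tune them against real traffic."""
    findings = {}
    for ip, s in stats.items():
        agents = " ".join(s["agents"])
        if any(c in agents for c in KNOWN_CRAWLERS):
            continue
        if s["rejected"]:
            findings[ip] = "blocked by UrlScan"
        elif s["total"] >= min_requests and s["404"] / s["total"] >= scan_ratio:
            findings[ip] = "vulnerability scanner (mostly 404s for files never served)"
        elif s["total"] >= min_requests and not any(m in agents for m in BROWSER_MARKERS):
            findings[ip] = "harvester (non-browser agent walking pages)"
    return findings


def deny_extension_candidates(records, served_extensions):
    """Extensions the platform never serves that were only ever requested and
    404'd: candidates for UrlScan's [DenyExtensions] section."""
    hits = defaultdict(lambda: [0, 0])
    for r in records:
        ext = os.path.splitext(r["cs-uri-stem"])[1].lower()
        if ext:
            hits[ext][0] += 1
            hits[ext][1] += int(r["sc-status"] == "404")
    return sorted(e for e, (n, n404) in hits.items() if n == n404 and e not in served_extensions)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, label in classify(profile_clients(recs)).items():
        print(ip, "->", label)
    print("DenyExtensions candidates:", deny_extension_candidates(recs, {".aspx", ".css", ".txt", ".htm"}))
```

Search-engine crawlers are dropped before classification so that their legitimate 404s (the /old/page.htm line) do not look like scanning; the remaining labels are what you would turn into UrlScan or firewall rules after reviewing them by hand.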
"Note: Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementers are encouraged to make this field a configurable option."
There are two recourses to this situation: firstly you can broadcast a fake web topology, for example if your web platform is WISA (Windows, Internet Information Services, SQL Server, ASP.NET) you can configure your servers to return the response headers of a LAMP (Linux, Apache, MySQL, PHP) platform. Secondly you can cloak this information, so it isn’t broadcast at all.
By default a WISA platform (running ASP.NET MVC) discloses its identity, by broadcasting the following response header (using Firebug):
You can turn off the X-AspNet-Version header by applying the following configuration section to your web.config:
<system.web>
  <httpRuntime enableVersionHeader="false"/>
</system.web>
which results in the X-AspNet-Version being removed:
You can then remove the X-AspNetMvc-Version header by altering your Global.asax.cs as follows:
protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}
which results in the X-AspNetMvc-Version being removed:
But there is no easy way to remove the Server response header via configuration. Luckily IIS7 has a managed pluggable module infrastructure which allows you to easily extend its functionality. Below is the source for an HttpModule for removing a specified list of HTTP response headers:
namespace Zen.Core.Web.CloakIIS
{
    #region Using Directives

    using System;
    using System.Collections.Generic;
    using System.Web;

    #endregion

    /// <summary>
    /// Custom HTTP Module for Cloaking IIS7 Server Settings to allow anonymity
    /// </summary>
    public class CloakHttpHeaderModule : IHttpModule
    {
        /// <summary>
        /// List of Headers to remove
        /// </summary>
        private List<string> headersToCloak;

        /// <summary>
        /// Initializes a new instance of the <see cref="CloakHttpHeaderModule"/> class.
        /// </summary>
        public CloakHttpHeaderModule()
        {
            this.headersToCloak = new List<string>
            {
                "Server",
                "X-AspNet-Version",
                "X-AspNetMvc-Version",
                "X-Powered-By",
            };
        }

        /// <summary>
        /// Dispose the Custom HttpModule.
        /// </summary>
        public void Dispose()
        {
        }

        /// <summary>
        /// Handles the current request.
        /// </summary>
        /// <param name="context">
        /// The HttpApplication context.
        /// </param>
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
        }

        /// <summary>
        /// Remove all headers from the HTTP Response.
        /// </summary>
        /// <param name="sender">
        /// The object raising the event
        /// </param>
        /// <param name="e">
        /// The event data.
        /// </param>
        private void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            this.headersToCloak.ForEach(h => HttpContext.Current.Response.Headers.Remove(h));
        }
    }
}
Ensure that you sign the assembly, then you can install it into the GAC of your web servers and simply make the following modification to your application’s web.config (or if you want it to be globally applied, to the machine.config):
<configuration>
  <system.webServer>
    <modules>
      <add name="CloakHttpHeaderModule"
           type="Zen.Core.Web.CloakIIS.CloakHttpHeaderModule, Zen.Core.Web.CloakIIS, Version=1.0.0.0, Culture=neutral, PublicKeyToken=<YOUR TOKEN HERE>" />
    </modules>
  </system.webServer>
</configuration>
Now when you execute a page, you should see the following HTTP response (with the X-AspNet-Version, X-AspNetMvc-Version and Server response headers removed):
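To verify the result without a browser plug-in, here is an added example (Python, not the module above or any IIS code) that parses a captured HTTP response, reports which of the same four headers the HttpModule targets are still present, and rebuilds the response with them cloaked, optionally substituting a replacement Server value in the manner of UrlScan's AlternateServerName. The captured response is constructed for the example; in practice you would feed it the raw bytes returned by your own server before and after deploying the module.

```python
"""Audit a captured HTTP response for platform-fingerprinting headers and
show the effect of cloaking them (added example, mirrors the module's list)."""

# The same header list the CloakHttpHeaderModule removes.
FINGERPRINT_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")

# Constructed response, as an uncloaked WISA / ASP.NET MVC server might send it.
RAW_BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-AspNetMvc-Version: 2.0\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw):
    """Return {header: value} for every header that reveals the platform."""
    _, headers, _ = parse_response(raw)
    wanted = {h.lower() for h in FINGERPRINT_HEADERS}
    return {n: v for n, v in headers if n.lower() in wanted}


def cloak(raw, names=FINGERPRINT_HEADERS, alternate_server=None):
    """Rebuild the response without the named headers.  If alternate_server is
    given, Server is replaced instead of removed (the AlternateServerName
    approach from UrlScan.ini); header matching is case-insensitive."""
    status, headers, body = parse_response(raw)
    drop = {n.lower() for n in names}
    kept = []
    for name, value in headers:
        if name.lower() == "server" and alternate_server:
            kept.append((name, alternate_server))
        elif name.lower() in drop:
            continue
        else:
            kept.append((name, value))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    print("before:", fingerprint(RAW_BEFORE))
    print("after: ", fingerprint(cloak(RAW_BEFORE)))
    print("fake topology:", fingerprint(cloak(RAW_BEFORE, alternate_server="Apache")))
```

Run the audit against both the raw and the cloaked capture: an empty result from fingerprint() on the cloaked response is the check that every header on the module's list actually disappeared, and a leftover entry points at a header the pipeline added after the module ran.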
One further note – the bots also fingerprint via file extensions; if you are running ASP.NET MVC, extensionless URLs, implemented via the ASP.NET MVC routing system, should help avoid this type of detection.