Installing the WebKnight IIS firewall on IIS6
- 2020-05-06 12:01:40
- OfStack
How do I install WebKnight in IIS6?
Our web server runs IIS6, so only the IIS6 installation is covered here. Some posts about installing WebKnight say that it only works if IIS is switched to IIS 5.0 isolation mode. In fact, the WebKnight official website explains that it can be installed without doing this, at the cost of giving up WebKnight's global configuration feature. Rather than give up IIS 6.0, I prefer to give up this WebKnight feature:
1. Download a copy of WebKnight from http://aqtronix.com/?PageID=99#Download (note: this is not a direct download link, so that you do not end up downloading an old version after an update; click WebKnight 2.2 (Release date: 2008.09.02) on that page).
2. After decompression there are two directories, Setup and Source. Source is the source code; we only need to install, so go into Setup.
3. Setup contains two more directories: w32 for 32-bit and x64 for 64-bit. Choose according to your server's operating system; I will choose x64 (WebKnight's 32-bit and 64-bit file structures are exactly the same, so the following applies fully to 32-bit operating systems as well).
4. Make sure each of your sites runs in a separate application pool.
5. In the WebKnight configurator:
   - Deselect "Is Installed As Global Filter" under "Global Filter Capabilities".
   - Select "Per Process Logging" under "Logging", so that each application pool instance loads a separate WebKnight instance.
6. Make sure that the Windows user NETWORK SERVICE (or whichever other user your application pool runs as) has Modify permission on the WebKnight folder.
7. Copy all the files in the x64 folder from step 3 to the server (e.g. F:\WebKnight\WebSite1\).
8. Open IIS Manager.
9. Right-click the site where WebKnight needs to be installed > Properties > ISAPI Filters.
10. Click Add. The Filter Name is arbitrary (for example, WebKnight); for Executable, select the WebKnight DLL in the WebKnight directory.
11. Click OK to complete the installation.
12. Run Config.exe in the WebKnight directory. See the next section for the specific configuration.
13. After the above, restart IIS (restarting IIS can be avoided by simply stopping and restarting the application pool of the site configured with WebKnight).
How to configure WebKnight
Disclaimer: WebKnight has a great many configuration options, so I only describe my recommended configuration here. These are personal views, for reference only; if you have better suggestions, I look forward to you sharing them.
In the WebKnight directory (e.g. F:\WebKnight\WebSite1\), double-click Config.exe to start the configuration.
Scanning Engine
There is no need to change the default configuration
Incident Response Handling (how detected attacks are handled)
If you want someone who attacks to see denied.htm from the WebKnight directory, select Response Directly.
If you want someone who attacks to see a page from your own website instead (for example http://www.xxx.com/Error/Denied.htm), select Response Redirect and enter that file's path on your site (for example /Error/Denied.htm) in Response Redirect URL below it.
If you only want to record attacks without interrupting user access, choose Response Log Only.
Logging
If the log volume is particularly large, deselect Enabled; otherwise free disk space is very likely to disappear without you noticing, and there may be serious disk I/O performance problems.
By default the logs are stored in the LogFiles folder in the WebKnight directory. To change the path, change the Log Directory value.
WebKnight writes each day's log to a separate file and keeps 28 days of data by default, which you can change in Log Retention.
Connection
There is no need to change the default configuration
Authentication
There is no need to change the default configuration
Request Limits
Deselect Limit Content Length (Content-Length is a header value that gives the size of the request body).
Deselect Limit URL (which limits the length of the URL) for the same reason as above: the URL can also be very long.
Deselect Limit Query String (the length of the query string) for the same reason: the query string can also be very long.
Deselect Limit HTTP Version. I feel there is no need to restrict the HTTP version; doing so may leave users of old browsers unable to access the website.
Deselect Use Max Headers (which limits the maximum length of each header item). I selected it at first, but in practice some header items were too long because of website traffic statistics, advertising partner code and so on, and it blocked quite a lot of normal requests, so I decided to deselect it once and for all.
URL Scanning
Uncheck RFC Compliant URL, RFC Compliant HTTP Url and Deny Url HighBitShellCode; otherwise many less standard URL formats, such as URLs containing Chinese characters, will be inaccessible.
Deselect Deny URL Backslash, because our website also uses "\" in URLs.
URL Denied Sequences lists URL strings that cause a request to be rejected. If your site uses any of them, delete them by selecting the item, right-clicking and choosing Remove Selected.
Mapped Path
Keep Use Allowed Paths checked, because it limits the physical paths on the server that the web application can access. All we need to do is add our own physical path, such as F:\WebSite1, to Allowed Paths: right-click any item > Insert Item, enter the physical path, and press Enter.
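The idea behind Allowed Paths, shown as an added example (not WebKnight's own code and not part of the original article): a mapped physical path is accepted only if, after normalisation, it is an allowed root or lies beneath one. The function names and sample paths are constructed for illustration; F:\WebSite1 is the article's example root.

```python
import ntpath  # Windows path rules, usable on any platform

# Allow-list mirroring the article's example site root.
ALLOWED_PATHS = [r"F:\WebSite1"]


def canonical(path):
    """Normalise a Windows path: resolve '.', '..', mixed slashes and case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(mapped_path, allowed=ALLOWED_PATHS):
    """True only if mapped_path is an allowed root or lies beneath one."""
    candidate = canonical(mapped_path)
    for root in allowed:
        root = canonical(root).rstrip("\\")
        # Match on a separator boundary so F:\WebSite10 is not
        # mistaken for a child of F:\WebSite1.
        if candidate == root or candidate.startswith(root + "\\"):
            return True
    return False


def naive_is_allowed(mapped_path, allowed=ALLOWED_PATHS):
    """Flawed comparison kept for contrast: raw prefix test, no normalisation."""
    return any(mapped_path.startswith(root) for root in allowed)


# Constructed sample paths (not taken from any real log).
SAMPLES = [
    r"F:\WebSite1\default.aspx",                         # inside the root
    r"f:/website1/images/logo.gif",                      # same root, other spelling
    r"F:\WebSite1\..\WebKnight\WebSite1\WebKnight.xml",  # climbs out via '..'
    r"F:\WebSite10\default.aspx",                        # sibling with shared prefix
    r"C:\WINDOWS\system32\inetsrv\MetaBase.xml",         # unrelated location
]


def compare(samples=SAMPLES):
    """Return (path, naive_result, strict_result) for each sample."""
    return [(p, naive_is_allowed(p), is_allowed(p)) for p in samples]


if __name__ == "__main__":
    for path, naive, strict in compare():
        print(f"{path:52} naive={naive!s:5} strict={strict}")
```

String normalisation alone does not resolve junctions or 8.3 short names, so the allow-list should sit alongside NTFS permissions on the application pool account rather than replace them.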
Requested File
In Denied Files (files for which requests are rejected), remove any files that your site allows to be requested, such as log.htm and logfiles.
In Denied Extensions, remove any extensions that your site allows to be requested, such as shtm.
Robots (spider programs)
There is no need to change the default configuration
Headers
In Server Header you can change the value of the Server field in the header; I think you can change this as well.
To avoid blocking legitimate requests, uncheck RFC Compliant Host Header and Use Denied Headers.
ContentType
Deselect Use Allowed Content Types. If it is selected, files cannot be uploaded.
Cookie (this one needs no translation :))
There is no need to change the default configuration
User Agent
Uncheck Deny User Agent Empty and Deny User Agent Non RFC; otherwise some legitimate access will be denied.
Referrer
Deselect Use Referrer Scanning. I think the referrer is unlikely to cause very serious security problems, and in order to let as many legitimate requests through as possible, I chose to deselect it.
Methods (HTTP request methods)
There is no need to change the default configuration
Querystring
There is no need to change the default configuration
Global Filter Capabilities
Uncheck Is Installed As Global Filter. Remember, this must be unchecked, otherwise WebKnight will not work.
SQL Injection
There is no need to change the default configuration
Web Applications
Check Allow File Uploads, or the ability to upload files will be disabled.
Check Allow Unicode.
Check Allow ASP.NET.
If your website needs to support ASP, check Allow ASP.
Likewise, check whichever other items your website needs to support.
After making changes, remember to save the configuration via File > Save in the menu bar (or with the shortcut Ctrl+S). After saving, restart IIS or the application pool to enable WebKnight.
Tip: you can see which legitimate requests were blocked by looking at the WebKnight log, and then modify the corresponding configuration.
Note that IIS 5.0 isolation mode must be enabled for installation; otherwise the DLL fails to load.
To enable IIS 5.0 isolation mode: IIS Manager -> Web Sites -> right-click, Properties -> Service -> Run WWW service in IIS 5.0 isolation mode (check the box) -> Apply.
Restart IIS, then install WebKnight.
On a 32-bit system, run WebKnight.msi in the WebKnight\Setup\w32 directory.
On a 64-bit system, run WebKnight.msi in the WebKnight\Setup\x64 directory.
The installation can use the defaults, or you can choose your own path. When setup finishes, go to the installation directory and run Config.exe.
Then select WebKnight.xml. The specific security settings will be discussed later. I wish I could translate it.
Again, you must turn on IIS 5.0 isolation mode for the firewall to load successfully.
If the DLL fails to load, you can install the official version in the attachment. The official download address is http://aqtronix.com/?PageID=99#Download