.Net IIS 常用安全漏洞設定
| 安全選項 | 配置點 |
| 遮蔽 OPTIONS, TRACE Http響應 |
<system.webServer> <security> <requestFiltering> <verbs allowUnlisted="true"> <add verb="OPTIONS" allowed="false"/> <add verb="TRACE" allowed="false"/> </verbs> </requestFiltering> </security> </system.webServer> |
| 新增安全頭標識 |
<system.webServer> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> <add name="X-XSS-Protection" value="1; mode=block" /> <add name="X-Content-Type-Options" value="nosniff" /> <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" /> <remove name="X-Powered-By" /> <add name="Cache-Control" value="no-cache, no-store" /> <add name="Pragma" value="no-cache" /> </customHeaders> </httpProtocol> </system.webServer> |
| 關閉IIS Server版本 ; 需要安裝IIS外掛 URLRewrite才生效 |
<system.webServer> <rewrite> <outboundRules> <rule name="replace server header" patternSyntax="Wildcard"> <matchserver Variable="RESPONSE_SERVER" pattern="*"/> <action type="Rewrite" value=""/> </rule> </outboundRules> </rewrite> </system.webServer> |
| 將目錄訪問的無權403錯誤都轉成 404 頁面 |
<system.webServer> <handlers> <add name="StopDirectoryBrowsing" path="*." resourceType="Directory"verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" /> </handlers> </system.webServer> 或 <system.webServer> <httpErrorserror Mode="Custom"> <removestatus Code="403" /> <errorstatus Code="403" path="ErrorPage.html" responseMode="ExecuteURL" /> </httpErrors> </system.webServer> |
| 關閉ASP.Net版本號 |
<system.web> <httpRuntimeenableVersionHeader="false"> </system.web> |
| 加密Viewstatus |
<system.web> <machineKeyvalidation="AES"/> </system.web> |
| 任何時候避免出現伺服器錯誤,開啟自定義的出錯頁面,所有出錯跳轉到一個自定義的錯誤 | <customErrorsmode="On"defaultRedirect="customerErr.html"/> |
| 提交內容有明文傳遞 | 需要改為Https://才能解決 |
| Weak SSL Cipher | 關閉弱安全協議SSL2.0,SSL3.0 用工具IISCrypto.exe |