Build your own virtual host platform with Windows 2003 [Multiple pictures]
Date: 2004-07-14
As the Internet becomes more popular, virtual hosting services of all kinds are appearing. Because a virtual host has to provide a secure network application environment to a large number of different users, building a virtual hosting platform involves, besides setting up the Web and FTP servers, several problems unique to the virtual hosting environment. These problems are summarized and analyzed below. In my view, three main aspects need attention when building a virtual host:
1. Binding users to disks and domain names;
2. Limiting the disk space each user can use (disk quotas);
3. Security of IIS and of the user environment (I am using a Windows Server system).
Below I give a detailed introduction to these three aspects on Windows 2003 Enterprise Server.
First, binding users to disk space and domain names
First open Computer Management (if the server has been promoted to AD mode, open Active Directory Users and Computers instead), expand Local Users and Groups, right-click Users and create two user accounts. The accounts I created here are Test1 and Test2. Note that, for safety, you should also create a new group under Groups, put every account used for virtual hosting into it, and remove those accounts from the Users group. (A competent administrator has to watch many small details like this; otherwise one mistake can cause a disaster.) As shown in Figure 1:
(Figure 1)
After the accounts are created, create a LocalUser folder in the FTP space directory, then create one subfolder under it for each account. For example, if the FTP space is the D:\web_space folder, create a LocalUser folder under it and then two subfolders, Test1 and Test2. As shown in Figure 2:
(Figure 2)
Because the user accounts were just placed in a separate group, you must add this group on the Security tab of the FTP space root folder's properties; otherwise the users will not be able to access it over FTP. Figure 3:
(Figure 3)
Next we need to create an FTP site with user isolation. This feature was not available in earlier versions of IIS. FTP user isolation is intended for Internet Service Providers (ISPs) and application service providers, letting them give customers personal FTP directories for uploading files and web content. FTP user isolation confines each user to his own directory, preventing users from viewing or overwriting other users' web content. Because the top-level directory is the root of the FTP service, a user cannot browse higher up the directory tree. Within his own site, the user can create, modify, or delete files and folders. FTP user isolation is a site property, not a server property, and it cannot be turned on or off after the FTP site exists. So choose carefully when creating the FTP site; once the site is created, the setting cannot be changed.
FTP user isolation has three modes:
Do not isolate users: This mode does not enable FTP user isolation and behaves like earlier versions of IIS. Because there is no isolation between the different users logging in to the FTP site, this mode is best suited to sites that only offer shared content for download, or sites that do not need data-access protection between users.
Isolate users: In this mode the user is authenticated against a local or domain account before he can access the home directory matching his user name. All users' home directories are under a single FTP root directory, and each user is placed in, and restricted to, his own home directory. Users are not allowed to browse outside their own home directory. If users need access to a specific shared folder, a virtual root directory can be created for it. This mode does not use the Active Directory directory service for authentication. Note that when hundreds of home directories are created in this mode, server performance will drop.
Isolate users using Active Directory: This mode authenticates user credentials against the appropriate Active Directory container, rather than searching the entire Active Directory, which would need a lot of processing time. A specific FTP server instance is assigned to each customer to ensure data integrity and isolation. When the user object is in the Active Directory container, the ftproot and ftpdir properties can be extracted to provide the full path of the user's home directory. If the FTP service can access that path successfully, the user is placed in the home directory representing his FTP root location. Users can only see their own FTP root location, so they cannot browse the directory tree above it. If the ftproot or ftpdir attribute does not exist, or if they do not form a valid, accessible path, the user is denied access.
Open Internet Information Services (IIS) Manager, expand the server, right-click FTP Sites and create a new FTP site. In the creation wizard, because my server is not in Active Directory mode, we choose Isolate users. Figure 4:
(Figure 4)
After completing the creation wizard, open the properties of the new FTP site, click the Security Accounts tab, turn off anonymous connections, and click OK to exit. Finally, bind the domain names. Domain name binding comes in two forms. The first binds a complete domain name to the web service, for example providing space for www.test1.com and www.test2.com. The second is a sub-domain service, for example providing space for test1.yesky.com and test2.yesky.com. The two are the same in principle but differ in operation: the second requires DNS support on your own server.
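The account, folder, permission and FTP-site steps above can also be scripted. The following is an added example, not code from the original article, written for PowerShell on a Windows 2003 server with the IIS 6 ADSI provider (IIS://localhost). The FTP root D:\web_space, the group name FtpUsers, the site ID and the account passwords are placeholders to replace.

```powershell
# Added example (not from the original article): scripts the account, folder,
# NTFS permission and FTP-site steps described above for IIS 6 on Windows 2003.
# Assumptions: PowerShell is installed, the IIS ADSI provider is available,
# the FTP root is D:\web_space, and the passwords below are placeholders.

$FtpRoot   = 'D:\web_space'
$GroupName = 'FtpUsers'          # dedicated group for hosting customers
$Accounts  = @{ 'Test1' = 'ChangeMe-1!'; 'Test2' = 'ChangeMe-2!' }

function New-HostingAccount {
    param([string]$Name, [string]$Password)
    # net.exe is available on Windows 2003; New-LocalUser is not.
    & net user $Name $Password /add /passwordchg:no /expires:never | Out-Null
    & net localgroup $GroupName $Name /add | Out-Null
    # Remove the account from the built-in Users group, as the article advises.
    & net localgroup Users $Name /delete | Out-Null
}

function Grant-FolderAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)
    # Adds an inheritable Allow entry without disturbing the existing ACL.
    $acl  = Get-Acl $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl $Path $acl
}

function New-IsolatedFtpSite {
    param([int]$SiteId, [string]$Comment, [string]$Path)
    $svc  = [ADSI]'IIS://localhost/MSFTPSVC'
    $site = $svc.Create('IIsFtpServer', "$SiteId")
    $site.Put('ServerComment', $Comment)
    $site.Put('ServerBindings', ':21:')       # all addresses, port 21
    $site.Put('UserIsolationMode', 1)         # 1 = Isolate users (local accounts)
    $site.Put('AllowAnonymous', $false)       # anonymous connections off
    $site.SetInfo()
    $root = $site.Create('IIsFtpVirtualDir', 'ROOT')
    $root.Put('Path', $Path)
    $root.Put('AccessRead', $true)
    $root.Put('AccessWrite', $true)
    $root.SetInfo()
    $site.Invoke('Start')
}

# 1. Dedicated group and the hosting accounts
& net localgroup $GroupName /add | Out-Null
foreach ($name in $Accounts.Keys) { New-HostingAccount $name $Accounts[$name] }

# 2. LocalUser\<account> home folders under the FTP root
foreach ($name in $Accounts.Keys) {
    New-Item -ItemType Directory -Path (Join-Path $FtpRoot "LocalUser\$name") -Force | Out-Null
}

# 3. The group needs read/traverse on the root so isolation can place the
#    user; each user gets Modify only on his own home folder.
Grant-FolderAccess $FtpRoot $GroupName 'ReadAndExecute'
foreach ($name in $Accounts.Keys) {
    Grant-FolderAccess (Join-Path $FtpRoot "LocalUser\$name") $name 'Modify'
}

# 4. FTP site with user isolation on and anonymous access off
New-IsolatedFtpSite -SiteId 2 -Comment 'Hosting FTP' -Path $FtpRoot
```

Because UserIsolationMode is fixed at creation time, the script sets it before the first SetInfo() call; a site created without it would have to be deleted and recreated, exactly as the article warns for the GUI wizard.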
First let us go over some basic knowledge of the Domain Name System (DNS), which we must understand. We first need to know several terms: domain name space, root domain, top-level domain, second-level domain, host name, and zone.
Domain name space: This is the structure of DNS names, and it consists mainly of the root domain, top-level domains, second-level domains, and host names. Root domain: This is the top of the whole structure, represented by a dot (.). It is managed by a few foreign organizations (sadly, none of it is ours!).
Top-level domain: Made up of 2-3 English letters with a certain meaning, usually an abbreviation of an English word or a country code. For example, COM refers to commercial organizations, GOV to government agencies, and CN to China...
Second-level domain: Provided by domain name registrars to individuals or businesses. For example, in www.yesky.com, yesky is the second-level domain.
Host name: Used to identify a computer on the Internet or on an internal network. Note that on the Internet the host name sometimes refers to the IP address of a server rather than the server's name, which is different from an internal network!
Zone: A contiguous part of the domain name space. Zones are used to divide a domain name into several parts that can be managed separately; for example, the domain name www.yesky.com can be divided into two parts, www and yesky.com. In this way we can use yesky.com to generate different host names, such as mail.yesky.com, bbs.yesky.com and so on. This is quite important.
The DNS service process can be called the name resolution process, and it comes in two types: forward lookup and reverse lookup. A forward lookup resolves a domain name into an IP address. Take the domain name www.yesky.com as an example. When we type www.yesky.com into the IE browser, the computer automatically passes this name to the local DNS server (that is, the server whose IP address is entered in the DNS server box of the TCP/IP protocol properties of the network card). When the DNS server receives the request, it searches its own zone tables for the IP address corresponding to the name. If it finds one, it returns it; if not, it passes the query to one of the root domain DNS servers located abroad and asks it to resolve the name. The root DNS server returns the IP address of a COM domain DNS server to the local DNS server as a referral (because the top-level domain of yesky.com is COM). The local DNS server then sends a resolution request for www.yesky.com to the COM domain DNS server at that address; the COM domain DNS server returns a referral with the IP address of the yesky DNS server; the local DNS server then sends the resolution request for www.yesky.com to the yesky DNS server at that address; the yesky DNS server answers with the IP address of the host www; and the local DNS server returns that IP address to us. At this point resolution is complete, and the web page of www.yesky.com opens.
Reverse lookup is the opposite: it resolves an IP address into a domain name, as seen for example in the nslookup command-line tool of Windows 2003. Because the DNS service is indexed by domain name rather than by IP address, a reverse lookup would have to search through all the information, which is expensive. To avoid this, the DNS service creates a special second-level domain called in-addr.arpa, which is structured the same way as the rest of the domain name space but uses IP addresses instead of domain names.
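To make the referral chain above concrete, here is an added example (not part of the original article) that simulates the iterative forward lookup for www.yesky.com and a reverse lookup through in-addr.arpa. The "servers", their delegations and the addresses (documentation ranges) are all constructed in the script; the real root servers delegate in-addr.arpa separately, which the simulation collapses for brevity.

```powershell
# Added example (not from the original article): a simulation of the iterative
# forward lookup described above, plus a reverse lookup through in-addr.arpa.
# Zone data and addresses are constructed for illustration (192.0.2.0/24 is a
# documentation range), not real servers.

# Each "server" holds the records it is authoritative for; for anything else
# it answers with a referral (the name of the server one level down).
$Servers = @{
    'root'     = @{ 'com.' = 'com-tld'; '2.0.192.in-addr.arpa.' = 'yesky-ns' }
    'com-tld'  = @{ 'yesky.com.' = 'yesky-ns' }
    'yesky-ns' = @{
        'www.yesky.com.'           = '192.0.2.10'      # A record
        'mail.yesky.com.'          = '192.0.2.25'
        '10.2.0.192.in-addr.arpa.' = 'www.yesky.com.'  # PTR record
    }
}

function Get-LongestSuffixMatch {
    param([hashtable]$Table, [string]$Name)
    # A server refers the query to whichever delegation best matches the
    # right-hand end of the name (com. for www.yesky.com., and so on).
    $best = $null
    foreach ($key in $Table.Keys) {
        if ($Name -eq $key -or $Name.EndsWith(".$key")) {
            if ($null -eq $best -or $key.Length -gt $best.Length) { $best = $key }
        }
    }
    return $best
}

function Resolve-Iteratively {
    param([string]$Name)
    # Starts at the root, as the local DNS server does on a cache miss, and
    # follows referrals until a server answers with the record itself.
    $trace  = @()
    $server = 'root'
    while ($true) {
        $table = $Servers[$server]
        $key   = Get-LongestSuffixMatch $table $Name
        if ($null -eq $key) {
            return @{ Answer = $null; Trace = $trace + "$server -> no such name" }
        }
        $value = $table[$key]
        if ($key -eq $Name) {
            return @{ Answer = $value; Trace = $trace + "$server -> answer $value" }
        }
        $trace += "$server -> referral to $value for $key"
        $server = $value
    }
}

function ConvertTo-ReverseName {
    param([string]$IPv4)
    # 192.0.2.10 becomes 10.2.0.192.in-addr.arpa. (octets reversed).
    $octets = $IPv4.Split('.')
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa.'
}

$fwd = Resolve-Iteratively 'www.yesky.com.'
$fwd.Trace | ForEach-Object { Write-Host $_ }
Write-Host "www.yesky.com. -> $($fwd.Answer)"

$rev = Resolve-Iteratively (ConvertTo-ReverseName '192.0.2.10')
Write-Host "192.0.2.10 -> $($rev.Answer)"
```

The forward trace prints root, com-tld and yesky-ns in turn, matching the three referral hops the text describes; the reverse lookup reuses the same walk, which is the point of in-addr.arpa: the address is turned into a name so the ordinary name-indexed search applies.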
Note that if you want to offer this second kind of virtual hosting on the Internet, it is best to ask your domain name provider for DNS delegation, that is, have the provider hand DNS resolution for the domain over to your own DNS server. You can then use the DNS service of Windows Server to open sub-domains freely; otherwise you have to apply for every new sub-domain separately, which is very troublesome. Running DNS on your own server has many other benefits too, such as setting up a MAIL service. First open the DNS manager, expand the server, and create a new zone under Forward Lookup Zones. Choose to create a primary zone and enter the domain name you applied for. Note: enter only the zone I mentioned above, such as yesky.com or sina.com, then finish. Figure 5:
(Figure 5)
After the zone is created, create hosts in it. It is best to give each host the same name as the corresponding user name, which makes management easier. Of course, if your system has been promoted to AD mode, this step can be skipped, because in AD mode the corresponding host name is generated automatically each time you create an account. Figure 6:
(Figure 6)
After all hosts are created, open Internet Information Services (IIS) Manager and create a new Web site under Web Sites. In the IP Address and Port Settings dialog of the Web Site Creation Wizard, enter the complete domain name you want to bind as the host header, such as www.test.com, test1.test.com or test12.test.com. After creation completes, the domain name is bound to the space. Figure 7:
(Figure 7)
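The zone, host records and host-header web sites can be created in one pass. The following is an added example, not the article's own code: it uses dnscmd.exe (shipped with the Windows 2003 administration tools) for the zone and A records and the IIS 6 ADSI provider for the sites. The zone name yesky.com, the server address, the site IDs and the web root path are placeholders.

```powershell
# Added example (not from the original article): creates the DNS zone, one
# host (A) record per hosting account, and one IIS 6 web site per host name,
# bound by host header, as in the steps above.
# Assumptions: dnscmd.exe and the IIS ADSI provider are available; the zone,
# address, site IDs and web root are placeholders.

$Zone     = 'yesky.com'              # replace with the delegated zone
$ServerIp = '192.0.2.10'             # constructed address of this server
$WebRoot  = 'D:\web_space\LocalUser' # same folders the FTP site serves
$Accounts = @('Test1', 'Test2')

function New-DnsZoneWithHosts {
    param([string]$ZoneName, [string]$Ip, [string[]]$Hosts)
    # File-backed primary zone, then one A record per host name.
    & dnscmd /ZoneAdd $ZoneName /Primary /file "$ZoneName.dns" | Out-Null
    foreach ($h in $Hosts) {
        & dnscmd /RecordAdd $ZoneName $h A $Ip | Out-Null
    }
}

function New-HostHeaderSite {
    param([int]$SiteId, [string]$HostName, [string]$Path)
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    $site  = $w3svc.Create('IIsWebServer', "$SiteId")
    $site.Put('ServerComment', $HostName)
    # ServerBindings is "IP:port:hostheader"; an empty IP means all addresses,
    # so many sites share port 80 and are told apart by the host header.
    $site.Put('ServerBindings', ":80:$HostName")
    $site.SetInfo()
    $root = $site.Create('IIsWebVirtualDir', 'ROOT')
    $root.Put('Path', $Path)
    $root.Put('AccessRead', $true)
    $root.Put('AccessScript', $true)   # ASP only; no Execute permission
    $root.SetInfo()
    $site.Invoke('Start')
}

New-DnsZoneWithHosts $Zone $ServerIp $Accounts

$siteId = 100
foreach ($acct in $Accounts) {
    $siteId++
    $hostName = "$($acct.ToLower()).$Zone"
    New-HostHeaderSite -SiteId $siteId -HostName $hostName -Path (Join-Path $WebRoot $acct)
}
```

Every site here carries a host header, which sidesteps the conflict the article mentions next between host-header sites and a site bound to the bare IP address.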
As many hosts as you create in DNS, that many sub-domain Web sites can be created. You can also have the domain name provider point a domain name at your IP address directly. But note: once a site with a host header exists in Internet Information Services (IIS) Manager, a site without a host header sometimes stops working. This problem is strange, but it may be caused by the DNS mapping.
Second, limiting the disk space a user can use (disk quotas)
Before configuring, let's look at some basic knowledge of disk quota management so that we can understand how it works. Windows 2003 disk quotas track each user's usage on each drive and enforce limits according to that user's quota. Because quotas are tracked per user, usage is recorded no matter where on the disk the user stores files. Disk quotas have two notable characteristics:
1. Space usage is calculated from the files and folders owned by each user. When a user creates, copies or saves a file on a disk with quotas enabled, or takes ownership of a file, the system automatically deducts its size from the space the quota assigns to that user.
2. File compression is ignored when calculating a user's usage: the system counts the uncompressed size of files, regardless of how much disk space is actually used. This is because different file types compress very differently, which would cause large variations in the counted sizes and add a lot of work to disk management.
Note that disk quotas can only be enabled on NTFS volumes; otherwise they are not available.
Select the drive letter where your FTP space is located, open its Properties dialog, click the Quota tab, and select the Enable quota management check box to turn on disk quota management. The options that were greyed out become available; adjust them to your situation. Figure 8:
(Figure 8)
Deny disk space to users exceeding quota limit: With this check box selected, when users exceed their assigned disk space they receive a message that the space is used up and cannot write anything more into it.
Do not limit disk usage: Click this option when you do not intend to limit users' disk space.
Limit disk space to: Configure the disk space capacity a user may use.
Set warning level to: Configure the level at which, when a user's usage reaches it, a message is sent reminding the user that the space is nearly used up.
Quota Entries: Click this button to open the Quota Entries dialog, in which the quota can be configured individually for each user's disk space through the menus. You can also delete the quota entries of old users. Its main view also serves as a monitor of user quotas. Figure 9:
(Figure 9)
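The Quota tab settings above have a command-line equivalent in fsutil.exe, which ships with Windows 2003. The following is an added example, not code from the article: it enables and enforces quotas on the volume, sets the same per-user warning level and limit for each hosting account, and prints the quota entries and any violations for the routine checks the article recommends. The volume, limits and account names are placeholders.

```powershell
# Added example (not from the original article): applies the quota settings
# described above with fsutil.exe. Volume, limits and accounts are placeholders.

$Volume   = 'D:'         # NTFS volume holding the FTP space
$LimitMB  = 100          # "Limit disk space to"
$WarnMB   = 80           # "Set warning level to"
$Accounts = @('Test1', 'Test2')

function Enable-VolumeQuota {
    param([string]$Vol)
    # "track" turns quota management on; "enforce" also denies writes over
    # the limit (the "Deny disk space to users exceeding quota limit" box).
    & fsutil quota track $Vol   | Out-Null
    & fsutil quota enforce $Vol | Out-Null
}

function Set-UserQuota {
    param([string]$Vol, [string]$User, [int]$WarnMB, [int]$LimitMB)
    # fsutil takes the threshold (warning level) and the limit in bytes;
    # local accounts are given as COMPUTER\user.
    $warn    = $WarnMB  * 1MB
    $limit   = $LimitMB * 1MB
    $account = "$env:COMPUTERNAME\$User"
    & fsutil quota modify $Vol $warn $limit $account | Out-Null
}

function Get-QuotaReport {
    param([string]$Vol)
    # Per-user entries (what the Quota Entries window shows) and the
    # quota-violation events recorded so far.
    & fsutil quota query $Vol
    & fsutil quota violations
}

Enable-VolumeQuota $Volume
foreach ($acct in $Accounts) {
    Set-UserQuota -Vol $Volume -User $acct -WarnMB $WarnMB -LimitMB $LimitMB
}
Get-QuotaReport $Volume
```

Because quotas are charged to the file owner rather than to a folder, the limit applies to everything the account writes anywhere on D:, which is exactly the per-user accounting described in the first characteristic above.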
After setting these, click OK to close the Properties window, and the users' disk quotas are set. Quite simple.
Third, IIS and user environment security issues
I remember a senior security expert saying that from Windows 2000 Server onward, the Windows system itself is no worse than Linux and may even have surpassed it (here I am only quoting; I have no wish to start a Windows versus Linux argument). But because of the vulnerabilities and unsafe factors in Windows, and in the IIS service in particular, not many people would call it safe.
Because system security is too large a topic, and there are many different systems, it is impossible to cover everything. So, based on personal experience, I pick out the security issues most closely related to virtual hosting. Describing them thoroughly would take too much space, so here I can only point out these problems and how to solve them.
IIS security issues for systems supporting ASP:
In an IIS system that supports ASP there are two main problems. The first is attacks through the input boxes of ASP pages. In ASP pages we often see input boxes for the login account, password, queries, mobile phone number and so on. These controls are actually very dangerous, because behind them is usually a connection to a database (SQL Server, Oracle, etc.). An experienced programmer can enter database commands through these input boxes; once the database executes them through the system itself, they yield the database account and password, and from there it is not far to the SYSTEM or Administrator account. So when writing an ASP page we should place some restrictions on these input boxes, such as how many characters may be entered and which special characters are not allowed. Yet plenty of websites today can still be broken into this way, perhaps because the workload is too great :( The second problem is the FileSystemObject component. By default this component gives ASP the ability to read, write, copy, delete and rename any file on the Windows Server hard disk, which is really far too much permission. It also allows some malicious virtual host tenants to use this ASP component to attack and take control of the system. So do not enable it unless it is necessary; it is too dangerous.
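The two defences the paragraph describes for an input box, a length and character restriction and keeping the input out of the SQL text, look like this in practice. The following is an added example, not code from the article, written in PowerShell using the same ADODB COM objects a classic ASP page creates with Server.CreateObject, so the pattern carries over line for line. The table and column names are placeholders, and the command is built but not executed so the script runs without a database.

```powershell
# Added example (not from the original article): input restriction plus a
# parameterized ADODB.Command for a login form. Table/column names are
# placeholders; the command is not executed, so no database is needed.

function Test-LoginInput {
    param([string]$Account, [string]$Password)
    # Account: 3-20 letters, digits or underscore. Quotes, semicolons, spaces
    # and comment markers are all rejected, so nothing can alter the query.
    if ($Account -notmatch '^[A-Za-z0-9_]{3,20}$') { return $false }
    # Password: bounded length only; it is sent as a parameter, never as text.
    if ($Password.Length -lt 6 -or $Password.Length -gt 64) { return $false }
    return $true
}

function New-LoginCommand {
    param([string]$Account, [string]$Password)
    # Classic ASP equivalent: Set cmd = Server.CreateObject("ADODB.Command")
    $cmd = New-Object -ComObject ADODB.Command
    $cmd.CommandType = 1                      # adCmdText
    # The statement contains only placeholders; user input never touches it.
    $cmd.CommandText = 'SELECT UserId FROM Users WHERE Account = ? AND Password = ?'
    # CreateParameter(Name, Type, Direction, Size, Value):
    # 200 = adVarChar, 1 = adParamInput. Values travel separately.
    $cmd.Parameters.Append($cmd.CreateParameter('@account', 200, 1, 20, $Account))
    $cmd.Parameters.Append($cmd.CreateParameter('@password', 200, 1, 64, $Password))
    # In the page: set cmd.ActiveConnection to an open ADODB.Connection and
    # call cmd.Execute. Omitted here so the example runs offline.
    return $cmd
}

# Constructed inputs: the second is the kind of string the article warns
# about, and it is rejected before any database code runs.
$good = Test-LoginInput -Account 'test1'            -Password 'correct-horse'
$bad  = Test-LoginInput -Account "test1' OR 1=1--"  -Password 'x'
Write-Host "valid input accepted: $good; injection attempt rejected: $(-not $bad)"

# For comparison, the dangerous pattern is string concatenation such as
#   "SELECT ... WHERE Account = '" & Request("account") & "'"
$cmd = New-LoginCommand -Account 'test1' -Password 'correct-horse'
Write-Host ('parameters bound: ' + $cmd.Parameters.Count)   # 2
```

The character restriction alone is not enough for fields that legitimately contain punctuation, which is why the command uses parameters as well: with both in place, an input box can no longer turn into a database console.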
Basic system setting security issues:
First, port settings. A port is the logical interface between the computer and the external network, and it is also the computer's first barrier. Because a system used as a virtual host generally does not need to open many ports, you can add filters under the network card properties: Internet Protocol (TCP/IP) properties, Advanced, Options, TCP/IP filtering. However, the TCP/IP filtering settings of Windows Server have a small problem: you can only specify which ports are allowed, not which ports are denied. Annoying.
Second, IIS settings. First, remove the default IIS directory inetpub on the C: drive, stop the Default Web Site in Internet Information Services (IIS) Manager, and publish from newly created web sites instead. Be careful to create the directories you publish from on another drive letter, and do not give them simple or easily guessed names such as web, IIS or inetpub. Next, in Internet Information Services (IIS) Manager, delete the application extension mappings your virtual host does not need. If your system only needs to support ASP and HTML, keep those two mappings and remove the rest: right-click the host, Properties, WWW Service, Edit, Home Directory, Configuration, Application Mappings, then remove them one by one. Finally, on the Debugging tab of the application configuration, set script error messages to send a plain text message to the client.
Third, preventing DoS. DoS is the abbreviation of Denial of Service: an attacker generates a large number of packets so that the server is kept busy and cannot respond to other data. Changing the following values in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters can help defend against DoS attacks of a certain intensity:
SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirects REG_DWORD 0
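Applying the registry values above by hand is error-prone, so here is an added example (not code from the article) that writes them as REG_DWORD values and then reads the key back to report which ones, if any, did not take. It must run with administrative rights, and the TCP/IP stack only picks the values up after a reboot.

```powershell
# Added example (not from the original article): applies the TCP/IP registry
# values listed above and verifies them. Run as an administrator; a reboot is
# required before the TCP/IP stack uses the new values.

$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$HardeningValues = @{
    'SynAttackProtect'       = 2        # SYN flood protection
    'EnablePMTUDiscovery'    = 0
    'NoNameReleaseOnDemand'  = 1        # ignore NetBIOS name-release requests
    'EnableDeadGWDetect'     = 0
    'KeepAliveTime'          = 300000   # milliseconds
    'PerformRouterDiscovery' = 0
    'EnableICMPRedirects'    = 0
}

function Set-TcpipHardening {
    param([string]$Key, [hashtable]$Values)
    foreach ($name in $Values.Keys) {
        # -Type DWord creates a REG_DWORD value or overwrites an existing one.
        Set-ItemProperty -Path $Key -Name $name -Value $Values[$name] -Type DWord
    }
}

function Test-TcpipHardening {
    param([string]$Key, [hashtable]$Values)
    # Returns the names whose current value differs from the expected one;
    # an empty list means every setting is in place.
    $item  = Get-ItemProperty -Path $Key
    $wrong = @()
    foreach ($name in $Values.Keys) {
        $current = $item.$name
        if ($null -eq $current -or [int]$current -ne $Values[$name]) { $wrong += $name }
    }
    return $wrong
}

Set-TcpipHardening $TcpipKey $HardeningValues
$missing = Test-TcpipHardening $TcpipKey $HardeningValues
if ($missing.Count -eq 0) {
    Write-Host 'All TCP/IP hardening values are set; reboot to apply them.'
} else {
    Write-Host "Not applied: $($missing -join ', ')"
}
```

Test-TcpipHardening is also useful on its own as a periodic check, since these values are easy to lose when a server is rebuilt or a network stack is reset.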
Fourth, worker process isolation. On a virtual host, a fault in one user's web application, such as entering an infinite loop, can consume a large amount of server resources and finally crash the server. This problem was hard to solve in earlier versions of IIS, and sometimes third-party software had to be used.
Now, however, IIS 6.0 introduces worker process isolation mode, which runs all web applications in an isolated environment. When IIS runs in worker process isolation mode, applications can be configured to run in separate application pools. Each application pool logically represents a configurable worker process and links to the applications in the pool. Worker processes run independently of each other; they may fail, but they do not affect other worker processes. An application pool protects its applications from the worker processes that support other application pools. In this way applications are kept from affecting each other.
In worker process isolation mode, Hypertext Transfer Protocol (HTTP) requests are routed directly to the kernel-mode application pool queue serving the configured application. The worker process serving that application pool pulls requests directly from the queue, avoiding the overhead of process switching. To further protect the WWW service, IIS 6.0 isolates key web publishing components, such as the HTTP protocol stack and the WWW service, from the influence of third-party code running in worker processes. The HTTP protocol stack accepts WWW service requests and queues them; it continues to accept requests even when a worker process is in an abnormal state and its requests are interrupted. At the same time, the WWW service detects abnormal worker processes and shuts them down. If a new worker process is needed to serve requests, the WWW service starts one, and it takes the queued requests from the HTTP protocol stack. So even if a worker process fails, the WWW service continues to handle requests and users do not lose service. Open Internet Information Services (IIS) Manager, expand the server, right-click Application Pools and select Properties. In the dialog that pops up, set the process isolation options according to your own system environment. Figure 10:
(Figure 10)
Because system environments vary, there is no single standard; please refer to the Windows 2003 help.
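The application pool properties the article leaves to "your own system environment" can be scripted per customer. The following is an added example, not the article's own code: it creates one application pool per hosting account through the IIS 6 ADSI provider, with a low-privilege identity, recycling limits and health monitoring so that the runaway-loop case described above is bounded, and moves each customer's site into its pool. The site IDs, pool names and thresholds are placeholders.

```powershell
# Added example (not from the original article): one application pool per
# hosting customer, configured so a runaway page in one site cannot take the
# others down. Site IDs, pool names and thresholds are placeholders.

$Customers = @(
    @{ Name = 'Test1'; SiteId = 101 },
    @{ Name = 'Test2'; SiteId = 102 }
)

function New-IsolatedAppPool {
    param([string]$PoolName)
    $pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
    $pool  = $pools.Create('IIsApplicationPool', $PoolName)
    # 2 = NetworkService: a low-privilege identity for the worker process.
    $pool.Put('AppPoolIdentityType', 2)
    # Recycle the worker process past a private-memory limit (KB) or after a
    # day of uptime, bounding the damage from a leak.
    $pool.Put('PeriodicRestartPrivateMemory', 200000)
    $pool.Put('PeriodicRestartTime', 1440)
    # CPU limit is in 1/1000 of a percent; 50000 = 50%. CPUAction 1 shuts the
    # pool down when the limit is exceeded, which catches an infinite loop.
    $pool.Put('CPULimit', 50000)
    $pool.Put('CPUAction', 1)
    # Health monitoring: ping the process and replace it if it stops answering;
    # if it keeps failing, take the pool offline instead of restarting forever.
    $pool.Put('PingingEnabled', $true)
    $pool.Put('RapidFailProtection', $true)
    $pool.SetInfo()
}

function Move-SiteToAppPool {
    param([int]$SiteId, [string]$PoolName)
    # The site's root application is assigned to the pool.
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
    $root.Put('AppPoolId', $PoolName)
    $root.SetInfo()
}

foreach ($c in $Customers) {
    $poolName = "$($c.Name)Pool"
    New-IsolatedAppPool $poolName
    Move-SiteToAppPool -SiteId $c.SiteId -PoolName $poolName
}
```

Pools that share an identity still share file-system rights, so pair this with the per-customer NTFS permissions from the first section if customers must not read each other's content from script.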
Fifth, check the Event Viewer. As a network administrator you should check security regularly, and the Event Viewer reflects about 80% of the system's security situation, so we need to develop the habit of analyzing the Event Viewer every day. Generally, check once every morning and evening, and keep a week of logs.
Of course there is much more to say about security; it is a topic that can never be exhausted. I hope this article can serve to spark discussion. Thank you!
Note: Some terms and definitions in this article are taken from Microsoft. Source: China Network Information Security
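A morning-and-evening review is easier to keep up when the Security log is summarized automatically. The following is an added example, not code from the article: it counts the failure audits of the past day by event ID and by the account name in the event text, writes the summaries to CSV, and prunes archives older than a week, matching the retention the article suggests. It assumes it runs on the server under an account allowed to read the Security log, and the output folder is a placeholder.

```powershell
# Added example (not from the original article): a daily Security-log check
# that summarizes failure audits by event ID and by account and keeps a week
# of CSV archives. Output folder is a placeholder.

function Get-FailureAuditSummary {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-EventLog -LogName Security -EntryType FailureAudit -After $since)

    # Count by event ID so a sudden spike (for example in logon failures)
    # stands out at a glance.
    $byId = $events | Group-Object EventID | Sort-Object Count -Descending |
        Select-Object @{n='EventID'; e={$_.Name}}, Count

    # Logon-failure events carry the attempted account in the message text;
    # extract it so repeated attempts against one user become visible.
    $byAccount = $events | ForEach-Object {
        if ($_.Message -match 'User Name:\s+(\S+)') { $Matches[1] }
    } | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count

    return @{ Total = $events.Count; ByEventId = $byId; ByAccount = $byAccount }
}

function Export-DailyLog {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
    $summary = Get-FailureAuditSummary
    $summary.ByEventId | Export-Csv (Join-Path $Folder "failures-by-id-$stamp.csv") -NoTypeInformation
    $summary.ByAccount | Export-Csv (Join-Path $Folder "failures-by-account-$stamp.csv") -NoTypeInformation
    # Keep a week of archives, as the article recommends.
    Get-ChildItem $Folder -Filter '*.csv' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) } |
        Remove-Item
    return $summary.Total
}

$total = Export-DailyLog -Folder 'D:\logs\security'   # placeholder folder
Write-Host "Failure audits in the last 24 hours: $total"
```

Run it from a scheduled task at the two review times; the by-account table is the one to read first, since many failures against a single hosting account usually mean a password-guessing attempt rather than a forgetful customer.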