Configuring ASP CGI PHP MySQL Raiders to support ASP CGI PHP MySQL
Install Win2K, install IIS
InDexing Service, FrontPage 2000 Server Extensions, Internet Service Manager (HTML), there are some other, in short, unloaded. (According to safety principles, least service minimum permissions = maximum security.)
First, open the Internet Manager (Start -> Program -> Management -> Internet Service Management) If you installed on the top, there is a default site and a SMTP service item to select the default site, remove all the following table of Contents. (Press the DELETE button on your keyboard) to stop IIS, the simplest method: Start -> Run -> Enter net stop iisadmin Select Y Enter (started commands: NET Start W3SVC) Put the C disk INETPUB The directory completely deletes (after stopping IIS can be deleted), in other discs, create a directory in IIS Manager to point the main directory of the default site to the new directory, if you need any permissions, you can build it, what need? What is the right to open? (Special paying attention to writing permissions and executing programs, there is no absolute need to be given, the default is not given, so you don't have to study, huh, huh ..)
Application Configuration: Remove any useless mappings outside the IIS Manager, leave ASP, ASA, and other file types you really need to use, (except CGI, PHP, other, I think you are useless, delete HTW, htr, idq, ida ...) I don't know where to delete it? ? Method: Open Internet Service Management -> Select Site -> Properties -> WWW Service -> Edit -> Home> Configuration -> Application Mapping, then start one by one to delete it (without all the best, true trouble). The script error message will then be changed to send text in the application tutoring of that window (unless you want the ASP error, the user knows your program / network / database structure) error text written? Just like you like it, look at it. Don't forget to let the virtual directory inherit the properties you set when you click OK.
In order to deal with increasing CGI vulnerability scanner, there is a small tip that can be referred to in IIS, and the HTTP404 Object Not Found error page will be redirected to a custom HTM file via URL, which can make the most CGI vulnerability scanner fail. In fact, the reason is very simple. Most CGI scanners are written for convenience. By checking if the HTTP code returns to the page is existing, for example, the famous IDQ vulnerability is generally verified by taking 1.IDQ, if Returns to HTTP200, it is considered to have this vulnerability, and vice versa if it returns HTTP404, if you reform the HTTP404 error message to the http404.htm file via URL, all scans return HTTP200, 90% The CGI scanner will think that you have any vulnerabilities. The result is that your true vulnerability is covered, so that the invaders are nowhere to start, but from the perspective, I still think that it is triggered to do safety settings than such tips. More important.
Win2000 account security is another focus. First, Win2000's default installation allows any user to get all the account / sharing lists through empty users, this original is to facilitate local area network users to share files, but a remote user can get your user List and crack user passwords with violence. Many friends know that can ban 139 empty connections can be disabled by changing registry local_machine / system / currentcontrolset / control / lsa-restrictanonymous = 1, actually Win2000 local security policy (if it is domain server is in domain server security and domain security policies There is such options restrictanonymous (additional limit for anonymous connection), this option has three values: 0: None. Rely on default permissions (no, depending on the default permissions) 1: do not allow Enumeration of Sam Accounts and Shares Not allowed to enumerate SAM account and share) 2: No Access WITHOUT EXPLICIT Anonymous Permous Permouss (no explicit anonymous permission is not allowed) 0 This value is the system default, what limit is not, remote users can know all your machines Account, Group Information, Shared Directory, Network Transfer List (NetServertransportenum, etc.) This setting is very dangerous to the server. 1 This value is only non-null user access SAM account information and sharing information. 2 This value is in Win2000 It is supported by it. If you use this value, your sharing is all finished, so I recommend you to 1 is better. Ok, invaders have no way to get us now. User list, our account is safe ... slow, there is at least one account is a password, this is the system built-in Administrator, what should I do? I changed, in computer management -> User account Administrator then renamed, change what casters, as long as you can remember it. After changing the super management user name, you can also see it in the Terminal Service login interface (you log in, you have remember), modify the method: Run Regedit, find the Don't Display Last User Name string data in HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / WindowsNT / CURRENTVERSION / WINLOGON item, so that the system does not automatically display the last login user name.
For security, you can also open TCP / IP filter, right-click on the desk, right-click on the network -> Properties -> Right click on the NIC you want to configure -> Properties -> TCP / IP-> Advanced -> Options -> TCP / IP Filter Here there is three filters, which are: TCP ports, UDP ports, and IP protocol TCP ports, click "Allow", then add the port you need to open, in general, the web server only needs to open 80 (WWW) The FTP server needs to open 20 (FTP DATA), 21 (FTP Control), 3306 (MySQL), 3389 (remote terminal control, if your host is hosted in the room room, you can't do it directly * Mail server Need to open 25 (SMTP), 110 (POP3), I have no research on the port, but if you provide the service provided by this article, you only have to open a few. (80, 20, 21, 25, 3306, 3389) - CGI support
Download ActivePerl (you can download the latest version of www.perl.com)
1, decompression, run install.exe, default is installed under C: / Perl, but for convenience, please install it to the C: / usr directory, (so you can use it directly to write the PERL interpreter).! / USR / BIN / Perl can be consistent with the stand-alone environment and the network environment path. Press Y.) 2, after installing, follow these three steps to modify the registry: Run Reedit, search: hkey_local_machine / system / CurrentControlSet / Services / W3SVC / Parameters / ScriptMap / key name, then add key name: ". Cgi", key value: "c: /usr/bin/perl.exe% s" and key name: ". Pl" Key value: "c: /usr/bin/perl.exe% s" (do not know how to build? So: In the box ---> Right button ---> New -> string value name Change to .cgi, double-click the key to enter numerical data, which is the key value mentioned above), because the host is to support PHP, so it adds support here to PHP and PHP3 (in the new site, save time) Add key name ".php", key value: "C: / php/php.exe% S% S" Add key name ".php3", key value: "c: / php/php.exe% s% s" OK, take effect after restart! CGI supports! After the new site is created, the application configuration will be added to PHP and CGI support (not to delete this permission). CGI support!
--Mysql support
Download mysql (you can download the latest version) for www.mysql.com)
1, decompression, run setup.exe fully installed, the default installation path is: C: / mysql; 2, after the installation is complete, "Run" in the Start button, enter the command: c: / mysql / bin / mysqld- Nt.exe --install, and execute; 3, start-> program -> management tool -> service -> find mysql -> boot it; 4, MySQL installation is complete, restart Win2000 5, turn it on C: /mysql/bin/winmysqladmin.exe, when using it for the first time, the administrator name and password are required, set the username and password, and after setting, the system tray will appear a "traffic light" small icon (later The system is automatically loaded when the system starts). 6, ok, mysql support to get! - PHP support
Download PHP (you can download the latest version)
1. Unzip PHP 4.0.4 to C: / PHP; 2, copy the php.ini-dist file within the PHP directory to the Winnt directory, renamed it is php.ini; (this is the PHP configuration file, no need to change Operation, I didn't study it carefully) 3. To modify the php.ini file content as needed, if you want to use the session feature, create a C: / TMP directory, and set the value of the session.save_path in the php.ini document to an absolute path: C: / TMP; 4, copy the php4ts.dll file within the PHP directory to the WinNT / System32 directory; 5, start "Internet Service Manager" (IIS) in the management tool in the control panel; 6, open the site attribute In the 'ISAPI Filter' option, add a new filter, use 'php' as the filter name, fill in PHP4isapi.dll and its path in the Executable File column (C: / PHP / SAPI / PHP4isapi) .dll). 7. Enable the default document "in the" Document "option of the property to join" index.php ";
