[Repost] Detailed Explanation of Permission Settings under Windows

xiaoxiao2021-03-06  17

With the Dvbbs (动网) forum deployed everywhere and its upload vulnerability made public, SQL injection attacks and webshells have turned firewalls into little more than decoration. Even a web server with every Microsoft patch applied and only port 80 open to the outside still ends up compromised. Are we really that helpless? Not at all: once you understand permission settings on NTFS, you can say "no" to the crackers.

To build a secure web server, the server must use NTFS together with Windows NT/2000/2003. Windows is a multi-user, multi-tasking system, and that is the foundation of permission settings: every permission is tied to a user or a process, so different users get different permissions when they access the machine. DOS, by contrast, is a single-user, single-tasking operating system. Does that mean DOS has no permissions? No. Whoever boots a DOS machine has administrator-level power over it, and that power applies everywhere. So we can only say that DOS does not support permission settings, not that it has no permissions. As security awareness grew, permission settings arrived with the release of NTFS.

In Windows NT, users are organized into groups; different groups have different permissions, and users within one group can differ as well. The common built-in groups are as follows.

Administrators: the administrators group. By default its members have unrestricted full access to the computer or domain; the default permissions assigned to this group allow full control of the entire system. Only trusted people should be members.

Power Users: the power users group. Power Users can perform any operating-system task except those reserved for Administrators. The default permissions let members modify settings for the entire computer, but Power Users cannot add themselves to the Administrators group. In terms of permissions this group is second only to Administrators, and in practice it should be treated as nearly administrative; Microsoft stripped the group of its special rights starting with Windows Vista for exactly that reason.

Users: the ordinary users group. Members cannot make deliberate or accidental system-wide changes, so they can run certified applications but not most legacy ones. Users is the safest group: its default permissions do not allow members to modify operating-system settings or other users' data, which makes it the most secure environment in which to run programs. On NTFS-formatted volumes the default security settings are designed to prevent members from compromising the integrity of the operating system and installed programs. Users cannot modify system-wide registry settings, operating-system files or program files. They can shut down a workstation but not a server, and they can create local groups but modify only the ones they created themselves.

Guests: the guests group. By default Guests have the same access as members of Users, but the Guest account itself is more restricted.

Everyone: as the name suggests, every user on this computer belongs to this group. On Windows 2000 this also includes the Anonymous Logon identity; Windows XP and Server 2003 removed anonymous users from Everyone.

There is one more very common identity that has permissions equal to, or even greater than, Administrators, but no user can be added to it and it is not shown in the list of groups: SYSTEM. The permissions required by the operating system and by system-level services are granted through it. Since it contains only the single SYSTEM account, it is more accurate to think of it as a user than as a group.

Permissions are layered: a higher-privileged user can act on lower-privileged ones, but apart from Administrators, members of other groups cannot access other users' data on an NTFS volume unless those users grant it. A lower-privileged user cannot do anything to a higher-privileged one. Most of us never feel permissions getting in the way, because we use the computer as a member of Administrators. That cuts both ways: nothing you want to do is blocked, but running as a member of Administrators makes the system an easy target for Trojans, viruses and other threats. Simply visiting a web site or opening an e-mail attachment can damage the system, because unfamiliar sites or attachments may carry Trojan code that is downloaded and executed; if you are logged on as a local administrator, that Trojan can use your administrative access to reformat the hard disk and cause irreparable loss. So do not log on as a member of Administrators unless you have to. Administrators contains one account created during installation, Administrator, which has full control of the server and can assign user rights and access control permissions to other users as needed. It must therefore have a strong password. Never remove Administrator from the Administrators group, but you can rename or disable it: because everyone knows that the "Administrator" account exists on many versions of Windows, renaming or disabling it makes it harder for attackers to target. A good server administrator usually does one or the other. The Guests group likewise has a default account, Guest, which is disabled by default;
leave it disabled unless there is a specific need for it. You can view groups and their members through Control Panel, Administrative Tools, Computer Management, Local Users and Groups.

Right-click an NTFS volume, or a directory on one, choose Properties and then the Security tab, and you can set permissions on that volume or directory. Seven entries appear: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write and Special Permissions. Full Control means unrestricted access to the volume or directory, the standing Administrators has everywhere; selecting it automatically selects the five entries below it. Modify is the level a Power User typically has; selecting it automatically selects the four entries below it, and if any of those is cleared, Modify no longer holds. Read & Execute allows reading and running any file in the volume or directory; List Folder Contents and Read are its prerequisites. List Folder Contents only lists the subdirectories and files of the volume or directory without reading or running them, and it applies to folders only. Read allows reading the data in the volume or directory, and Write allows writing data to it. Special Permissions breaks these six down into finer-grained rights; readers who study it will find a much more detailed picture.

Below we plan, from the ground up, the permissions of a web server that has just had the operating system and service software installed. The server runs Windows 2000 Server with SP4 and all current patches. The web service is the IIS 5.0 that ships with Windows 2000, with all unnecessary script mappings removed. The hard disk is divided into four NTFS volumes: C: is the system volume, containing only the system and drivers; D: is the software volume, where every application installed on the server lives; E: is the web program volume, with the site's code in its WWW directory; and F: is the web data volume, with everything the site reads and writes stored in its wwwdatabase directory. This layout is close to what a properly secured server looks like. I hope every new administrator will classify server data sensibly: it makes things easier to find and, more importantly, greatly improves security, because each volume or directory can be given different permissions as needed, so that when a security incident does happen the damage is minimized. You can also spread the site's data across several servers, forming a server farm in which each machine has its own user names and passwords and provides a different service, which is safer still; the people who do that share one characteristic, though: they have money :). Back to the subject. The database is MS-SQL: SQL Server 2000 is installed in D:\MS-SQLServer2k with SP3 applied and a sufficiently strong password on the sa account. To make life easier for the web developers, FTP is also enabled, using Serv-U 5.1.0.0 installed in D:\FTPService\Serv-U.
Anti-virus and the firewall are Norton AntiVirus and BlackICE, installed in D:\Nortonav and D:\FireWall\Blackice, with the virus definitions up to date and the firewall rules opening only ports 80 and 21. The site itself is a Dvbbs 7.0 forum, with the program under E:\WWW\BBS. Careful readers will have noticed that none of these services is installed in its default path, nor merely in the default path with the drive letter changed. That too is a security measure: a hacker who gets onto your server by some route without obtaining administrator privileges will first look at which services are running and which software is installed, because he needs to escalate his privileges. An unusual path combined with good permission settings will stop him there. I believe a web server configured this way can resist most script kiddies. A reader may ask: "This doesn't even use permission settings! If I do all the other security work, are permissions necessary?" Of course they are. Even the wise slip up; however perfect your system security is today, new vulnerabilities are discovered all the time, and permissions will be your last line of defence. So let us leave every permission at the Windows default for now and simulate an attack, to see whether the server really is impregnable. Suppose the server's public domain name is

http://www.webserver.com. A scan shows the WWW and FTP services, running IIS 5.0 and Serv-U 5.1. After trying the published overflow tools for them without result, I give up the idea of a direct remote overflow. Opening the site shows it is a Dvbbs forum, so I append /upfile.asp to the domain name and find the file upload vulnerability. I capture the request, modify it to submit an ASP Trojan with nc, get "upload succeeded", and have a webshell. Opening the uploaded ASP Trojan I see that MS-SQL, Norton AntiVirus and BlackICE are running, and conclude that the firewall is restricting access and hiding the SQL Server port. Through the ASP Trojan I find the PIDs of Norton AntiVirus and BlackICE, upload a tool that can kill processes, run it and terminate both. A rescan now shows port 1433 open. From here there are many ways to obtain administrator privileges: read conn.asp in the web directory to get the SQL user name and password, log on to SQL Server and add a user with administrative rights; or modify ServUDaemon.ini under Serv-U to obtain system administrator privileges; or add a user to Administrators, and so on. As you can see, once an attacker has found an entry point, without permission restrictions he will obtain administrator privileges. So let us look at what Windows 2000's default permissions actually are. For the root directory of every volume, the Everyone group has Full Control by default, which means any user who gets onto the computer is unrestricted in those root directories. Three directories under the system volume are given restricted permissions by the system: Documents and Settings, Program Files and WINNT.
For Documents and Settings the defaults are: Administrators Full Control; Everyone Read & Execute, List Folder Contents and Read; Power Users Read & Execute, List Folder Contents and Read; SYSTEM the same as Administrators; Users Read & Execute, List Folder Contents and Read. For Program Files: Administrators Full Control; CREATOR OWNER special permissions; Power Users Full Control; SYSTEM the same as Administrators; Terminal Server User Full Control; Users Read & Execute, List Folder Contents and Read. For WINNT: Administrators Full Control; CREATOR OWNER special permissions; Power Users Full Control; SYSTEM the same as Administrators; Users Read & Execute, List Folder Contents and Read. Every directory on the non-system volumes inherits from its parent, which means Everyone has Full Control there too!
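Before changing anything it is worth seeing which of these defaults a server actually carries. The following PowerShell script is an added example, not part of the original article: it reads the ACL of each volume root and web directory from the layout above and lists every Allow entry that gives a broad principal write-capable rights. The paths and the anonymous web account name (IUSR_<COMPUTERNAME> on IIS 5, plain IUSR on IIS 7 and later) are assumptions; adjust them to your server.

```powershell
# Added example (not from the original article): audit NTFS ACLs on the volume
# roots and web directories for write-capable entries granted to broad principals.
# Paths follow the article's layout and are assumptions; run on the server itself.

# Principals that effectively mean "anyone who reaches the box". The anonymous
# web account is listed under both naming schemes (IIS 5 and IIS 7+), an assumption.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
    'NT AUTHORITY\IUSR'
)

# Any of these FileSystemRights bits lets the holder change data or the ACL itself.
$WriteLike = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership, Delete'

function Find-WeakAce {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Only Allow entries widen access; Deny entries are not a finding here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteLike) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # true when the entry flowed down from the parent
            }
        }
    }
}

# The volumes and directories from the article's layout, plus cmd.exe.
$Targets = @(
    'C:\', 'D:\', 'E:\', 'F:\',
    'E:\WWW', 'E:\WWW\BBS', 'F:\wwwdatabase',
    (Join-Path $env:SystemRoot 'System32\cmd.exe')
)

Find-WeakAce -Path $Targets | Format-Table -AutoSize
```

On a Windows 2000 server with default permissions the output shows Everyone with FullControl on every volume root and, because of inheritance, on E:\WWW and E:\WWW\BBS as well. On current Windows versions the root default is Users with a "create folders / append data" special right instead of Everyone Full Control, and the script flags that too; the Inherited column tells you whether the fix belongs on the directory itself or on a parent.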

Now you know why we obtained administrator privileges in the test above: the permissions are set far too loosely. A visitor to the web site runs as the IUSR_<machine> account, which belongs to Guests, so its own permissions are not high; but the default of Full Control for Everyone raises its "standing" step by step until it ends up as an Administrator. So how should permissions be set to make this web server safe? Remember the rule: "least services + least permissions = most security". Do not install any service that is not needed, because services run at system level; and grant permissions on the principle of "just enough". For the web server I just set up, I configured permissions as follows, for your reference: on the root directory of each volume, on Documents and Settings and on Program Files, grant Full Control to Administrators only (Program Files can even be removed outright); additionally grant Everyone Read and Write on the root of the system volume; grant Read and Write on E:\WWW, the web site directory; and finally locate cmd.exe and give Full Control to Administrators only. After these settings, breaking into the server by the route I just used is no longer possible. Some readers may ask: "Why does the root of the system volume need Read and Write? And don't the ASP files in the site need Execute permission?" Good questions, with some depth. If the system volume root has no Read and Write permission, the computer reports an error at startup and complains about virtual memory. This assumes the page file lives on the system disk; if you place it on another volume, that volume needs Read and Write instead. One caveat to add: the page file is created and opened by the SYSTEM account, so whatever else you remove, SYSTEM must keep access on the volume that holds it, and an Everyone entry on the root should apply to the root folder itself rather than being inherited by everything beneath it. As for ASP: an ASP file is executed on the server and only the result is sent back to the user's browser.
That is correct, but an ASP file is not an executable as far as the operating system is concerned; it is interpreted by the web service, IIS, so executing it does not require NTFS Execute permission, only Read. After this explanation you should have a basic understanding of permissions. To go deeper, you need to know four characteristics of permissions you may not be aware of: they are inherited, cumulative, prioritized and intersecting.
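The configuration just described, applied with Set-Acl, as an added example rather than the article's own script. The paths are the article's Windows 2000 layout, the anonymous web account name is an assumption (IUSR_<COMPUTERNAME> on IIS 5, plain IUSR on IIS 7 and later), and SYSTEM is kept alongside Administrators for the reason given above. Run it from an elevated prompt and test it on a copy first: protecting a volume root and discarding its inherited entries is not undone by a single command.

```powershell
# Added example (not the article's own script): apply the article's recommended
# permission layout with Set-Acl. Paths and the anonymous web account name are
# assumptions; SYSTEM is added because it creates pagefile.sys and runs services.
using namespace System.Security.AccessControl

$WebAnonymous = "IUSR_$env:COMPUTERNAME"   # assumption: IIS 5-style anonymous account

function New-Rule {
    param(
        [string]$Identity,
        [FileSystemRights]$Rights,
        [switch]$ThisFolderOnly,   # do not let the entry flow down to children
        [switch]$File              # files cannot carry inheritance flags
    )
    $inherit = if ($ThisFolderOnly -or $File) { [InheritanceFlags]::None }
               else { [InheritanceFlags]'ContainerInherit, ObjectInherit' }
    [FileSystemAccessRule]::new($Identity, $Rights, $inherit,
                                [PropagationFlags]::None, [AccessControlType]::Allow)
}

function Set-StrictAcl {
    param([string]$Path, [FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop the inherited entries ($false),
    # so a default such as "Everyone: Full Control" cannot flow back in.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$Admins = New-Rule 'BUILTIN\Administrators' FullControl
$System = New-Rule 'NT AUTHORITY\SYSTEM' FullControl

# Non-system volume roots and the two protected system folders: administrators only.
foreach ($p in 'D:\', 'E:\', 'F:\', 'C:\Documents and Settings', 'C:\Program Files') {
    Set-StrictAcl -Path $p -Rules @($Admins, $System)
}

# System volume root: the article adds Everyone Read + Write for the page file.
# Limit that entry to the root folder itself so it does not propagate into WINNT.
$rootRules = @($Admins, $System, (New-Rule 'Everyone' 'Read, Write' -ThisFolderOnly))
Set-StrictAcl -Path 'C:\' -Rules $rootRules

# Web site directory: the anonymous account needs Read to serve .asp files (IIS
# interprets them, so no Execute) and Write only where uploads have to land.
$wwwRules = @($Admins, $System, (New-Rule $WebAnonymous 'Read, Write'))
Set-StrictAcl -Path 'E:\WWW' -Rules $wwwRules

# cmd.exe: administrators only, so a webshell cannot spawn a shell through it.
# On Windows Vista and later the file is owned by TrustedInstaller; take ownership
# first (takeown /f) or Set-Acl is refused.
$cmdRules = @((New-Rule 'BUILTIN\Administrators' FullControl -File))
Set-StrictAcl -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Rules $cmdRules
```

Two design choices are worth noting. The helper removes every existing entry before adding the new ones, so the resulting ACL contains exactly what the script lists and nothing the installer or a previous administrator left behind. And the Write right on E:\WWW is granted to the anonymous web account rather than to Everyone; if the forum only needs to write to an upload directory, move that rule down to the directory and leave the rest of the site read-only, which is what would have stopped the upfile.asp trojan from landing in the first place.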

Inheritance means that a lower-level directory takes the permissions set on the directory above it without further configuration. One case needs explaining: when you copy a directory or file within a volume, the copy takes the permissions of its new parent directory; when you move a directory or file within the same NTFS volume, it keeps its original permissions. A move between volumes is a copy followed by a delete, so it behaves like a copy.

Accumulation means that a user's effective permissions are the sum of everything granted to the user directly and to every group the user belongs to. For example, if user1 is granted Read on a file or directory and Group1, of which user1 is a member, is granted Write, then user1 has both Read and Write. Likewise, if user1 belongs to both Group1 and Group2, Group1 has Read on a file or directory and Group2 has Full Control, then user1's permissions accumulate to Read + Full Control = Full Control. Priority has two aspects. First, permissions set directly on a file take priority over those of the folder that contains it: a file's own permissions apply regardless of what is set on the parent folder. Second, Deny takes priority over Allow: once Deny is selected for a permission, any Allow for that permission from another entry has no effect, as if it had never been set. One caveat: an explicit entry set on the object itself is evaluated before entries inherited from a parent, so an explicit Allow on a file overrides a Deny inherited from its folder.

Intersection applies when the same folder is both shared over the network and has NTFS permissions set for a user, and the two disagree: the effective permission is the intersection of the two, that is, the stricter, smaller set. If directory A gives user1 Read-only share permission but Full Control NTFS permission, user1's access over the network is Read-only.
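The four characteristics are easier to reason about as an algorithm. The following PowerShell script is an added example, not part of the original article: it models how NTFS combines the accumulation, priority and intersection rules into an effective permission, reducing rights to three bits and walking entries in the canonical order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The users, groups and entries are constructed for the demonstration and do not refer to any real system.

```powershell
# Added example (not from the original article): a small model of NTFS effective
# permissions. Rights are reduced to three bits; the entries are constructed data.

$Right = @{ Read = 1; Write = 2; Execute = 4; FullControl = 7 }

function New-Ace {
    param([string]$Who, [int]$Rights, [string]$Type = 'Allow', [bool]$Inherited = $false)
    [pscustomobject]@{ Who = $Who; Rights = $Rights; Type = $Type; Inherited = $Inherited }
}

function Resolve-Dacl {
    # Walk the entries in canonical order; the first entry that decides a bit for
    # one of the caller's principals wins. This is the "priority" rule, and it is
    # also why an explicit Allow beats an inherited Deny.
    param([object[]]$Aces, [string[]]$Principals)
    $granted = 0; $denied = 0
    $ordered = $Aces | Sort-Object { [int]$_.Inherited * 2 + [int]($_.Type -eq 'Allow') }
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.Who) { continue }
        $undecided = $ace.Rights -band -bnot ($granted -bor $denied)
        if ($ace.Type -eq 'Deny') { $denied = $denied -bor $undecided }
        else                      { $granted = $granted -bor $undecided }   # accumulation
    }
    $granted
}

function Get-EffectiveRights {
    param(
        [string]$User,
        [string[]]$Groups = @(),     # every group the user belongs to contributes
        [object[]]$Ntfs,
        [object[]]$Share = $null     # share permissions, only when reached over the network
    )
    $principals = @($User) + $Groups + 'Everyone'
    $effective = Resolve-Dacl -Aces $Ntfs -Principals $principals
    if ($Share) {
        # Intersection: the share and the NTFS ACL must each allow the bit.
        $effective = $effective -band (Resolve-Dacl -Aces $Share -Principals $principals)
    }
    $effective
}

function Format-Rights([int]$Bits) {
    $names = foreach ($n in 'Read', 'Write', 'Execute') { if ($Bits -band $Right[$n]) { $n } }
    if ($names) { $names -join '+' } else { 'None' }
}

# user1 is in Group1 (Read) and Group2 (Full Control): the accumulation rule.
$folderAcl = @(
    (New-Ace 'Group1' $Right.Read),
    (New-Ace 'Group2' $Right.FullControl)
)
$r1 = Get-EffectiveRights -User 'user1' -Groups 'Group1', 'Group2' -Ntfs $folderAcl
"accumulation:       {0}" -f (Format-Rights $r1)

# A Deny Write inherited from the parent is evaluated after the explicit Allows.
$withInheritedDeny = $folderAcl + (New-Ace 'Everyone' $Right.Write 'Deny' $true)
$r2 = Get-EffectiveRights -User 'user1' -Groups 'Group1', 'Group2' -Ntfs $withInheritedDeny
"inherited deny:     {0}" -f (Format-Rights $r2)

# An explicit Deny Write on the object itself is evaluated before every Allow.
$withExplicitDeny = $folderAcl + (New-Ace 'Everyone' $Right.Write 'Deny')
$r3 = Get-EffectiveRights -User 'user1' -Groups 'Group1', 'Group2' -Ntfs $withExplicitDeny
"explicit deny:      {0}" -f (Format-Rights $r3)

# Over a share that grants Everyone Read only, the intersection rule applies.
$shareAcl = @(New-Ace 'Everyone' $Right.Read)
$r4 = Get-EffectiveRights -User 'user1' -Groups 'Group1', 'Group2' -Ntfs $folderAcl -Share $shareAcl
"share intersection: {0}" -f (Format-Rights $r4)
```

Running the four scenarios shows each rule in isolation: the first two lines both report Read+Write+Execute, because the inherited Deny arrives after the explicit Allow has already decided the Write bit; the third drops Write, because the explicit Deny is processed first; and the fourth is reduced to Read by the share. When the article says Deny "crosses all other permissions", this ordering is the precise meaning, and it is the reason the Security tab warns you when you place a Deny on an object whose parent grants the same right.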

That is all I have to say. One last reminder: permission settings can only be applied on NTFS partitions; FAT32 does not support them. I would also offer some advice:

1. Develop good habits: partition the server disk with a clear classification, lock the server when you are not using it, and keep patches and anti-virus software up to date.

2. Set passwords of sufficient strength. This is repeated endlessly, yet there are always administrators who set weak or even empty passwords.

3. Avoid installing software in its default path.

4. Use the English version of the operating system if your English allows it.

5. Do not install unrelated software or unnecessary services on the server.

6. Remember: no system is secure forever; keep updating your knowledge.

When reposting, please cite the original URL: https://www.9cbs.com/read-41506.html
