I. Software and environment required for virtual hosts
1. Serv-U 5.0.11 (it seems unsafe, but there is no way around it)
2. MySQL database
3. MSSQL database
4. pcAnywhere remote control
5. Anti-virus software; I usually use Norton 8.0
6. PHP 5
7. ActivePerl 5.8
With the exception of MSSQL, all of the above should be downloaded from the official sites in the recommended versions and installed. What follows are the installation settings, starting from the system install. Assume Windows 2000 Advanced Server is installed and the machine is divided into a C: drive, a D: drive and an E: drive, all formatted NTFS.
II. System port settings
A virtual host generally runs pcAnywhere and Terminal Services at the same time, and the Terminal Services port should be moved off its default, for example to 8735. Then set TCP/IP filtering according to the services you actually need to expose. Why not use Local Security Policy instead? My understanding is that TCP/IP filtering is the stricter of the two: everything not explicitly permitted is refused, whereas a local security policy permits everything unless it is explicitly refused. If I have this wrong, please correct me. TCP/IP filtering is set as follows: TCP ports permit only 21, 80, 5631, 8735 and 10001 through 10005; IP protocols permit only 6 (TCP); for UDP I have not done a detailed test and dare not say, so I will test it later. Ports 10001 through 10005 are the range configured in Serv-U for PASV-mode data connections; any other range would do just as well. In the Local Area Connection properties, uninstall every other protocol and leave only Internet Protocol (TCP/IP). While you are at it, rename the Administrator account to something more complex, and in Local Security Policy enable "Do not display last user name" and set a suitable account lockout policy. Then restart the machine and this part is done.
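The section II settings as a script, added here as an example; it is not code from the original article. It uses the XP/2003 reg.exe syntax (on Windows 2000 the same values can be set with regedit or the GUI); the interface GUID is a placeholder you must replace with the adapter's own key name; UDP is left at permit-all because the text only restricts TCP; the lockout numbers are my own choices. One caveat not on the page: pcAnywhere also uses UDP 5632 for status, so if you later restrict UDP that port must stay open. Renaming the Administrator account is left to Local Security Policy.

```batch
@echo off
rem Added example, not from the original article. Assumes XP/2003 reg.exe syntax and
rem that IFGUID below is replaced with the real adapter key (see the reg query at the end).
setlocal
set IFGUID={00000000-0000-0000-0000-000000000000}
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

rem Terminal Services: move RDP from 3389 to 8735. Takes effect after a reboot.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 8735 /f

rem Turn on TCP/IP filtering (the "Enable TCP/IP Filtering (All adapters)" checkbox).
reg add "%TCPIP%" /v EnableSecurityFilters /t REG_DWORD /d 1 /f

rem Per-adapter permit lists; anything not listed is dropped.
rem 21 FTP control, 80 HTTP, 5631 pcAnywhere, 8735 moved RDP, 10001-10005 Serv-U PASV data.
reg add "%TCPIP%\Interfaces\%IFGUID%" /v TCPAllowedPorts /t REG_MULTI_SZ /d "21\080\05631\08735\010001\010002\010003\010004\010005" /f
rem UDP: a single "0" means permit all (the article restricts TCP only).
reg add "%TCPIP%\Interfaces\%IFGUID%" /v UDPAllowedPorts /t REG_MULTI_SZ /d "0" /f
rem IP protocols: 6 = TCP only.
reg add "%TCPIP%\Interfaces\%IFGUID%" /v RawIPAllowedProtocols /t REG_MULTI_SZ /d "6" /f

rem Do not show the last logged-on user name at the logon prompt.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DontDisplayLastUserName /t REG_SZ /d 1 /f

rem Account lockout: 5 bad attempts, 30-minute lockout and reset window (my values).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem Find the adapter key name for IFGUID, then reboot and confirm only the listed
rem TCP ports are listening.
reg query "%TCPIP%\Interfaces"
netstat -an | find "LISTENING"
endlocal
```

Run it once as the renamed Administrator, reboot, and compare the `netstat` output with the permit list before relying on it; a listener you forgot (MySQL on 3306, MSSQL on 1433) is blocked by the filter rather than the service, so it still shows as LISTENING locally.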
III. System permission settings
Now start installing the software. Everything goes on D:, with E: used for data backup. Install Serv-U first, to D:\Serv-U (the Chinese-localized cracked version, heh), then install the rest to D:. Now start on permissions. First, obviously, on C:, D: and E: delete Everyone, add the renamed Administrator and SYSTEM with Full Control, then under Advanced choose to reset permissions on all child objects and allow inheritable permissions to propagate. After that every file and directory on the system is under the full control of only the renamed Administrator and SYSTEM, each inheriting its parent directory's permissions automatically; below we grant each directory only the permissions it actually needs.
Running ASP and creating database connections requires files under C:\Program Files\Common Files. So on C:\Program Files\Common Files add Everyone with Read & Execute, List Folder Contents and Read. You could use the Advanced tab to make a stricter setting, but I have not done that and dare not say.
To run PHP, set permissions on C:\WINNT\php.ini so that Everyone can read it. If PHP's session directory is set to C:\WINNT\TEMP, Everyone needs read and write access there, since PHP creates the session files in it. For performance PHP is run as an ISAPI module, and D:\PHP gets Everyone Read & Execute, List Folder Contents and Read. I will not go into php.ini settings here: first, I do not understand them well enough; second, this article is only about system permissions. To run CGI, give D:\Perl Everyone Read & Execute, List Folder Contents and Read. Incidentally, running CGI through ISAPI is better for both security and performance.
Now for the headache: Serv-U. It is really powerful, but its security is poor, so we have to tweak it. The first concern is overflow attacks; 5.0.11 appears to have no such flaw. The second is tampering with the INI configuration file, but since nobody else has permission to write it, I will skip that. As far as I know, the only remaining route is to use the built-in default administrative account and password to add an account with write and execute permissions and then run a Trojan through it. So the default account password must be changed. This can be done by opening ServUDaemon.exe and ServUAdmin.exe in EditPlus and editing the string in place (the replacement must be the same length as the original, since you are overwriting bytes inside the binary). If you are too lazy to do it by hand, it is easy to write a small tool; I wrote one earlier for my own convenience. With that, Serv-U basically has no remaining problems.
As for the databases, I set no separate permissions; they simply inherit from the D: root. As for the accounts and passwords inside them, I am too lazy to go into that.
The last item is C:\WINNT\System32 and some of the programs under it. Many programs load their DLLs from here, and there are far too many files to sort out individually, so I give C:\WINNT\System32 Everyone Read & Execute, List Folder Contents and Read. That is not really safe in itself, but don't panic, we are not finished. Several particular programs in this directory need their own settings. First cacls.exe, heh; set this one first and then the others. It is the tool for setting permissions: stop it inheriting from its parent directory and deny everyone access, because we generally do not use this bird anyway. The other programs to set are net.exe, cmd.exe, ftp.exe, tftp.exe and telnet.exe; each is set so that only the renamed Administrator can access it.
Supplement: deny non-administrators access to the WINNT directory, then work out which files under WINNT still need to be reachable and re-grant read on each of those paths.
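Section III and the supplement as one cacls.exe script, added here as an example; it is not code from the original article, which does all of this in the Explorer security tab. Assumptions: the renamed Administrator is the placeholder "srvadmin", Serv-U is in D:\Serv-U, PHP in D:\PHP, Perl in D:\Perl, php.ini in C:\WINNT, and the PHP session directory is C:\WINNT\Temp. The supplement is covered because the root reset in step 1 already strips Everyone from WINNT and step 2 re-grants only the listed paths. Two caveats: cacls cannot untick "Allow inheritable permissions from parent", so after running it, disable inheritance on cacls.exe and the five tools in the Advanced tab, otherwise a later edit of System32's ACL can push Everyone back onto them; and restricting cmd.exe to the renamed Administrator will break any service or scheduled task that spawns a shell, so test that before relying on it (this script finishes because cmd.exe is already loaded).

```batch
@echo off
rem Added example, not code from the original article. Run as the renamed Administrator.
rem Placeholders: ADMIN is the renamed Administrator account. cacls "R" is Read & Execute
rem (which includes List Folder Contents and Read), "C" is Change, "F" is Full Control.
setlocal
set ADMIN=srvadmin

rem 1. Volume roots. Without /E cacls replaces the ACL, and /T pushes that onto every
rem    child object, which is the "reset permissions on all child objects" step: Everyone
rem    disappears and only %ADMIN% and SYSTEM keep Full Control. /C continues past files
rem    it cannot touch (pagefile.sys); "echo Y|" answers the confirmation prompt.
for %%V in (C: D: E:) do echo Y| cacls %%V\ /T /C /G %ADMIN%:F SYSTEM:F

rem 2. Re-grant only what web content needs. /E edits the ACL instead of replacing it.
cacls "C:\Program Files\Common Files" /T /E /C /G Everyone:R
cacls C:\WINNT\php.ini /E /G Everyone:R
rem    PHP creates session files here, so this one needs Change rather than Read.
cacls C:\WINNT\Temp /T /E /G Everyone:C
cacls D:\PHP /T /E /C /G Everyone:R
cacls D:\Perl /T /E /C /G Everyone:R
cacls C:\WINNT\System32 /T /E /C /G Everyone:R

rem 3. Sensitive tools: replace each ACL so only %ADMIN% can read or run them.
for %%F in (net.exe cmd.exe ftp.exe tftp.exe telnet.exe) do echo Y| cacls C:\WINNT\System32\%%F /G %ADMIN%:F

rem 4. Check the result while cacls is still usable: each tool should list only %ADMIN%,
rem    and Common Files should show Everyone:R alongside %ADMIN% and SYSTEM.
cacls C:\WINNT\System32\cmd.exe
cacls "C:\Program Files\Common Files"

rem 5. Last, because nothing below it could run afterwards: deny Everyone on cacls.exe.
echo Y| cacls C:\WINNT\System32\cacls.exe /D Everyone
endlocal
```

If step 1 is interrupted part-way, re-run it rather than continuing, because every later grant assumes the roots no longer carry an Everyone entry to be inherited.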