Basic permission settings for Windows Virtual Hosts


Author: yunshu from: http://www.ph4nt0m.org/

Articles about script intrusion (getting into a server through a web-application flaw) are everywhere on the Internet; some are original, many are copies. A common route is to query http://whois.webhosting.info for every domain hosted on an IP address, find a script vulnerability in one of those sites, and use it to get onto the server. I know nothing about unpublished vulnerabilities, so please do not use them to attack me. Enough preamble. Here I describe how I set permissions on a Win2000 virtual host in a way I consider reasonably safe; this article is only about permission settings.

I. Software and environment required by Virtual Hosts

1. Serv-U 5.0.11 (said to be insecure, though not necessarily so)
2. MySQL database
3. MSSQL database
4. pcAnywhere remote control
5. Anti-virus software; I generally use Norton 8.0
6. PHP 5
7. ActivePerl 5.8

Apart from MSSQL, all of the software above should be downloaded from its official site in the recommended version. The installation and settings below assume Windows 2000 Advanced Server with three NTFS volumes: C:, D: and E:.

II. System port settings

A virtual host is normally managed with both pcAnywhere and Terminal Services. Terminal Services must be moved off its default port, for example to 8735. Then configure TCP/IP Filtering according to the services you actually expose. Why TCP/IP Filtering rather than an IPSec policy in the Local Security Policy? In my view TCP/IP Filtering is the stricter model: once you choose "Permit Only", anything not listed is rejected, whereas the Local Security Policy approach permits anything you have not explicitly blocked. Correct me if I have this wrong. The TCP/IP Filtering settings are:
TCP ports: permit only the ports you actually serve (the 10001-10005 range among them); IP protocols: permit only 6 (TCP); UDP ports: I have not tested these in detail, so I will not comment yet and will come back to it. The 10001-10005 TCP range is what I use for Serv-U's PASV mode; any other range works just as well. One thing to check after enabling the filter: TCP/IP Filtering is stateless and inspects inbound packets only, so replies to the host's own outbound queries (DNS lookups, for instance) arrive on ephemeral ports and are subject to the same rules. Confirm the host can still resolve names and reach whatever it needs.
In the Local Area Connection properties, uninstall every other protocol and leave only Internet Protocol (TCP/IP). While you are there, rename the Administrator account to something non-obvious, enable "Do not display last user name in logon screen" in the Local Security Policy, and set a sensible account lockout policy. Restart the computer, and this step is done.
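The same "deny unless explicitly permitted" inbound policy on a current Windows Server, as an added example that is not part of the original article: it uses the Windows Firewall in place of Windows 2000 TCP/IP Filtering, relocates the RDP port as the article does, and then checks that nothing is listening outside the allow list. It assumes Windows Server 2012 R2 or later, an elevated session, and placeholder ports (21 for FTP, 80/443 for the web server, 8735 for RDP, 10001-10005 for the Serv-U PASV range); adjust `$AllowedTcpPorts` to what you actually serve.

```powershell
# Added example, not from the original article. Assumptions: Windows Server
# 2012 R2 or later, elevated PowerShell, NetSecurity/NetTCPIP modules present,
# and placeholder port numbers (21 FTP, 80/443 web, 8735 RDP, 10001-10005 PASV).
$ErrorActionPreference = 'Stop'
$RdpPort         = 8735
$AllowedTcpPorts = @(21, 80, 443, $RdpPort) + (10001..10005)

function Set-RdpPort {
    # Move Terminal Services / RDP off 3389; TermService must restart for it to apply.
    param([int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
}

function Set-DefaultDenyInbound {
    # Inbound: block unless a rule allows it. Outbound stays open, as the article's filter did.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Add-AllowedTcpRules {
    # One allow rule per port, created only if a rule of that name does not exist yet.
    param([int[]]$Ports, [string]$Prefix = 'VHost-Allow-TCP')
    foreach ($p in $Ports) {
        $name = "$Prefix-$p"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Allow -Profile Any | Out-Null
        }
    }
}

function Get-UnexpectedListeners {
    # Listening TCP sockets whose port is not on the allow list, with the owning process,
    # so the operator can decide whether the service should be removed rather than just blocked.
    param([int[]]$Allowed)
    Get-NetTCPConnection -State Listen |
        Where-Object { $Allowed -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '?' }
            }
        }
}

Set-RdpPort -Port $RdpPort
Set-DefaultDenyInbound
Add-AllowedTcpRules -Ports $AllowedTcpPorts

$extra = @(Get-UnexpectedListeners -Allowed $AllowedTcpPorts)
if ($extra.Count -gt 0) {
    Write-Warning 'Listeners outside the allow list (the firewall blocks them, but find out why they exist):'
    $extra | Format-Table -AutoSize
} else {
    Write-Host 'Only allow-listed TCP ports are listening.'
}
```

Unlike TCP/IP Filtering, the Windows Firewall is stateful, so replies to the host's own DNS queries pass without a UDP allow rule. The listener report will normally show SMB (445), RPC (135) and similar system services; blocking them at the firewall is the minimum, disabling the ones the host does not need is better.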

III. System permission settings

Now install the software. Everything goes on D:, and E: is reserved for data backups. Install Serv-U first, to D:\Serv-U, and apply the Chinese-language patch; then install the rest on D: in order. Now the permissions. On the Security tab of C:, D: and E:, remove Everyone and add the renamed administrator and SYSTEM with Full Control. Under Advanced, tick "Reset permissions on all child objects and enable propagation of inheritable permissions". After this, every file and directory on the system is accessible only to the renamed administrator and SYSTEM, and every child inherits its permissions from its parent. Next, grant per-directory permissions where a service actually needs them.

ASP pages and their database connections need files under C:\Program Files\Common Files, so on that directory add Everyone with Read, List Folder Contents, and Read & Execute. The Advanced tab allows tighter settings, but I have not worked those out.

For PHP, C:\winnt\php.ini must be readable by Everyone. If the PHP session directory is set to C:\winnt\TEMP, that directory needs Read and Write for Everyone. For performance, PHP is configured as an ISAPI module rather than CGI. D:\PHP gets Everyone Read, List Folder Contents, and Read & Execute. I will not cover php.ini itself: partly because I do not understand it well enough, partly because this article is about file-system permissions only. One consequence of the session setting is worth knowing: a single world-writable session directory is shared by every site on the host, so a script on one site can read, and forge, the session files of another. Giving each site its own session.save_path, with access limited to that site's identity, avoids this.

For CGI, D:\Perl gets Everyone Read, List Folder Contents, and Read & Execute. Mapping the CGI extensions to Perl's ISAPI DLL instead of launching perl.exe for every request is also better for both security and performance.

Now the big one, Serv-U. It is powerful, but its security record is poor, so it needs some work. The first concern is buffer-overflow attacks; 5.0.11 does not appear to have that defect. The second is modification of its ini configuration file, which the permissions above already prevent. As far as I know, the remaining route in is the built-in default management account and password, used to add an FTP account with write and execute permission and run a trojan through it. Change that default password. If you cannot be bothered to do it by hand, it is easy to write a small program in any language to do it; I wrote one for my own convenience. With that done, Serv-U is basically fine.

The databases need no special permissions; they simply inherit from the root of D:. How to set the accounts and passwords inside them is beyond the scope of this article.

The last item is C:\winnt\system32 and a few files in it. Many programs need DLLs from here, and there are too many files for me to have gone through all of them, so I gave the whole directory Everyone with Read, List Folder Contents, and Read & Execute. On its own that is not safe, but we are not finished. Several programs in this directory get individual settings. First cacls.exe: this is the tool for setting permissions from the command line, so remove inheritance from it and deny access to everyone, since we never use it ourselves. The others on the list, net.exe, .exe, ftp.exe, tftp.exe and telnet.exe, are set to allow access by the renamed administrator only. Locking these binaries is defence in depth rather than a boundary: an attacker who can already run code as the web identity can upload their own copy of net.exe or call the same Win32 APIs directly. The real protection is that the web identity has no write access outside the directories granted above.
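The permission scheme of section III and the System32 paragraph above, as an added example in PowerShell for a current Windows Server; it is not the article's own procedure, which used the Explorer Security tab on Windows 2000. Assumptions: an elevated session; D:\ and E:\ are data drives; every path in `$Plan` is a placeholder; the web server runs as `IIS_IUSRS`, which stands in for the article's Everyone; the system drive is not reset, because on modern Windows that breaks servicing; and the System32 binaries are owned by TrustedInstaller, so ownership is taken before their DACL is rewritten (sfc may later restore them).

```powershell
# Added example, not the article's own commands. Assumptions: elevated session,
# D:\ and E:\ are data drives, all paths in $Plan are placeholders, the web
# server runs as IIS_IUSRS (replacing the article's Everyone), and the system
# drive is deliberately not reset.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$ErrorActionPreference = 'Stop'
$Admins   = [SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators; SIDs survive renaming the account
$System   = [SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$Everyone = [SecurityIdentifier]'S-1-1-0'
$WebId    = [NTAccount]'IIS_IUSRS'              # assumption: identity the web server runs as

function New-Rule {
    param([IdentityReference]$Who, [FileSystemRights]$Rights, [string]$Path,
          [AccessControlType]$Type = 'Allow')
    # Directories propagate the ACE to children; a file cannot carry inheritance flags.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        [InheritanceFlags]'ContainerInherit, ObjectInherit' } else { [InheritanceFlags]::None }
    [FileSystemAccessRule]::new($Who, $Rights, $inherit, [PropagationFlags]::None, $Type)
}

function Set-ExplicitAcl {
    # Break inheritance and replace the whole DACL with $Rules.
    param([string]$Path, [FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)     # protected; inherited ACEs dropped
    foreach ($r in @($acl.Access)) { $acl.RemoveAccessRuleAll($r) }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Add-Rule {
    # Keep inheritance and add one ACE on top of it.
    param([string]$Path, [FileSystemAccessRule]$Rule)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Reset-DataDrive {
    # The article's first step: root = Administrators and SYSTEM full control only,
    # then every child drops its own ACEs and inherits from the root.
    param([string]$Root)
    Set-ExplicitAcl $Root @((New-Rule $Admins FullControl $Root), (New-Rule $System FullControl $Root))
    & icacls.exe "$Root*" /reset /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed under $Root" }
}

function Grant-WebAccess {
    param([string]$Path, [FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing, skipped: $Path"; return }
    Add-Rule $Path (New-Rule $WebId $Rights $Path)
}

function Take-Ownership {
    # System32 binaries are owned by TrustedInstaller; rewriting their DACL needs ownership first.
    param([string]$Path)
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path" }
}

$Plan = @{
    DataDrives = @('D:\', 'E:\')
    # System32 itself is not listed: on current Windows BUILTIN\Users already has Read & Execute there.
    WebRead    = @('C:\Program Files\Common Files', 'D:\PHP', 'D:\Perl', "$env:SystemRoot\php.ini")
    WebModify  = @("$env:SystemRoot\Temp")      # PHP session.save_path; Modify lets gc delete old sessions
    DenyAll    = @("$env:SystemRoot\System32\cacls.exe")
    AdminOnly  = @('net.exe', 'ftp.exe', 'tftp.exe', 'telnet.exe') |
                 ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }
}

foreach ($d in $Plan.DataDrives) { Reset-DataDrive $d }
foreach ($p in $Plan.WebRead)    { Grant-WebAccess $p ReadAndExecute }
foreach ($p in $Plan.WebModify)  { Grant-WebAccess $p Modify }
foreach ($p in ($Plan.DenyAll + $Plan.AdminOnly)) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing, skipped: $p"; continue }
    Take-Ownership $p
    if ($Plan.DenyAll -contains $p) {
        # An explicit Deny for Everyone wins over every Allow, so this locks out administrators
        # as well (the article accepts that); remove the ACE on the day you do need the tool.
        Set-ExplicitAcl $p @((New-Rule $Everyone FullControl $p Deny))
    } else {
        # No inheritance and a single Allow: only Administrators can read or run the binary.
        Set-ExplicitAcl $p @((New-Rule $Admins ReadAndExecute $p))
    }
}

# Verify: print the resulting DACL of every path touched.
$Plan.Values | ForEach-Object { $_ } | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
    $path = $_
    (Get-Acl -LiteralPath $path).Access |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference, FileSystemRights, AccessControlType, IsInherited
} | Format-Table -AutoSize
```

Using the well-known SIDs for Administrators and SYSTEM rather than names is what makes the scheme survive the account renaming the article recommends. Granting a dedicated web identity instead of Everyone keeps other local accounts, and any service running as one, out of the web directories; on a multi-tenant host the next step is one identity and one writable directory per site.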

That is all I can think of for now; it has been a day's work. I will add more later.

Supplement: deny non-Administrator groups access to the WINNT directory altogether, then work out which files under WINNT are actually called and grant read access to those paths individually.
