Red guest required: detailed explanation of permission settings in Windows

Source: Internet
Author: User
Tags windows 5 strong password

With the wide application of the forum, the discovery of the online upload vulnerability, and the increasing use of SQL injection attacks, WEBSHELL makes the firewall useless, even if a WEB server with all Microsoft patches and port 80 open to the outside world, it cannot escape the fate of being hacked. Is there nothing we can do about it? In fact, as long as you understand the permission settings in the NTFS system, we can say NO to crackers!
  
To build a secure WEB server, NTFS and Windows NT/2000/2003 must be used for this server. As we all know, Windows is an operating system that supports multiple users and tasks. This is the basis of permission settings. All permission settings are based on users and processes. When different users access this computer, different permissions are granted.

DOS and WinNT Permissions

DOS is a single task and user operating system. But can we say DOS has no permission? No! When we open a computer with a DOS operating system, we have the Administrator permission for the operating system, and this permission is everywhere. Therefore, we can only say that DOS does not support permission settings. It cannot be said that it does not have permission. As people's security awareness improves, permission settings are born with the release of NTFS.
  
In Windows NT, users are divided into many groups, with different permissions between groups. Of course, users in a group and users in a group can also have different permissions. Next we will talk about the common user groups in NT.

Administrators. By default, users in Administrators have unrestricted full access to computers/domains. The default permissions assigned to this Group allow full control over the entire system. Therefore, only trusted personnel can become members of this group.
Power Users, advanced user group, and Power Users can execute any operating system task except the task retained for the Administrators group. The default permission assigned to the Power Users Group allows members of the Power Users Group to modify the settings of the entire computer. However, Power Users does not have the permission to add itself to the Administrators group. In permission settings, the permissions of this group are second only to those of Administrators.

Users: Common User Group. Users in this group cannot make changes intentionally or unintentionally. Therefore, you can run verified applications, but not most old applications. The Users Group is the safest group, because the default permissions assigned to this group do not allow Members to modify operating system settings or user information. The Users Group provides the safest running environment. On a volume formatted with NTFS, the default security settings are designed to prevent members of this group from endangering the integrity of the operating system and installed programs. You cannot modify system registry settings, operating system files, or program files. Users can shut down the workstation but not the server. You can create a local group, but you can only modify the local group you created.

Guests: The Guests group. By default, the Guests have the same access permissions as common Users members, but the Guest account has more restrictions.

Everyone: as the name suggests, all users on this computer belong to this group.

In fact, another group is also very common. It has the same or even higher permissions as Administrators, but this group does not allow any users to join. When viewing user groups, it will not be displayed. It is a SYSTEM group. Permissions required for the normal operation of system and system-level services are granted by the system. Since this group only has this user SYSTEM, it may be more appropriate to classify the Group as a user.

Permission power Size Analysis

Permissions are classified into different levels. Users with high permissions can operate on users with low permissions. However, except for Administrators, Users in other groups cannot access other user data on NTFS volumes, unless they are authorized by these users. Low-Permission users cannot perform any operations on high-Permission users.

We usually do not feel the permission to obstruct you from doing something when using the computer. This is because we use the user login in the Administrators when using the computer. This has both advantages and disadvantages. Of course, you can do anything you want without permission restrictions. The disadvantage is that running a computer as a member of the Administrators group will make the system vulnerable to Trojans, viruses, and other security risks. Simple operations to access an Internet site or open an email attachment may damage the system.

Unfamiliar Internet sites or email attachments may have Trojan code that can be downloaded to the system and executed. If you log on as an administrator of a local computer, the Trojan horse may use administrative access to reformat your hard disk, causing immeasurable losses, you are advised not to log on from the Administrators. The Administrator account has full control permissions on the server and can assign user rights and access control permissions to the user as needed.

Therefore, we strongly recommend that you use a strong password for this account. You can never delete an Administrator account from the Administrators group, but you can rename or disable this account. As we all know that "Administrators" exist in many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and access this account. For a good server administrator, they usually rename or disable this account. In the Guests user group, there is also a default user ---- Guest, but it is disabled by default. You do not need to enable this account unless necessary.

Help: What is a strong password? It is a complex combination of letters, numbers, and sizes of 8-bit passwords, but it cannot completely defend against a large number of hackers, but it is difficult to crack to a certain extent.

You can use "Control Panel"> "Management Tools"> "Computer Management"> "users and user groups" to view user groups and users in the group.

Right-click a directory under an NTFS Volume or NTFS Volume, and select "properties"> "security" To Set permissions for a volume or directory under a volume, you can view the following seven permissions: full control, modification, read and run, list folder directories, read, write, and special permissions. "Full control" means that this volume or directory has unrestricted full access. The status is the same as the status of Administrators in all groups. If "full control" is selected, the following five attributes are automatically selected.

"Modify" is like Power users. If "modify" is selected, the following four attributes are automatically selected. If any of the following items is not selected, the "modify" condition is no longer valid. "Read and run" is to allow reading and running any files in this volume or directory. "list folder directories" and "read" are necessary for "read and run.

"List folder directories" means that you can only browse the volume or sub-directories under the directory, and cannot read or run. "Read" is the ability to read data in the volume or directory. "Write" means data can be written to the volume or directory. The "special" section describes the six permissions listed above. Readers can conduct further research on "special" on their own. I will not go into detail here.

Set instance operations for a simple server:

Next we will comprehensively analyze a WEB server system that has just installed the operating system and service software and its permissions. The Server uses Windows 2000 Server, and SP4 and various patches have been installed. WEB service software uses IIS 2000 that comes with Windows 5.0, removing unnecessary mappings. The entire hard disk is divided into four NTFS volumes. Drive C is the system volume and only the system and driver are installed. Drive D is the software volume, and all installed software on the server is in drive D; the e-disk is a WEB application volume, and the website program is in the WWW directory under the volume; the F-disk is a website data volume, and all the data called by the website system is stored in the WWWDATABASE directory of the volume.

Such classification is more in line with the standards of a secure server. We hope that new administrators can classify your server data reasonably. This not only facilitates searching, but also greatly enhances the server security, because we can set different permissions for each volume or directory as needed. Once a network security accident occurs, we can minimize the loss.

Of course, you can also distribute website data on different servers to form a server group. Each server has a different user name and password and provides different services, this is more secure. However, people who are willing to do this have a special feature-rich :).

Well, to put it back, the server database for the MS-SQL, MS-SQL service software SQL2000 installed in the d: \ ms-sqlserver2K directory, set a sufficient strength for the SA account password, install the SP3 patch. In order to facilitate web page makers to manage the web page, the site also opened the FTP service, FTP service software is used SERV-U 5.1.0.0, installed in d: \ ftpservice \ serv-u directory. Anti-virus software and the firewall use Norton Antivirus and BlackICE. The paths are d: \ nortonAV and d: \ firewall \ blackice. The virus database has been updated to the latest version, the firewall rule repository defines that only port 80 and port 21 are open to the outside world. The content of the website is the forum of Mobile Network 7.0, and the website program is under e: \ www \ bbs.

Careful readers may have noticed that I did not use the default path or only changed the default path of the drive letter for installation of these service software, which is also a security requirement, if a hacker enters your server through some channels but does not have administrator permissions, the first thing he does is to check which services are open and which software is installed, because he needs to improve his permissions.

A path that is hard to guess and a good permission setting will block it. I believe that the WEB server configured in this way is enough to defend against most hackers who are not skilled enough. The reader may ask again: "This is useless at all! I have done all other security work well. Is permission setting necessary ?" Of course! Even if you have already perfected system security, you must know that new security vulnerabilities are constantly being discovered.

Instance attack

Permission will be your last line of defense! Now, we will simulate an attack on this server that has not been configured with any permissions and uses all the default Windows permissions to see if it is really solid.
  
Assume that the Internet domain name of the server is a http://www.webserver.com, scan it with scanning software to find open WWW and FTP services, and found that the service software is IIS 5.0 and Serv-u 5.1, some overflow tools for them are used to find that they are invalid, so they give up the idea of direct remote overflow.

Open the website page and find that you are using the dynamic network forum system, so add a/upfile after the domain name. asp. If a file upload vulnerability is found, capture the packet and submit the modified ASP Trojan with NC. A prompt is displayed, indicating that the upload is successful. a webshell is obtained and the uploaded ASP Trojan is opened, we found that MS-SQL, Norton Antivirus, and BlackICE were running. We determined that it was a firewall restriction and blocked the SQL Service port.

The PID of Norton Antivirus and BlackICE is viewed through the ASP Trojan, and a file that can kill the process is uploaded through the ASP Trojan. After running the file, Norton Antivirus and BlackICE are killed. Scan again and find that port 1433 is open. At this point, there are many ways to obtain administrator permissions. You can view the conn under the website directory. asp obtains the SQL username and password, and then logs in to SQL to execute the add user operation to grant administrator privileges. You can also grasp the ServUDaemon. ini under the SERV-U after modification upload, get the system administrator privileges.

You can also pass a tool that overflows the SERV-U locally to add users directly to the Administrators and so on. As you can see, once a hacker finds a starting point, the hacker can easily gain administrator permissions without permission restrictions.
  
Now let's take a look at the default permission settings for Windows 2000. By default, the root directory of each volume gives full control to the Everyone group. This means that any user accessing the computer will do whatever he wants in these root directories without restriction.

Three directories in the system volume are special. By default, the system gives them limited permissions. These three directories are Documents and settings, Program files, and Winnt. For Documents and settings, the default permissions are assigned as follows: Administrators have full control; Everyone has read and operation, column and read permissions; Power users has read and operation, column and read permissions; SYSTEM is the same as Administrators; Users has read and operation, column, and read permissions. For Program files, Administrators have full control; Creator owner has special permissions; Power users has full control; SYSTEM has full control with Administrators; Terminal server users, and Users has read and run, column and read permissions.

For Winnt, Administrators has full control; Creator owner has special permissions; Power users has full control; SYSTEM has the same permissions as Administrators; Users has read, run, column, and read permissions. Instead, all directories under the system volume will inherit the permission of their parent directory, that is, the Everyone group has full control!

Now, we know why we just had the administrator privilege during the test? The permission settings are too low! When a person accesses a website, he or she is automatically assigned to the IUSR user, which belongs to the Guest group. Originally, the permission was not high, but the system gave the Everyone group full control by default, which allowed it to "multiply the value" and finally get the Administrators.

So how can I set permissions for this WEB server to be secure? Everyone should remember one sentence: "minimum service + minimum permission = maximum security". Do not install services unless necessary. You must know that the service is running at the SYSTEM level, for permissions, you should assign them in the principle that they are sufficient.

For the WEB server, I set the permissions for the server just now. For details, refer to the root directory of each volume, Documents and settings, and Program files, only give the Administrator full control, or simply delete the Program files directly; Add the Read and Write Permissions Of Everyone to the root directory of the system volume; give the e: \ www directory, that is, the read and write permissions of the website directory.

Finally, we need to dig out the cmd.exe file and only give the Administrator full control. After such settings, it is impossible to try to intrude into the server through the method I just created. At this time, some readers may ask: "Why should we give the root directory of the system volume the read and write permissions of Everyone? Do I not need the permission to run ASP files on my website ?" Good question, with depth. Yes. If the system volume does not give Everyone the read or write permission, an error will be reported when the computer is started and the virtual memory is insufficient.

Of course, this also has a premise-the virtual memory is allocated to the system disk. If the virtual memory is allocated to another volume, you need to grant the read and write permissions to the volume Everyone. ASP files run on the server and only return the execution results to the end user's browser. This is correct, but ASP files are not executable files in the system sense, it is interpreted and executed by the WEB service provider-IIS, so its execution does not require the running permission.

In-depth understanding of the meaning behind Permissions

After the above explanation, you must have a preliminary understanding of the permissions, right? If you want to gain a deeper understanding of permissions, you will not be able to understand some of the features of permissions. permissions are inherited, accumulative, prioritized, and cross-cutting.
  
Inheritance means that the sub-directory has the upper-level directory permission before being reset. There is also a case to note that when copying a directory or file in a partition, the copied directory and file will have the upper-level directory permission setting in its current location. However, when moving directories or files in a partition, moving directories and files in the past will have their original permission settings.
  
Accumulation means that in a group of GROUP1, there are two users, USER1 and USER2. They have the "read" and "write" permissions to access a file or directory at the same time ", the Group GROUP1's access permission to this file or directory is the sum of the access permissions of USER1 and USER2, which is actually the largest one, that is, "read" + "write" = "write ". Another example is that USER1 belongs to GROUP1 and GROUP2, while GROUP1 has read-only access to a file or directory, if GROUP2 has full control over the access permission to this file or folder, the access permission of USER1 to this file or folder is accumulated by two groups of permissions, that is: "Read-only" + "Full Control" = "full control ".
  
Priority. The permission feature includes two sub-features: first, the file access permission takes precedence over the directory permission, that is, the File Permission can bypass the directory permission, regardless of the setting of the upper-level folder. Another characteristic is that the "deny" permission gives priority to other permissions, that is, the "deny" permission can bypass all other permissions. Once the "deny" permission is selected, other permissions cannot take any role, which is equivalent to not being set.
  
Crossover means that when the same folder is set to share permissions for a user and the user is set to access the folder, and the permissions are inconsistent, the trade-off principle is to take the intersection of two permissions, that is, the strictest and least permission. For example, if directory A sets the share permission for USER1 as "read-only", and directory A sets the access permission for USER1 as "full control ", the final access permission of user USER1 is "read-only ".
This is the question of permission settings. In the end, I would like to remind you that permission settings must be implemented in the NTFS partition, FAT32 does not support permission settings. I also want to give some suggestions to the administrators:

1. develop a good habit of clearly classifying hard disk partitions on the server, locking the server when the server is not used, updating various patches and upgrading anti-virus software.

2. Set a strong enough password. This is a common practice, but there is always a weak or even empty password set by the Administrator.

3. Try not to install various software in the default path

4. If the English level is not a problem, try to install the English version of the operating system.

5. Do not install software or unnecessary services on the server.

6. Keep in mind that there is no secure system and your knowledge is updated frequently.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.