Windows 2000 virtual host basic permissions settings

Source: Internet
Author: User

Here is what I consider a relatively safe way to set permissions on a Windows 2000 virtual host. It covers only the permission settings.

I. Software and environment required by a virtual host

1. Serv-U 5.0.11 (seems unsafe, but not necessarily)

2. MySQL database

3. MSSQL database

4. pcAnywhere remote control

5. Antivirus software; I generally use Norton 8.0

6. PHP 5

7. ActivePerl 5.8

Of the software above, everything except the MSSQL database should be downloaded from its official website and installed in the recommended version. The installation and setup follow, starting with the operating system. Assume the system is Windows 2000 Advanced Server and the disk is divided into C:, D: and E:, all formatted as NTFS.

II. System port settings

Virtual hosts are typically controlled with pcAnywhere and Terminal Services. Change the Terminal Services port, for example to 8735. Set up TCP/IP filtering according to the services you want to open. Why not use the local security policy? I consider TCP/IP filtering to be stricter, because it rejects everything unless expressly permitted, whereas the local security policy allows everything unless expressly refused. If I have misunderstood this, please correct me. The TCP/IP filtering settings are as follows:

TCP ports: allow only 21, 80, 5631, 8735, 10001, 10002, 10003, 10004 and 10005. IP protocols: allow only 6. I have not tested UDP ports in detail, so I won't guess; I will fill that in after testing. Ports 10001-10005 in the TCP list are the ones configured for Serv-U's PASV mode; you can of course use others.

In the local connection properties, uninstall all other protocols, leaving only Internet Protocol (TCP/IP). While you are at it, rename the administrator account to something complex, set the local security policy not to display the last logged-on account, and configure account lockout appropriately. Then restart the computer; this part of the setup is complete.

Now install the software. All software is installed on D:, and E: is used for data backup. First I installed Serv-U to D:\Serv-U, localizing it to Chinese and cracking it along the way, hehe. Then install the rest to D: in turn. Now start setting permissions. First, in the Security settings of C:, D: and E:, remove Everyone and add the renamed Administrator and SYSTEM with Full Control. Under Advanced, reset the permissions on all child objects and allow inheritable permissions to propagate. Every file and directory on the system is now fully controlled by the renamed Administrator and SYSTEM and automatically inherits the permissions of its parent directory. Next, set the required permissions for each directory.

To run ASP, the files in the C:\Program Files\Common Files directory are needed to establish database connections. Set permissions on C:\Program Files\Common Files: add Everyone with Read, List Folder Contents, and Read & Execute. You can also use the Advanced tab for stricter settings, but I didn't.

To run PHP, set permissions on C:\winnt\php.ini so that Everyone has Read permission. If PHP's session directory is set to C:\Winnt\Temp, that directory must give Everyone Read and Write permission. To improve performance, PHP is set to be parsed through ISAPI; the d:\php directory gives Everyone Read, List Folder Contents, and Read & Execute permissions. I won't cover the php.ini settings here: first, I don't understand them well; second, I am only discussing system permission settings.

To run CGI, give Everyone Read, List Folder Contents, and Read & Execute permissions on D:\perl. Incidentally, CGI is also set to be parsed through ISAPI, for security and performance.

Now for the big one, Serv-U. It is really powerful, but it is not very safe and needs to be reworked. The first issue is the overflow attack; 5.0.11 seems not to have this defect. The second is modification of the INI configuration file; there is no permission to modify it, so I'll skip that. As far as I know, the only remaining way is to use the default admin account and password to add an account with write and execute permissions and use it to run a Trojan.

Changing the default account and password settles this. Just open ServUDaemon.exe and ServUAdmin.exe directly in an editor such as EditPlus and change them there. If you find that troublesome, it's easy to write a program for it in whatever language you like. I've written such a thing before and it's easy to make yourself. Now Serv-U basically has no problems.

As for the databases, no separate permissions were set; they simply inherit from the D: drive directory. As for how to set the accounts and passwords inside them, I'm too lazy to go into that.

The last point is to set up the C:\Winnt\System32 directory and some of the things under it. Many programs load dynamic-link libraries from here, and there are too many files here for me to understand them all, so give Everyone Read, List Folder Contents, and Read & Execute on the C:\Winnt\System32 directory.

In fact, this is not safe, but don't panic, we are not finished. Under this directory, several special programs need separate settings. First, cacls.exe; set this one before anything else. It is the tool used to set permissions, so make it not inherit the parent directory's permissions and deny everyone access to it, because we generally don't use it. The other programs to set are net.exe, cmd.exe, ftp.exe, tftp.exe and telnet.exe; set these to allow access only by the renamed administrator.
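A way to check the System32 settings above after applying them, as an added example that is not part of the original article: it parses saved `cacls <file>` listings and reports every entry that breaks the policy just described. The sample listing is constructed, the account name HOST1\xk_root77 is a hypothetical renamed administrator, and the usual listing layout (path, then one account:permission entry per line) is assumed.

```python
# Policy from the article: these System32 tools may be used only by the
# renamed administrator account; cacls.exe is denied to everyone.
ADMIN_ONLY = {"net.exe", "cmd.exe", "ftp.exe", "tftp.exe", "telnet.exe"}
DENY_ALL = {"cacls.exe"}

# Constructed sample of `cacls <file>` output (not captured from a real host).
SAMPLE = r"""
C:\WINNT\system32\cmd.exe HOST1\xk_root77:F

C:\WINNT\system32\net.exe HOST1\xk_root77:F
                          Everyone:R

C:\WINNT\system32\tftp.exe Everyone:R
                           HOST1\xk_root77:F
                           NT AUTHORITY\SYSTEM:F

C:\WINNT\system32\cacls.exe Everyone:N
"""

def parse_cacls(text):
    """Return {path: [(account, perm), ...]} from cacls listing output.
    Assumes file paths without spaces (true for the System32 tools)."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # new file: "<path> <first entry>"
            path, _, line = line.partition(" ")
            current = acls.setdefault(path, [])
        # Account names may contain spaces, so split on the last colon.
        account, _, perm = line.strip().rpartition(":")
        current.append((account, perm))
    return acls

def audit(text, admin):
    """List (file, account, perm) entries that break the article's policy."""
    findings = []
    for path, aces in parse_cacls(text).items():
        name = path.rsplit("\\", 1)[-1].lower()
        for account, perm in aces:
            if name in ADMIN_ONLY and account.lower() != admin.lower():
                findings.append((name, account, perm))   # extra account
            elif name in DENY_ALL and perm != "N":
                findings.append((name, account, perm))   # someone has access
        if name in DENY_ALL and ("Everyone", "N") not in aces:
            findings.append((name, "Everyone", "missing deny"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, r"HOST1\xk_root77"):
        print("VIOLATION", *finding)
```

Because the article allows only the renamed administrator on these tools, a SYSTEM entry is reported as well as an Everyone entry.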

That is all I can think of for now. I wrote this in bits and pieces during free time at work today and will add to it later.

Addendum: deny non-administrator groups access to the Winnt directory, then grant read access again on the paths of the files under Winnt that need to be called.
