Windows permission settings

Source: Internet
Author: User

Careful readers may have noticed that I did not install these service programs in their default paths, or at least changed the drive letter of the default path. That is itself a security requirement: if an attacker gets into your server by some route but does not hold administrator privileges, the first thing he does is check which services are open and which software is installed, because he needs to escalate his privileges.
  
A path that is hard to guess, together with sound permission settings, will block him. I believe a WEB server configured this way is enough to defend against most attackers of limited skill. A reader may ask: "This is useless! I have already done all the other security work well. Are permission settings really necessary?" Of course they are! Even if you have perfected system security, you must remember that new security vulnerabilities are discovered all the time.
  
An example attack
Permissions will be your last line of defense! Now let us simulate an attack on this server, configured with no custom permissions at all, only the Windows defaults, and see whether it is really solid.
   
Assume the server's Internet domain name is http://www.webserver.com. Scanning it with a port scanner finds open WWW and FTP services, and the service software turns out to be IIS 5.0 and Serv-U 5.1. Overflow tools for both turn out to be ineffective, so the attacker gives up on a direct remote overflow.
  
Opening the website shows that it runs the Dynamic Network forum system, so the attacker appends /upfile.asp to the domain name and confirms the file-upload vulnerability. He captures the upload request, modifies it to carry an ASP Trojan and resubmits it with NC; the server reports the upload as successful. With a WEBSHELL obtained, opening the uploaded ASP Trojan shows that MS-SQL, Norton Antivirus and BlackICE are running; since the SQL service port was not reachable from outside, it must be blocked by the firewall.
  
Through the ASP Trojan the attacker reads the PIDs of Norton Antivirus and BlackICE, uploads a tool that can kill processes and runs it: both are killed. A rescan now shows port 1433 open. From here there are many ways to obtain administrator rights. He can read conn.asp in the website directory to obtain the SQL username and password, then log in to SQL and add a user with administrator privileges. He can also grab ServUDaemon.ini from the Serv-U directory, modify it and upload it back, obtaining system administrator privileges.
  
Or he can use a tool that overflows Serv-U locally to add a user directly to Administrators, and so on. As you can see, once an attacker finds a foothold, nothing but permission restrictions stands between him and administrator rights.
  
Now let us look at the default permission settings of Windows 2000. By default, the root directory of every volume grants Full Control to the Everyone group. This means that any user who can access the computer may do whatever he likes in those root directories, without restriction.
  
Three directories on the system volume are special: the system gives them limited permissions by default. They are Documents and Settings, Program Files and Winnt. Their default permissions are as follows.

Documents and Settings:
  Administrators: Full Control
  Everyone: Read & Execute, List Folder Contents, Read
  Power Users: Read & Execute, List Folder Contents, Read
  SYSTEM: same as Administrators
  Users: Read & Execute, List Folder Contents, Read

Program Files:
  Administrators: Full Control
  CREATOR OWNER: special permissions
  Power Users: Full Control
  SYSTEM: Full Control, the same as Administrators
  Terminal Server Users and Users: Read & Execute, List Folder Contents, Read

Winnt:
  Administrators: Full Control
  CREATOR OWNER: special permissions
  Power Users: Full Control
  SYSTEM: same as Administrators
  Users: Read & Execute, List Folder Contents, Read

Every other directory on the system volume, however, simply inherits the permissions of its parent directory, which means the Everyone group has Full Control!
  
Now we know why the test just now ended with administrator privileges: the permission settings are far too loose! A visitor to the website is automatically mapped to the IUSR user, which belongs to the Guests group. Its own permissions are not high, but the system gives Everyone Full Control by default, which let the attacker "multiply" its value step by step until he finally reached Administrators.
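To see whether a server still carries the kind of defaults just described, here is an added audit script (not from the article) that reports Allow entries granting Full Control or Write to Everyone, Users or Authenticated Users on every volume root and on the three special directories. It assumes a modern Windows host with PowerShell 5 or later, where Documents and Settings has become C:\Users and Winnt is $env:SystemRoot.

```powershell
# Added example: find broad Allow entries on the locations the article discusses.
$Full  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Write = [int][System.Security.AccessControl.FileSystemRights]::Write
$GenericAll = 0x10000000   # GENERIC_ALL, which Get-Acl leaves unmapped on some entries
# Identities that in practice mean "anyone who can reach the box".
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Find-BroadAce {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($Broad -notcontains $id) { continue }
            $r = [int]$ace.FileSystemRights
            $level = $null
            if ((($r -band $Full) -eq $Full) -or ($r -band $GenericAll)) { $level = 'FULL CONTROL' }
            elseif (($r -band $Write) -ne 0)                              { $level = 'WRITE' }
            if (-not $level) { continue }            # read-only entries are not reported
            [pscustomobject]@{
                Path      = $p
                Identity  = $id
                Level     = $level
                Inherited = $ace.IsInherited         # came down from the parent directory
            }
        }
    }
}

# Every volume root plus the three "special" directories from the article.
$targets  = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
$targets += "$env:SystemDrive\Users", $env:ProgramFiles, $env:SystemRoot
Find-BroadAce -Paths $targets | Format-Table -AutoSize
```

An empty table means none of those locations lets a broad group write; any row marked Inherited = True shows a permission that arrived through inheritance rather than being set deliberately.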
  
So how should the permissions of this WEB server be set to be secure? Everyone should remember one sentence: "minimum services + minimum permissions = maximum security". Do not install services unless they are necessary; remember that services run at SYSTEM level. For permissions, follow the principle of granting only what is sufficient.
  
For this WEB server I set the permissions as follows. For the root directory of each volume, for Documents and Settings and for Program Files, give only Administrators Full Control, or simply delete Program Files outright; on the root directory of the system volume, add Read and Write permissions for Everyone; and give the website directory, E:\www, Read and Write permissions.
  
Finally, dig out cmd.exe and give only Administrators Full Control over it. With these settings in place, the intrusion method I just demonstrated no longer works. At this point some readers may ask: "Why give Everyone Read and Write on the root of the system volume? And don't the ASP files on my website need permission to run?" Good questions, with depth. Yes: if the system volume does not give Everyone Read and Write, an error is reported at startup that the virtual memory is insufficient.
  
Of course, this has a premise: that the virtual memory is allocated on the system disk. If it is allocated on another volume, grant Everyone Read and Write on that volume instead. It is true that ASP files run on the server and only return their results to the end user's browser, but ASP files are not executables in the system sense; they are interpreted and executed by IIS, the WEB service provider, so running them does not require the Execute permission.
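The layout just described, written out as an added icacls script rather than the article's own commands. It assumes a modern Windows host (icacls, PowerShell 5 or later) and an elevated prompt; $WebRoot, the uploads subfolder and $IisUser are assumptions, and it keeps SYSTEM alongside Administrators because Windows services cannot run without it.

```powershell
# Added example: apply the article's permission layout with icacls.
$WebRoot = 'E:\www'   # the website directory from the article
$IisUser = 'IUSR'     # IUSR_<machine> on IIS 5, the built-in IUSR on IIS 7 and later

function Set-ExplicitAcl {
    # Leave $Path with exactly the entries in $Grants ("Account:(flags)perm"):
    # stop inheriting, grant the wanted entries first (so we never lock ourselves
    # out), then remove every other principal that still has an explicit entry.
    param([string]$Path, [string[]]$Grants)
    icacls $Path /inheritance:r /grant:r $Grants | Out-Null
    $keep = $Grants | ForEach-Object { ($_ -split ':', 2)[0] }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''   # BUILTIN\Users -> Users
        if ($keep -contains $name) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        icacls $Path /remove "*$sid" | Out-Null
    }
}

# 1. Non-system volume roots, Documents and Settings (C:\Users today) and
#    Program Files: Administrators and SYSTEM only.
$admin = 'Administrators:(OI)(CI)F', 'SYSTEM:(OI)(CI)F'
$roots = @(Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "$env:SystemDrive\" } |
           ForEach-Object { $_.Root })
foreach ($p in $roots + "$env:SystemDrive\Users" + $env:ProgramFiles) {
    Set-ExplicitAcl -Path $p -Grants $admin
}

# 2. System volume root: the article adds Read and Write for Everyone because
#    its Windows 2000 page file lives there. Without (OI)(CI) the entry applies
#    to the root folder only and is not inherited by the whole tree.
Set-ExplicitAcl -Path "$env:SystemDrive\" -Grants ($admin + 'Everyone:(R,W)')

# 3. Website directory: the anonymous IIS account gets Read & Execute (for
#    traversal; ASP pages need no Execute right of their own, as the article
#    explains) and Write only in an assumed uploads subfolder, narrower than
#    the article's Read and Write on the whole directory.
Set-ExplicitAcl -Path $WebRoot -Grants ($admin + "${IisUser}:(OI)(CI)RX")
icacls (Join-Path $WebRoot 'uploads') /grant "${IisUser}:(OI)(CI)(RX,W)"

# 4. cmd.exe: Administrators and SYSTEM only. Vista and later ship it owned by
#    TrustedInstaller, so take ownership first; Windows servicing may restore
#    the default ACL on update, so re-check it after patching.
$cmd = "$env:SystemRoot\System32\cmd.exe"
takeown /f $cmd | Out-Null
Set-ExplicitAcl -Path $cmd -Grants 'Administrators:F', 'SYSTEM:F'
```

Applications running under non-administrator service accounts may need explicit grants added back on Program Files afterwards, so try this on a test machine before a production server.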
  
In-depth understanding of the meaning behind Permissions
After the above explanation you should have a preliminary understanding of permissions. To understand them more deeply, you cannot avoid knowing some of their properties: permissions are inherited, cumulative, prioritized and intersecting.
  
Inheritance means that a subdirectory carries the permissions of its parent directory until they are reset. One case deserves attention: when a directory or file is copied within a partition, the copy takes on the permissions of the parent directory at its new location; but when a directory or file is moved within a partition, it keeps its original permission settings.
  
Accumulation: suppose group GROUP1 contains two users, USER1 and USER2, who hold the "read" and "write" permissions respectively on a file or directory. GROUP1's access to that file or directory is then the sum of USER1's and USER2's access, which in effect is the larger of the two, that is, "read" + "write" = "write". Another example: USER1 belongs to GROUP1 and GROUP2; GROUP1 has read-only access to a file or folder, and GROUP2 has full control over it. USER1's access to that file or folder is the two groups' permissions accumulated, that is, "read-only" + "full control" = "full control".
  
Priority has two sub-features. First, file permissions take precedence over directory permissions: a file's own permission can bypass the directory permission, regardless of how the parent folder is set. Second, the "deny" permission takes priority over all others: once "deny" is selected, the other permissions no longer play any role, as if they had never been set.
  
Intersection (crossover) applies when a folder has both a share permission and an NTFS access permission set for the same user and the two differ: the rule is to take the intersection of the two, that is, the strictest, least permission. For example, if directory A's share permission for USER1 is "read-only" and its access permission for USER1 is "full control", USER1's final access permission is "read-only".
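As an added illustration (not part of the article), the following small model applies three of these rules, accumulation, deny priority and the share/NTFS intersection, to the article's own USER1/GROUP1/GROUP2 scenario. Rights are represented as plain strings, and the ACL entries are constructed for the example.

```powershell
# Added example: a toy model of how an effective permission is derived.
$AllRights = 'Read', 'Write', 'Execute', 'Delete', 'ChangePermissions'

function Expand-Right([string[]]$Rights) {
    # "FullControl" stands for every individual right.
    if ($Rights -contains 'FullControl') { return $AllRights }
    return $Rights
}

function Get-NtfsEffective([string[]]$Principals, [hashtable[]]$Acl) {
    # Accumulation: Allow entries for the user and all of his groups are unioned.
    # Priority: a Deny entry for any of them removes that right, whatever the allows say.
    $allow = @(); $deny = @()
    foreach ($ace in $Acl) {
        if ($Principals -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Allow') { $allow += Expand-Right $ace.Rights }
        else                       { $deny  += Expand-Right $ace.Rights }
    }
    return @($allow | Sort-Object -Unique | Where-Object { $deny -notcontains $_ })
}

function Get-ShareEffective([string[]]$NtfsRights, [string[]]$ShareRights) {
    # Intersection: over a share, only rights granted by both the share and NTFS survive.
    return @($NtfsRights | Where-Object { $ShareRights -contains $_ })
}

# Constructed scenario from the article: USER1 is in GROUP1 (read-only) and GROUP2 (full control).
$user1 = 'USER1', 'GROUP1', 'GROUP2'
$acl = @(
    @{ Identity = 'GROUP1'; Type = 'Allow'; Rights = @('Read') },
    @{ Identity = 'GROUP2'; Type = 'Allow'; Rights = @('FullControl') }
)
# Accumulation: GROUP2's full control is added to GROUP1's read-only.
$ntfs = Get-NtfsEffective -Principals $user1 -Acl $acl
"NTFS only   : $($ntfs -join ', ')"
# Intersection: the same user reaching the folder through a read-only share.
$share = Get-ShareEffective -NtfsRights $ntfs -ShareRights @('Read', 'Execute')
"Via share   : $($share -join ', ')"
# Deny priority: one Deny on GROUP1 strips Write even though GROUP2 allows it.
$withDeny = $acl + @( @{ Identity = 'GROUP1'; Type = 'Deny'; Rights = @('Write') } )
"With a deny : $((Get-NtfsEffective -Principals $user1 -Acl $withDeny) -join ', ')"
```

The model deliberately leaves out the file-over-directory rule, which depends on which object the entry is attached to rather than on the entries themselves.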
  
That covers the subject of permission settings. Finally, I would like to remind you that permissions can only be set on NTFS partitions; FAT32 does not support them. I also have some suggestions for administrators:
  
1. Develop good habits: classify the server's hard disk partitions clearly, lock the server when it is not in use, and keep patches and anti-virus software up to date.

2. Set strong enough passwords. This is commonplace advice, yet there is always some administrator who sets a weak password or even a blank one.

3. Try not to install software in its default path.

4. If your English is not a problem, try to install the English version of the operating system.

5. Do not install unnecessary software or services on the server.

6. Keep in mind that there is no such thing as a secure system, and update your knowledge frequently.
