A detailed explanation of permissions settings under Windows

With the wide application of the mobile network Forum and the discovery of the vulnerability on the Internet, as well as the more and more use of SQL injection attacks, Webshell makes the firewall useless, and a Web server that only makes 80 ports open to all Microsoft patches will escape the fate of being hacked. Do we really have nothing to do? In fact, as long as you understand the NTFS system permissions to set the problem, we can say to the crackers: no!

To build a secure Web server, you must use NTFS and Windows nt/2000/2003 for this server. As we all know, Windows is a multi-user, multitasking operating system, which is the basis of permission settings, All permission settings are based on the user and the process, and different users will have different permissions when they access the computer.

DOS and Winnt the difference between the permissions

DOS is a single task, single user operating system. But can we say that DOS does not have permissions? When we open a computer with a DOS operating system, we have the admin rights of the operating system, and the permissions are everywhere. Therefore, we can only say that DOS does not support the setting of permissions, can not say that it does not have permissions. As people's awareness of security increased, permission settings were born with the release of NTFS.

In Windows NT, users are grouped into groups with different permissions between groups and groups, and of course, users and users of a group can have different permissions. Now let's talk about the common user groups in NT.

Administrators, the Administrators group, by default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system. Therefore, only trusted people can become members of the group.

Power Users, advanced user groups, Power users can perform any operating system tasks other than those reserved for the Administrators group. The default permissions assigned to the Power Users group allow members of the Power Users group to modify the settings for the entire computer. However, Power Users do not have the right to add themselves to the Administrators group. In permission settings, the permissions of this group are second to administrators.

Users: Normal user group, the user of this group cannot make intentional or unintentional changes. As a result, users can run validated applications, but they cannot run most legacy applications. The Users group is the safest group because the default permissions assigned to the group do not allow members to modify the operating system settings or user data. The Users Group provides an environment in which the most secure programs run. On NTFS-formatted volumes, the default security setting is designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down the workstation, but not the server. Users can create local groups, but can only modify local groups that they create.

Guests: Guest group, by default, guests have equal access to members of the regular users, but the Guest account has more restrictions.

Everyone: As the name implies, all users, all users on this computer belong to this group.

In fact, there is a group is also very common, it has the same as administrators, even higher than the permissions, but this group does not allow any user to join, in view of the user group, it will not be displayed, it is the system group. The permissions required for system and system-level services to function properly are vested in it. Since this group has only one user system, it may be more appropriate to classify the group as a user.

Power size Analysis of permissions

Permissions are high and low, and users with elevated privileges can operate on users with lower privileges, but in addition to administrators, users of other groups cannot access other user data on NTFS volumes unless they are authorized by those users. Users with low privileges cannot do anything with highly privileged users.

We usually do not feel the privilege of using the computer to prevent you from doing something, because we use the computer in the administrators of the user logged in. It's good and bad, and, of course, you can do anything you want to do without having access to the restrictions. The disadvantage is that running the computer as a member of the Administrators group makes the system vulnerable to Trojan horses, viruses, and other security risks. Simple actions to access an Internet site or open an e-mail attachment can damage the system.

Unfamiliar Internet sites or e-mail attachments may have Trojan Horse code that can be downloaded to the system and executed. If you are logged on as an administrator on the local computer, the Trojan may reformat your hard disk with administrative access, causing immeasurable damage, so it is best not to log in administrators users without the necessary circumstances. Administrators has a default user that is created at System installation----Administrator,administrator account has Full control of the server, and can assign user rights and access control rights to users as needed.

It is therefore strongly recommended that this account be set to use strong passwords. You can never delete an Administrator account from the Administrators group, but you can rename or disable the account. Because everyone knows that "admin" exists on many versions of Windows, renaming or disabling this account makes it more difficult for a malicious user to try and access the account. For a good server administrator, they usually rename or disable this account. Under the Guests user group, there is also a default user----Guest, but by default it is disabled. You do not need to enable this account if it is not particularly necessary.

Small help: What is a strong password? is a combination of letters and numbers, size of more than 8-bit complex password, but this also does not completely prevent a large number of hackers, but to a certain extent more difficult to crack.

We can view user groups and users under this group through the Control Panel-Administrative Tools-Computer Management-users and user groups.

We right-click a directory under an NTFS volume or an NTFS volume, select Properties-Security to set permissions on a volume, or the directory under a volume, and we see the following seven types of permissions: Full Control, modify, read and run, List folder directories, read, write, and special permissions. Full Control is the unrestricted full access to this volume or directory. Status is like the position of administrators in all groups. Full Control is selected, and the following five properties are automatically selected.

"Modify", like Power Users, selects modify, and the following four properties are automatically selected. If any of the following items are not selected, the "modify" condition will no longer be established. Read and run is any file that is allowed to read and run under this volume or directory, and "List folder Directory" and "read" are necessary for read and run.

"List Folder Directory" means that only subdirectories under the volume or directory can be browsed, cannot be read, and cannot be run. Read is the ability to read data in the volume or directory. "Write" is the ability to write data to the volume or directory. and "Special" is to the above six kinds of permissions are subdivided. Readers can do a deeper study of "special" on their own, and I will not dwell on them here.

Set instance operation for a simple server:

The following is a comprehensive analysis of a Web server system and its permissions that have just been installed on the operating system and service software. The server uses Windows Server version, installed SP4 and a variety of patches. The Web services software uses IIS 5.0 with Windows 2000, removing all unnecessary mappings. The entire hard drive is divided into four NTFS volumes, the C disk is the system volume, only the system and driver are installed, D disk is the software volume, all the software installed on the server is in D disk; E disk is a Web application volume, the Web site program is under the volume of the WWW directory; F disk is a Web site data volume, the site system calls all data are stored in the volume of the Wwwdatabase directory.

This sort of classification is more in line with the standard of a secure server. I hope that each novice administrator can reasonably give your server data classification, this is not only easy to find, but more importantly, this greatly enhances the security of the server, because we can give each volume or each directory to set different permissions, once a network security accident, can also reduce the loss to the minimum.

Of course, you can also distribute the site's data on different servers, make it a server farm, each server has a different user name and password and provide a different service, so the security is higher. But people who are willing to do so have a feature----money:).

Well, to get to the bottom of this, the server's database for Ms-sql,ms-sql service software SQL2000 installed in the d:ms-sqlserver2k directory, to the SA account set a strong enough password, installed a SP3 patch. In order to facilitate web page producers to manage the Web, the site also opened the FTP service, FTP service software using the Serv-u 5.1.0.0, installed in the D:ftpserviceserv-u directory. Antivirus software and firewalls are the Norton Antivirus and BlackICE respectively, the path is D:nortonav and D:firewallblackice, virus Library has been upgraded to the latest, firewall rule library definition only 80 ports and 21 ports open to the outside. The content of the website is to use 7.0 of the forum of Dynamic Net, the website program is under E:wwwbbs.

Attentive readers may have noticed that I have not adopted the default path for installing these service software or just changed the default path of the letter, which is also a security requirement, because a hacker who has access to your server through some means, but does not get administrator privileges, The first thing he does will be to see what services you open up and what software you have installed, because he needs to improve his privileges.

A path that is hard to guess and a good permission setting will block him out. It is believed that this configuration of the Web server is enough to withstand most of the wrong hackers. The reader may ask again, "It's not going to be a privilege!" I've done all the rest of the work. Is it necessary to have permission settings? Of course there is! A wise man will have a loss, even if you have now made the system safe and perfect, you must know that the new security vulnerabilities are always being found.

Instance attack

Permission will be your last line of defense! Well, let's just do it now. A mock attack on this server without any permission settings, all with Windows default permissions, to see if it is really impregnable.

Assume that the server extranet domain name, scanned by scanning software to discover the open WWW and FTP services, and found that its service software using IIS 5.0 and Serv-u 5.1, with some of their overflow tool found invalid, and then abandon the idea of direct remote overflow.

Open the website page, found that the use of the Dynamic Network Forum system, and then add a/upfile.asp in its domain name, found that there is a file upload loophole, then grabbed the package, the modified ASP Trojan with NC submission, the successful upload success, Webshell, open just uploaded ASP Trojan, Ms-sql, Norton Antivirus and BlackICE were found to be running, judging by the restrictions on the firewall, shielding the SQL service port.

Through the ASP Trojan check to see the Norton Antivirus and BlackICE PID, and through the ASP Trojan upload a can kill the process of the file, run kill Norton Antivirus and BlackICE. Again scan, found that 1433 ports open, there are many ways to get administrator privileges, you can view the site Directory of the conn.asp get SQL username password, and then log into SQL to add users, to the administrator rights. can also catch serv-u under the Servudaemon.ini modified upload, get system administrator privileges.

You can also add users directly to administrators, and so on, by passing local overflow serv-u tools. As you can see, once the hacker has found the entry point, in the absence of permission restrictions, hackers will be easy to obtain administrator privileges.

So let's take a look at the default permission settings for Windows 2000. For the root directory of each volume, the Everyone group is given full control by default. This means that any user who enters the computer will be unrestricted to do whatever is in the root directory.

Three directories under the system volume are special, the system defaults to their restricted permissions, and the three directories are documents and settings, program files, and Winnt. For documents and settings, The default permissions are assigned in this way: Administrators has full control; Everyone has read & Transport, column and read permissions; Power Users have read & shipping, column and read permissions; System with administrators; Users have read & shipping, column and Read permissions. have full control over program Files,administrators; Creator owner has special privileges; Power users have full control; System with administrators; Terminal Server users have full control, and users have read & shipping, columns, and Read permissions.

Have full control over winnt,administrators; Creator owner has special privileges; Power users have full control; System with administrators; Users have read & shipping, columns and Read permissions. Not all directories under the system volume inherit the permissions of their parent directory, which is the Everyone group's full Control!

Now you know why we just got the admin right on the test, right? The permissions are set too low! When a person visits a website, it is automatically assigned to the IUSR user, which is subordinate to the Guest group. The original permission is not high, but the system defaults to the Everyone group full control but let it "worth doubling", to the end can get administrators.

So how is it safe to set permissions on this Web server? We should keep in mind that: "The least service + minimum permissions = maximum security" For services, do not have to wear, do not need to know the operation of the service is the system-level, for the authority, in accordance with the principle of good enough to distribute it.

For the Web server, take just that server, I set permissions, you can refer to: The root directory of each volume, Documents and Settings and program files, only to the administrator full Control, Or simply delete the program files to the root directory of the system to add a everyone read and write right, to the E:www directory, that is, the site directory read, write right.

Finally, the Cmd.exe this file to be dug out, only give the administrator full control. After this setup, and then to the way I just hacked the server is impossible to complete the task. Perhaps this time another reader will ask: "Why do I have to give the root directory of the system volume to read and write right?" Does the ASP file in the Web site run without permissions? " Good question, deep. Yes, if the system volume does not give everyone the right to read and write, when you start the computer, the computer will report an error, and will prompt virtual memory is low.

Of course, there is a premise----virtual memory is allocated on the system disk, if the virtual memory allocated to other volumes, then you have to give that volume everyone read and write right. ASP files are run on the server, it is true that only the results of the execution are passed back to the end-user's browser, but the ASP file is not a system-sense executable and is interpreted by the provider of the Web service----IIS, so its execution does not require permission to run.

Deep understanding of the meaning behind permissions

After the above explanation, you must have a preliminary understanding of the right? Want to more in-depth understanding of permissions, then some of the characteristics of permissions you can not do not know, permissions are inherited, cumulative, priority, cross-cutting.

Inheritance is that the subordinate directory has the previous level of directory permissions set before it is reset. There is also a case in point where copying directories or files within a partition will have the same level of directory permissions set up in the directory as it is now located. But when you move directories or files within a partition, the directories and files that you move in the past will have their original permissions set.

Add up is that if there are two users USER1, USER2 in a group GROUP1, and they have access to a file or directory, respectively, read and write, the group GROUP1 access to the file or directory for USER1 and USER2 access rights, is actually the largest one, read + write = write. Another example is that a user USER1 belong to group GROUP1 and GROUP2, and GROUP1 access to a file or directory is read-only, and GROUP2 access to this file or folder is "Full Control" type, The user USER1 access to the file or folder is cumulative by two group privileges, namely: Read Only + Full Control = Full Control.

Priority, this feature of the permission also contains two seed characteristics, one is the file access rights priority directory permissions, that is, file permissions can bypass the directory permissions, regardless of the previous level of folder settings. Another feature is that the Deny permission takes precedence over other permissions, which means that the Deny permission can cross all other permissions, and once the Deny permission is selected, the other permissions cannot take any action, equivalent to no settings.

Cross refers to when the same folder for a user set share permissions while the user set the access rights of the folder, and the set of permissions inconsistent, it is the principle of the choice of two permissions to the intersection, which is the most stringent, the smallest kind of permission. If the share permission set by directory A for user USER1 is read-only, and the access rights set by directory A for the user USER1 are full control, the user USER1 's final access is read-only.

Issue of permission settings I'm going to say this, and in the end I want to remind readers that the permissions settings must be implemented in an NTFS partition, and FAT32 does not support permission settings. At the same time, I would like to give you the administrator some suggestions:

1. Develop good habits, to the server hard disk partition when the classification is clear, when not using the server to lock the server, often update a variety of patches and upgrade anti-virus software.

2. Set a strong password, this is a cliché, but there are always administrators to set a weak password or even a blank password.

3. Try not to install all kinds of software under the default path

4. In the case of English proficiency is not a problem, try to install the English version of the operating system.

5. Avoid the installation of software or unnecessary services on the server.

6. Keep in mind: there is no permanent security system, often update your knowledge.