Considerations for PHP 5 on IIS 6.0 (security issues and tips)

Source: Internet
Author: User

Recently I found that running PHP 5 on IIS 6.0 involves some security issues and a few tips worth knowing. These are not obvious to the average administrator, so anyone who wants to run PHP 5 on IIS may want to take this article into consideration.

---

If you install the ISAPI module for PHP 5 (php5isapi.dll), then under anonymous access PHP 5 runs as the anonymous access identity (IUSR_MachineName).

[Image: using the anonymous access identity]

However, if you run PHP 5 through the FastCGI Extension for IIS 6.0, the identity used is that of the application pool, which is Network Service.

[Image: the Network Service identity]

The difference between the two matters a great deal when you set the access control list (ACL) of the website. If you set the ACL carelessly, your PHP program can easily create entries and add files to your website.

For example, if PHP is exposed to a security vulnerability, you cannot update the PHP version, and the website ACL is not properly set, it becomes easy for a Trojan to be planted on the site. That is very dangerous, so the ACL has to be set with care.
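To see what the ACL actually allows, the following added example (not part of the original article) tries to create a file in every directory under the web root as whatever identity PHP runs under. The web root path and the list of directories that are meant to be writable are assumptions to adapt.

```php
<?php
// Added example: report directories under the web root where the identity
// PHP runs as (IUSR_MachineName with ISAPI, Network Service with FastCGI)
// can create files. Both paths below are assumptions; adjust to your site.
$webRoot  = 'C:\\Inetpub\\wwwroot';                  // assumed site root
$expected = array('C:\\Inetpub\\wwwroot\\uploads');  // assumed writable dirs

// Attempt a real create/delete so the answer reflects the NTFS ACL as it
// applies to the current identity. If delete is denied, the probe file
// stays behind and has to be removed by hand.
function can_create_file($dir)
{
    $probe = $dir . DIRECTORY_SEPARATOR . 'acl_probe_' . uniqid() . '.tmp';
    $fh = @fopen($probe, 'x');          // 'x' fails if the file exists
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    @unlink($probe);
    return true;
}

// Walk the tree iteratively and collect every directory that accepts files.
function find_writable_dirs($root)
{
    $writable = array();
    $stack = array(rtrim($root, '\\/'));
    while ($stack) {
        $dir = array_pop($stack);
        if (can_create_file($dir)) {
            $writable[] = $dir;
        }
        $entries = @scandir($dir);
        if ($entries === false) continue;          // no list permission
        foreach ($entries as $e) {
            if ($e === '.' || $e === '..') continue;
            $path = $dir . DIRECTORY_SEPARATOR . $e;
            if (is_dir($path) && !is_link($path)) $stack[] = $path;
        }
    }
    return $writable;
}

// Windows paths are case-insensitive, so compare with strcasecmp.
$unexpected = array_udiff(find_writable_dirs($webRoot), $expected, 'strcasecmp');
header('Content-Type: text/plain');
echo $unexpected
    ? "Writable but not expected:\n" . implode("\n", $unexpected) . "\n"
    : "No unexpected writable directories.\n";
```

Request the script through IIS rather than running it from the command line, so that it executes under the site's identity, and remove it from the server afterwards.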

---

In addition, if one IIS server hosts multiple different PHP websites, it is recommended that you do not run them all under the same identity. Otherwise every site shares the same permissions, which is quite risky for website security.

---

I personally use FastCGI for PHP, which is faster than others.

---

If you want PHP to run in all .htm files, you can define the application's file extension mapping in the application settings.

Taking FastCGI as an example, the configuration steps are as follows:

Add a .htm mapping and set the executable path to C:\WINDOWS\system32\inetsrv\fcgiext.dll.

Open C:\windows\system32\inetsrv\fcgiext.ini:

[Types]
php=PHP-All
htm=PHP-All

After the change, there is no need to restart IIS for it to take effect!

---

If you use the move_uploaded_file function in PHP and the user uploads a file with a Chinese file name, the file cannot be saved. To solve this problem, you must modify the program.

Original program:

move_uploaded_file($file['tmp_name'],
    $dir . mb_basename($file['name']));

Modified program:

// Convert the UTF-8 name to Big5 before saving.
// mb_basename() is a user-defined helper, not a PHP built-in.
move_uploaded_file($file['tmp_name'],
    $dir . mb_basename(mb_convert_encoding($file['name'], "big5", "utf8")));

---
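For the move_uploaded_file fix above, here is an added example (not code from the original article) that validates the client-supplied name before converting it to Big5. The function name `safe_upload_name` and the extension allowlist are assumptions.

```php
<?php
// Added example: derive a safe on-disk name for an upload on a Big5 Windows
// server. $allowedExt is an assumed allowlist; php and htm are left out of
// it because this server hands both extensions to PHP.
function safe_upload_name($clientName, array $allowedExt)
{
    if (!mb_check_encoding($clientName, 'UTF-8')) {
        return false;                        // not valid UTF-8
    }
    // Strip any path while the name is still UTF-8. Big5 trail bytes can be
    // 0x5C ("\"), so splitting on separators after conversion could cut a
    // character in half.
    $parts = preg_split('#[\\\\/]#u', $clientName);
    $base  = end($parts);

    // Allow letters (including CJK), digits, dot, underscore, space, dash.
    if ($base === '' || !preg_match('/^[\p{L}\p{N}._ -]+$/u', $base)) {
        return false;
    }
    // "." is ASCII, so byte-wise strrpos is safe on a UTF-8 string.
    $dot = strrpos($base, '.');
    $ext = ($dot === false) ? '' : strtolower(substr($base, $dot + 1));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    // Convert for the file system, then round-trip to confirm that no
    // character was replaced because Big5 cannot represent it.
    $big5 = mb_convert_encoding($base, 'BIG-5', 'UTF-8');
    if (mb_convert_encoding($big5, 'UTF-8', 'BIG-5') !== $base) {
        return false;
    }
    return $big5;
}

// Usage in the upload handler ($file and $dir as in the article's snippet):
// $name = safe_upload_name($file['name'], array('jpg', 'png', 'pdf'));
// if ($name !== false) {
//     move_uploaded_file($file['tmp_name'], $dir . $name);
// }
```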

After installing PHP 5 on the Windows platform, there is a problem with the time zone. Everything was normal on the Linux platform, that is, the standard time zone GMT+0800, but after the move to the Windows platform the time zone is reset to GMT+0000 (Greenwich Mean Time). To solve this problem, you must add a TZ variable to the Windows system environment variables and set its value to Asia/Taipei.

After the setting is complete, remember to run the iisreset command for it to take effect!

If you want to look up the time zone values for other countries, you can refer to the following website: http://www.theprojects.org/dev/zone.txt

When installing PHP on Windows Server 2003/IIS 6.x, please read the following. The process of getting it to work was really frustrating, so I hope that my experience will save others the detour.

Before installing PHP 5 by following an online tutorial (here is a good one: http://www.peterguy.com/php/install_IIS6.html), read the following tips:
These are the permissions I have found to work for security:
NTFS permissions (right-click a file or folder and select Properties to open the Security tab)
1) PHP installation directory (such as C:\PHP) -> you need to give the NT user Network Service read/execute permissions. If you have a tmp or session directory in the installation directory, you need to grant read/execute and write permissions on it to the Network Service user. (You do not need to grant the anonymous Internet user IUSR_[name] any permission on the PHP installation files.)
2) You need to grant the anonymous Internet user IUSR_[name] read/execute permissions on the actual WWW root directory and .php files (if you want this to apply to all sites), or on the site's root directory and .php files (if you run multiple sites).
3) In the IIS 6.0 console, open the site properties (right-click an individual site, or the Web Sites root node to apply to all sites -> select Properties), go to the Directory Security tab -> click Edit. If you want the site to be accessible anonymously, select the anonymous access checkbox and enter the user name IUSR_[name] (IUSR_[name] depends on the user settings of your server).
4) * Most Important *
When installing and setting up php.ini, do not enable any extensions. The reason is that if an extension error occurs, the error dialog pops up outside the Remote Desktop session, you will not be able to close that dialog box, and your PHP pages will hang indefinitely (I almost went crazy solving this problem).

Then, after you have successfully opened the test PHP page, enable all the extensions in the php.ini file in one go.
If you have any tips that I have not mentioned, please send me an email. Again, I am not a professional and am still learning.
Now that you have read this, open the link I posted at the top and follow the tutorial to complete the general setup and installation.
