With forums deployed all over the Internet, new vulnerabilities being disclosed constantly, and SQL injection attacks growing more common, a webshell renders the firewall useless: a web server that exposes only port 80 and has every Microsoft patch applied can still end up compromised. Are we really helpless? Not at all. Once you understand how NTFS permissions are set, you can say to the cracker: no!
To build a secure web server you must use NTFS and Windows NT/2000/2003. Windows is a multi-user, multitasking operating system, and that is the foundation of permission settings: every permission is tied to a user or a process, and different users get different access to the same computer. DOS, by contrast, is a single-user, single-task system. Can we say that DOS has no permissions? When you boot a DOS machine you effectively hold administrative rights over everything, so it is more accurate to say that DOS does not support setting permissions than that it has none. As people's security awareness grew, permission settings arrived together with NTFS.
In Windows NT, users are organised into groups; different groups have different permissions, and of course individual users within one group can also be given different permissions. Let me go through the common built-in groups in NT.
Administrators: by default, members of Administrators have unrestricted full access to the computer (or domain). The default rights assigned to this group allow complete control of the entire system, so only trusted people should be made members.
Power Users: Power Users can perform any operating system task except those reserved for the Administrators group. The default permissions assigned to Power Users let members change settings for the whole computer, but they cannot add themselves to the Administrators group. In terms of permissions this group is second only to Administrators.
Users: the ordinary user group. Members cannot make intentional or accidental system-wide changes, so they can run certified applications but not most legacy applications. Users is the safest group, because its default permissions do not allow members to modify operating system settings or other users' data; it provides the most secure environment for running programs. On NTFS-formatted volumes the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs: Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation but not a server, and they can create local groups but only modify the local groups they created themselves.
Guests: by default Guests have the same access as members of Users, but the Guest account itself is more restricted.
Everyone: as the name implies, every user on this computer belongs to this group. It is a built-in identity rather than a group whose membership you can edit.
There is one more very common entry, with permissions equal to or even higher than Administrators, that no user can be added to and that does not appear in the Users and Groups list: SYSTEM. The rights that the operating system and system-level services need in order to run are vested in it. Strictly speaking SYSTEM is the built-in LocalSystem account rather than a group, and since it contains only that single account it is perhaps better thought of as a user.
Permissions have a hierarchy: a user with higher privileges can act on users with lower ones, but apart from Administrators, members of the other groups cannot access another user's data on an NTFS volume unless that user grants it. A low-privilege user can do nothing to a high-privilege one.
We usually never feel a permission stopping us from doing something, because we use the computer logged in as a member of Administrators. That has an up side and a down side. The up side is that you can do whatever you want without running into restrictions. The down side is that running the computer as a member of Administrators makes the system vulnerable to Trojan horses, viruses and other security risks: the simple act of visiting an Internet site or opening an e-mail attachment can damage the system, because an unfamiliar site or attachment may carry Trojan code that gets downloaded and executed. If you are logged on as an administrator on the local computer, that Trojan runs with administrative access and can, for instance, reformat your hard disk, causing immeasurable damage. So unless it is really necessary, do not log in as a member of Administrators.
Administrators contains a default user created at installation, Administrator. This account has full control of the server and can assign user rights and access control permissions to other users as needed, so it is strongly recommended that it be given a strong password. The Administrator account can never be deleted from the Administrators group, but it can be renamed or disabled. Because everyone knows that "Administrator" exists on most versions of Windows, renaming or disabling it makes it harder for a malicious user to attack that account, and a good server administrator will usually do one or the other. The Guests group likewise contains a default user, Guest, which is disabled by default; leave it disabled unless you really need it. You can view the groups and their members under Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
Right-click an NTFS volume, or a directory on one, and choose Properties > Security to set permissions on it. You will see seven kinds of permission: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions. Full Control is unrestricted access to the volume or directory; its status is like that of Administrators among the groups. Ticking Full Control automatically ticks the five entries below it. Modify is like Power Users: ticking it automatically ticks the four entries below it, and if any of those four is cleared, Modify no longer holds. Read & Execute allows reading and running any file under the volume or directory; List Folder Contents and Read are prerequisites for it. List Folder Contents means only that the subdirectories and files under the volume or directory can be listed, not read or run. Read allows reading data in the volume or directory, and Write allows writing data into it. Special Permissions breaks the six above down into their individual components (the access-mask bits such as Read Data, Write Attributes, Delete, Change Permissions and Take Ownership). Readers can study Special Permissions more deeply on their own; I will not dwell on it here.
Now let me analyse, as a whole, a web server system and its permissions, freshly installed with the operating system and service software. The server runs Windows 2000 Server with SP4 and the available patches. The web service is IIS 5.0, which ships with Windows 2000, with all unnecessary script mappings removed. The hard disk is divided into four NTFS volumes: C: is the system volume, holding only the system and drivers; D: is the software volume, where every application installed on the server lives; E: is the web application volume, with the site's program under the WWW directory; and F: is the web data volume, with all data the site calls stored under the Wwwdatabase directory. This kind of separation is closer to what a secure server should look like.
I hope every novice administrator will classify the server's data sensibly in this way. It is not only easier to find things; more importantly, it greatly improves the server's security, because each volume or directory can be given its own permissions, and when a security incident does happen the loss can be kept to a minimum. You can also spread the site's data over several servers, making a server farm in which each server has its own user names and passwords and provides a different service, which is safer still; but people willing to do that share one feature: money :). Back to the server at hand: the database is MS SQL, the SQL Server 2000 software is installed in d:/ms-sqlserver2k, the sa account has been given a strong enough password, and SP3 has been applied.
To let the web page authors manage the site, the server also runs an FTP service, Serv-U 5.1.0.0, installed in D:/ftpservice/serv-u. The antivirus and firewall are Norton AntiVirus and BlackICE, at D:/nortonav and D:/firewall/blackice respectively; the virus definitions are up to date and the firewall rules open only ports 80 and 21 to the outside. The site content is the Dvbbs (Dynamic Net) forum 7.0, and the site program lives under E:/www/bbs. Attentive readers will have noticed that I did not install any of this service software in its default path, nor merely change the drive letter of the default path. That too is a security requirement: an attacker who has gained some foothold on your server but does not yet have administrator privileges will first look at which services are running and what software is installed, because he needs them to elevate his privileges.
A hard-to-guess path together with a good permission setup will keep him out. I believe a web server configured this way can withstand most attackers. A reader may ask: "Haven't I done everything apart from permissions? Are permission settings still necessary?" Of course they are! Even a wise man makes a mistake; however secure and complete you have made the system, new security vulnerabilities are constantly being discovered, and permissions will be your last line of defence. So let us try it now: a mock attack on this server with no permission settings at all, everything at the Windows defaults, to see whether it is really impregnable.
Assume the server's public domain name is http://www.webserver.com. Scanning it shows the WWW and FTP services open, with IIS 5.0 and Serv-U 5.1; running some overflow tools against them achieves nothing, so the idea of a direct remote overflow is abandoned. Opening the site shows that it runs the Dvbbs forum, so /upfile.asp is appended to the domain name, and a file upload vulnerability is found. The request is captured, a modified ASP Trojan is submitted with nc, the upload succeeds, and we have a webshell. From the uploaded ASP Trojan we see that MS SQL, Norton AntiVirus and BlackICE are running; judging from the firewall restrictions, the SQL service port is blocked. Through the ASP Trojan we look up the PIDs of Norton AntiVirus and BlackICE, upload a tool that can kill processes, run it, and kill both. Scanning again now shows port 1433 open. From here there are many ways to obtain administrator privileges: read conn.asp in the site directory to get the SQL user name and password, log in to SQL, add a user and elevate it to administrator; or fetch ServUDaemon.ini from the Serv-U directory, modify it and upload it back to obtain system administrator privileges; or use a local Serv-U overflow tool to add a user directly to Administrators, and so on. As you can see, once the hacker has found an entry point, with no permission restrictions in place, obtaining administrator privileges is easy.
So let us look at the default permission settings in Windows 2000. On the root directory of each volume, the Everyone group has Full Control by default. That means any user who gets onto the computer can do whatever he likes in the root directory. Three directories under the system volume are special and receive restrictive permissions by default: Documents and Settings, Program Files and WINNT. For Documents and Settings the defaults are: Administrators, Full Control; Everyone, Read & Execute, List Folder Contents and Read; Power Users, Read & Execute, List Folder Contents and Read; SYSTEM, the same as Administrators; Users, Read & Execute, List Folder Contents and Read. For Program Files: Administrators, Full Control; CREATOR OWNER, special permissions; Power Users, Full Control; SYSTEM, the same as Administrators; Terminal Server Users, Full Control; Users, Read & Execute, List Folder Contents and Read. For WINNT: Administrators, Full Control; CREATOR OWNER, special permissions; Power Users, Full Control; SYSTEM, the same as Administrators; Users, Read & Execute, List Folder Contents and Read. Every other directory under the system volume inherits its parent's permissions, which means the Everyone group's Full Control!
Now you see why we obtained administrator rights so easily in the test: the permissions are set far too loosely! A visitor to the web site is automatically mapped to the IUSR account, which belongs to the Guests group. Its own privileges are not high, but the default Everyone: Full Control multiplies them, until in the end it reaches Administrators. So how should permissions be set on this web server? Keep this in mind: "fewest services + least privilege = most security". For services, do not run what you do not need, and remember that services run at system level. For permissions, distribute them on the principle of just enough. For the server above, I set the permissions like this; you can use it as a reference: on the root directory of each volume, on Documents and Settings and on Program Files, give Full Control to Administrators only (keeping SYSTEM's entry, which the system and its services need), or simply delete Program Files; on the root of the system volume add Read and Write for Everyone; and on the E:/www directory, the site directory, give Read and Write.
Finally, dig out cmd.exe and give Full Control to Administrators only. After this setup, the route I just used to break into the server can no longer be completed. A reader may now ask: "Why do I have to give Everyone read and write on the root of the system volume? And do the ASP files on the web site run without any permission?" Good questions, and deep ones. Yes: if the system volume does not give Everyone read and write, the computer will report an error on startup and warn that virtual memory is low. There is a premise, of course: the page file is on the system volume; if it is placed on another volume, that is the volume that needs Everyone read and write. Note that the page file is created at boot by the system itself, so whatever you do to Everyone's entry, make sure SYSTEM keeps Full Control on the volume root rather than removing it together with Everyone. As for ASP: the files do run on the server, and only the output of execution is sent back to the end user's browser, but an ASP file is not an executable in the operating system's sense. It is interpreted by the provider of the web service, IIS, so executing it needs only Read permission on the file, not Read & Execute; the "Scripts only" execute permission in the IIS console is a separate, IIS-level setting.
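To make the permission rows of the Security tab and the default-versus-hardened layouts above concrete, here is a small Python model of how NTFS evaluates a DACL. It is an added illustration, not code from this article: the access-mask bit values are the Win32 SDK constants, but the directory tree, the entries placed on each directory and the groups in the anonymous web account's token are assumptions that follow the article's description rather than a dump of a real server. It checks the accesses the mock attack relied on (running cmd.exe, rewriting ServUDaemon.ini, writing into the web root) for the IUSR account under both layouts.

```python
"""NTFS DACL model for the web server laid out in this article.

Added illustration, not code from the article. Access-mask bit values are the
Win32 SDK constants; the volume layout, the ACEs on each directory and the groups
in the anonymous account's token are assumptions following the article's text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Specific rights (winnt.h). The bracketed name is the same bit's meaning on a directory.
FILE_READ_DATA        = 0x0001   # [FILE_LIST_DIRECTORY]
FILE_WRITE_DATA       = 0x0002   # [FILE_ADD_FILE]
FILE_APPEND_DATA      = 0x0004   # [FILE_ADD_SUBDIRECTORY]
FILE_READ_EA          = 0x0008
FILE_WRITE_EA         = 0x0010
FILE_EXECUTE          = 0x0020   # [FILE_TRAVERSE]
FILE_DELETE_CHILD     = 0x0040
FILE_READ_ATTRIBUTES  = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE       = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000
WRITE_OWNER  = 0x00080000
SYNCHRONIZE  = 0x00100000

# The rows of the Security tab, composed the way the SDK's FILE_GENERIC_* masks are.
READ         = READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
WRITE        = READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
EXECUTE      = READ_CONTROL | SYNCHRONIZE | FILE_EXECUTE | FILE_READ_ATTRIBUTES
READ_EXECUTE = READ | EXECUTE
MODIFY       = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = 0x1FF | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | SYNCHRONIZE   # 0x1F01FF


def implies(outer: int, inner: int) -> bool:
    """True when every bit of `inner` is in `outer` (why ticking Modify ticks Read & Execute)."""
    return inner & ~outer == 0


@dataclass
class Ace:
    trustee: str          # user or group name as shown in the Security tab
    mask: int
    allow: bool = True    # False models a Deny entry
    inherit: bool = True  # "This folder, subfolders and files"


@dataclass
class Node:
    path: str
    aces: List[Ace] = field(default_factory=list)   # ACEs set explicitly on this object
    parent: Optional["Node"] = None
    inherits: bool = True                            # False = inheritance from the parent blocked

    def effective_dacl(self) -> List[Ace]:
        """Canonical order: explicit Deny, explicit Allow, then the same for inherited ACEs."""
        dacl = sorted(self.aces, key=lambda a: a.allow)          # stable sort: denies first
        if self.inherits and self.parent is not None:
            dacl += [a for a in self.parent.effective_dacl() if a.inherit]
        return dacl


def access_check(node: Node, token: Set[str], desired: int) -> bool:
    """Walk the DACL as the kernel's AccessCheck does: fail at the first Deny covering a
    still-ungranted right, succeed once Allow entries have covered every requested right."""
    remaining = desired
    for ace in node.effective_dacl():
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0   # no matching Allow (or an empty DACL) grants nothing


def build_server(hardened: bool) -> Dict[str, Node]:
    """The article's four volumes; directories that merely inherit are elided."""
    fs: Dict[str, Node] = {}

    def add(path: str, aces: List[Ace], parent: str = "", inherits: bool = True) -> None:
        fs[path] = Node(path, aces, fs[parent] if parent else None, inherits)

    system = [Ace("Administrators", FULL_CONTROL), Ace("SYSTEM", FULL_CONTROL)]
    if not hardened:
        for root in ("C:\\", "D:\\", "E:\\", "F:\\"):      # Windows 2000 default on a volume root
            add(root, [Ace("Everyone", FULL_CONTROL)])
        # WINNT blocks inheritance from C:\; entries as the article lists them
        add("C:\\WINNT", system + [Ace("Power Users", FULL_CONTROL), Ace("Users", READ_EXECUTE)], "C:\\", False)
        add("C:\\WINNT\\system32\\cmd.exe", [], "C:\\WINNT")
        add("E:\\www", [], "E:\\")
    else:
        # The article's layout, keeping SYSTEM beside Administrators because services need it.
        add("C:\\", system + [Ace("Everyone", READ | WRITE)])   # the article's page-file concession
        for root in ("D:\\", "E:\\", "F:\\"):
            add(root, list(system))
        add("C:\\WINNT", system + [Ace("Users", READ_EXECUTE)], "C:\\", False)
        add("C:\\WINNT\\system32\\cmd.exe", [Ace("Administrators", FULL_CONTROL)], "C:\\WINNT", False)
        add("E:\\www", system + [Ace("Everyone", READ | WRITE)], "E:\\")
    add("E:\\www\\bbs", [], "E:\\www")
    add("D:\\ftpservice\\serv-u\\ServUDaemon.ini", [], "D:\\")
    return fs


# Assumed token of the anonymous web account: a Guests member that logs on with a
# password, so it also carries Authenticated Users, which Windows 2000 puts in Users.
IUSR_TOKEN = {"IUSR_WEBSERVER", "Guests", "Authenticated Users", "Users", "Everyone"}


def attack_surface(hardened: bool) -> Dict[str, bool]:
    """The accesses the mock attack relied on, evaluated for the anonymous web account."""
    fs = build_server(hardened)
    return {
        "run cmd.exe": access_check(fs["C:\\WINNT\\system32\\cmd.exe"], IUSR_TOKEN, READ_EXECUTE),
        "rewrite ServUDaemon.ini": access_check(fs["D:\\ftpservice\\serv-u\\ServUDaemon.ini"], IUSR_TOKEN, WRITE),
        "drop file in web root": access_check(fs["E:\\www\\bbs"], IUSR_TOKEN, WRITE),
        "drop file in C:\\": access_check(fs["C:\\"], IUSR_TOKEN, FILE_WRITE_DATA),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "default ", attack_surface(mode))
```

Run it and the default layout grants every access, while the hardened one denies cmd.exe and the Serv-U configuration file and leaves the web root writable so the forum keeps working. The model also makes visible the one thing the article's layout leaves open: with Everyone: Read and Write on C:\, the anonymous account can still create files in the system root, so if the page file can live on a volume the web account cannot reach, that entry should go as well. Granting E:/www to the specific IUSR account instead of Everyone narrows things further.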