Cross-site attacks, remote control and the like are old news. Some virtual-host administrators, for convenience or because they are unfamiliar with the configuration, simply put all websites under one directory and set the parent directory as the site root; in some cases every site directory is executable, writable and modifiable. For convenience, QQ is left running on the server and BT is installed. Worse still, the Internet Guest account is added to the Administrators group! Speechless...! Ordinary users who set a 6-digit password such as a birthday can be forgiven; after all, most of them do not work in networking, and it will take some time for the security awareness of Chinese users to improve. But when a network administrator does the same, it is bewildering.
Here I discuss secure virtual-host configuration based on my own past experience, using the setup of the site cert.ecjtu.jx.cn as the example throughout.
1. Create a Windows User
Create a Windows user account named cert for each website, remove the account from the Users group and add it to the Guests group. Tick "User cannot change password" and "Password never expires".
2. Set folder Permissions
1. Set non-site-related Directory Permissions
After Windows is installed, many directories and files can by default be viewed, run or even modified by Everyone, which is a great risk to server security. Based on my own experience, here are some directories that are commonly used during an intrusion.
The permissions of these directories or files should be restricted appropriately, for example by revoking view, modify and execute permissions for the Guests group. For reasons of length I will only mention this here.
2. Set site-related directory permissions:
A. Set the site root directory permissions: grant the user Cert created above the appropriate permissions on the site folder. Assume the site folder is D:\CERT; set the following permissions: Administrators group: Full Control; CERT: Read & Execute, List Folder Contents and Read; revoke all other entries.
B. Set permissions on updatable files: after step A, the guest user has no permission to modify anything in the site folder, which is obviously not enough for a site that is updated. In that case set permissions separately on the files that need to be updated. Of course this may be inconvenient for virtual-host providers, since the content to be updated differs from customer to customer; then you can designate one folder that may be written to or modified. For example, some web-hosting providers stipulate that uploads under the site root is the web upload folder and data or database is the database folder, so the provider can customise the permissions of these two folders for the customer. You could also write a program that lets customers set this themselves, but that may cost the service provider a lot of money and manpower.
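As an added example (not from the original article), the account and NTFS settings of steps 1, 2A and 2B as a batch script using net and cacls; the user name cert, the path D:\CERT, the uploads subfolder and the placeholder password are assumptions.

```batch
@echo off
rem Added example, not the article's own: per-site account and NTFS ACLs.
rem Assumptions: site root D:\CERT, upload folder D:\CERT\uploads, account cert.
rem Replace the placeholder password before use.
set SITEUSER=cert
set SITEROOT=D:\CERT
set SITEPASS=ChangeMe_Placeholder

rem Step 1: create the account, take it out of Users, put it in Guests.
rem /passwordchg:no = "User cannot change password".
net user %SITEUSER% %SITEPASS% /add /passwordchg:no /comment:"IIS anonymous user for the cert site"
net localgroup Users %SITEUSER% /delete
net localgroup Guests %SITEUSER% /add
rem "Password never expires" is not a net user switch; wmic (XP/2003 and later) sets it.
wmic useraccount where "name='%SITEUSER%'" set PasswordExpires=false

rem Step 2A: replace the site root ACL. Without /E the old entries, including
rem Everyone, are dropped. F = Full Control; R = Read, the cacls equivalent of
rem Read & Execute / List Folder Contents / Read (verify in the GUI afterwards).
echo y| cacls %SITEROOT% /T /G Administrators:F SYSTEM:F %SITEUSER%:R

rem Step 2B: only the upload folder is writable for the site user (C = Change).
echo y| cacls %SITEROOT%\uploads /T /E /G %SITEUSER%:C

rem Check the result.
cacls %SITEROOT%
cacls %SITEROOT%\uploads
```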
The basic IIS configuration is familiar to everyone; here are some special points and notes.
1. Home directory permission settings: here you can set Read, Write, Directory browsing and so on. The most important is Directory browsing: unless it is really needed it should be disabled, otherwise a lot of important information is exposed and intrusion is made easier. Leave the rest at their defaults.
2. Application configuration: in the site properties, the Home Directory tab also has a Configuration button. Click it and you will see that the Application Mappings tab lists many mappings by default. Delete every mapping that is not needed and keep only those that are. During an intrusion, many programs restrict uploads of files such as ASP and PHP but do not restrict files such as CER and ASA; if the corresponding application mapping is not deleted, the ASP suffix can be changed to CER or ASA before upload and the Trojan is parsed normally. Administrators often overlook this. Also add an application mapping for the extension .MDB, pointing it at any executable; this prevents user databases with the .mdb suffix from being downloaded.
3. Directory security settings: select Directory Security in the site properties, click Edit under Anonymous access and authentication control, tick Allow anonymous access and click Edit, as shown in the figure. Remove the default user, browse to and select the user created for the CERT site, and enter its password (you can also tick Allow IIS to control password). The purpose of this setting is to stop Trojans such as Webmaster Assistant and the marine Trojan from browsing across directories and sites, and so effectively prevent cross-directory and cross-site intrusion.
4. Execute permission on writable directories: disable execute permission for all writable directories. Because of program vulnerabilities, web-page Trojans are currently very popular, and most of them are uploaded through the web; they can only be uploaded into writable directories. If the execute permission of writable directories is disabled, an uploaded Trojan cannot run, which effectively prevents this form of web intrusion.
5. Handling run-time errors: there are two methods. One is to disable error echo: IIS properties > Home Directory > Configuration > App Debugging > Script error messages, choose "Send text error message to client". The other is a custom error page: in IIS properties > Custom Errors, double-click an HTTP error in the list and the Error Mapping Properties dialog appears. Message types include Default, URL and File and can be customised as needed. In this way some error information is hidden and the error display is friendlier.
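Added example, not the article's own: points 1, 2 and 4 above applied from the command line with adsutil.vbs from the IIS Administration Scripts. It assumes the site has metabase id 1, that adsutil.vbs is in C:\Inetpub\AdminScripts, and that uploads already exists as a virtual directory of the site.

```batch
@echo off
rem Added example, not the article's own: IIS home-directory hardening via adsutil.vbs.
rem Assumptions: site id 1, adsutil.vbs in C:\Inetpub\AdminScripts, and "uploads"
rem already present as a virtual directory (metabase node) under the site root.
set ADSUTIL=cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs
set SITE=W3SVC/1/ROOT

rem Point 1: no directory browsing on the home directory.
%ADSUTIL% set %SITE%/EnableDirBrowsing false

rem Point 4: the writable folder gets execute permission "None".
rem AccessScript=false stops script-mapped files (.asp, .cer, .asa, ...) from being
rem run there, AccessExecute=false stops executables; writes stay allowed for uploads.
%ADSUTIL% set %SITE%/uploads/AccessScript false
%ADSUTIL% set %SITE%/uploads/AccessExecute false
%ADSUTIL% set %SITE%/uploads/AccessWrite true

rem Point 2: list the current application mappings so that unused extensions
rem (.cer, .asa, .cdx, ...) can be removed in the IIS snap-in. Each entry reads
rem extension,handler DLL,flags,verbs.
%ADSUTIL% get %SITE%/ScriptMaps

rem Verify the settings took effect.
%ADSUTIL% get %SITE%/EnableDirBrowsing
%ADSUTIL% get %SITE%/uploads/AccessScript
%ADSUTIL% get %SITE%/uploads/AccessExecute
```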
3. Configure ftp
FTP is a required service for most virtual-host providers, and most website files are uploaded by FTP. The most widely used FTP server is Serv-U. Here are some points to explain.
1. The administrator password must be changed
Attackers are familiar with Serv-U privilege escalation. These escalation tools use Serv-U's default administrator account and password, and because the Serv-U administrator runs with super-administrator rights, if you have not changed the administrator password the tools work easily. If you change it, the tools no longer run so easily: the administrator password must be cracked first.
2. Change the installation directory permission
The default Serv-U installation directory can be viewed and modified by Everyone. If you chose to store user information in an INI file during installation, all user information can be read from ServUDaemon.ini, and if Guests has modify permission a hacker can create a user with super permissions. This is not good. Therefore, after installing Serv-U you must change the permissions on the corresponding folder and remove the Guests user's permissions.
4. Command-line operations
1. Forbid the Guests user from executing cmd.exe:
Use the following command to revoke Guests' permission to execute cmd.exe:
cacls C:\winnt\system32\cmd.exe /e /d guests
2. Disable the WScript.Shell component:
WScript.Shell can call the system kernel to run basic DOS commands. You can modify the registry and rename this component to guard against such Trojans: rename HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1 to other names, and change the values of the two CLSID items, HKEY_CLASSES_ROOT\WScript.Shell\CLSID and HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID, to other values or delete them.
3. Disable the Shell.Application component:
Shell.Application can also call the system kernel to run basic DOS commands. Modify the registry and rename this component to guard against such Trojans: rename HKEY_CLASSES_ROOT\Shell.Application and HKEY_CLASSES_ROOT\Shell.Application.1 to other names, and change or delete the value of HKEY_CLASSES_ROOT\Shell.Application\CLSID. In addition, prevent the guest user from using shell32.dll so that the component cannot be invoked; run:
cacls C:\winnt\system32\shell32.dll /e /d guests
4. FileSystemObject component
FileSystemObject can perform ordinary file operations. You can modify the registry and rename this component to guard against such Trojans; the corresponding registry key is HKEY_CLASSES_ROOT\Scripting.FileSystemObject. You can deny Guests the use of it or delete it outright. However, because many upload programs use this component, for convenience we do not recommend changing or deleting it.
5. Prohibit Telnet login
There is a login.cmd file in the C:\winnt\system32 directory. Open it in Notepad, add a new line at the end containing exit, and save. In this way a user is logged out immediately after logging in to Telnet.
Note: the registry modifications above take effect only after the web service is restarted.
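Added example, not the article's own: items 1 to 3 of this section done with reg.exe and cacls, followed by a check that WScript.Shell can no longer be created and the restart the note calls for. It assumes reg.exe is available (built into Windows XP/2003, in the Support Tools on Windows 2000) and that Windows is installed in C:\winnt; the _disabled suffix is arbitrary.

```batch
@echo off
rem Added example, not the article's own: rename the WScript.Shell and
rem Shell.Application ProgIDs, deny Guests on cmd.exe and shell32.dll, verify.
rem Assumptions: reg.exe present, Windows in C:\winnt, suffix "_disabled" arbitrary.
rem Caveat: ASP pages on this server that use these objects will stop working too.
set SUFFIX=_disabled

for %%P in (WScript.Shell WScript.Shell.1 Shell.Application Shell.Application.1) do (
    rem Copy the ProgID key, CLSID subkey included, under the new name, then
    rem delete the original so that CreateObject on the old name no longer resolves.
    reg copy "HKCR\%%P" "HKCR\%%P%SUFFIX%" /s /f
    reg delete "HKCR\%%P" /f
)

rem Items 1 and 3: remove Guests' access to cmd.exe and shell32.dll.
cacls C:\winnt\system32\cmd.exe /e /d guests
cacls C:\winnt\system32\shell32.dll /e /d guests

rem Check: this constructed VBScript must now report "blocked".
> %TEMP%\wsh_check.vbs echo On Error Resume Next
>> %TEMP%\wsh_check.vbs echo Set o = CreateObject("WScript.Shell")
>> %TEMP%\wsh_check.vbs echo If Err.Number ^<^> 0 Then WScript.Echo "blocked: " ^& Err.Description Else WScript.Echo "STILL AVAILABLE"
cscript //nologo %TEMP%\wsh_check.vbs
del %TEMP%\wsh_check.vbs

rem The note above: running web applications pick up the change only after a restart.
iisreset
```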
5. Port settings
A port is a door into the server. If every port on our server is open, many hackers can get in, so I personally think it is important to close unused ports. In Control Panel > Network and Dial-up Connections > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties, click Advanced to open Advanced TCP/IP Settings, select the Options tab, select TCP/IP filtering and enable it. Add only the required ports, such as 21 and 80, and disable all unused ports.
6. Disable file sharing
File sharing is enabled by default and should be turned off. In Control Panel > Network and Dial-up Connections > Local Area Connection > Properties, on the General tab, untick File and Printer Sharing for Microsoft Networks. The principle of least service is an important security principle: disable unnecessary services. System services are set in Control Panel > Administrative Tools > Services.
7. Disable unnecessary services
Services such as Telnet and Remote Registry should be disabled. Install as little software as possible; this avoids security problems caused by software vulnerabilities. Some network administrators install QQ on the server and use the server to keep QQ online, which is completely wrong.
8. Follow security news and apply vulnerability patches promptly
Applying patches is very important for a network administrator; keeping patches up to date further ensures system security.