Secure Virtual Host Configuration Tips _ server

Source: Internet
Author: User
Tags microsoft sql server parent directory php file upload administrator password file permissions java web
Injection vulnerabilities, upload vulnerabilities, weak password vulnerabilities and other problems are everywhere. Cross-site attacks, remote control, and so on are a cliché. Some virtual host administrators do not know whether to facilitate or unfamiliar with the configuration, simply put all the sites in the same directory, and then set the parent directory to the site root directory. In some cases, the directory of all sites is set to executable, writable, and modifiable. Some for convenience, in the server hang up QQ, also installed on the BT. Even more, the Internet Guest account is added to the Administrators group! Sweat......! The average user sets his or her password to a 6-digit pure number, such as birthdays, this situation can also be forgiven, after all, most of them are not specialized in network research, the safety awareness of Chinese people will need some time, but if it is the network administrator also, it is also a bit of people think impassability. Network security issues are increasingly prominent, and recently no one claims that "million nets: I came in to play twice!" ”。 Such a well-known network service provider, also inevitable escape ah! The web site injection loophole is a recent high school intrusion that has been exposed in newspapers and magazines ... In a word, most of the site security situation is worrying!

Here's my personal past experience with you to explore the issue of secure virtual host configuration. The following to establish a site cert.ecjtu.jx.cn as an example, with you to discuss the virtual host configuration issues.

First, the establishment of Windows users

Set up a separate Windows user account cert for each site, delete the user group for the account, and add cert to the Guest user group. The user cannot change the password, the password never expires two options selected.

Second, set folder permissions

1, set the non-site-related directory permissions

When Windows is installed, many directories and files by default are everyone can browse, view, run, or even modify. This poses a great danger to server security. Here are some of my personal experiences to mention some of the more commonly used directories in intrusion.

C:\;d:\ .....
C:\perl
C:\temp\
C:\Mysql\
C:\php\
C:\autorun.inf
C:\Documents and setting\
C:\Documents and Settings\All users\"Start menu \ programs \
C:\Documents and Settings\All users\"Start menu \ program \ Boot
C:\Documents and Settings\All Users\documents\
C:\Documents and Settings\All Users\Application Data\symantec\
C:\Documents and Settings\All Users\Application Data\symantec\pcanywhere
C:\WINNT\system32\config\
C:\winnt\system32\inetsrv\data\
C:\WINDOWS\system32\inetsrv\data\
C:\Program files\
C:\Program files\serv-u\
C:\Program files\kv2004\
C:\Program Files\rising\rav
C:\Program Files\realserver\
C:\Program Files\Microsoft SQL Server\
C:\Program Files\java Web start\


The permissions for these directories or files should be appropriately restricted. such as canceling the guests user's view, modify, and Execute permissions. Due to the length of the relationship, this is simply mentioned here.

2, set the site related directory permissions:

A, set the site root directory permissions: The user just established cert to the corresponding site folder, assume the appropriate permissions for the D:\cert: Adiministrators Group for Full Control, cert have read and run, List folder directory, read, cancel all other permissions.

B, set updatable file permissions: After the 1th site root folder permissions setting, the Guest user has no permission to modify any content in the site folder. This is obviously not enough for an updated site. Then you need to set permissions on individual files that need to be updated. Of course this may be inconvenient for a virtual host provider. The customer's site may not be the same as the content of the file that needs to be updated. At this point, you can specify a folder can be written, can be changed. If some of the virtual host providers, the site root directory uploads for the Web can be uploaded folders, data or database folder. This allows the virtual host service provider to tailor the permissions for the two folders to the client. Of course, like some do a better virtual host provider, to the customer to do a program, let the customer set their own. May want to do so, service providers have to spend not small money and manpower oh.

Third, configure IIS

The basic configuration should be everyone, here is a few special points or need to pay attention to places.

1, the main directory permissions settings: This can be set to read on the line. Write, directory browsing, etc. can not, the most important thing is the directory browsing. Unless it is a special case, it should be closed or it will expose a lot of important information. This will bring convenience to hackers. Leave the rest to default on it.

2, application configuration: In the Site properties, home directory This item also has a configuration option, click Enter. As you can see in the application mapping options, there are many application mappings by default. Remove all the required reservations and all that you don't need. In the process of intrusion, many programs may limit the asp,php file upload, but do not cer,asa, such as file restrictions, if the corresponding application mapping is not deleted, you can change the name of the ASP suffix to CER or ASA after the upload, Trojan will be able to be resolved normally. This is also often overlooked by the administrator. Add an application extension mapping and the executable file can be optionally selected with a suffix named. mdb. This is to prevent the user database of the suffix named MDB from being downloaded.

3, Directory Security settings: Select Directory security in the site properties, click Anonymous access and authentication control, choose to Allow anonymous access, click Edit. As shown in the following figure. Delete the default user, browse to select the corresponding user for the CERT Web site, and enter the password. You can select to allow IIS to control passwords. The purpose of this set is to prevent some like webmaster assistants, the sea, such as cross-directory Cross-site browsing, can effectively prevent such cross-directory cross-site intrusion.

4, writable directory to perform permissions settings: Turn off all writable directories to execute permissions. Due to the loopholes in the program, the current very popular upload some of the trojan, most of them are uploaded with the web. Because can not write the directory Trojan can not upload, if you turn off the ability to write a directory, then upload the Trojan will not run normally. Can effectively prevent such forms of web intrusion.

5, processing run error: Here are two methods, one is to turn off error ECHO. IIS Properties-Home Directory-Configuration-application debugging-script error message, select Send text error message to customer. The second is to customize the error page. In the IIS properties-custom error messages, double-click the error page that you want to customize in the HTTP error message, the Error mapping property settings box pops up. The message type has a default value, a URL, and a file of three, which can be customized according to the situation. This allows you to hide some error messages, and on the other hand you can make the error display more user-friendly.

Four, configure the FTP

FTP is a necessary service for most virtual host providers. Most of the user's station files are uploaded using FTP. Most of the FTP servers currently in use are not serv-u. Here are a few points to explain.
  
1. Admin password must be changed

If the invasion enthusiasts must be familiar with the serv-u right again mo past. These power tools use the Serv-u default Administrator's account number and password to run. Because the SERV-U administrator is running as a super administrator. If you do not change the administrator password, these tools can be used to the most useful. If you change the password, the tools are not as simple as they want to function properly. You have to crack the admin password before you can.

2, change the installation directory permissions

The default installation directory for Serv-u is for everyone to browse and even modify. If you choose to store the user information in the INI file when you install it, you can get all the information about the user in Servudaemon.ini. If guests has permission to modify, then hackers can successfully establish a user with super privileges. This is not a good thing. So after installing the serv-u, you have to modify the appropriate folder permissions, you can cancel the guests user's corresponding permissions.

V. Command-line related operations handling

1, prohibit guests users to perform Com.exe:

We can cancel guests execute Com.exe permission by following command
cacls c:\winnt\system3\cmd.exe/e/d guests.

2. Disable Wscript.Shell components:

Wscript.Shell can invoke the system kernel to run DOS basic commands. This can be prevented by modifying the registry to rename this component. Hkey_classes_root\wscript.shell\ and hkey_classes_root\wscript.shell.1\ renamed to other names. You can also change the value of the hkey_classes_root\wscript.shell\clsid\ item and the value of the hkey_classes_root\wscript.shell.1\clsid\ item by changing the values of the two CLSID.

3. Disable Shell.Application Components

Shell.Application can also invoke the system kernel to run DOS basic commands. This can be prevented by modifying the registry to rename this component. Hkey_classes_root\shell.application\ and hkey_classes_root\shell.application.1\ renamed to other names. Change or delete the value of the Hkey_classes_root\shell.application\clsid\ project hkey_classes_root\shell.application\clsid\ the value of the item. Also, the guest user is prohibited from using Shell32.dll to prevent calls to this component. Use command: cacls c:\winnt\system32\shell32.dll/e/d Guests

4, FileSystemObject components

FileSystemObject can be normal operation of the file can be modified by modifying the registry, the component renamed to prevent the harm of such Trojans. The corresponding registry key is hkey_classes_root\scripting. Filesystemobject\. You can prevent guests users from using or deleting them directly. Considering that many uploads will use this component, it is not recommended to change or delete it for convenience.

5. No Telnet landing

There is a login.cmd file in the C:\WINNT\system32 directory, open it in Notepad, take another line at the end of the file, and add the exit to save it. This allows users to automatically exit immediately when they log on to telnet.

Note: The above registry operation requires a restart of the Web service before it takes effect.

Six, port settings

The bottom of the port form is the door, the metaphor is very vivid. If all the ports on our servers are open, that means hackers have a lot of doors to invade. So I personally feel that shutting down unused ports is an important thing. In Control Panel-network and dial-up connections-local Connection-attribute ――internet protocol (TCP/IP) properties, click Advanced, enter Advanced TCP/IP settings, select options, select TCP/IP filtering in the optional settings, and enable TCP/IP filtering. Add the required ports, such as 21, 80, and close all remaining unused ports.

Vii. Turn off file sharing

The system defaults to the file sharing feature enabled. We should give the cancellation. In Control Panel-network and dial-up connections-local connections-Properties, in the General options, cancel Microsoft Network file and print sharing. The principle of minimum service is an important principle of guaranteeing security. Non-essential services should be given off. System services can be set in the Control Panel-management tools-services.

Viii. Closure of Non-essential Services

Services such as Telnet services, remote registry operations, and so on should be disabled. At the same time install the fewest software possible. This avoids some of the security problems caused by software vulnerabilities. Some network administrators install QQ on the server, use the server to hang QQ, this kind of practice is extremely wrong.

Nine, pay attention to the security and update the vulnerability of timely patches

  Update vulnerability patches are important for a network administrator. Update the patch, you can further ensure the security of the system.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.