Environment configuration:
Apache installation directory: D:\www-s\apache
PHP Directory: D:\WWW-S\PHP5
MySQL directory: d:\www-s\mysql
Site Root: D:\www\htdocs
Dedicated user account for running Apache: Apache-u (not a member of any user group)
PS: This article covers only the directory permission settings related to the Apache application environment on Windows; other basic server directory permission settings are not discussed.
Steps for securing the Apache application environment directories on Windows:
Configure Directory Permissions
The root of the drive where Apache is located (that is, the D: drive) needs only the Read permission, and this permission does not need to be inherited by subdirectories and files (in the Advanced permission settings choose Apply to: This folder only; Permissions: List folder/read data, Read attributes, Read extended attributes, Read permissions; then OK).
The parent directory of the Apache installation directory (D:\WWW-S) requires the "Read" permission (identical to the permissions on the root of the D: drive).
The Apache installation directory requires the "List folder contents" and "Read" permissions (inheritance can be used here for convenience).
Subdirectory permission settings under the Apache installation directory
The "bin" and "modules" directories require the "Read & execute", "List folder contents" and "Read" permissions.
The "logs" directory requires the "List folder contents", "Read" and "Write" permissions (if the Apache installation directory's permissions are inherited, you only need to add the Write permission).
The Apache permissions are now set; next, set the PHP permissions.
The PHP directory (PHP5) can simply be given the "Read & execute", "List folder contents" and "Read" permissions.
The bin folder and its files in the MySQL directory need the Apache user to be granted the "Traverse folder / execute file" and "List folder / read data" permissions (these are found in the Advanced permission settings).
At this point Apache + MySQL + PHP is basically usable; next, configure the permissions on the site root directory.
The parent directory of the site root (www\htdocs), that is www, needs Read (List folder/read data, Read attributes, Read extended attributes, Read permissions); this is the same as the permissions on Apache's parent directory and does not need to be inherited by subdirectories and files.
The website root (htdocs) can simply be given the Read permission (you can then grant write permission on cache folders as needed).
The restricted permission settings for the Apache + PHP + MySQL environment are now basically complete.
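The same directory permissions can be applied from an elevated PowerShell prompt with icacls instead of the permissions dialog. This is an added example, not part of the original article; it assumes the directory layout listed at the top (with bin, modules and logs under the Apache directory and bin under the MySQL directory) and that the local account Apache-u already exists.

```powershell
# Added example: grant Apache-u the permissions from the steps above.
# Assumes the article's directory layout and an existing local account
# named Apache-u; run from an elevated PowerShell prompt.
$user = 'Apache-u'

# icacls rights: RD,RA,REA,RC = list folder/read data, read attributes,
# read extended attributes, read permissions; S = synchronize (the GUI
# adds it implicitly); R = read; RX = read & execute; W = write;
# X = traverse folder/execute file.
# (OI)(CI) = inherited by files and subfolders; without it the entry
# applies to this folder only.
$thisFolderRead = '(RD,RA,REA,RC,S)'

$grants = @(
    @{ Path = 'D:\';                     Rights = $thisFolderRead },
    @{ Path = 'D:\www-s';                Rights = $thisFolderRead },
    @{ Path = 'D:\www-s\apache';         Rights = '(OI)(CI)(R)' },
    @{ Path = 'D:\www-s\apache\bin';     Rights = '(OI)(CI)(RX)' },
    @{ Path = 'D:\www-s\apache\modules'; Rights = '(OI)(CI)(RX)' },
    @{ Path = 'D:\www-s\apache\logs';    Rights = '(OI)(CI)(R,W)' },
    @{ Path = 'D:\www-s\php5';           Rights = '(OI)(CI)(RX)' },
    @{ Path = 'D:\www-s\mysql\bin';      Rights = '(OI)(CI)(X,RD,S)' },
    @{ Path = 'D:\www';                  Rights = $thisFolderRead },
    @{ Path = 'D:\www\htdocs';           Rights = '(OI)(CI)(R)' }
)

foreach ($g in $grants) {
    if (-not (Test-Path -LiteralPath $g.Path)) {
        Write-Warning "Skipping missing path: $($g.Path)"
        continue
    }
    # /grant adds an entry for the user; existing entries are left alone.
    & icacls.exe $g.Path /grant "${user}:$($g.Rights)"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $($g.Path) (exit $LASTEXITCODE)"
    }
}

# Print the resulting ACLs so the Apache-u entries can be reviewed.
foreach ($g in $grants) {
    if (Test-Path -LiteralPath $g.Path) { & icacls.exe $g.Path }
}
```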
Enable restricted users for the Apache service
Open the Services manager (services.msc, or "My Computer - Properties - Manage - Services"), locate the Apache service (Apache2.2), open its properties, set the log-on user to the restricted user (Apache-u), enter the restricted user's password, then click Apply and OK.
After "OK" a prompt generally appears saying that the account .\apache-u has been granted the right to log on as a service. This is equivalent to adding the apache-u user under "Log on as a service" in "User Rights Assignment" in Group Policy (Start -> Administrative Tools -> Local Security Policy, or gpedit.msc).
In Task Manager you can see that the user name of the httpd.exe process is apache-u, and programs that use PHP + MySQL work correctly.
That completes the restricted-user setup for "Apache application environment directory permissions under Windows".
In directories that have write permission, you can create a .htaccess file with the following content:
Deny from all
<Files ~ "\.(css|js)$">
Allow from all
</Files>
css and js are the allowed file extensions.
1. Error messages caused by incorrect Apache permission settings
If the required permissions are missing on the Apache directory, the PHP directory or the site directory, the Apache service cannot start normally. The usual message is:
Windows could not start the Apache2.2 on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.
The corresponding entry in the System event log reads:
The Apache2.2 service terminated with service-specific error 1 (0x1).
Permission configuration errors for PHP are logged in the Application event log.
2. A permission configuration error on the MySQL directory, by contrast, does not prevent the Apache service from starting normally, but website programs cannot use the MySQL service (phpinfo shows that the MySQL module is not loaded).
When this stack is used for testing on a local machine, these permissions are basically ignored, because by default the Apache service is started as the system user. But that is dangerous if the server is exposed to the Internet!
Security has to be considered across every aspect of the architecture; this is only the tip of the iceberg, and a single point cannot cover it all.
Please correct me if you find anything missing.