Full introduction to asp + cgi + php + mysql configuration in win2K

Install win2K, IISIndexingService, FrontPage2000ServerExtensions, and InternetServiceManager (HTML). There are other installation methods. (According to the security principle, the minimum service + the minimum permission is the maximum security .) First, open internet Manager (start -- Program-

Install win2K and IIS

Indexing Service,
FrontPage 2000 Server Extensions,
Internet Service Manager (HTML)
These are not loaded, and there are others. In short, they are not installed.
(According to the security principle, minimum service + minimum permissions = maximum security .)

First, open internet Manager (start --> program --> Management --> Internet service management)
If a default site and smtp service item are installed as shown in the preceding figure
Select the default site and delete all directories under it. (Press the delete key on your keyboard)
To stop iis, run the following command: start --> run --> enter net stop iisadmin and press enter (the command to start is net start w3svc)
Delete the Inetpub directory of drive C (disable iis before deletion), and create a new directory on other disks.
In IIS Manager, direct the default site's home directory to the directory you just created
If you need a directory with any permissions, you can create it by yourself and what permissions you need.
(Pay special attention to write and execute permissions. there is no absolute need to do not give them. By default, they are not given, so you do not need to study them ..)

Application Configuration: delete unnecessary mappings that are not required in IIS Manager,
Leave ASP, ASA, and other file types that you actually need (except cgi, php, and others I think are useless. delete htw, htr, idq, ida ......)
Do you know where to delete it ?? Method: choose Internet service management> Site> Properties> WWW service> Edit> Home Directory> configuration> application ING,
Then let's start deleting them one by one (not all selected, which is really troublesome ).
Then, change the script error message to send text in the application debugging bookmarks in the window.
(Unless you want to know your program/network/database structure when an ASP error occurs) What is the error text written?
If you like it, do it yourself. When you click OK to exit, do not forget to let the virtual directory inherit the attributes you set.

To deal with the increasing number of cgi vulnerability scanners, you can also refer to the following tips,
In IIS, redirect the HTTP404 Object Not Found error page to a custom HTM file through the URL,
This vulnerability can cause most CGI vulnerability scanners to malfunction. In fact, the reason is very simple,
Most CGI scanners determine whether the vulnerability exists by checking the HTTP code on the returned page for convenience,
For example, the famous IDQ vulnerability is generally tested by taking 1. idq. if HTTP200 is returned, the vulnerability is considered to exist,
Otherwise, if you fail to return to http404, you can redirect http404's error information to the http404.htm file through url,
All scans will return HTTP200 regardless of whether there are any vulnerabilities, and 90% of CGI scanners will think that you have any vulnerabilities,
Instead, it masks your real vulnerabilities and leaves intruders nowhere to start. However, from a personal perspective,
I still think it is more important to do a good job of security settings than such tips.

Win2000 account security is another focus. First, the default installation of Win2000 allows any user to obtain a list of all accounts/shares of the system through empty users,
This was originally intended to facilitate LAN users to share files, but a remote user can also get your user list and use the brute force to crack the user password.
Many of you know that you can disable null connection 139 by changing the registry Local_Machine \ System \ CurrentControlSet \ Control \ LSA-RestrictAnonymous = 1,
In fact, win2000's local security policy (if the domain server is in the domain server security and domain security policy) has this option RestrictAnonymous (additional restrictions on anonymous connections ),
This option has three values:
0: None. Rely on default permissions (None, depending on the default permission)
1: Do not allow enumeration of SAM accounts and shares (enumeration of SAM accounts and sharing is not allowed)
2: No access without explicit anonymous permissions (access is not allowed without explicit anonymous permissions)
The value 0 is the default value and has no restrictions. remote users can know all the accounts, group information, shared directories, and network transmission lists (NetServerTransportEnum) on your machine, this setting is very dangerous for servers.
1. this value only allows non-NULL users to access SAM account information and share information.
2. this value is only supported in win2000. it should be noted that if you use this value, your sharing estimation will all be finished, therefore, it is recommended that you set it to 1.
Now, intruders cannot get our user list. our account is secure ...... Slow down. at least one account can run the password, which is the built-in administrator in the system. what should I do? In computer management> user account, right-click administrator and rename it. just remember what you want.
After changing the hypervisor user name, you can still see it on the logon interface of the Terminal Service (remember it after you log on ),
Modification method:
Run regedit and find
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ winlogon
The data in the Don't Display Last User Name string in item is changed to 1, so that the system will not automatically Display the Last login User Name.

To ensure security, you can also enable TCP/IP filtering, right-click Network neighbor on the desktop-> Properties-> right-click the network adapter you want to configure-> Properties-> TCP/IP-> Advanced-> Options-> TCP/IP filtering,
There are three filters: TCP port, UDP port, and IP protocol.
TCP port, click "only allow", and add the port you need to open below. Generally, the WEB server only needs to open 80 (www ),
The FTP server requires 20 (FTP Data), 21 (FTP Control), 3306 (Mysql), and 3389 (Remote Terminal Control. if your host is hosted in another machine room, this is not required for direct * operations)
The mail server may need to open 25 (SMTP), 110 (POP3). I have not studied the port, but if you follow the services provided in this article, you only need to open the above several. (, 3306)

-- Cgi support

Download activeperl (you can download the latest version from www.perl.com)

1. run install.exe. it is installed in C: \ PERL by default. for convenience, install install.exe in the C: \ USR directory, (in this way, the path for writing the Perl interpreter can be directly used #! /Usr/bin/perl: the path of the standalone environment and the network environment can be consistent. During installation, press Y .)
2. after installation, follow the three steps below to modify the registry: run RegEdit and search for: HKEY_LOCAL_MACHINE \ System \ Currentcontrlset \ Services \ W3svc \ Parameters \ scriptMap \ key name,
Then add the key name :". cgi ", key value:" C: \ USR \ BIN \ perl.exe % s "and key name :". pl ", key value:" C: \ USR \ BIN \ perl.exe % s"
(Do not know how to build? Then, in the box on the right ---> right-click ---> New --> Change the string value name to. cgi. double-click the key to enter the value data, that is, the key value mentioned above)
To allow this host to support php, add the support for php and php3 here by the way (it will be easier to create new sites in the future)
Add the key name ". php" and the key value: "C: \ php \ php.exe % s"
Add the key name ". php3" and the key value: "C: \ php \ php.exe % s"
OK. it takes effect immediately after restart! Cgi support! After a new site is created, php and cgi support will be added by default in the application configuration (if you do not grant this permission, delete it ).
Cgi support!

-- Mysql support

Download mysql (you can download the latest version from www.mysql.com)

1. decompress and run setup.exe for full installation. the default installation path is c: \ mysql;
2. after the installation is complete, open "run" in the "start" button, enter the command: C: \ mysql \ bin \ mysqld-nt.exe -- install, and execute;
3. start --> program --> management tool --> service --> find mysql --> start it;
4. mysql installation is complete. restart win2000.
5. after the restart, open C: \ mysql \ bin \ winmysqladmin.exe. when using it for the first time, you need to set the administrator name and password, respectively set the user name and password, A small "traffic light" icon will appear on the system tray (it will be automatically loaded when the system starts later ).
6. OK, mysql support!

-- Php support

Download PHP (you can download the latest version from www.php.com)

1. decompress php 4.0.4 to c: \ php;
2. set PHP in the php directory. copy the ini-dist file to the WinNT directory and change it to php. ini; (this is the php configuration file and can be run without any changes. I did not study it carefully)
3. modify php as needed. ini file content. to use the session function, create the c: \ tmp directory and. session in ini document. the value of save_path is set to absolute path: c:/tmp;
4. copy the Php4ts. dll file in the PHP directory to the WinNt \ System32 directory;
5. start "Internet service manager" (IIS) in the management tools on the control panel );
6. open the site attribute. in the 'isapi filter' option, add a new filter, use 'php' as the filter name, and fill in php4isapi in the executable file column. dll and its path (c: \ php \ sapi \ php4isapi. dll ).
7. in the "document" option of the attribute, "enable default document" and add "index. php ";