Hacker defense-Windows permission settings

With the wide application of the forum, the discovery of the online upload vulnerability, and the increasing use of SQL injection attacks, WEBSHELL makes the firewall useless, even if a WEB server with all Microsoft patches and port 80 open to the outside world, it cannot escape the fate of being hacked. Is there nothing we can do about it? In fact, as long as you understand the permission settings in the NTFS system, we can say NO to crackers!

To build a secure WEB server, you must use NTFS and Windows NT/2000/2003. as we all know, Windows is an operating system that supports multiple users and tasks. This is the basis of permission settings. All permission settings are based on users and processes. When different users access this computer, different permissions are granted. DOS is a single task and user operating system. But can we say DOS has no permission? No! When we open a computer with a DOS operating system, we have the Administrator permission for the operating system, and this permission is everywhere. Therefore, we can only say that DOS does not support permission settings. It cannot be said that it does not have permission. As people's security awareness improves, permission settings are born with the release of NTFS.

In Windows NT, users are divided into many groups, with different permissions between groups. Of course, users in a group and users in a group can also have different permissions. Next we will talk about the common user groups in NT.

Administrators. By default, users in Administrators have unrestricted full access to computers/domains. The default permissions assigned to this Group allow full control over the entire system. Therefore, only trusted personnel can become members of this group.

Power Users, advanced user group, and Power Users can execute any operating system task except the task retained for the Administrators group. The default permission assigned to the Power Users Group allows members of the Power Users Group to modify the settings of the entire computer. However, Power Users does not have the permission to add itself to the Administrators group. In permission settings, the permissions of this group are second only to those of Administrators.

Users: Common User Group. Users in this group cannot make changes intentionally or unintentionally. Therefore, you can run verified applications, but not most old applications. The Users Group is the safest group, because the default permissions assigned to this group do not allow Members to modify operating system settings or user information. The Users Group provides the safest running environment. On a volume formatted with NTFS, the default security settings are designed to prevent members of this group from endangering the integrity of the operating system and installed programs. You cannot modify system registry settings, operating system files, or program files. Users can shut down the workstation but not the server. You can create a local group, but you can only modify the local group you created.

Guests: The Guests group. By default, the Guests have the same access permissions as common Users members, but the Guest account has more restrictions.

Everyone: as the name suggests, all users on this computer belong to this group.

In fact, another group is also very common. It has the same or even higher permissions as Administrators, but this group does not allow any users to join. When viewing user groups, it will not be displayed. It is a SYSTEM group. Permissions required for the normal operation of system and system-level services are granted by the system. Since this group only has this user SYSTEM, it may be more appropriate to classify the Group as a user.

Permissions are classified into different levels. Users with high permissions can operate on users with low permissions. However, except for Administrators, Users in other groups cannot access other user data on NTFS volumes, unless they are authorized by these users. Low-Permission users cannot perform any operations on high-Permission users.

We usually do not feel the permission to obstruct you from doing something when using the computer. This is because we use the user login in the Administrators when using the computer. This has both advantages and disadvantages. Of course, you can do anything you want without permission restrictions. The disadvantage is that running a computer as a member of the Administrators group will make the system vulnerable to Trojans, viruses, and other security risks. Simple operations to access an Internet site or open an email attachment may damage the system. Unfamiliar Internet sites or email attachments may have Trojan code that can be downloaded to the system and executed. If you log on as an administrator of a local computer, the Trojan horse may use administrative access to reformat your hard disk, causing immeasurable losses, you are advised not to log on from the Administrators. The Administrator account is a default user created during system installation. The Administrator account has full control permissions on the server and can assign user rights and access control permissions to users as needed. Therefore, we strongly recommend that you use a strong password for this account. You can never delete an Administrator account from the Administrators group, but you can rename or disable this account. As we all know that "Administrators" exist in many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and access this account. For a good server administrator, they usually rename or disable this account. In the Guests user group, there is also a default user-Guest, but it is disabled by default. You do not need to enable this account unless necessary. You can use "Control Panel"> "Management Tools"> "Computer Management"> "users and user groups" to view user groups and users in the group.

Right-click a directory under an NTFS Volume or NTFS Volume, and select "properties"> "security" To Set permissions for a volume or directory under a volume, you can view the following seven permissions: full control, modification, read and run, list folder directories, read, write, and special permissions. "Full control" means that this volume or directory has unrestricted full access. The status is the same as the status of Administrators in all groups. If "full control" is selected, the following five attributes are automatically selected. "Modify" is like Power users. If "modify" is selected, the following four attributes are automatically selected. If any of the following items is not selected, the "modify" condition is no longer valid. "Read and run" is to allow reading and running any files in this volume or directory. "list folder directories" and "read" are necessary for "read and run. "List folder directories" means that you can only browse the volume or sub-directories under the directory, and cannot read or run. "Read" is the ability to read data in the volume or directory. "Write" means data can be written to the volume or directory. The "special" section describes the six permissions listed above. Readers can conduct further research on "special" on their own. I will not go into detail here.

Next we will comprehensively analyze a WEB server system that has just installed the operating system and service software and its permissions. The Server uses Windows 2000 Server, and SP4 and various patches have been installed. WEB service software uses IIS 2000 that comes with Windows 5.0, removing unnecessary mappings. The entire hard disk is divided into four NTFS volumes. Drive C is the system volume and only the system and driver are installed. Drive D is the software volume, and all installed software on the server is in drive D; the e-disk is a WEB application volume, and the website program is in the WWW directory under the volume; the F-disk is a website data volume, and all the data called by the website system is stored in the WWWDATABASE directory of the volume. Such classification is more in line with the standards of a secure server. We hope that new administrators can classify your server data reasonably. This not only facilitates searching, but also greatly enhances the server security, because we can set different permissions for each volume or directory as needed. Once a network security accident occurs, we can minimize the loss. Of course, you can also distribute website data on different servers to form a server group. Each server has a different user name and password and provides different services, this is more secure. However, people who are willing to do this have a special feature-rich :). okay, let's get down to it, the server's database is MS-SQL, The MS-SQL service software SQL2000 is installed in d: ms-sqlserver2K directory, set a strong enough password for the SA account, installation assumes that the Internet domain name of the server is _ blank> http://www.webserver.com After scanning it with the scanning software, we found that the WWW and FTP services are open and that the service software uses IIS 5.0 and Serv-u 5.1, some overflow tools for them are used to find that they are invalid, so they give up the idea of direct remote overflow. Open the website page and find that you are using the dynamic network forum system, so add a/upfile after the domain name. asp. If a file upload vulnerability is found, capture the packet and submit the modified ASP Trojan with NC. A prompt is displayed, indicating that the upload is successful. a webshell is obtained and the uploaded ASP Trojan is opened, we found that MS-SQL, Norton Antivirus, and BlackICE were running. We determined that it was a firewall restriction and blocked the SQL Service port. The PID of Norton Antivirus and BlackICE is viewed through the ASP Trojan, and a file that can kill the process is uploaded through the ASP Trojan. After running the file, Norton Antivirus and BlackICE are killed. scan again and find that port 1433 is open. At this point, there are many ways to obtain administrator permissions. You can view the conn under the website directory. asp obtains the SQL username and password, and then logs in to SQL to execute the add user operation to grant administrator privileges. You can also grasp the ServUDaemon. ini under the SERV-U after modification upload, get the system administrator privileges. You can also pass a tool that overflows the SERV-U locally to add users directly to the Administrators and so on. As you can see, once a hacker finds a starting point, the hacker can easily gain administrator permissions without permission restrictions.

Now let's take a look at the default permission settings for Windows 2000. By default, the root directory of each volume gives full control to the Everyone group. This means that any user accessing the computer will do whatever he wants in these root directories without restriction. Three directories in the system volume are special. By default, the system gives them limited permissions. These three directories are Documents and settings, Program files, and Winnt. for Documents and settings, the default permissions are assigned as follows: Administrators have full control; Everyone has read and operation, column and read permissions; Power users has read and operation, column and read permissions; SYSTEM is the same as Administrators; Users has read and operation, column, and read permissions. For Program files, Administrators have full control; Creator owner has special permissions; Power users has full control; SYSTEM has full control with Administrators; Terminal server users, and Users has read and run, column and read permissions. For Winnt, Administrators has full control; Creator owner has special permissions; Power users has full control; SYSTEM has the same permissions as Administrators; Users has read, run, column, and read permissions. Not all objects in the system volume