With the widespread use of forums, the discovery of file-upload vulnerabilities, and the growing use of SQL injection attacks, a WEBSHELL renders the firewall useless: even a WEB server with every Microsoft patch installed and only port 80 open to the outside world cannot escape being hacked. Is there really nothing we can do? In fact, as long as you understand the permission settings of the NTFS file system, you can say NO to crackers!
To build a secure WEB server, the server must use NTFS and Windows NT/2000/2003. As we all know, Windows is a multi-user, multi-tasking operating system, and that is the foundation of permission settings: every permission is assigned to a user and to the processes that run as that user, so different users accessing the same computer are granted different rights.
DOS and WinNT Permissions
DOS is a single-task, single-user operating system. Can we say that DOS has no permissions? No! When we boot a computer running DOS, we hold what amounts to Administrator permission over the whole system, and that permission applies everywhere. So we can only say that DOS does not support permission settings, not that it has no permissions. As security awareness improved, permission settings arrived together with NTFS.
In Windows NT, users are divided into groups, and different groups have different permissions. Of course, users within the same group can also be given different permissions. Next we will look at the common user groups in NT.
Administrators: by default, members of Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control over the entire system, so only trusted personnel should be members of this group.
Power Users: the advanced user group. Power Users can perform any operating system task except those reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify computer-wide settings, but Power Users cannot add themselves to the Administrators group. In terms of permissions, this group is second only to Administrators.
Users: the ordinary user group. Members of this group cannot make system-wide changes, whether intentionally or accidentally, so they can run certified applications but not most legacy applications. Users is the safest group, because the default permissions assigned to it do not allow members to modify operating system settings or user information.
The Users group provides the safest runtime environment. On a volume formatted with NTFS, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs: they cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation but not a server. They can create local groups, but can only modify the local groups they created.
Guests: the Guests group. By default, Guests have the same access permissions as ordinary members of Users, but the Guest account has additional restrictions.
Everyone: as the name suggests, every user of this computer belongs to this group.
In fact, there is another very common principal with permissions equal to or even higher than Administrators, but no user can be added to it, and it is not displayed when viewing user groups: SYSTEM. The permissions needed for the normal operation of the system and of system-level services are granted through it. Since this "group" contains only the single built-in account SYSTEM (NT AUTHORITY\SYSTEM), it is more accurate to think of it as a user.
Comparing Permission Levels
Permissions are divided into levels. A user with higher permissions can act on a user with lower permissions. However, apart from Administrators, users in other groups cannot access other users' data on NTFS volumes unless those users have granted them access, and a low-permission user cannot do anything to a high-permission user.
We usually do not feel permissions getting in the way of what we do on a computer. That is because we use the computer while logged in as a member of Administrators. This has advantages and disadvantages. The advantage, of course, is that you can do whatever you want without permission restrictions.
The disadvantage is that running the computer as a member of the Administrators group leaves the system vulnerable to Trojans, viruses, and other security risks. Something as simple as visiting an Internet site or opening an email attachment can damage the system.
An unfamiliar Internet site or email attachment may carry Trojan code that is downloaded to the system and executed. If you are logged on as an administrator of the local computer, the Trojan can use that administrative access to reformat your hard disk, causing immeasurable loss, so you are advised not to log on as a member of Administrators for day-to-day work. The Administrator account has full control over the server and can assign user rights and access control permissions to other users as needed.
Therefore, we strongly recommend that you set a strong password on this account. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because "Administrator" exists in many versions of Windows and is therefore a well-known target, renaming or disabling it makes it harder for a malicious user to find and attack this account.
A good server administrator usually renames or disables this account. The Guests group also has a default user, Guest, which is disabled by default; do not enable it unless necessary.
What is a strong password? One of at least 8 characters that mixes upper- and lower-case letters, digits and symbols. It cannot completely defend against determined attackers, but it makes cracking considerably harder.
You can view user groups and their members under Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
Right-click an NTFS volume, or a directory on an NTFS volume, and choose Properties > Security to set permissions for it. Seven permissions are listed: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions.
"Full Control" grants unrestricted access to the volume or directory, comparable to what members of Administrators have over the whole system. Selecting "Full Control" automatically selects the five permissions below it.
"Modify" is roughly what Power Users get. Selecting "Modify" automatically selects the four permissions below it, and if any of those four is cleared, "Modify" is no longer satisfied. "Read & Execute" allows reading and running any file in the volume or directory; "List Folder Contents" and "Read" are prerequisites of "Read & Execute".
"List Folder Contents" allows only browsing the volume or the subdirectories under the directory, without reading file contents or running files. "Read" allows reading data in the volume or directory. "Write" allows writing data to the volume or directory. "Special Permissions" are the finer-grained rights from which the six permissions above are composed; readers can explore them on their own, and I will not go into detail here.
Permission settings for a simple server: a worked example
Next we will analyze the permissions of a WEB server on which the operating system and service software have just been installed. The server runs Windows 2000 Server with SP4 and all current patches installed.
The WEB service software is IIS 5.0, which ships with Windows 2000, with unnecessary script mappings removed. The hard disk is divided into four NTFS volumes: drive C is the system volume, holding only the system and drivers; drive D is the software volume, where all software installed on the server lives; drive E is the WEB application volume, with the website program in its WWW directory; drive F is the website data volume, with all data used by the website kept in its WWWDATABASE directory.
This layout is closer to the standard of a secure server, and we hope new administrators will organize server data sensibly. It not only makes things easier to find but also greatly improves security, because each volume or directory can be given exactly the permissions it needs, and if a security incident does occur the damage can be kept to a minimum.
Of course, you can also spread website data across several servers forming a server group, each with different user names and passwords and providing a different service; that is even more secure.
The server database is MS-SQL: SQL Server 2000 is installed under D:\ms-sqlserver2K, the SA account has a sufficiently strong password, and SP3 is applied. To make it easy for the web page makers to manage pages, the site also runs an FTP service, Serv-U 5.1.0.0, installed under D:\ftpservice\serv-u. The anti-virus software and firewall are Norton AntiVirus and BlackICE, installed under D:\NortonAV and D:\firewall\blackice; the virus database is up to date, and the firewall rules allow only ports 80 and 21 from the outside. The website is a Dvbbs 7.0 forum, installed under E:\www\bbs.
Careful readers may have noticed that I did not install any of this service software in its default path, nor merely change the drive letter of the default path. That too is a security measure: if a hacker gets into your server by some route but does not have administrator permissions, the first thing he does is look at which services are running and which software is installed, because he needs them to escalate his privileges.
A hard-to-guess path combined with good permission settings will block him. I believe a WEB server configured this way is enough to fend off most attackers of modest skill. The reader may ask: "Is this not pointless? I have done all the other security work well; is permission setting really necessary?" Of course it is! Even if you have already perfected system security, remember that new vulnerabilities are discovered all the time.
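As an added example (not code from this article), the following Python script ties the permission bundles described earlier (Full Control, Modify, Read & Execute, Read, Write) to the access-mask bits they are composed of, and then audits an ACL listing of the volume layout above for the one thing an upload attack needs: a web-facing principal (Everyone, Users, or the IIS anonymous account) that is allowed to create files. The listing, the account name IUSR_WEBSRV, and the upload directory are all constructed; the listing is written in the format of the later icacls tool rather than the cacls of the article's Windows 2000 era, because icacls prints rights in well-defined codes that can be decoded back to mask bits.

```python
import re

# Individual NTFS rights as they appear in an ACE access mask (same values as
# .NET FileSystemRights). Folder meaning in the comment where it differs.
READ_DATA = 0x000001          # List Folder on a directory
WRITE_DATA = 0x000002         # Create Files on a directory
APPEND_DATA = 0x000004        # Create Folders on a directory
READ_EA = 0x000008
WRITE_EA = 0x000010
EXECUTE = 0x000020            # Traverse Folder / Execute File
DELETE_CHILD = 0x000040
READ_ATTRIBUTES = 0x000080
WRITE_ATTRIBUTES = 0x000100
DELETE = 0x010000
READ_PERMISSIONS = 0x020000
CHANGE_PERMISSIONS = 0x040000
TAKE_OWNERSHIP = 0x080000
SYNCHRONIZE = 0x100000

# The basic permissions in the Security tab are fixed bundles of those bits;
# Modify contains Read & Execute, Read and Write, and Full Control contains all.
READ = READ_DATA | READ_EA | READ_ATTRIBUTES | READ_PERMISSIONS        # 0x020089
WRITE = WRITE_DATA | APPEND_DATA | WRITE_EA | WRITE_ATTRIBUTES          # 0x000116
READ_AND_EXECUTE = READ | EXECUTE                                       # 0x0200A9
MODIFY = READ_AND_EXECUTE | WRITE | DELETE                              # 0x0301BF
FULL_CONTROL = 0x1F01FF                                                 # every bit above
BASIC = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
         ("Read & Execute", READ_AND_EXECUTE), ("Read", READ), ("Write", WRITE)]

# icacls rights codes: simple codes, or comma-separated specific rights
# printed in one pair of parentheses, e.g. (RD,REA,RA,RC,WD,AD,WEA,WA).
SIMPLE = {"F": FULL_CONTROL, "M": MODIFY, "RX": READ_AND_EXECUTE,
          "R": READ, "W": WRITE, "D": DELETE, "N": 0}
SPECIFIC = {"RD": READ_DATA, "WD": WRITE_DATA, "AD": APPEND_DATA, "REA": READ_EA,
            "WEA": WRITE_EA, "X": EXECUTE, "DC": DELETE_CHILD, "RA": READ_ATTRIBUTES,
            "WA": WRITE_ATTRIBUTES, "DE": DELETE, "RC": READ_PERMISSIONS,
            "WDAC": CHANGE_PERMISSIONS, "WO": TAKE_OWNERSHIP, "S": SYNCHRONIZE}
INHERIT = {"OI", "CI", "IO", "NP", "I"}   # inheritance flags, not rights

ACE_RE = re.compile(r"\s*(?:([A-Za-z]:\\\S*)\s+)?([^:]+):((?:\([^)]*\))+)\s*$")


def basic_permissions(mask):
    """Names of the basic permissions a mask satisfies. A bundle counts only
    when all of its bits are present, which is why ticking Modify in Explorer
    also ticks the bundles below it. Synchronize is ignored: the tab hides it."""
    names = []
    for name, bundle in BASIC:
        need = bundle & ~SYNCHRONIZE
        if mask & need == need:
            names.append(name)
    return names


def parse_icacls(text):
    """Parse icacls-style output into (path, principal, mask, inherit_flags).
    A line without a leading path continues the previous path."""
    aces, path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                       # blank line or summary line
        path = m.group(1) or path
        groups = re.findall(r"\(([^)]*)\)", m.group(3))
        flags = {g for g in groups if g in INHERIT}
        mask = 0
        for g in groups:
            if g in SIMPLE:
                mask |= SIMPLE[g]
            elif g not in INHERIT:
                for right in g.split(","):
                    mask |= SPECIFIC[right]
        aces.append((path, m.group(2), mask, flags))
    return aces


def audit(aces, web_account):
    """Report every ACE that lets a web-facing principal (Everyone, Users or
    the IIS anonymous account) create files or folders. That is exactly what
    an upload hole needs to plant an ASP Trojan, and a freshly formatted NTFS
    volume on Windows 2000 hands Everyone Full Control by default."""
    exposed = {"everyone", "users", web_account.lower()}
    findings = []
    for path, who, mask, _flags in aces:
        if who.split("\\")[-1].lower() not in exposed:
            continue
        if mask & (WRITE_DATA | APPEND_DATA):
            level = "full control" if mask & CHANGE_PERMISSIONS else "write"
            findings.append((path, who, level))
    return findings


# Constructed listing for the article's volume layout: default-style ACLs plus
# one upload directory where the anonymous account gets Read and Write only.
SAMPLE = r"""
E:\www\bbs BUILTIN\Administrators:(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           Everyone:(OI)(CI)(F)
E:\www\bbs\upload WEBSRV\IUSR_WEBSRV:(OI)(CI)(RD,REA,RA,RC,WD,AD,WEA,WA)
F:\wwwdatabase BUILTIN\Administrators:(OI)(CI)(F)
               WEBSRV\IUSR_WEBSRV:(OI)(CI)(RX)
"""

if __name__ == "__main__":
    for path, who, level in audit(parse_icacls(SAMPLE), "IUSR_WEBSRV"):
        print("%-20s %-24s %s" % (path, who, level))
```

Run as-is, the audit reports two things: Everyone holding Full Control on E:\www\bbs, which is the Windows 2000 default on a new volume and is what lets the attack in the next section drop a file anywhere under the web root, and the anonymous account's write access on the upload directory. The second is unavoidable for an upload feature and is acceptable only when that directory is also denied script execution in the IIS console (Execute Permissions: None), because IIS needs only Read on an .asp file to run it through the script mapping, so stripping NTFS Execute alone does not stop an uploaded Trojan from running.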
A Permission Attack Example
Permissions will be your last line of defense! Now we will simulate an attack on this server, configured with no custom permissions and using all of Windows' default permissions, to see whether it is really solid.
Assume the server's Internet domain name is http://www.webserver.com. Scanning it finds the WWW and FTP services open and identifies the software as IIS 5.0 and Serv-U 5.1. A few overflow tools for these are tried and found ineffective, so the idea of a direct remote overflow is abandoned.
Opening the website shows that it runs the Dvbbs forum system, so /upfile.asp is appended to the domain name. A file upload vulnerability is found; the request is captured, modified to carry an ASP Trojan, and submitted with NC. The page reports that the upload succeeded, and a webshell is obtained. Opening the uploaded ASP Trojan shows that MS-SQL, Norton AntiVirus, and BlackICE are running, and since the SQL Server port cannot be reached, it is concluded that the firewall is blocking it.
Using the ASP Trojan, the PIDs of Norton AntiVirus and BlackICE are looked up, and a process-killing tool is uploaded through the Trojan. After running it, Norton AntiVirus and BlackICE are killed. Scanning again shows that port 1433 is now open. At this point there are many ways to obtain administrator permissions. You can view