Serv-U is a classic FTP server used by most administrators, who praise its simple installation and configuration and its powerful, user-friendly management. But as its user base has grown, security problems in the software have emerged.
The first were the Serv-U SITE CHMOD and MDTM vulnerabilities, which let anyone with an account easily obtain system privileges. The second is the Serv-U local overflow vulnerability: Serv-U has a default administrative user (username: localadministrator, password: # @ $ak #. K;0@P), and anyone who can access an account on local port 43958 can delete accounts and execute arbitrary internal and external commands.
At that point people began to pay attention to the security of Serv-U and took measures such as changing the Serv-U management port, account and password. However, the changed values are still stored in the ServUDaemon.exe file, so anyone who downloads that file and opens it in UltraEdit or another hex editor can easily read the modified port, account and password.
Starting with Serv-U 6.0.0.2, the software has a login password feature, so if you add a management password and configure the rest well, Serv-U will be more secure than before. Let us now walk through the Serv-U settings; the version used here is Serv-U 6.0.0.2.
As the old saying goes, a tower a thousand feet high rises from the soil at its base, and securing Serv-U begins with installation. This article is mainly about Serv-U security settings, so it does not cover installation in detail and only gives the main points.
By default Serv-U is installed in the C:\Program Files\Serv-U directory, and it is best to change this. For example, a path such as D:\U89327850MX8UTU432X$UY32X211936890CO7V23X1T3 (Figure 1) is difficult to guess as long as web users cannot browse the installation disk. After installation, shortcuts are created on the desktop and in the Start menu; deleting them is recommended because they are not normally used. You may ask how to reach the Serv-U settings interface in that case. It is very simple: double-click the small monitor icon in the taskbar tray at the lower right to open the Serv-U management interface.
Figure 1: Modifying the installed directory
Only the first 2 items need to be installed; the other 2 are the documentation and the online Help files. (See Figure 2)
Figure 2: Only the first 2 items need to be selected at installation time
The next screen sets the name of the folder created in the Start menu group. It is recommended that you change it to a name that does not suggest Serv-U, or delete the folder. (See Figure 3)
Figure 3: Change the name of the folder in the Start menu group after installation
When the installation is complete, a wizard appears that offers to create a domain and an account. Click Cancel here to exit the wizard. The accounts generated by the wizard have some problems, so create domains and accounts by hand. (See Figure 4)
Figure 4: Click Cancel Wizard
Then tick the option in front of "Start automatically (system service)" and click the Start Server button below it. This adds Serv-U to the system services so that it starts with the system and does not have to be started manually each time. (See Figure 5)
Figure 5: Adding serv-u to the service
The interface shown in Figure 6 then appears. Click Set/Change Password to set a password.
Figure 6: Click Set/Change Password to set the password
The interface shown in Figure 7 then appears. Because this is the first use, there is no password yet, which means the original password is empty. Do not enter anything in Old Password; enter the same password in New Password and Repeat New Password, then click OK. It is recommended that you set a password complex enough to resist brute-force cracking. If you forget it, that does not matter: clear the LocalSetupPassword= line in ServUDaemon.ini, save the file, and the next time you run ServUAdmin.exe it will not prompt for a login password.
Figure 7: Setting and changing the password interface
Now it is time to configure security for Serv-U. First create a Windows account named SSERVU; its password also needs to be complex enough. Remember the password, or save it temporarily in a file if you cannot, because it is needed again in a moment. (See Figure 8)
Figure 8: Creating a Windows Account
After you have created the account, double-click the user to edit its properties and remove the Users group from "Member Of".
Figure 9: Removing the Users group from Member Of
In the Terminal Services Profile options, clear the "Allow logon to Terminal Server (W)" option and click OK to continue with the settings. (See Figure 10)
Figure 10: Cancel "Allow logon to Terminal Server"
The service account is now created. Next we put it to use; hopefully you have not forgotten the password, because it is needed shortly.
Find "Services" under Administrative Tools in the Start menu and open it. Right-click the Serv-U FTP Server service and select Properties to continue.
Then click "Log On" to open the logon account selection interface. Select the Windows account you just created and enter its password twice below (the one you just memorized), click "Apply", and then click OK to complete the service settings. (See Figure 11)
Figure 11: Changing the logon account and password used to start Serv-U
The next step is to use the FTP administration tool to create a domain, then create an account, and choose to store the accounts in the registry. (See Figure 12)
Figure 12: FTP user passwords saved to the registry
Now open the registry and set the appropriate permissions; otherwise Serv-U will not be able to start. Go to Start -> Run, enter regedt32 and click "OK" to continue.
Locate the [HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft] branch. Right-click it, select Permissions, then click Advanced and clear "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." Click "Apply" to continue, then delete all the accounts. Click OK again to continue. A dialog box appears that says "You have denied all users access to Cat Soft. No one can access Cat Soft, and only the owner can change permissions. Do you want to continue?" Click "Yes" to continue. Then click Add to add the SSERVU account we created to the permission list of the subkey, and give it Full Control. The registry is now set up. However, you cannot restart Serv-U yet, because the permissions on the installation directory have not been set.
Set them now: keep only your admin account and the SSERVU account, and grant all permissions except Full Control. (See Figure 13)
Figure 13: Serv-U installation directory permission settings
Now restarting the Serv-U FTP Server service from Services will work normally. The setup is not finished, however: your FTP users still cannot log in because they have no permissions, so the directory permissions must be set as well.
Suppose you have a web directory at d:\web. In the "Security" settings of this directory, remove every entry except Administrators and the IIS user, then add the SSERVU account; remember to remove the SYSTEM account as well. Why set it up this way? Because Serv-U is now started with the SSERVU account rather than with SYSTEM privileges, directories are accessed as SSERVU and no longer as SYSTEM, so SYSTEM is not needed, and even a successful overflow does not yield SYSTEM privileges. In addition, on the root directory of the disk where the web directory resides, grant the SSERVU account browse and read permissions, and in Advanced confirm that they apply to this folder only. (See Figure 14)
Figure 14: Permission settings on the disk where the web directory resides
At this point the configuration is complete. These Serv-U settings work together with IIS: because IIS uses a different account, web users cannot access the Serv-U directory, and because the web directory grants no permissions to SYSTEM, the SYSTEM account cannot access the web directory either. That is, even someone who has backup rights in MSSQL cannot back up a shell into your web directory. You can now use Serv-U safely.
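The steps above can be checked afterwards with a short read-only audit. The following PowerShell script is an added example, not part of the original article; it assumes the service's display name contains "Serv-U" and uses the account name, registry branch and web directory given in the text.

```powershell
# Added example: read-only audit of the hardening steps above. Run elevated.
$SvcAccount = 'SSERVU'                      # service account created in the article
$SvcFilter  = "DisplayName LIKE '%Serv-U%'" # assumption: display name contains "Serv-U"
$RegKey     = 'HKLM:\SOFTWARE\Cat Soft'     # registry branch named in the article
$WebDir     = 'D:\web'                      # example web directory from the article

function Get-AccountName($Identity) {
    # Strip the domain or machine prefix: "HOST\SSERVU" -> "SSERVU"
    ("$Identity" -split '\\')[-1]
}

function Test-ServiceAccount {
    $svc = Get-CimInstance Win32_Service -Filter $SvcFilter | Select-Object -First 1
    if (-not $svc) { return 'FAIL: no Serv-U service found' }
    if ((Get-AccountName $svc.StartName) -eq $SvcAccount) {
        "OK:   service logs on as $($svc.StartName)"
    } else {
        "FAIL: service logs on as $($svc.StartName), expected $SvcAccount"
    }
}

function Test-RegistryAcl {
    $acl  = Get-Acl -Path $RegKey
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    if ($acl.AreAccessRulesProtected) { 'OK:   inheritance from the parent key is disabled' }
    else { 'FAIL: key still inherits permissions from its parent' }
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    if ($allow.Count -eq 0) { 'FAIL: no account can read the key; Serv-U will not start' }
    foreach ($ace in $allow) {
        $name = Get-AccountName $ace.IdentityReference
        if ($name -ne $SvcAccount) { "FAIL: unexpected account on key: $($ace.IdentityReference)" }
        elseif (($ace.RegistryRights -band $full) -eq $full) { "OK:   $name has Full Control on the key" }
        else { "FAIL: $name lacks Full Control; Serv-U may not start" }
    }
}

function Test-WebDirAcl {
    # The article removes SYSTEM from the web directory and adds the service account.
    $names = (Get-Acl -Path $WebDir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { Get-AccountName $_.IdentityReference }
    if ($names -contains 'SYSTEM') { "FAIL: SYSTEM still has access to $WebDir" }
    else { "OK:   SYSTEM has no access to $WebDir" }
    if ($names -contains $SvcAccount) { "OK:   $SvcAccount can reach $WebDir" }
    else { "FAIL: $SvcAccount has no access to $WebDir; FTP users cannot log in" }
}

Test-ServiceAccount
Test-RegistryAcl
Test-WebDirAcl
```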