Summary: Running IIS with its default settings is like handing someone the keys to your house; this article teaches you how to lock the door. (This is not a 100% literal translation; the text in brackets is Begging Cat's own nonsense.)
No system is 100% secure. System vulnerabilities are constantly being discovered, and hackers and system administrators alike watch newsgroups all day to collect information about them. The fight between hackers and anti-hackers will go on forever.
If you run IIS with its default settings, you are already on the defensive in this battle. Windows NT installs as an open server that even a rookie hacker can break into. A few simple steps, described below, greatly improve the situation. I won't claim they make the server impregnable, but at least your data will not end up known to the whole world.
A secure system should have multiple layers of protection. A typical computer system has three: the physical layer, the network layer and the file system. The physical layer protects the computer hardware itself, so that hard disks and floppy disks are not stolen; I need say no more about it. The network layer protects the connections to the Internet and the local LAN, mainly through firewalls and port access permissions. The innermost layer is the file system, which is also the target of most attacks, and it is the main subject here.
The problem with the default settings
By default NT is set up as an open system: the file system has almost no security settings, and any user on the network can read, write and delete files. This is mainly because NT makes heavy use of the Everyone group (more frightening still, the default is Full Control), and in theory any user on earth belongs to the Everyone group. NetWare, by contrast, is set up by default as a closed system, and its security is much better. Why does Microsoft do such a stupid thing? Possibly because granting maximum permissions reduces the number of technical support calls caused by permission problems. (Is that right?)
IIS has a number of problems of its own. When you install IIS, the system creates an account whose name begins with IWAM_ (IUSR_ in earlier versions). It belongs to the Guests group and can access every file that the Guests group and the Everyone group have permissions on. With a default installation, this user can access 90% of the system files.
The obvious solution is to remove all permissions of the Everyone group, but in practice that does not work. IIS needs to access not only HTML files but also scripts and ActiveX controls, and to execute DLLs, so removing every Everyone permission at once breaks the system. Use the system security tools below and do it step by step.
System Security Tools
It is important to familiarize yourself with the following NT system security tools:
User Manager (Usrmgr.exe)
IIS 4.0: Microsoft Management Console (MMC.EXE)
IIS 3.0: Internet Service Manager (INETMGR.EXE)
Registry Editor (REGEDT32.EXE)
(Introductions omitted; I don't believe you have never used these.)
Command Line ACL Editor (CACLS.EXE)
Few people may know this tool. It also ships with NT and is used to manage access control lists (ACLs).
Control Panel, System applet
This tool is used to manage system environment variables.
Step One: Use a dedicated web group
1. Create a local group called WWW with User Manager.
2. Remove the IWAM_ account from the Guests group and add it to the WWW group.
3. Give the WWW group the "Access this computer from network" right, which allows IIS to perform a local logon.
4. Restart the WWW service.
5. Run the following command on the web root directory:
CACLS <dir>\*.* /T /E /C /G WWW:R
Parameter meaning
<dir>\*.* The web root directory. With IIS 4.0 this is usually C:\Inetpub\WWWRoot.
/T Apply to the files in the directory and in all of its subdirectories.
/E Edit the existing ACL instead of replacing it.
/C Continue when an access-denied error occurs instead of stopping.
/G WWW:R Grant the WWW group Read permission.
All files under the web directory now grant Read permission to the WWW group. Don't forget to run this command on the other directories that contain web content (mostly virtual directories).
Step two: Delete the Everyone group
When you are done, Internet users can only see the files they are allowed to see. That is not enough, though, because the Everyone group still exists; you now need to remove the Everyone group from all the files on the computer.
Removing the Everyone group is not as simple as you might think. Many Microsoft DLL files list only the Everyone group in their ACL. If you remove it in one sweep, none of these DLL files can be accessed: the ACL becomes empty as soon as the Everyone group is deleted, and an empty ACL means that nobody has any permissions. So run the following command:
CACLS C:\*.* /T /E /C /G Users:F /R Everyone
Parameter meaning
/G Users:F Grant the Users group Full Control.
/R Everyone Revoke all permissions of the Everyone group.
This guarantees that no ACL ends up empty. It does, however, bring two problems: the machine is completely open to the local network, and the permissions of far too many system files are changed. The best approach is to find out which files have only the Everyone group in their ACL. Unfortunately Windows NT does not provide that function, but there are third-party tools that do. (The original text does not name the tools.) If such tools are available, the command should read:
CACLS C:\*.* /T /E /C /R Everyone
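The check that Step two says NT lacks, finding the files whose ACL lists only Everyone, can be done by parsing a CACLS listing. The following is an added example, not part of the original article or of any Microsoft tool. It assumes the usual CACLS display layout (path and first entry on one line, further entries indented beneath), and the sample listing and per-file commands are constructed for illustration.

```python
import re

# Constructed sample of a CACLS listing (CACLS run without /G, /R or /P only
# displays ACLs). Assumed layout: path plus first entry, then indented entries.
SAMPLE = r"""
C:\WINNT\system32\example1.dll Everyone:F

C:\Inetpub\wwwroot\default.htm Everyone:R
                               BUILTIN\Administrators:F
                               WWW:R

C:\Program Files\Demo App\demo.dll Everyone:C

C:\Inetpub\scripts\guest.mdb BUILTIN\Administrators:F
                             WWW:C
"""

# A first line whose only entry is Everyone. ':' cannot occur in a file name
# past the drive letter, so " Everyone:" reliably marks where the path ends.
FIRST_EVERYONE = re.compile(r"^(?P<path>\S.*?) Everyone:\S+$")

def records(text):
    """Group listing lines into per-file records: [first line, entry, ...]."""
    rec = []
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separator between files
        if line[0].isspace():
            if rec:
                rec.append(line.strip())  # indented line: another ACL entry
        else:
            if rec:
                yield rec
            rec = [line.rstrip()]         # unindented line starts a new file
    if rec:
        yield rec

def everyone_only(text):
    """Paths whose ACL would be empty after `/R Everyone`."""
    hits = []
    for rec in records(text):
        m = FIRST_EVERYONE.match(rec[0])
        if m and all(e.startswith("Everyone:") for e in rec[1:]):
            hits.append(m.group("path"))
    return hits

def grant_first(paths, group="Users", perm="F"):
    """Per-file commands mirroring the article's /G Users:F /R Everyone fallback."""
    return ['CACLS "%s" /E /C /G %s:%s /R Everyone' % (p, group, perm) for p in paths]

if __name__ == "__main__":
    for cmd in grant_first(everyone_only(SAMPLE)):
        print(cmd)
```

Only the files it reports need a replacement grant; every other file already has another entry and can take the plain `/R Everyone` command.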
Step three: Process the database
If your system includes databases or ActiveX components, such as a search engine or a guest book, you need to perform step three. For the guest book, run:
CACLS <guest book dir>\*.* /T /E /C /G WWW:C
Parameter meaning
/G WWW:C Grant the WWW group Change permission.
At this point you may find that the guest book cannot be updated from the web, or even that the database cannot be read. If this happens, you must be connecting to the database through ODBC. The problem lies in the ODBC temporary files. When an ODBC connection is established, the system creates temporary files that record lock information and so on. By default these files are stored in the System32 directory, where Internet users have no permission to write or create files. A better solution is to designate another directory, one in which Internet users do have permissions, to hold the ODBC temporary files. Add the following system variables in the System applet in the Control Panel
If you use ASP to connect to the database, there is one more problem. ASP uses the ActiveX component ADO to access the database. A typical statement for connecting to a database from ASP is:
var dbconn = Server.CreateObject('ADODB.Connection');
ADODB.Connection is a program ID, which actually stands for a file. Before it can be invoked it has to be translated into the file's actual location. This information is recorded in the HKEY_CLASSES_ROOT section of the registry. Do you see what needs to change now? Add Read permission for the WWW group to the ADODB.Connection key. Use Regedit to find the key.
Congratulations
You have now made your system a lot safer. But remember that hackers are constantly looking for new vulnerabilities through which to penetrate your system, so these security settings are only the first battle with them.
Reprinted from: http://www.windowstechedge.com