Installing and configuring IIS with ASP+CGI+PHP+MySQL under Windows 2000

Source: Internet
Author: User

Install Win2K, then install IIS. Leave out Indexing Service, FrontPage Server Extensions, Internet Services Manager (HTML) and the other components you do not need; you will not use them anyway. (Security principle: fewest services + minimum permissions = maximum security.)

First, open Internet Services Manager (Start -> Programs -> Administrative Tools -> Internet Services Manager). If a Default Web Site and a default SMTP service were installed by the setup above, delete every virtual directory beneath them (select it and press the DELETE key). Then stop IIS; the easiest way is Start -> Run -> `net stop iisadmin`, answering y to the prompt (the command to start it again is `net start w3svc`). Delete the C:\Inetpub directory completely (stop IIS before deleting it), create a new directory, and in IIS Manager point the default site's home directory to that new directory. For every directory you create, grant only the permissions it actually needs.

(Pay special attention to Write permission and permission to execute programs: do not grant them unless absolutely necessary. By default they are not granted, so you do not have to study them further, hehe ...)

Application configuration: remove every application mapping you do not need in IIS Manager, keeping only .asp, .asa and the file types you really use (apart from CGI and PHP, I think the rest are useless: delete .htw, .htr, .idq, .ida ...). Do not know where to delete them? Method: open Internet Services Manager -> select the site -> Properties -> WWW Service -> Edit -> Home Directory -> Configuration -> App Mappings, and start deleting (one at a time, which is a real nuisance). Then, in the same dialog, on the App Debugging tab, change the script error message to "Send text error message to client" (unless you want users to learn your program/network/database structure whenever an ASP page fails). What should the error text say? Whatever you like; write it yourself. When you click OK to exit, do not forget to let the virtual directories inherit the settings you just made.

To deal with the growing number of CGI vulnerability scanners, there is also a small trick worth mentioning: in IIS, redirect the HTTP 404 "Object not found" error page by URL to a custom .htm file, and most current CGI vulnerability scanners will fail. The reason is simple. For convenience, most CGI scanners decide whether a vulnerability exists by looking only at the HTTP status code of the returned page. The famous IDQ hole, for example, is usually checked by requesting 1.idq: HTTP 200 is taken to mean the hole exists, HTTP 404 to mean it does not. If you redirect the 404 error by URL to http404.htm, every probe returns HTTP 200 whether the hole exists or not, and 90% of CGI scanners will report that you have every hole there is, which hides your real vulnerabilities and leaves an intruder with no place to start. Personally, though, I still think solid security settings matter more than a small trick like this.

Win2000 account security is another priority. First of all, a default Win2000 installation lets any user obtain the system's complete account and share lists through a null session. This was meant to make file sharing convenient for LAN users, but a remote user can obtain your user list the same way and then brute-force the passwords. Many friends know that you can change the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to prevent null connections on port 139. In fact the Win2000 Local Security Policy (on a domain server, the Domain Server Security Policy and Domain Security Policy) exposes the same option as RestrictAnonymous ("Additional restrictions for anonymous connections"), which has three values:

0: None. Rely on default permissions

1: Do not allow enumeration of SAM accounts and shares

2: No access without explicit anonymous permissions

0 is the system default and imposes no restriction at all: a remote user can learn all of your machine's accounts, group information, shared directories and network transport list (NetServerTransportEnum, etc.). For a server this setting is very dangerous.

1 allows only non-null (authenticated) users to access SAM account information and share information.

2 is supported in Win2000, but note that if you use this value your shares will most likely all stop working, so I recommend setting it to 1 instead.

OK, an intruder can no longer get our user list, so our accounts are secure ... Wait, there is still at least one account whose password can be guessed: the built-in Administrator. What to do? Rename it: in Computer Management -> Users, right-click Administrator, choose Rename, and change it to anything you can remember. Even after renaming the super-admin account, the name can still be seen on the Terminal Services logon screen (if you last logged on with it). To fix that, run regedit, find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and set the string value DontDisplayLastUserName to 1, so the system no longer shows the previous logon user name automatically.

For extra security you can also turn on TCP/IP filtering: right-click Network Neighborhood on the desktop -> Properties -> right-click the NIC you want to configure -> Properties -> TCP/IP -> Advanced -> Options -> TCP/IP Filtering. There are three filters: TCP ports, UDP ports and IP protocols. For TCP ports, select "Permit Only" and add just the ports you need to open. Generally a web server only needs 80 (WWW); an FTP server needs 20 (FTP Data) and 21 (FTP Control); 3306 (MySQL); 3389 (remote terminal control, which you need if your host sits in a remote machine room where you cannot operate it directly); a mail server may need 25 (SMTP) and 110 (POP3). I have not researched ports beyond that, but for the services covered in this article you only need to open a few (80, 20, 21, 25, 3306, 3389).

-- CGI Support

Download ActivePerl (get the latest version from www.perl.com).

1. Unpack it and run Install.exe. By default it installs under C:\PERL, but for convenience please install it to C:\USR. That way the Perl interpreter path written in scripts can simply be #!/usr/bin/perl, keeping the path identical between the local machine and the hosting environment. You can press Y all the way through the installation.

2. After installation, modify the registry in the following three steps: run regedit and locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap,

then add a value named ".cgi" with data "C:\USR\BIN\perl.exe %s" and a value named ".pl" with data "C:\USR\BIN\perl.exe %s %s".

(Do not know how to create them? In the right-hand pane: right-click -> New -> String Value, rename it to .cgi, then double-click it and enter the value data given above.)
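An added audit script, not part of the original article, that checks a host against the registry settings recommended above: the RestrictAnonymous value, the DontDisplayLastUserName string, and the W3SVC ScriptMap key described under CGI support. The $Keep list and the Get-RegValue helper are assumptions of this example; adjust $Keep to the script extensions your site actually uses.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# $Keep is a placeholder: list only the script extensions your site really needs.
$Keep = @('.asp', '.asa', '.cgi', '.pl')

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist, instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. RestrictAnonymous: 0 (the default) lets null sessions enumerate accounts and
#    shares; the article recommends 1, because 2 tends to break share access.
$ra = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RestrictAnonymous'
if ($null -eq $ra -or [int]$ra -lt 1) {
    $findings += "RestrictAnonymous is '$ra' (expected 1): anonymous enumeration is possible"
}

# 2. DontDisplayLastUserName: without it the renamed administrator name is shown on
#    the logon / Terminal Services screen. Windows 2000 stores it as a string and
#    later versions as a DWORD, so compare it as text.
$dl = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DontDisplayLastUserName'
if ("$dl" -ne '1') {
    $findings += "DontDisplayLastUserName is '$dl' (expected 1): last logon name is displayed"
}

# 3. ScriptMap: every mapped extension is a reachable handler. Anything not in $Keep
#    (for example .htw, .htr, .idq, .ida) should be removed in IIS Manager.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap'
if (Test-Path $sm) {
    $key = Get-Item $sm
    foreach ($ext in $key.GetValueNames()) {
        if ($Keep -notcontains $ext) {
            $findings += "Script mapping still present for $ext -> $($key.GetValue($ext))"
        }
    }
}

if ($findings.Count -eq 0) { 'All checked settings match the recommendations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reports; apply the changes through the Local Security Policy, regedit or IIS Manager as the article describes, then re-run it to confirm.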
