Installation and configuration of windows Server iis6 + php + mysql

Installing iis on a windows Server is much better than installing apache. After my test, I will introduce how to install iis6 + php + mysql on a windows server.

I used apache in the past. Due to work needs, I had to configure the php environment of iis. I found some information on the Internet and configured it at once. In fact, I have experience with apache + php + mysql, this is easy to understand.

 

Let's take a look at the general steps.

 

Step 1: Download the program

 

Download php-5.2.0-win32.zip”, “mysql-noinstall-5.0.22-win32.zip ", which is available on Baidu.

 

Step 2: install php

 

(1) copy the downloaded php-5.2.0-win32.zip to the d disk, and then right-click and unzip the php-5.2.0-win32 directory;

 

(2) In the D:/php-5.2.0-Win32 folder, find the "php. ini-dist" file and copy it as a copy, so that you can restore it after an error occurs. Rename the copied file to "php. ini ";

 

(3) Open "php. ini file, find "extension_dir", and then set extension_dir = ". /"changed to extension_dir =" D:/php-5.2.0-Win32/ext "; (Note: here should use a slash/rather than a backslash ). For example;

 

 

(4) Configure php extension support in php. find the following line in the INI file: remove the semicolon before "; extension = php_mysql.dll"; "; extension = php_gd2.dll"; "; extension = php_mbstring.dll, php supports these extensions;

 

(5) Save and close the php. ini file and copy it to the C:/Windows directory;

 

(6) In the D:/php-5.2.0-Win32 folder find the name php5ts. dll, libmysql. dll file and copy it to the C:/windows/System32 folder (Note: This file is required for IIS to process PHP 5 and MYSQL ).

 

So far, php installation is complete!

 

Step 3: install and configure IIS

 

I believe everyone is familiar with this.

 

(1) control panel-> Add/delete programs-> Add/delete windows Components, check IIS. If no disk is installed, you can go to the next iis package extracted from the installation disk. After the installation is complete, an Inetpub folder will be created on drive C.

 

(2) Open the Internet Information Service (IIS) manager in administrative tools, or enter "inetmgr" (excluding quotation marks) in the running dialog box to confirm.

 

(3) Right-click "website" under "Internet Information Service" on the left, select "properties", or bring up a familiar "website properties" panel, switch to the "main directory" tab, click "configuration" below, a "application configuration" box will pop up, click the "add" button below, finally, locate D:/php-5.2.0-Win32/php5isapi In the executable file in the pop-up box. dll, enter ". "php" (Note: add a few points before the extension) and click "OK. For example;

 

 

(4) Right-click "web Service extension" under "Internet Information Service" on the left, and click "Add a new web Service extension ", add a new web extension-input: PHP, and then point the executable file to php5isapi. dll path, set it to "allow", and click "OK" (I missed this step and reported that the 403 page was inaccessible when accessing the PHP file, then I found out for half a day ). For example;

 

 

Now, the basic configuration of IIS is complete.Restart iis.

 

Net stop w3svc

Net start w3svc

 

Step 4: Install MYSQL

 

This will not be said. Basically, the next step will be done. If you are not sure, you can go to Baidu. The graphic tutorials are also very detailed.

 

Last step: test whether the configuration is successful

 

Create a site under iis, create a "test. php" file under the site directory, write a sentence "" to it, save and close the file. Then access the webpage through a browser. If the webpage can be opened and the following screen appears, the configuration is successful. Slide the page slowly. If there is a mysql option, mysql is installed successfully.

 

 

This method is summarized after my configuration is successful. If you have any questions, leave a message.

After the environment is configured, let's take a look.

IIS + PHP security configuration

I. abnormal configuration of the php. ini file

Since it is for IIS + PHP security configuration in windows, the first security setting is PHP. in the previous article, only php is required. ini has made some necessary settings so that it can interpret the PHP script. There are many default settings which are insecure.

First, let's take a look at some basic concepts of php. ini. Set the command format as follows: directive = value command name (directive) is case sensitive! Therefore, "foo = bar" is different from "FOO = bar ". The value can be:

1. A string defined by quotation marks (for example, "foo ")

2. A number (integer or floating point number, for example, 0, 1, 34,-1, 33.55)

3. a PHP constant (for example, E_ALL, M_PI)

4. An INI constant (On, Off, none)

5. An expression (for example, E_ALL &~ E_NOTICE)

Another option is to set a Boolean value. If 1 is On, it is enabled. If 0 is Off, It is disabled. Php. ini is divided into many parts, such as module, php global configuration, database configuration, and so on. After learning about the basic concepts, we can start to configure them.

Set parameters and annotations

1. register_globals

Note: This configuration affects how php receives the passed parameters. To put it bluntly, register_globals is registered as a global variable. Therefore, when this parameter is set to On, the passed value will be directly registered as a global variable for direct use. When the value of this parameter is Off, we need to get it from a specific array. Most php vulnerabilities are exploited when Register_Globals is On. Therefore, we strongly recommend that you change this parameter to Off. In the current top version of php, this parameter is Off by default, if you are using an old version, you must modify it here.

2. magic_quotes_gpc

Note: If you set magic_quotes_gpc to Off, php will not escape four types of characters (single quotation marks), "(double quotation marks), (backslash), and empty characters, in this case, the server may be injected illegally. However, if you set Magic_quotes_gpc to On, php will give $ _ POST, $ _ GET, $ _ if the preceding four characters exist in the COOKIE submitted variables, the backslashes are added. this will greatly improve the security of php. We strongly recommend that you set Magic_quotes_gpc to On.

3. display_errors

Note: The display_errors parameter of php helps developers locate and determine these errors. However, if the information provided by php is known to hackers, this would be a bad thing. This is a very important information for hackers, because many times penetration requires the knowledge of web directories, such as webshell writing. Therefore, we strongly recommend that you set this parameter to Off. In the previous article, I have explained this parameter and set it to Off, but I still want to list it to emphasize it.

4. safe_mode

Note: This is what we often call the security mode. The security mode of php is a very important embedded security mechanism. It can control some functions in php, such as system () and other functions. It also controls the permissions of many file operation functions, access to some key files is not allowed, such as/etc/passwd, but the default php. ini does not enable security mode. Open it. Safe_mode = on.

5. open_basedir

Note: the open_basedir option can be used to control the PHP script to access only the specified directory, so as to prevent the PHP script from accessing files that should not be accessed, which limits the harm of webshell to a certain extent, generally, you can set it to only access the website directory (assume that the website directory is E: test): open_basedir = E: test

6. disable_functions

Note: Using disable_functions can restrict some functions that are very threatening to the system.

For example, we can see the php environment variables on the page with the phpinfo () function in the first part. You can also use functions such as system and exec to execute system commands. The Recommended filter function is as follows. Disable_functions = phpinfo, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, commit, ini_alter, ini_alter, commit, dl, pfsockopen, openlog, syslog, readlink, symlink, popepassthru, stream_socket_server. If you do not know a function, you can search for the function by google to determine whether your server is disabled.

7. com. allow_dcom

Note: a security vulnerability exists in the PHP script platform on Windows, allowing PHP to allow attackers to use COM () even in the secure mode (safe_mode () function to create system components to execute arbitrary commands. The vulnerability occurs because, although the system (); pathru () function of the PHP platform in safe mode is disabled, the setting of com. allow_dcom is still true. Attackers can use the COM () function to create system component objects to run system commands. If it is the default Apache setting or the Web server runs with Loacalsystem or Administrators permissions, attackers can use this vulnerability to improve their permissions. Therefore, we must disable the com. allow_dcom parameter. The default value is True. We need to modify this parameter to com. allow_dcom = false.

8. expose_php

Note: This parameter determines whether PHP is exposed and installed on the server. If this parameter is set to On, the php version will be leaked. We recommend that you set it to Off.

Note: After modifying php. ini, you must restart IIS. Otherwise, the content you set will not take effect immediately.

Ii. IIS Security Configuration

The security settings of IIS are mainly implemented through the implementation of two functions. The security configurations on IIS are flexible.

Function 1: a specific directory or Website Cannot run PHP. For example, create an images directory under the website, and then create a phpinfo. php file under the images directory. The content is phpinfo. By default, the PHP file under this directory can be executed, So you can open this file in a browser to see the PHP configuration information, 1. The PHP file under this directory cannot be executed in two ways.

Method 1: First open the IIS Information Service Manager, find our site and open it, and then find the newly created directory and click the left-click attribute. 2. There are three options for REDLINE, they are none, pure scripts, scripts, and executable files. You only need to select none and click OK.

 

Method 2: Use the application pool for configuration. As shown in 3, select the directory to be set, right-click and select properties, and click Create with a red line, in this case, an application pool with the same name as the website will be created. Then, you can click the configuration button to display the 4 image, and remove the PHP extension in the application extension? Are you sure you want to return.

The above two methods can achieve a specific directory that cannot execute PHP, but does not affect the call of images and other files.

Feature 2: Integrate the windows 2003 authentication function into a specific directory, such as the website background. If the background directory is admin, after the windows 2003 authentication is integrated into the admin directory, two Authenticated Users and passwords are displayed in the website background.

The first protection is integrated authentication on the server, that is, adding a user to the server and setting a very abnormal password.

The second protection means the user name and password of the website. Of course, these two protection passwords must not be the same, otherwise they will not be the same. Next, let's implement this function. For example, the directory we want to configure is admin. Right-click the admin attribute, as shown in Figure 5. Click the edit button under "authentication and access control, in the dialog box shown in 6, select "Integrated windows Authentication", remove the check box before "enable Anonymous", and click "OK. When we access the background directory again, the screen shown in 7 is displayed, asking us to enter the user name and password on the windows server.

Create a local user test and set its permissions to the minimum. The process of creating a user is omitted. The following describes how to reduce the permissions of the test user. Right-click "my computer" and choose "manage". The "Computer Management" dialog box is displayed, as shown in Figure 15, right-click the newly created test and choose "properties" from the shortcut menu. Select "password will never expire", and select "Drop access" and select "OK. Go back to the directory and enter the user we created.

3. web directory permission settings

In the second part, the permission configuration principle has been involved, and there are not many settings in this part. For example, if our web directory is D: web, right-click and select Properties and select the Security tab, you only need to retain the Administrator account and the system and IIS Anonymous accounts in the group and user name columns. In the permission column, grant full control permissions to the Administrator and system accounts, grant the "read and run", "list folder directories", and "read" permissions to the IIS Anonymous Account. However, many of our websites will have the upload function. If we do not have the write permission, the upload function on our website will not be available, in this case, you only need to add the write permission to the IIS Anonymous Account of the directory to be uploaded, such as D: webimages.