Red Guests must learn: Windows permission settings in detail

Source: Internet
Author: User
Tags: file upload, ftp, iis, sql injection, web services, domain, domain name, strong password

With the widespread use of the Dvbbs (Dynamic Network) forum software, the discovery of vulnerabilities in it, and the ever more frequent use of SQL injection attacks, a Webshell renders the firewall useless: a Web server that opens only port 80 and has every Microsoft patch applied still cannot escape the fate of being hacked. Are we really helpless? In fact, as long as you understand how NTFS permissions are set, we can say to the crackers: no!

To build a secure Web server, the server must use NTFS and Windows NT/2000/2003. As everyone knows, Windows is a multi-user, multitasking operating system, and that is the foundation of permission settings: all permissions are based on users and processes, and different users have different permissions when they access the computer.

The difference in permissions between DOS and Windows NT

DOS is a single-task, single-user operating system. But can we say that DOS has no permissions? No! When we boot a computer running DOS, we have administrator privileges over the operating system, and those privileges apply everywhere. So we can only say that DOS does not support setting permissions; we cannot say that it has no permissions. As people's awareness of security grew, permission settings were born with the release of NTFS.

In Windows NT, users are organized into groups. Different groups have different permissions, and of course users within one group can also have different permissions from each other. Let us now look at the common user groups in NT.

Administrators: the Administrators group. By default, users in Administrators have unrestricted full access to the computer or domain. The default permissions assigned to this group allow full control of the entire system, so only trusted people should become members of it.

Power Users: the advanced user group. Power Users can perform any operating system task except those reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify settings for the entire computer. However, Power Users do not have the right to add themselves to the Administrators group. In permission settings, this group's permissions are second only to Administrators.

Users: the normal user group. Members of this group cannot make intentional or unintentional changes to the system. As a result, Users can run certified applications, but they cannot run most legacy applications. The Users group is the safest group, because the default permissions assigned to it do not allow members to modify operating system settings or other users' data. The Users group provides the most secure environment in which to run programs. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation, but not a server. Users can create local groups, but can only modify the local groups they themselves created.

Guests: the guest group. By default, guests have the same access as members of the Users group, but the Guest account itself has more restrictions.

Everyone: as the name implies, all users. Every user on this computer belongs to this group.

In fact, there is another group that is also very common. Its permissions are equal to, or even higher than, those of Administrators, but no user is allowed to join it, and it is not shown in the user group view: the SYSTEM group. The permissions required for the system and system-level services to function properly are vested in it. Since this group has only one member, SYSTEM, it may be more appropriate to treat it as a user.

Analysis of permission levels

Permissions have levels. Users with higher privileges can operate on users with lower privileges, but apart from Administrators, users in other groups cannot access other users' data on NTFS volumes unless those users authorize them. Users with low privileges cannot do anything to highly privileged users.

We usually do not feel permissions stopping us from doing something on the computer, because we use the computer logged in as a member of Administrators. This has good and bad sides. Of course, you can do anything you want without running into restrictions. The disadvantage is that running the computer as a member of the Administrators group makes the system vulnerable to Trojan horses, viruses, and other security risks. Something as simple as visiting an Internet site or opening an e-mail attachment can damage the system.

Unfamiliar Internet sites or e-mail attachments may contain Trojan horse code that is downloaded to the system and executed. If you are logged on to the local computer as an administrator, the Trojan can reformat your hard disk with administrative access and cause immeasurable damage, so it is best not to log in as a member of Administrators unless it is necessary. Administrators has a default user created at system installation, Administrator. The Administrator account has full control of the server and can assign user rights and access control permissions to users as needed.

It is therefore strongly recommended that this account use a strong password. You can never delete the Administrator account from the Administrators group, but you can rename or disable it. Because everyone knows that "Administrator" exists on many versions of Windows, renaming or disabling this account makes it harder for a malicious user to try to access it. Good server administrators usually rename or disable this account. The Guests group likewise has a default user, Guest, but it is disabled by default. Do not enable this account unless it is particularly necessary.

Tip: What is a strong password? A complex password of more than 8 characters that combines letters, numbers, and upper and lower case. This does not completely stop many hackers, but it makes cracking more difficult to a certain extent.

We can view user groups and the users in each group through Control Panel, Administrative Tools, Computer Management, Users and Groups.

If we right-click an NTFS volume, or a directory on an NTFS volume, and select Properties, Security, we can set permissions on that volume or directory. We see the following seven kinds of permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions. Full Control is unrestricted full access to the volume or directory; its status is like that of Administrators among the groups. When Full Control is selected, the five permissions below it are selected automatically.

Modify is like Power Users: when Modify is selected, the four permissions below it are selected automatically, and if any of those four is cleared, the Modify condition no longer holds. Read & Execute allows any file under the volume or directory to be read and run, and List Folder Contents and Read are prerequisites for Read & Execute.

List Folder Contents means that only the subdirectories under the volume or directory can be browsed; nothing can be read or run. Read is the ability to read data in the volume or directory. Write is the ability to write data to the volume or directory. Special Permissions subdivides the six permissions above into their individual rights. Readers can study Special Permissions on their own; I will not dwell on them here.
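The relationship described above, where Full Control contains the five permissions below it and Modify contains the four below it, is a bit-mask relationship in the NTFS access mask. The following PowerShell script is an added example by the editor, not code from the original article: it reads the ACL of a directory with Get-Acl and reports, for each access control entry, which of the six composite permissions from the Security tab its mask fully includes, and whether bits remain that the tab would show as Special Permissions. The path E:\www is an assumption; point it at any NTFS directory.

```powershell
# Added example (not from the original article). Assumed path: E:\www.
param([string]$Path = 'E:\www')

# The six composite permissions, highest first. Each higher one is a superset
# of the ones below it, which is why ticking Full Control ticks the other five
# and ticking Modify ticks the four below it.
$composite = [ordered]@{
    'Full Control'         = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Modify'               = [System.Security.AccessControl.FileSystemRights]::Modify
    'Read & Execute'       = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'List Folder Contents' = [System.Security.AccessControl.FileSystemRights]::ListDirectory
    'Read'                 = [System.Security.AccessControl.FileSystemRights]::Read
    'Write'                = [System.Security.AccessControl.FileSystemRights]::Write
}

# An entry includes a composite permission when every bit of that permission
# is set in the entry's rights mask.
function Test-CompositeRight {
    param(
        [System.Security.AccessControl.FileSystemRights]$Granted,
        [System.Security.AccessControl.FileSystemRights]$Needed
    )
    return (([int]$Granted -band [int]$Needed) -eq [int]$Needed)
}

$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    $included = @()
    $covered  = 0
    foreach ($name in $composite.Keys) {
        if (Test-CompositeRight -Granted $ace.FileSystemRights -Needed $composite[$name]) {
            $included += $name
            $covered   = $covered -bor [int]$composite[$name]
        }
    }
    # Bits in the mask that none of the included composites account for are
    # approximately what the Security tab shows as "Special Permissions".
    $special = (([int]$ace.FileSystemRights -band (-bnot $covered)) -ne 0)
    [pscustomobject]@{
        Identity  = $ace.IdentityReference
        Type      = $ace.AccessControlType
        Inherited = $ace.IsInherited
        Rights    = $ace.FileSystemRights
        Includes  = ($included -join ', ')
        Special   = $special
    }
}
```

Running it against a directory that still carries the default ACL typically shows an entry for Everyone or Users whose mask includes Read & Execute, List Folder Contents and Read, which is exactly the kind of default this article goes on to tighten.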

Setup example for a simple server:

The following is a comprehensive analysis of a Web server and its permissions just after the operating system and service software have been installed. The server runs Windows 2000 Server with SP4 and various patches installed. The Web service software is the IIS 5.0 that ships with Windows 2000, with all unnecessary script mappings removed. The hard drive is divided into four NTFS volumes: the C drive is the system volume, holding only the system and drivers; the D drive is the software volume, where all the software installed on the server lives; the E drive is the Web application volume, with the Web site program in its WWW directory; and the F drive is the Web site data volume, where all data used by the Web site system is stored in its Wwwdatabase directory.

This kind of layout is closer to the standard for a secure server. I hope every novice administrator will classify the server's data sensibly. It is not only easier to find things; more importantly, it greatly improves the security of the server, because we can give each volume or each directory different permissions, and if a security incident does occur, the loss can be kept to a minimum.

Of course, you can also spread the site's data across different servers, forming a server farm in which each server has its own user name and password and provides a different service, which is even more secure. But people willing to do that share one feature: money :).

Well, to get back to the point: the server's database is MS-SQL. The SQL Server 2000 service software is installed in the D:\ms-sqlserver2K directory, the SA account has been given a strong enough password, and the SP3 patch is installed. To make it convenient for the Web page producers to manage the site, an FTP service is also open; the FTP software is Serv-U 5.1.0.0, installed in the D:\ftpservice\serv-u directory. The antivirus software and firewall are Norton AntiVirus and BlackICE respectively, at D:\nortonAV and D:\firewall\blackice. The virus library has been upgraded to the latest version, and the firewall rule set opens only ports 80 and 21 to the outside. The site content uses Dvbbs forum 7.0, and the site program is under E:\www\bbs.
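The point of splitting the site into a code volume (E:\www) and a data volume (F:\wwwdatabase) is that the two can receive different permissions. The following PowerShell script is an added example by the editor, not code from the original article or from any of the products it names: it breaks ACL inheritance on each directory, discards the volume's default entries, and grants Full Control only to Administrators and SYSTEM, plus Read & Execute for the Web anonymous account on the code tree and Modify on the data directory. The account name IUSR_<computername> (the anonymous account IIS 5 creates), the two paths, and the choice of rights are all assumptions; adjust them to the server. Run it as an administrator.

```powershell
# Added example (not from the original article). Assumptions: IIS anonymous
# account IUSR_<computername>, code in E:\www, data in F:\wwwdatabase.
$webUser = "IUSR_$env:COMPUTERNAME"

function Set-LeastPrivilegeAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$WebAccount,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$WebRights
    )
    $acl = Get-Acl -Path $Path

    # Stop inheriting the volume's default ACL (which typically grants Everyone
    # or Users broad rights) and do not copy the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit entries that were already present, so the result is
    # exactly the three entries added below.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $WebAccount, $WebRights, $inherit, $propagate, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -Path $Path -AclObject $acl
}

# Site code: the Web account only needs to read and run scripts, so it gets
# no Write here and cannot drop a new file into the site tree.
Set-LeastPrivilegeAcl -Path 'E:\www' -WebAccount $webUser -WebRights ReadAndExecute

# Site data: the application has to write here, so Modify is granted on this
# directory only, not on the code directory.
Set-LeastPrivilegeAcl -Path 'F:\wwwdatabase' -WebAccount $webUser -WebRights Modify
```

After running it, Get-Acl on E:\www should list only the three explicit entries with IsInherited set to False; any Everyone or Users entry that remains means inheritance was not broken and the default permissions are still in effect.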

Attentive readers may have noticed that I did not use the default installation paths for these services, nor merely change the drive letter of the default path. This is also a security requirement: a hacker who has gained access to your server by some means but has not obtained administrator privileges will first look at what services you have opened and what software you have installed, because he needs to elevate his privileges.

Paths that are hard to guess, together with good permission settings, will keep him out. I believe a Web server configured like this is enough to withstand most amateur hackers. The reader may ask again: "This has nothing to do with permissions! I have done all the other security work; are permission settings still necessary?" Of course they are! Even a wise man slips sometimes. Even if you have made the system secure and perfect today, you must remember that new security vulnerabilities are always being discovered.

Example attack

Permissions will be your last line of defense! Now let's try it out: a mock attack on this server with no permission settings at all, everything left at the Windows defaults, to see whether it really is impregnable.

Assume the server's external domain name is http://www.webserver.com. Scanning it with a scanner reveals open WWW and FTP services, and shows that the service software is IIS 5.0 and Serv-U 5.1. After trying some overflow tools against them and finding them ineffective, the idea of a direct remote overflow was abandoned.

Opening the site's pages shows that it uses the Dvbbs forum system, so /upfile.asp was appended to the domain name, and a file upload vulnerability was found. The request was captured, the modified ASP Trojan was submitted with NC, and the upload was reported as successful, giving a Webshell. Opening the just-uploaded ASP Trojan showed that MS-SQL, Norton AntiVirus and BlackICE were all running, and judging by the firewall restrictions, the SQL service port is blocked.
