Author:25hourwowo@gmail.com
For Serv-U security, we recommend upgrading to version 6.3 first, since this version does not appear to have the overflow problem. For further hardening, follow the tutorial below.
By default, Serv-U runs under the System identity and has full control over the local machine. Therefore, if attackers exploit a vulnerability in the Serv-U program to obtain an executable shell, they can access any directory in the operating system.
Linux and Unix systems are more secure than Windows systems in this respect because their services do not run with root permissions but under a separate, low-privileged user; for example, the web service runs as the nobody user.
To improve the security level of Serv-U, we create an independent user for Serv-U and let Serv-U run as this user. In this way, even if Serv-U is compromised through a vulnerability, the attacker can affect only a limited set of data and not critical system files.
First, create a user. The name can be anything you like, for example ftpuser. Choose Start > Control Panel > Administrative Tools > Computer Management, right-click Users and choose New User. Open Notepad and type a password; the more complex the password, the better. Copy the password and paste it into the dialog box for creating the new user.
Next, modify the disk permissions, starting with the Serv-U installation directory. Right-click the directory, select Properties, and switch to the Security tab. At this point only administrators and the system user have permissions on the directory. Click Add, enter ftpuser (the user you just created) as the user name, and click OK. Set the ftpuser permissions to "Read & Execute", "List Folder Contents", and "Read". Then open the directory, find the ServUAdmin.ini and ServUDaemon.ini files, right-click them, and select Properties. On the Security tab, the current file permissions are the same as the directory permissions you just set. Add the "Modify" and "Write" permissions for ftpuser on these two files.
Next, give Serv-U read and write access to the site directories. Add ftpuser to every site directory and grant it all permissions except Full Control.
Now set permissions on the C drive. To prevent the user that Serv-U runs as from reading and writing files such as cmd.exe, we add deny permissions on them. Find C:\WINNT\system32\cmd.exe, right-click it, select Properties, go to the Security tab, and add a permission entry that denies every operation. Set C:\WINNT\explorer.exe to deny operations in the same way.
In addition, use "Local Security Settings" to prevent the ftpuser user from logging on locally. Choose Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Deny log on locally.
After these settings are complete, switch the startup identity of Serv-U to ftpuser. Go to Control Panel > Administrative Tools > Computer Management and find the Serv-U service. Double-click it and open the "Log On" tab. The default value is "Local System account". Change it to the ftpuser user and enter the complex password you set earlier. Click OK and restart the service.
With these settings in place, the ftpuser account can read and write only the specified site directories and has no write permission on other directories. Because it is not a system user, the potential danger to the system is reduced.
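The following read-only audit script checks the end state the steps above are meant to produce. It is an added example, not part of the original tutorial. The service name and install directory are assumptions to adjust for your installation, and it needs PowerShell 3.0 or later, so it applies to newer Windows versions than the WINNT-era paths above.

```powershell
# Added example: read-only audit of the tutorial's end state (PowerShell 3.0+).
# Assumed, not from the page: the service name and the install directory.
# Only ACEs that name the account directly are inspected; rights the account
# gets through group membership are not evaluated.
$ErrorActionPreference = 'Stop'          # abort on a missing path
$ServiceName = 'Serv-U'                  # assumed service name
$Account     = 'ftpuser'                 # account created in the tutorial
$InstallDir  = 'C:\Program Files\Serv-U' # assumed install directory
$IniFiles    = 'ServUAdmin.ini', 'ServUDaemon.ini'
$DenyTargets = "$env:SystemRoot\system32\cmd.exe", "$env:SystemRoot\explorer.exe"

# Rights that let an account change a file or directory (read bits excluded).
$WriteBits = [System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$Modify    = [System.Security.AccessControl.FileSystemRights]'Modify'
$Full      = [System.Security.AccessControl.FileSystemRights]'FullControl'
$AcctRegex = '\\' + [regex]::Escape($Account) + '$'

function Get-AccountAce([string]$Path, [string]$Type) {
    # ACEs of the given type (Allow or Deny) whose trustee is the service account
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -match $AcctRegex -and $_.AccessControlType -eq $Type
    }
}
function Test-Rights($Aces, $Mask) {
    # True when at least one ACE covers every bit in $Mask
    [bool]($Aces | Where-Object { ($_.FileSystemRights -band $Mask) -eq $Mask })
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$report = @([pscustomobject]@{
    Check = "Service '$ServiceName' logs on as $Account"
    Pass  = [bool]($svc.StartName -match $AcctRegex) })
$report += [pscustomobject]@{
    Check = "$Account has no write-type rights on $InstallDir"
    Pass  = -not (Get-AccountAce $InstallDir Allow |
                  Where-Object { ($_.FileSystemRights -band $WriteBits) -ne 0 }) }
foreach ($f in $IniFiles) {
    $report += [pscustomobject]@{
        Check = "$Account can modify $f"
        Pass  = Test-Rights (Get-AccountAce (Join-Path $InstallDir $f) Allow) $Modify }
}
foreach ($t in $DenyTargets) {
    $report += [pscustomobject]@{
        Check = "$Account is denied all access to $t"
        Pass  = Test-Rights (Get-AccountAce $t Deny) $Full }
}
$report | Format-Table -AutoSize
```

Any row with Pass = False marks a step that was skipped or has since been undone. A service row that fails because the log-on account is still LocalSystem is the one to fix first.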