Because Apache is widely used on Windows, its security settings deserve attention. Many careless webmasters build production environments with Apache on their hosted servers and leave the default installation in place. By default the Apache service starts as SYSTEM, so it inherits SYSTEM's permissions. Apache itself is safe; the risk comes from extensions and other applications running under it.
To deal with this we need to "downgrade" Apache. What does downgrading mean? As the name suggests, it means reducing the permissions the Apache service runs with.
Step 1: create a low-privilege user
net user tester * /add
net localgroup users tester /del
net localgroup low_privilege /add
net localgroup low_privilege tester /add
(The * makes net user prompt for the password instead of placing it on the command line; the second line removes tester from the default Users group so that it only holds the rights granted to low_privilege.)
OK. We have created a user tester that belongs to the low-privilege group low_privilege.
Step 2: start Apache and MySQL with low permissions (there are two opportunities to configure this: before the service is created, and after it is created)
Let's take the first one: low-privilege startup before creating a service.
- Run secpol.msc to open "Local Security Policy", select "User Rights Assignment", double-click "Log on as a service" on the right, and add the Apache user (the tester account created above). This allows the newly created user to be used as the service logon account.
- Change the account the Apache service starts under: run services.msc to open the Service Manager, open the properties of the Apache service, go to the "Log On" tab, select "This account", and enter the account and password created above. This assigns the user the Apache service runs as.
- Next, set the file-system permissions for the account that logs on as the Apache service; otherwise Apache cannot start. Specifically, grant the low_privilege group read permission on the Apache and MySQL directories, and read and write permission on Apache's logs directory and MySQL's data directory.
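As an added example (not part of the original article), the following PowerShell script applies the permissions just described with icacls and then lists what the group was actually granted on each directory. It assumes the article's install paths, that MySQL's data directory is the data subfolder of its install directory, and that it is run from an elevated prompt; adjust the paths to your own layout.

```powershell
# Added example, not from the original article: grant the low_privilege group
# the file-system rights the article describes, then verify them.
# Paths are the article's assumed install locations (adjust to your own).
$apacheDir = 'E:\program files\apache2.2'
$mysqlDir  = 'E:\program files\mysql5.5'
$mysqlData = Join-Path $mysqlDir 'data'      # assumption: default data dir location
$apacheLog = Join-Path $apacheDir 'logs'
$group     = 'low_privilege'                 # the local group created in step 1

# Read + execute on the program directories: the services must load their
# executables, modules and DLLs, but never need to write there.
foreach ($dir in @($apacheDir, $mysqlDir)) {
    icacls $dir /grant "${group}:(OI)(CI)RX"
}

# Modify (read/write/create, but no ownership or ACL changes) only where the
# services must write: Apache's logs and MySQL's data directory.
foreach ($dir in @($apacheLog, $mysqlData)) {
    icacls $dir /grant "${group}:(OI)(CI)M"
}

# Verify: show the access rules that apply to the group on each directory,
# so that an accidental Full Control grant is visible immediately.
function Get-GroupRights {
    param([string]$Path, [string]$GroupName)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        ForEach-Object { "{0}: {1}" -f $Path, $_.FileSystemRights }
}

foreach ($dir in @($apacheDir, $mysqlDir, $apacheLog, $mysqlData)) {
    Get-GroupRights -Path $dir -GroupName $group
}
```

The (OI)(CI) flags make the grant inherit to files and subfolders, so new log files and database files created by the services pick up the same rights without further ACL work.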
Now the second one: the service is created so that it starts with low permissions.
- First, assume that Apache is installed in E:/program files/apache2.2 and MySQL in E:/program files/mysql5.5.
@rem Both paths contain spaces, so the executable inside binpath= is itself quoted; an unquoted service path with spaces is ambiguous to the service control manager.
@sc create apache2.2 binpath= "\"E:\program files\apache2.2\bin\httpd.exe\" -k runservice" type= own start= demand depend= "TCPIP/AFD" error= normal displayname= apache2.2.14 obj= .\tester password= fuckmicrosoft
@sc description apache2.2 "Apache/2.2.14 (win32)"
@sc create mysql5.5 binpath= "\"E:\program files\mysql5.5\bin\mysqld\" --defaults-file=\"E:\appserv\mysql-5.5.1-m2-win32\my.ini\" mysql5.5" type= own start= demand error= normal displayname= mysql5.5 obj= .\tester password= fuckmicrosoft
@sc description mysql5.5 "mysql5.5 (win32)"
- Open the console ("Start" | "Run", enter mmc), "File" menu | "Add/Remove Snap-in" | "Add..." | select "Security Templates" | "Close". On the C:/Windows/security/templates node, right-click "New Template..." and enter "new" in the "Template Name" dialog box.
- Open the "new | Local Policies | User Rights Assignment" node and add the low_privilege group to "Log on as a service" on the right. Then open the "System Services" node, double-click the Apache service in the list on the right, check "Define this policy setting in the template", and select Automatic (or Manual) startup. The important part is to click "Edit Security..." and grant the low_privilege group read, write and change permissions (but not delete) on the Apache service. For the specific settings, see
- Then right-click the "new" node, choose "Save As...", and save it as C:/sec.inf.
Put the following in a batch file and run it:
@secedit /configure /db secedit.sdb /cfg c:\sec.inf
@rundll32.exe user32.dll,UpdatePerUserSystemParameters
@gpupdate /force
OK.
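As an added check that is not part of the original article, this PowerShell function reports, for the two services the sc create lines above define, which account they log on as and whether their executable path is quoted; an unquoted path containing spaces can cause the wrong program to be started, which would undo the low-privilege configuration, so it is worth confirming before going to production. The service names, the .\tester account and the path heuristic are assumptions taken from the article's commands.

```powershell
# Added example, not from the original article: verify that the services
# created above really run as the low-privilege account and have a safe path.
function Test-LowPrivilegeService {
    param(
        [string[]]$ServiceNames   = @('apache2.2', 'mysql5.5'),  # names from the sc create lines
        [string]  $ExpectedAccount = '.\tester'                   # account from obj= above
    )
    foreach ($svc in Get-CimInstance -ClassName Win32_Service |
                     Where-Object { $ServiceNames -contains $_.Name }) {
        # StartName is the logon account the service control manager uses;
        # a service still running as SYSTEM reports 'LocalSystem' here.
        $runsLow = ($svc.StartName -eq $ExpectedAccount)

        # Heuristic: the path is safe if it is quoted, or if the first
        # whitespace-delimited token is already the .exe (no spaces in the
        # directory part). Unquoted 'E:\program files\...\httpd.exe' fails
        # this test because its first token is just 'E:\program'.
        $path   = $svc.PathName
        $quoted = ($path -match '^"') -or (($path -split '\s+')[0] -match '\.exe$')

        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            LowPrivilege = $runsLow
            PathQuoted   = $quoted
            State        = $svc.State
        }
    }
}

# Usage: any row with LowPrivilege or PathQuoted equal to False needs fixing
Test-LowPrivilegeService | Format-Table -AutoSize
```

Run it after both sc create commands have been executed; a service that was installed by the Apache or MySQL installer rather than by the lines above will usually show LocalSystem in the RunsAs column, which is exactly the condition the article sets out to remove.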