The practical skills of security settings for Web-dedicated servers

Source: Internet
Author: User
Tags ftp iis ini mssql mysql parent directory php and mysql database
web| Security | server | tips

Delete the virtual directory of the default established site, stop the default Web site, delete the corresponding file directory c:inetpub, configure the public settings for all sites, and set up the relevant number of connection limits, bandwidth settings, and other settings such as performance settings. Configures application mappings, removes all unnecessary application extensions, and retains only asp,php,cgi,pl,aspx application extensions. For PHP and CGI, it is recommended to use ISAPI parsing, and EXE parsing has an impact on security and performance. User program debug Settings send a text error message to the customer. For the database, try to use the MDB suffix, do not need to change to ASP, you can set up an MDB extension mapping in IIS, this mapping using an unrelated DLL file such as C:winntsystem32inetsrvssinc.dll to prevent the database from being downloaded. Set the log Save directory for IIS, and adjust logging information. Set to send text error messages. Modify the 403 error page and turn it to another page to prevent some scanners from probing. In addition, to hide system information, to prevent the release of the system version information from Telnet to port 80 can modify IIS banner information, you can use Winhex manual modification or use related software such as banneredit modification.

For the directory where the user site is located, here is a description of the user's FTP root directory corresponding to three files good, wwwroot,database,logfiles, respectively, storage site files, database backup and the site's log. If an intrusion event can set specific permissions on the directory where the user's site resides, the directory in which the picture resides is given permission only to the column directory, and the directory where the program resides does not require write access if the file is not required to generate the files, such as HTML-generated programs. Because it is a virtual host of the usual script security can not be nuanced to the point, more only in the method user from the script to elevate permissions:

Security Settings for asp:

After setting permissions and services, prevent ASP Trojan also need to do the following work, in the CMD window run the following command:

Regsvr32/u C:\WINNT\System32\wshom.ocx

Del C:\WINNT\System32\wshom.ocx

Regsvr32/u C:\WINNT\system32\shell32.dll

Del C:\WINNT\system32\shell32.dll

You can Wscript.Shell, Shell.Application, Wscript.Network component Uninstall, can effectively prevent ASP Trojan horse through Wscript or shell.application execute commands and use Trojans to view some system sensitive information. Alternatively: You can cancel the permissions of the users user of the above file and restart IIS to take effect. However, this method is not recommended.

In addition, for the FSO because the user program needs to use, the server can not log off the component, here only to mention the prevention of FSO, but do not need to open space in the virtual Business Server use, only suitable for manually opened the site. You can set up two groups of sites that require FSO and do not need FSO, and do not need to give permission to C:winntsystem32scrrun.dll files to the user group that requires the FSO. Restarting the server can take effect.

For such settings combined with the above permission settings, you will find that the Haiyang Trojan has lost its role here!

Security Settings for PHP:

The default installation of PHP requires the following issues to be noted:

C:\winnt\php.ini only gives users read access. The following settings are required in php.ini:

Safe_mode=on

Register_globals = Off

Allow_url_fopen = Off

Display_errors = Off

MAGIC_QUOTES_GPC = on [default is on, but need to check again]

Open_basedir =web Directory

Disable_functions =passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod

The default setting Com.allow_dcom = True is modified to remove the front before the false[modification;]

MySQL Security settings:

If the MySQL database is enabled on the server, the security settings that the MySQL database needs to be aware of are:

Delete all default users in MySQL, keep the local root account only, and add a complex password to the root user. Give ordinary users Updatedeletealertcreatedrop permissions, and limit to a specific database, especially to avoid ordinary customers have permissions on MySQL database operations. Check the Mysql.user table to remove unnecessary user Shutdown_priv,relo

Ad_priv,process_priv and File_priv permissions that may leak more server information, including other information that is not MySQL. You can set up a startup user for MySQL that only has permissions on the MySQL directory. Set permissions on the data database for the installation directory (this directory holds the MySQL database information). For the MySQL installation directory, add read, column directories, and execute permissions to users.

Serv-u Security Issues:

The installer will use the latest version as far as possible, avoid using the default installation directory, set the permissions of the Serv-u directory, and set up a complex administrator password. Modify the banner information of the SERV-U, set the passive mode port range (4001-4003) make the relevant security settings in the local server settings: including checking anonymous passwords, disabling the scheduling of the go-ahead, intercepting "FTP bounce" attacks and FXP, Intercept 10 minutes for users who have connected more than 3 times in 30 seconds. The settings in the domain are: complex passwords are required, directories only use lowercase letters, and the advanced setting cancels the date that allows the file to be changed using the Mdtm command.

To change the startup user for Serv-u: Create a new user in the system, set a complex password, and not belong to any group. Give the user Full control of the SERVU installation directory. To create an FTP root directory, you need to give this user full control of the directory, because all FTP users upload, delete, change files are inherited from the user's permissions, otherwise unable to manipulate the file. Additionally, you need to give the user Read permission to the parent directory above the directory, or it will appear 530 not logged in, home directory does at the time of the connection. exist. For example, when testing the FTP root directory is d:soft, must give the user D disk Read permission, in order to safely cancel other folders in D disk inherited permissions. The general use of the default system startup does not have these problems, because system generally has these permissions.
Security settings for the database server

For dedicated MSSQL database servers, open only 1433 and 5631 ports, as described above, to set up TCP/IP filtering and policy. For MSSQL, first you need to set a strong password for the SA, use mixed authentication, strengthen the logging of the database log, and audit the "success and failure" of the database login events. removing unwanted and dangerous ole automatic stored procedures (which can cause some of the functionality in Enterprise Manager to not be used) includes the following:

sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty

sp_OAMethod sp_OASetProperty sp_OAStop

Remove unwanted registry access procedures, including:

Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue

Xp_regenumvalues Xp_regread xp_regremovemultistring

Xp_regwrite

Remove other system stored procedures, if you think there is a threat, of course, be careful to drop these processes, can be tested on the test machine to ensure that the normal system to complete the work, these processes include:

xp_cmdshell Xp_dirtree Xp_dropwebtask sp_addsrvrolemember

Xp_makewebtask Xp_runwebtask xp_subdirs sp_addlogin



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.