Windows permissions settings Detailed _ Security settings

Source: Internet
Author: User
Tags file upload parent directory sql injection web services file permissions strong password
With the wide application of the mobile network Forum and the discovery of the vulnerability on the Internet, as well as the more and more use of SQL injection attacks, Webshell makes the firewall useless, and a Web server that only makes 80 ports open to all Microsoft patches will escape the fate of being hacked. Do we really have nothing to do? In fact, as long as you understand the NTFS system permissions to set the problem, we can say to the crackers: no!

To build a secure Web server, this server must use NTFS and Windows
nt/2000/2003. As we all know, Windows is a multi-user, multitasking operating system, which is the basis of permission settings, all permissions are based on users and processes, different users will have different permissions when accessing this computer.

DOS and Winnt the difference between the permissions
DOS is a single task, single user operating system. But can we say DOS does not have permission? No! When we open a computer with a DOS operating system, we have administrator privileges on the operating system, and the permissions are everywhere. Therefore, we can only say that DOS does not support the setting of permissions, can not say that it does not have permissions. As people's awareness of security increased, permission settings were born with the release of NTFS.

Windows
NT, the user is divided into many groups, groups and groups have different permissions, of course, a group of users and users can also have different permissions. Now let's talk about the common user groups in NT.

Administrators, the Administrators group, by default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system. Therefore, only trusted people can become members of the group.

Power
Users, advanced user groups, Power users can perform any operating system tasks other than those reserved for the Administrators group. Assign to power
The default permissions for the Users group allow members of the Power Users group to modify the settings for the entire computer. But power Users do not have to add themselves to the Administrators
Permissions for the group. In permission settings, the permissions of this group are second to administrators.

Users: Normal user group, the user of this group cannot make intentional or unintentional changes. As a result, users can run validated applications, but they cannot run most legacy applications. Users
A group is the safest group because the default permissions assigned to the group do not allow members to modify the operating system settings or user data. The Users Group provides an environment in which the most secure programs run. After the NTFS
On a formatted volume, the default security setting is designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users
You can turn off the workstation, but you cannot shut down the server. Users
You can create local groups, but you can modify only the local groups that you create.

Guests: Guest group, by default, guests have equal access to members of the regular users, but the Guest account has more restrictions.

Everyone: As the name implies, all users, all users on this computer belong to this group.

In fact, there is a group is also very common, it has the same as administrators, even higher than the permissions, but this group does not allow any user to join, in view of the user group, it will not be displayed, it is the system group. The permissions required for system and system-level services to function properly are vested in it. Since this group has only one user system, it may be more appropriate to classify the group as a user.

Power size Analysis of permissions
Permissions are high or low, and users with elevated privileges can operate on users with lower privileges, but other groups, except administrators, cannot access
Ntfs
Other user data on the volume, unless they are authorized by these users. Users with low privileges cannot do anything with highly privileged users.

We usually do not feel the privilege of using the computer to prevent you from doing something, because we use the computer in the administrators of the user logged in. It's good and bad, and, of course, you can do anything you want to do without having access to the restrictions. The disadvantage is to
Running the computer as a member of the Administrators group makes the system vulnerable to Trojan horses, viruses, and other security risks. Access to the Internet
A simple action to site or open an e-mail attachment can damage the system.

Unfamiliar Internet
The site or e-mail attachment may have Trojan Horse code that can be downloaded to the system and executed. If you are logged on as an administrator on the local computer, the Trojan may reformat your hard disk with administrative access, causing immeasurable damage, so it is best not to log in administrators users without the necessary circumstances. Administrators has a default user----that is created when the system is installed Administrator,administrator
The account has full control over the server and can assign user rights and access control permissions to the user as needed.

It is therefore strongly recommended that this account be set to use strong passwords. Can never be from administrators
Group to delete an Administrator account, but you can rename or disable the account. As you all know that "admin" exists in many versions of Windows
, renaming or disabling this account makes it more difficult for a malicious user to try and access the account. For a good server administrator, they usually rename or disable this account. Under the Guests user group, there is also a default user----Guest, but by default it is disabled. You do not need to enable this account if it is not particularly necessary.

Small help: What is a strong password? is the letter and number, the size of the combination of more than 8 complex password, but this also does not completely prevent many hackers, but to a certain extent more difficult to crack.

We can view user groups and users under this group through the Control Panel-Administrative Tools-Computer Management-users and user groups.

We right-click a directory under an NTFS volume or an NTFS volume, select Properties-Security to set permissions on a volume, or the directory under a volume, and we see the following seven types of permissions: Full Control, modify, read and run, List folder directories, read, write, and special permissions. Full Control is the unrestricted full access to this volume or directory. Status is like the position of administrators in all groups. Full Control is selected, and the following five properties are automatically selected.

"Modify" is like power
Users, "Modify" is selected and the following four properties will be automatically selected. If any of the following items are not selected, the "modify" condition will no longer be established. Read and run is any file that is allowed to read and run under this volume or directory, and "List folder Directory" and "read" are necessary for read and run.

"List Folder Directory" means that only subdirectories under the volume or directory can be browsed, cannot be read, and cannot be run. Read is the ability to read data in the volume or directory. "Write" is the ability to write data to the volume or directory. and "Special" is to the above six kinds of permissions are subdivided. Readers can do a deeper study of "special" on their own, and I will not dwell on them here.

Set instance operation for a simple server:

The following is a comprehensive analysis of a Web server system and its permissions that have just been installed on the operating system and service software. Server with Windows
The server version, installed SP4 and a variety of patches. The Web services software is IIS with Windows 2000 self
5.0, removed all unnecessary mappings. The entire hard drive is divided into four NTFS volumes, C disk is the system volume, only installed the system and driver, D disk is a software volume, all the software installed on the server in D disk, e disk is a Web application volume, the Web site program is under the volume of the WWW directory; F disk is a Web site data volume, All data in the Web site system call is stored in the Wwwdatabase directory of the volume.

This sort of classification is more in line with the standard of a secure server. I hope that each novice administrator can reasonably give your server data classification, this is not only easy to find, but more importantly, this greatly enhances the security of the server, because we can give each volume or each directory to set different permissions, once a network security accident, can also reduce the loss to the minimum.

Of course, you can also distribute the site's data on different servers, make it a server farm, each server has a different user name and password and provide a different service, so the security is higher. But people who are willing to do so have a feature----money:).

Well, to get to the bottom of this, the server's database for Ms-sql,ms-sql service software SQL2000 installed in the D:\ms-sqlserver2K directory, to the SA account set a strong enough password, installed a SP3 patch. In order to facilitate web page producers to manage the Web, the site also opened the FTP service, the FTP service software using the Serv-u
5.1.0.0, installed in the D:\ftpservice\serv-u directory. The difference between antivirus software and firewalls is Norton.
Antivirus and BlackICE, the path is D:\nortonAV and D:\firewall\blackice, virus Library has been upgraded to the latest, firewall rule library definition only 80 ports and 21 ports open to the outside. The content of the website is to use 7.0 of the forum of Dynamic Net, the website program is under E:\www\bbs.

Attentive readers may have noticed that I have not adopted the default path for installing these service software or just changed the default path of the letter, which is also a security requirement, because a hacker who has access to your server through some means, but does not get administrator privileges, The first thing he does will be to see what services you open up and what software you have installed, because he needs to improve his privileges.

A path that is hard to guess and a good permission setting will block him out. It is believed that this configuration of the Web server is enough to withstand most of the wrong hackers. The reader may ask again, "This is no use to the permissions!" I have done all the other safe work, is the permission set necessary? "Of course there is!" A wise man will have a loss, even if you have now made the system safe and perfect, you must know that the new security vulnerabilities are always being found.

Instance attack
Permission will be your last line of defense! Well, let's just do it now. A mock attack on this server without any permissions setting, all with Windows default permissions, to see if it is really impregnable.

Assuming the server extranet domain name is http://www.webserver.com, scan it with scanning software to discover open www and FTP service, and found that its service software uses IIS
5.0 and Serv-u
5.1, with some of their overflow tool found invalid, and then abandoned the idea of a direct remote overflow.

Open the website page, found that the use of the network of the Forum system, so in its domain name after adding a/ Upfile.asp, found that there is a file upload loophole, then grabbed the package, the modified ASP Trojan with NC submission, prompted upload success, successfully get Webshell, open just uploaded ASP Trojan, found that there are ms-sql, Norton
Antivirus and BlackICE are running, judging by the restrictions on the firewall, shielding the SQL service port.

Through the ASP Trojan check to see Norton
Antivirus and BlackICE PID, and through the ASP Trojan upload a can kill the process of the file, run and kill the Norton
Antivirus and BlackICE. Again scan, found that 1433 ports open, there are many ways to get administrator privileges, you can view the site Directory conn.asp get SQL username password, and then log into SQL to execute add user, mention administrator rights. can also catch serv-u under the Servudaemon.ini modified upload, get system administrator privileges.

You can also add users directly to administrators, and so on, by passing local overflow serv-u tools. As you can see, once the hacker has found the entry point, in the absence of permission restrictions, hackers will be easy to obtain administrator privileges.

So let's take a look at Windows now.
The default permission setting for 2000 is exactly what it is. For the root directory of each volume, the Everyone group is given full control by default. This means that any user who enters the computer will be unrestricted to do whatever is in the root directory.

Three directories under the system volume are special, the system defaults to their restricted permissions, the three directories are documents
and settings, program files, and Winnt. For documents and
Settings, the default permissions are assigned in this way: Administrators has full control; everyone has read & Transport, column and read permissions; power
Users have read & transport, column and read permissions, system with administrators; Users have read & shipping, column and Read permissions. For program
Files,administrators has full control; Creator owner has special privileges; Power
Users have full control; System with administrators; Terminal Server
Users have full control, users have read & transport, columns and Read permissions.

Have full control over winnt,administrators; Creator
Owner has special privileges; Power
Users have full control; System with administrators; Users have read & shipping, columns and Read permissions. Not all directories under the system volume inherit the permissions of their parent directory, which is the Everyone group's full Control!

Now you know why we just got the admin right when we were testing it? The permissions are set too low! When a person visits a website, it is automatically assigned to the IUSR user, which is subordinate to the Guest group. The original permission is not high, but the system defaults to the Everyone group full control but let it "worth doubling", to the end can get administrators.

So how is it safe to set permissions on this Web server? We should keep in mind that: "The least service + minimum permissions = maximum security" For services, do not have to wear, do not need to know the operation of the service is the system-level, for the authority, in accordance with the principle of good enough to distribute it.

For the Web server, take just that server, I am so set permissions, we can refer to: The root directory of each volume, Documents
and settings and program files, only give the administrator full control, or simply direct the program
files are deleted; Add a read and write right to the root directory of the system volume; to the E:\www directory, that is, the site directory read, write right.

Finally, the Cmd.exe this file to be dug out, only give the administrator full control. After this setup, and then to the way I just hacked the server is impossible to complete the task. Perhaps this time another reader will ask: "Why do you want to give the system volume to the root directory of everyone read and write right?" Do you need to run the ASP files in your Web site without running permissions? "The question is good, there is depth." Yes, if the system volume does not give everyone the right to read and write, when you start the computer, the computer will report an error, and will prompt virtual memory is low.

Of course, there is a premise----virtual memory is allocated on the system disk, if the virtual memory allocated to other volumes, then you have to give that volume everyone read and write right. ASP files are run on the server, it is true that only the results of the execution are passed back to the end-user's browser, but the ASP file is not a system-sense executable and is interpreted by the provider of the Web service----IIS, so its execution does not require permission to run.

Deep understanding of the meaning behind permissions
After the above explanation, you must have a preliminary understanding of the right? Want to have a deeper understanding of permissions, then some of the characteristics of the permissions you can not do not know, permissions are inherited, cumulative
, priority, and cross-sex.

Inheritance is that the subordinate directory has the previous level of directory permissions set before it is reset. There is also a case in point where copying directories or files within a partition will have the same level of directory permissions set up in the directory as it is now located. But when you move directories or files within a partition, the directories and files that you move in the past will have their original permissions set.

Add up is that if there are two users USER1, USER2 in a group GROUP1, and they have access to a file or directory, respectively, read and write, the group GROUP1 access to the file or directory for USER1 and USER2 access rights, is actually the largest one, read + write = write.
Another example is that a user USER1 belong to group GROUP1 and GROUP2, and GROUP1 access to a file or directory is read-only, and GROUP2 access to this file or folder is "Full Control" type, The user USER1 access to the file or folder is cumulative by two group privileges, namely: Read Only + Full Control = Full Control.

Priority, this feature of the permission also contains two seed characteristics, one is the file access rights priority directory permissions, that is, file permissions can bypass the directory permissions, regardless of the previous level of folder settings. Another feature is that the Deny permission takes precedence over other permissions, which means that the Deny permission can cross all other permissions, and once the Deny permission is selected, the other permissions cannot take any action, equivalent to no settings.

Cross refers to when the same folder for a user set share permissions while the user set the access rights of the folder, and the set of permissions inconsistent, it is the principle of the choice of two permissions to the intersection, which is the most stringent, the smallest kind of permission. If the share permission set by directory A for user USER1 is read-only, and the access rights set by directory A for the user USER1 are full control, the user USER1 's final access is read-only.

Issue of permission settings I'm going to say this, and in the end I want to remind readers that the permissions settings must be implemented in an NTFS partition, and FAT32 does not support permission settings. At the same time, I would like to give you the administrator some suggestions:

1. Develop good habits, to the server hard disk partition when the classification is clear, when not using the server to lock the server, often update a variety of patches and upgrade anti-virus software.

2. Set a strong password, this is a cliché, but there are always administrators to set a weak password or even a blank password.

3. Try not to install all kinds of software under the default path

4. In the case of English proficiency is not a problem, try to install the English version of the operating system.

5. Avoid the installation of software or unnecessary services on the server.

6. Keep in mind: there is no permanent security system, often update your knowledge.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.