Windows Server 2003 System Security Configuration Method _win Server

First, the system installation

1, according to the WINDOWS2003 installation CD-ROM prompts installation, by default, 2003 did not install IIS6.0 installed in the system.

2, the installation of IIS6.0
Start Menu-> Control Panel-> Add or Remove Programs-> Add/Remove Windows Components
Application ——— ASP. NET (optional)
|--Enable network COM + access (required)
|--internet Information Services (IIS) ——— Internet Information Services Manager (required)
|--Public files (required)
|--World Wide Web service ——— Active Server pages (required)
|--internet data connector (optional)
|--webdav Release (optional)
|--WWW service (required)
|--on server-side include file (optional)
Then click OK-> next installation.

3, the System Patch update
Click Start Menu-> All Programs->windows update
Follow the prompts to install the patches.

4. Backup system
Use Ghost to back up the system.

5, the installation of commonly used software
For example: Antivirus software, decompression software and so on, after installation with Ghost again back up the system.

Second, the System permissions settings
1. Disk Permissions
system disk and all disks only give full control to the Administrators group and system
System disk \documents and Settings directory gives only full control to Administrators group and system
System disk \documents and Settings\All The Users directory only gives full control to the Administrators group and system
System disk \inetpub directory and all of the following directories, files only to the Administrators group and system Full Control permissions
System disk \windows\system32\cacls.exe, Cmd.exe, Net.exe, net1.exe files only give Full control to the Administrators group and system

2. Local Security policy settings
Start Menu-> Administration Tools-> Local Security Policy
A, local policy--> audit policy
Audit policy Change failed successfully
Audit logon event failed successfully
Audit object access failed
Audit process Tracking No audit
Audit directory service access failed
Audit privilege usage failed
Audit system Event failed successfully
Audit account logon event failed successfully
Audit account Management failed successfully

B, local policy--> user Rights Assignment
Shutdown system: Only Administrators group, all other delete.
Deny login via Terminal Services: Join guests, user group
Allow login via Terminal Services: Only join Administrators group, all other delete

C, Local policy--> security options
Interactive login: Do not display last user name enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares to enable
Network access: Enable for network authentication store credentials is not allowed
Network access: All shares that can be accessed anonymously are deleted
Network access: Anonymous access to all of the lives deleted
Network access: Remote access to the registry path all deleted
Network access: Remotely accessible registry paths and subpath Delete all
Account: Rename guest account rename an account
Accounts: Renaming a system administrator account renaming an account

3. Disabling unnecessary services
Start Menu-> management tools-> Services
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
Server

These are disabled in services that are started by default on the Windows Server 2003 system, and the default disabled service does not start if it is not specifically needed.

4. Enable firewall
Desktop-> Network Neighborhood-> (right) property-> Local Area Connection-> (right) property-> Advanced-> (checked) Internet Connection Firewall-> settings
Select the service port that you want to use on the server
For example: A Web server, to provide Web (80), FTP (21) services, and Remote Desktop Management (3389)
On the "FTP server", "Web server (HTTP)", "Remote Desktop" before the check mark
If you want to provide the service port is not inside, you can also click on "Add" ammonium Shilai Add, specific parameters can refer to the original parameters of the system.
then click OK. Note: If you are managing this server remotely, first determine if the remotely administered port is selected or added.
ASP virtual Host Security detection probe V1.5

Get out of Windows permissions Mihunzhen
The word "permission" is often seen in computer applications, especially when Windows 2000/XP is loaded into the computer by more and more friends, and readers often ask, what is the privilege? What's the use of it? Below we will use a few typical examples for you to explain the application of permissions in Windows, Not only will you be able to restrict access to your folders without installing any software, you can specify programs that users cannot use, but also have a knack for enhancing system security from within Microsoft.
——————————————————————————–

First knowledge of Windows permissions
First, to fully use all of the features of Windows permissions, make sure that the partition to which you apply permissions is the NTFS file system. This article will take the Windows XP Simplified Chinese Professional Edition +sp2 as an example to explain.
1. What is a privilege?
For example, Windows is like a lab with mentor A, mentor B, student A, student B. Everyone can finish the experiment in the lab. But here it is graded. Two instructors can specify what kind of experimental tools a student can use and what tools they can't touch, so that the lab does not use experimental tools for students. And there are problems. While Two mentors can also limit each other's use of experimental tools. therefore Permissions in Windows are methods of assigning and restricting power to a user or a user of the same level. It is with it that users in Windows follow this "unequal" system, and it is this system that allows Windows to better create a good, stable operating environment for the use of multiple users.
2. What does the permission contain?
In the NT-kernel-based Windows 2000/XP, permissions are divided into seven broad categories that are fully controlled, modified, read and run, List folder directories, read, write, and special permissions (see Figure 1).

Full Control includes the other six rights. As long as you have it, it is equivalent to having another six major permissions, and the remaining check boxes are automatically selected. Permission that belongs to the highest level.
The levels of other privileges are: Special permissions > Read and run > Modify > Write > Read.
By default, Windows XP enables simple file sharing, which means that the Security tab and advanced options for permissions are not available. You will not be able to perform those permissions application operations as described in this article. Right-click any file or folder now. Select Properties, and if you do not see the Security tab, you can open it by using the following method.
Open My Computer, click tools → folder options → view, and then click to cancel the use Simple File sharing (recommended) check box.
"Positive" application of actual combat authority
The following application of the premise is that the limited user is not in the Administrators group, otherwise will be unauthorized access, the back of the "reverse application" will be mentioned. Users performing permission settings need at least a member of the Power Users group to have sufficient permissions to set up.
Example 1: My Documents you don't look-protect your files or folders
Suppose a computer has three users, the user name is User1, User2, User3. Userl don't want User2 and User3 to view and manipulate their own "test" folders.
Step One: Right-click the "Test" folder and select "Properties" to go to the Security tab, and you will see that the "group or user name" column has Administrators (a\administrators), CREATOR OWNER, SYSTEM Users (a\ Users), User1 (A\ User1). They represent the Administrators group named a computer, create, owner group, System Group, user group, and user User1 permissions settings for this folder. Of course, different computer settings and software installation, the user or user group information in this column is not necessarily the same as I described. However, it will normally contain at least one of 3 items: Administrators, SYSTEM, users, or everyone (see Figure 2).

Step two: Select and delete Administrators, CREATOR OWNER, SYSTEM, and users in turn, leaving only the Userl account you use. You may encounter a hint box in Figure 3 in an operation.

In fact, just click the Advanced button, and on the Permissions tab, Cancel to inherit from the parent the permission entries that can be applied to child objects, including those explicitly defined here, and click Delete in the pop-up dialog box. This allows the folder to clear the Permissions settings inherited from the previous directory, and the User1 account you use is retained by the instrument.
Just so easily, you realize that other users, even system permissions, cannot access the purpose of the "test" folder.
★ Note that if you need to install the software in this folder, do not delete "system", or it may cause system access errors
★administrator is not the Supreme Commander: You may ask, why is there a "SYSTEM" account here? At the same time, many friends believe that the administrator in WINDOWS2000/XP is the most privileged user, in fact, this " System has the highest privileges, because it is "working as part of the operating system," and any user who obtains this permission in some way overrides everything.

——————————————————————————–
Example 2: Don't chat at work time-prohibit users from using a program
The first step: Find the main program of the chat program, such as QQ, the main program is the installation directory QQ.exe, open its Properties dialog box, go to the "Security" tab, select or add users you want to limit, such as User3.
Step two: Then select Full Control as reject, read and run also as reject.
Step three: Click the "Advanced" button to enter the advanced permissions are not set, select User3, click the "Edit" button to enter the permission item. In the Deny column here, select the check box for change permissions and get ownership.
You can also use the Group Policy Editor to implement this functionality, but security is not high on the above method. Click "Start → run", enter "Gpedit.msc", and then open Group Policy Editor after entering "computer settings →windows settings → security settings → software restriction policies → other rules", right click, select "All tasks → new path rule", Follow the prompts to set the main program path of the software you want to restrict, and then set the level of security you want, whether it is "disallowed" or "restricted."

——————————————————————————–
Example 3: A guest--The secret of Microsoft's internal system security enhancements
This actual combat content will require administrator privileges. An intrusion is nothing more than a way to obtain administrator-level or system-level privileges for next steps, such as adding your own users. What if you want the intruder to "come in" and not do anything? can always be a guest or even lower than this permission, even if the local login, even the shutdown can not. He would not, then, be able to carry out any destructive activity.
Note: This method is of high risk. It is recommended that readers who are not aware of the following program use do not try. In order to avoid misoperation caused the system can not enter or a lot of errors.
First step: Determine which program to set
Search the system directory of dangerous programs, they can be used to create users to capture and promote the rights of users with low privileges, format the hard drive, causing computer crashes and other malicious operations: Cmd.exe, Regedit.exe, Regsvr32.exe, Regedt32.exe, Gpedit.msc, Format.com, Compmgmt.msc, Mmc.exe, Telnet.exe, Tftp.exe, Ftp.exe, XCOPY. EXE, At.exe, Cacls.exe, Edlin.exe, Rsh.exe, Finger.exe, Runas.exe, Net.exe, Tracert.exe, Netsh.exe, Tskill.exe, Poledit.exe, Regini.exe, Cscript.exe, Netstat.exe, Issync.exe, Runonce.exe, Debug.exe, Rexec.exe, Wscript.exe, Command.com, Comsdupd.exe
Step two: Group settings by system call possibility
GROUP by following. Set these program permissions. After completing a group, it is recommended that you reboot the computer to confirm that the system is running properly, view Event Viewer, and have error messages (Control panel → admin tools → event viewer).
(1) Cmd.exe, Net.exe gpedit.msc telnet.exe Command.com
(Only keep your own users, system also delete)
(2) Mmc.exe, Tftp.exe, Ftp.exe, XCOPY. EXE, Comsdupd.exe
(Only keep your own users, system also delete)
(3) Regedit.exe, Regedt32.exe, Format.com, Compmgmt.msc, At.exe, Cacls.exe, Edlin.exe, Rsh.exe, Finger.exe, Runas.exe, Debug.exe, Wscript.exe, Cscript.exe, Rexec.exe
(Keep your own users and system)
(4) Tracert.exe, Netsh.exe, Tskill.exe, Poledit.exe, Regini.exe, Netstat.exe, Issync.exe, Runonce.exe, regsvr32.exe
(Keep your own users and system)
Step three: User name spoofing
This approach does not fool experienced intruders, but it can make a confused of bogus hackers who are not smart enough.
Open the Control Panel one administration tool Computer Management, find the user, swap the default administrator and guest names, including descriptive information. When you are done, double-click the fake "Administrator" user, the former guest user. In its Properties window, delete the Guests group that is attached to the list. Such This fake "admin" account becomes "independent" and does not belong to any group and does not inherit its permissions. This user's permissions are almost equal to 0, even the shutdown can not, the operation of the computer will be almost rejected. If anyone has deliberately acquired the permission of this user, then he must be vomiting blood.
Fourth step: Centralization control, improve security
The Group Policy Editor opens with the computer settings →windows settings → security settings → local policies → user rights Assignment (see Figure 4), which is then set according to the prompts below.

(1) Reduce the number of users who can access this computer and reduce the chance of being attacked
Locate and double-click "Access this computer from the network" to delete the user group in the account list, leaving only "Administrators";
Locate and double-click deny local logon, delete the Guest user in the list, and add the user group "Guests".
(2) To identify users who do not want to be accessed from the network, to join this "blacklist"
Locate and double-click "Deny access to this computer from the beginning", delete the "Guest" user in the Account list and add the user group "Guests";
Locate and double-click "Take ownership of files or other objects", add your favorite accounts and the administrator account that has been modified with the name "Guest", and then delete "Administrators" from the list.
(3) Prevent Cross folder operations
Locate and double-click Bypass traverse checking to add the account you are using and the administrator account that has been modified with the name "Guest", and then delete the "Administrators", "Everyone" and "users" groups in the Account list.
(4) Prevention of password guessing attempts through Terminal Services
Locate and double-click deny logon through Terminal Services to add a fake administrator account "Administrator"; find "allow login via Terminal Services", double click, add your usual account and the admin account with the modified name "Guest", then delete the " Administrators "," Remote Desktop user "and" helpassistant "(delete this user if you do not need Remote Assistance function).
(5) Avoid denial of service attacks
Locate and double-click adjust memory quotas for the process, add your favorite accounts, and then delete the "Administrators" in your account list.

——————————————————————————–
Example 4: "Your document" not exclusive-break the folder "private" restrictions
When Windows XP installation completes and enters the system, it asks if "My Documents" is private (private), and if yes, makes the My Documents folder under that user inaccessible to other users, deleted, and modified. In fact, this is the use of permission settings to remove the users and groups in the Access control List of this folder to only the system and your users, the owner is also set to the user all, the Administrators group of users can not directly access. This folder cannot be deleted or modified if you have set this folder to be private, but you have again installed the system on the disk. Follow these steps to get your access to this folder unimpeded.
Step one: Log in to an administrator's account, such as the system default administrator, find the "My Documents" that are set up as private, go to the "Security" tab of their properties, and you will see that your users are not inside, but you cannot add and delete them.
Step Two: Click the Advanced button, go to the Advanced Permissions setting, select the Owner tab, choose the user you are using, such as "Userl (A\userl)", in the list below "change owner to", and then select the Replace child container and owner of object check box, and then click Apply , waiting for the operation to complete.
The third step: again into this folder to see if you do not have any permission to the hint? Can I have a free visit? Look inside the file, copy, delete try. Is everything the same as "own"? hehe. If you want to delete the entire folder, there is nothing to stop you.

System\currentcontrolset\control\terminal Server\winstations\rdp-tcp changed 3389.

WINDOWS2003 Basic Web Server security settings
Column: | Author: Green Bird South Flight | Hits: 164 | Reply: 0 | 2006-6-26 14:40:39
Basic server security Settings
1, install the patch

After installing the operating system, it is best to install the patch before hosting, configure the network, if it is 2000 to determine the installation of the SP4, if it is 2003, it is best to install the SP1, then click Start →windows Update, install all the key updates.

2, install anti-virus software

As for antivirus software, I currently use two sections, A is rising, A is Norton, rising kill Trojan effect than Norton stronger, I tested virus package, rising to kill a lot of, but installed rising words will have a problem is will appear ASP dynamic can not access, this time need to repair, the specific steps are:

Turn off all real-time monitoring of antivirus software, script monitoring.

╭═══════════════╮╭═══════════════╮

In the DOS command line state, enter the following commands and press the ENTER key individually:

regsvr32 jscript.dll (Command function: Repair Java dynamic link library)

regsvr32 vbscript.dll (Command function: Repair VB dynamic link library)

╰═══════════════╯╰═══════════════╯

Do not expect anti-virus software to kill all Trojans, because the characteristics of the ASP Trojan Horse can be through a certain means to avoid the killing of anti-virus software.

3. Set port protection and fire prevention

2003 of the Port Shield can be resolved through its own firewall, which is better than filtering more flexibility, desktop-> Network Neighborhood-> (right) properties-> local connection-> (right) Properties-> Advanced-> (checked) Internet Connection Firewall- > Settings

Select the service port that you want to use on the server

For example: A Web server, to provide Web (80), FTP (21) services, and Remote Desktop Management (3389)

On the "FTP server", "Web server (HTTP)", "Remote Desktop" before the check mark

If you want to provide the service port is not inside, you can also click on "Add" ammonium Shilai Add, specific parameters can refer to the original parameters of the system.

then click OK. Note: If you are managing this server remotely, first determine if the remotely administered port is selected or added.

Permission settings

The principle of permission setting

? Windows users, most of the time in the Winnt system, divide permissions by User (group). Manage system users and user groups at the start → programs → administration tools → Computer Management → local users and groups.

? NTFS permission settings, remember to partition all the hard drives into an NTFS partition, and then we can determine the permissions that each partition opens for each user. The file (folder) right → properties → security "here to manage NTFS file (folder) permissions."

? IIS anonymous users, each IIS site or virtual directory, can set an anonymous access user (now call it "IIS anonymous user") when the user visits your site. ASP file, this. The permissions that an ASP file has, that is, the permissions that this "IIS anonymous user" has.

Permission settings

Disk Permissions

system disk and all disks only give full control to the Administrators group and system

System disk \documents and Settings directory gives only full control to Administrators group and system

System disk \documents and Settings\All The Users directory only gives full control to the Administrators group and system

System disk \inetpub directory and all of the following directories, files only to the Administrators group and system Full Control permissions

System disk \windows\system32\cacls.exe, Cmd.exe, Net.exe, net1.exe files only give Full control to the Administrators group and system

4. Disabling unnecessary services

Start Menu-> management tools-> Services

Print Spooler

Remote Registry

TCP/IP NetBIOS Helper

Server

These are disabled in services that are started by default on the Windows Server 2003 system, and the default disabled service does not start if it is not specifically needed.

Renaming or uninstalling unsafe components

Unsafe components not surprising

An unsafe component detection function was added to the 1.9 of a-river probe (in fact, it was written in reference to 7i24 code, just to change the interface a bit friendlier, the detection method and he is basically the same), this feature so many webmasters surprised not small, because he found that his server support a lot of unsafe components.

In fact, as long as the above permissions set, then FSO, XML, Strem are no longer unsafe components, because they do not have to cross their own folder or site permissions. That happy time not to fear, there are anti-virus software in the fear of what time ah.

The most dangerous component is WSH and shell, because it can run programs such as the EXE on your hard drive, such as it can run a lifting program to elevate Serv-u permissions and even use SERVU to run higher-privileged system programs.

Carefully decide whether to uninstall a component

Components are intended to be applied, not to be unsafe, and all components are useful, so before uninstalling a component, you must verify that the component is not required by your Web site program, or that it is not roughly the same if removed. Otherwise, you can only keep this component and do the same in your ASP program itself, to prevent others from coming in, rather than preventing others from coming in after the shell.

For example, FSO and XML are one of the most common components, and many programs use them. The WSH component will be used by some host management programs, as well as some packaging programs.

5, uninstall the most unsafe components

The easiest way to do this is to remove the appropriate program files after you uninstall them directly. Save the following code as one. BAT file, (WIN2000 for example, if 2003 is used, the system folder should be C:\WINDOWS\)

Regsvr32/u C:\WINNT\System32\wshom.ocx

Del C:\WINNT\System32\wshom.ocx

Regsvr32/u C:\WINNT\system32\shell32.dll

Del C:\WINNT\system32\shell32.dll

Then run it, Wscript.Shell, Shell.Application, and Wscript.Network will be unloaded. You may be prompted not to delete the file, do not worry about it, restart the server, you will find that all three prompts "x security".

Renaming unsafe components

Notice that the name of the component and the CLSID are changed, and that they are completely changed. The following is an example of shell.application to introduce the method.

Open Registry Editor start → Run →regedit carriage return, and then "edit → find → fill shell.application→ Find Next", this method can find two registry entries: "{13709620- c279-11ce-a49e-444553540000} "and" Shell.Application ". To ensure that it is foolproof, export the two registry keys and save them as a. reg file.

Like we want to make changes like this.

13709620-c279-11ce-a49e-444553540000 renamed as 13709620-c279-11ce-a49e-444553540001

Shell.Application renamed as Shell.application_ajiang

Then, replace the contents of the. reg file that you just exported with the corresponding relationship above, and then import the modified. reg file into the registry (double click), and after you import the renamed registry key, don't forget to delete the original two items. It should be noted here that the CLSID can only be 10 digits and abcdef six letters.

Here is my revised code (two files I come together):

Windows Registry Editor Version 5.00

[hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}]

@= "Shell Automation Service"

[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\inprocserver32]

@= "C:\\winnt\\system32\\shell32.dll"

"ThreadingModel" = "Apartment"

[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\progid]

@= "Shell.application_ajiang.1″

[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\typelib]

@= "{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\version]

@= "1.1″

[Hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540001}\versionindependentprogid]

@= "Shell.application_ajiang"

[Hkey_classes_root\shell.application_ajiang]

@= "Shell Automation Service"

[Hkey_classes_root\shell.application_ajiang\clsid]

@= "{13709620-c279-11ce-a49e-444553540001}"

[Hkey_classes_root\shell.application_ajiang\curver]

@= "Shell.application_ajiang.1″

You can save this as a. reg file. Try it, but don't do it, because if the hacker had read my article, he would have tried the name I had changed.

6. Prevent listing of user groups and system processes

In arjunolic ASP probe 1.9, the 7i24 method utilizes GetObject ("WINNT") to obtain a list of system users and system processes, which may be exploited by hackers and should be hidden by:

"Start → program → admin tools → services", find workstation, stop it, disable it.

Prevent serv-u privilege elevation

In fact, after the shell component is logged off, the intruder is less likely to run the lifting tool, but Prel and other scripting languages also have shell capabilities, in case, or set it up for good.

With UltraEdit open ServUDaemon.exe find Ascii:localadministrator, and #l@ $ak #.lk;0@p, modified to equal length of other characters on it, ServUAdmin.exe the same treatment.

Also note that you set the permissions of the folder in which Serv-u is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file.

Common methods and precautions of exploiting ASP vulnerabilities

In general, hackers always aim at forums and other programs, because these programs have upload function, they can easily upload ASP trojan, even if set permissions, Trojan can also control the current site of all files. In addition, there is a Trojan horse and then upload the lifting tool to obtain higher privileges, we shut down the shell component is to a large extent to prevent the attacker to run the lifting tool.

If the Forum administrator turned off the upload function, the hacker will find a way to get the super tube password, for example, if you use the Dynamic Network forum and the database forgot to rename, people can directly download your database, and then distance to find the forum administrator password is not far away.

As an administrator, we first need to check our ASP program, do the necessary settings to prevent the site from being hacked into. The other is to prevent attackers from using a hacked web site to control the entire server, because if your server has a site for friends, you may not be sure that your friends will be able to put the forums he uploaded into the security settings. This is used to say that a lot of things, do those permissions settings and prevent the promotion, the hacker even entered a site, can not destroy the site outside of things.

QUOTE:
C:\
Administrators All
System All
IIS_WPG only This folder
List Folder/Read data
Read properties
Read Extended Properties
Read permissions

C:\inetpub\mailroot
Administrators All
System All
Service All

C:\inetpub\ftproot
Everyone read-only and run

C:\Windows
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
IIS_WPG reads and runs, lists folder directories, reads
Users Read and run (this permission can be canceled when the final adjustment is complete)

C:\WINDOWS\Microsoft.Net
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
Users Read and run, List folder directories, read

C:\WINDOWS\Microsoft.Net
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
Users Read and run, List folder directories, read

C:\WINDOWS\Microsoft.Net\temporary asp.net Files
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
Users All

C:\Program Files
Everyone only has this folder
Not inherited.
List Folder/Read data
Administrators All
IIS_WPG only This folder
List files/Read data
Read properties
Read Extended Properties
Read permissions

C:\Windows\Temp
Administrator All rights
System Full Permissions
Users All rights

C:\Program Files\Common Files
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
TERMINAL SERVER Users (if you have this user)
Modify, read and run, List folder directories, read, write
Users Read and run, List folder directories, read

If our software is installed:
C:\Program Files\liweiwensoft
Everyone reads and runs, lists folder directories, reads
Administrators All
System All
IIS_WPG reads and runs, lists folder directories, reads

C:\Program Files\dimac (If you have this directory)
Everyone reads and runs, lists folder directories, reads
Administrators All

C:\Program Files\complus Applications (if any)
Administrators All

C:\Program FILES\GFLSDK (if any)
Administrators All
Creator owner
Not inherited.
Subfolders and files only
Completely
Power Users
Modify, read and run, List folder directories, read, write
System All
TERMINAL SERVER Users
Modify, read and run, List folder directories, read, write
Users Read and run, List folder directories, read
Everyone reads and runs, lists folder directories, reads

C:\Program Files\installshield Installation Information (if any)
C:\Program files\internet Explorer (if available)
C:\Program files\netmeeting (if any)
Administrators All

C:\Program Files\Windowsupdate
Creator owner
Not inherited.
Subfolders and files only
Completely
Administrators All
Power Users
Modify, read and run, List folder directories, read, write
System All

C:\Program Files\Microsoft SQL (if SQL is installed in this directory)
Administrators All
Service All
System All

C:\Main (if the host control site is placed in this directory)
Administrators All
System All
iusr_*, default Internet Guest account (or dedicated running user)
Read and run

D:\ (If the user site content is placed in this section)
Administrators all permissions

D:\FreeHost (if this directory is used to place user site content)
Administrators all permissions
SERVICE Read and run
System Read and run (full permissions, if the first-class information monitoring is installed)

F:\ (If this partition is used to place the SQL2000 user database)
Administrators all permissions
System Full Permissions
Operation of SQL2000
Only this folder
List Folder/Read data
Read properties
Read Extended Properties
Read permissions

F:\SQLDATA (if this directory is used to place the SQL2000 user database)
Administrators all permissions
System Full Permissions
SQL2000 full permissions of the running user

From a security perspective, we recommend that Webeasymail (Winwebmail) be installed on separate disks, such as E:
E:\ (if Webeasymail is installed on this disk)
Administrators all permissions
System Full Permissions
iusr_*, default Internet Guest account (or dedicated running user)
Only this folder
List Folder/Read data
Read properties
Read Extended Properties
Read permissions
E:\WebEasyMail (if Webeasymail is installed in this directory)
Administrators All
System Full Permissions
SERVICE All
iusr_*, default Internet Guest account (or dedicated running user)
All permissions

C:\php\uploadtemp
C:\php\sessiondata
Everyone
All

C:\php\
Administrators All
System Full Permissions
SERVICE All
Users read-only and run

C:\windows\php.ini
Administrators All
System Full Permissions
SERVICE All
Users read-only and run