Windows Server Iis6+php+mysql installation configuration detailed

Used to use Apache, because the job needs, to configure the PHP environment of IIS, the Internet to find some information, a bit on the configuration, in fact, with the experience of Apache+php+mysql, this is easy to understand.

now The iron is hot, before you forget, the general steps to sum up.

First step: Download the program

Download "Php-5.2.0-win32.zip", "Mysql-noinstall-5.0.22-win32.zip", Baidu above all have.

Step Two: Install PHP

(1) The download of "Php-5.2.0-win32.zip" copy to D disk, and then the right key to extract the Php-5.2.0-win32 directory;

(2) After finding the "php.ini-dist" file in the D:/php-5.2.0-win32 folder, copy a copy of it first, making it easy to restore after the error. Then rename the copied file to "PHP.ini";

(3) Use Notepad to open "php.ini" file, look for "Extension_dir", and then Extension_dir = "./" To Extension_dir = "D:/php-5.2.0-win32/ext"; (note: The slash should be used here.) /instead of backslashes). The following figure;

(4) then configure the PHP extension support to find the following line in the php.ini file: "; Extension=php_mysql.dll"; "; Extension=php_gd2.dll"; extension=php_ Mbstring.dll "The preceding semicolon is removed, which means that PHP supports these extensions;"

(5) Save and close the php.ini file, and then copy it to the C:/windows directory;

(6) Locate the file named Php5ts.dll,libmysql.dll under the D:/php-5.2.0-win32 folder and copy it to the C:/windows/system32 folder (Note: IIS handles PHP 5 and MySQL requires the file).

At this point, PHP installation completed!

Step Three: Install the configuration IIS

I believe this is no stranger to us.

(1) Control Panel-> Add/Remove Programs-> Add/Remove Windows components, check IIS. If there is no installation disk, you can go to the next network from the installation disk extracted from the IIS package. After the installation is complete, there will be a Inetpub folder in C disk.

(2) Open the Internet Information Services (IIS) Manager in the Administrative tools, or determine after entering "inetmgr" (excluding quotes) in the Run dialog box.

(3) Right-click the "Web Site" under "Internet Information Services" on the left. Then choose Properties, or pop up a familiar site properties panel, switch to the Home Directory tab, click Configure below to pop up an application configuration box and click the Add button below. Finally, in the pop-up box "executable" to navigate to "D:/php-5.2.0-win32/php5isapi.dll", in the "extension" text box, enter ". php" (Note: Add before the extension), click OK. The following figure;

(4) Right-click Web Service Extensions under Internet Information Services on the left, click "Add a new Web service extension", and then add a new Web Extender-enter: PHP, then point the executable file to the path to Php5isapi.dll and set to " Allow ", and finally Click" OK "(I began to miss this step leading to access to the PHP file Times 403 page inaccessible phenomenon, and then groped for half a day to discover). The following figure;

At this point, IIS is basically configured and don't forget to reboot IIS.

net stop w3svc

net start w3svc

Fourth step: Install MySQL

This is not said, basically next, the next step is done. If there is not too clear can go to Baidu, the text of the tutorial is also very detailed.

Last step: Test configuration success

Create a new site under IIS, then create a new "test.php" file in the site directory, write a word "", and save the shutdown. Then use the browser to access, if you can open this page and the following screen will indicate that the configuration was successful. Slowly slide down the Web page, if there is a MySQL option then the MySQL installation is also successful.

This method is the success of my configuration summed up, if there are questions to my message.

Environmental configuration Okay, let's take a look.

iis+php Security Configuration

One, php.ini file abnormal configuration

Since it is the security configuration of Windows iis+php, the first security setting is PHP, in the last article only to php.ini made some necessary settings, so that it can explain PHP script, there are many default settings is not safe.

Let's begin by understanding some of the basic concepts of php.ini. The format of the instruction is as follows: directive = value Directive Name (Directive) is case sensitive! So "Foo=bar" is different from "Foo=bar". Values (value) can be:

1. Strings (e.g. "foo") defined in quotation marks

2. A number (integer or floating-point numbers, such as: 0,1,34,-1,33.55)

3. A PHP constant (such as: E_ALL,M_PI)

4. An INI constant (on,off,none)

5. An expression (e.g.: E_all & ~e_notice)

Another is to set a Boolean value, 1 is on, and 0 is off. PHP.ini a lot of parts, such as: module section, PHP Global configuration, database configuration, and so on. Once we have understood the basic concepts, we can start to configure them.

Setting parameters and annotations

1, Register_globals

Note: This configuration affects how PHP receives the passed parameters, which means that register_globals is registered as a global variable, so when the parameter is value on, the passed value is directly registered as a global variable, and when the parameter value is off, We need to get it from a specific array. Many of the PHP vulnerabilities are exploited because register_globals is on, so it is strongly recommended that this parameter be modified to off,php the current maximum version of this parameter is off, if you use the version of older must be modified here.

2, MAGIC_QUOTES_GPC

Note: If you set the MAGIC_QUOTES_GPC to OFF, PHP will not escape 4 characters ' (single quotes), (double quotes), (backslashes) and null characters, which can cause the server to be illegally injected. But if you set MAGIC_QUOTES_GPC to ON, PHP will give $_post,$_get,$_cookie a variable that has four characters in it, plus a backslash. This will greatly improve the security of PHP. It is strongly recommended that MAGIC_QUOTES_GPC be set to ON.

3, Display_errors

Note: PHP's display_errors parameter is to help developers locate and identify these errors. But if the information provided by PHP is understood by hackers, this is bad. This is very important information for hackers, because many times the infiltration needs to know the Web directory, such as Webshell write and so on. So it is highly recommended that you set this parameter to OFF. This parameter has been explained in the previous article and set to OFF, but it is still listed as an emphasis

4, Safe_mode

Note: That's what we always say about safe mode. PHP's Safe mode is a very important embedded security mechanism, can control some PHP functions, such as system () and other functions, while the many file operation functions of the rights control, also does not allow access to some key files, such as/etc/passwd, But the default php.ini is not open safe mode, turn it on. Safe_mode = on.

5, Open_basedir

Note: Using the OPEN_BASEDIR option to control the PHP script can only access the specified directory, so that you can avoid PHP script access to the file should not be accessed, to some extent limit the harm of Webshell, can be set to only access the site directory (assuming that the site directory is e: TEST): Open_basedir = E:test

6, Disable_functions

Note: Using disable_functions can limit some functions that are very threatening to the system.

For example, we see the phpinfo () function in the first part of the Web page can see the PHP environment variables, and so on. You can also use functions like system,exec to execute system commands, and so on. The recommended filtering function is as follows. Disable_functions = Phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status , ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_ Server If you don't understand a function, Google can search for the function, and then decide if your own server is banned.

7, com.allow_dcom

Note: The PHP scripting Platform under Windows platform has a security vulnerability that allows the attacker to use the COM () function to create system components to execute arbitrary commands even in Safe mode (Safe_mode). The vulnerability arises because the PHP platform in safe mode, although the system ();p Athru () function is blocked, the com.allow_dcom setting is still true. So that an attacker could use the COM () function to create system component objects to run system commands. If the default Apache setting or Web server runs with Loacalsystem or administrators privileges, an attacker can use this vulnerability to elevate permissions. So we have to close off com.allow_dcom This parameter defaults to true, we need to modify this parameter to Com.allow_dcom=false.

8, expose_php

Note: This parameter determines whether the exposed PHP is installed on the server. If this parameter is set to ON, the PHP version will be leaked. The recommended setting is off.

Note: After you modify php.ini, you must restart IIS, or the content you set will not take effect immediately.

Ii. Security Configuration for IIS

IIS security settings mainly through the realization of two functions, IIS above the security configuration is more flexible, to learn to extrapolate.

The first feature: a specific directory or Web site cannot run PHP. If we create a new images directory under the Web site, and then a phpinfo.php file is created under the images directory, the content is phpinfo. By default, the PHP file under this directory is executable, so open this file in a browser to see the configuration information for PHP, as shown in Figure 1. To reach this directory the PHP file below cannot be executed with two methods.

First, open the IIS Information Service Manager, find our site and open, and then find just the newly created directory click the left key properties, as shown in Figure 2, the red line where there are three options, are none, pure script and script and executable files. As long as we choose None, then click OK to complete the button.

Figure 1

Figure 2

Method Two: Use the application pool to configure, as shown in Figure 3, select the directory you want to set, right-click to select Properties, and then click Create a red line, then create an application pool that is the same as the name of the site, and then click the Configuration button to appear as shown in Figure 4. To get rid of the PHP extensions in the application extensions. Determine return.

Both of these methods allow you to implement a specific directory that cannot execute PHP without affecting the calls of pictures and other files.

Figure 3

Figure 4

The second feature: the ability to integrate Windows 2003 on a specific directory, such as the background of a Web site, and if the background directory is admin, then there will be two authenticated users and passwords for the background of the Web site after the authentication of the Integrated Windows 2003 on the Admin directory.

The first protection is integrated authentication on the server, which is to add a user to the server and then set up a very sick password.

The second protection is the site's own user name and password, of course, these two protection password must not be the same, or as useless. Next, let's implement this feature. For example, the directory we want to configure is admin, right-click the admin attribute, as shown in Figure 5, we click the Edit button under Authentication and access control, and pop up the dialog shown in Figure 6, we choose Integrated Windows Authentication and remove the "Enable anonymous" The previous check box, and then click the OK button. Once again we have access to the background directory, and the picture shown in Figure 7 asks us to enter the username and password on the Windows Server.

Then create a new local user test, and then set his permissions to the minimum. The new user procedure is slightly. Here's how to lower the test user's permissions, right click on "My Computer", select Manage, Pop-up Computer Management dialog box, as shown in Figure 15, choose right click the new test User Select "Properties", we select the user "Password never expires", and then select the Dial-in select Deny access point to determine , as shown in Figure 8. Back to the directory, we entered our new users can be viewed.

Figure 5

Figure 6

Figure 7

Third, the Web directory permissions settings

The rights configuration principle has been involved in the second part, and there are not too many settings in this section. For example, our web directory is D:web, just right-click the Select attribute and then select the Security tab, just keep the administrator account and system and the IIS anonymous account in the group and user Names column, and give the administrator and the System account full control of permissions in the Permissions field, giving IIS an anonymous account Read and run, List folder directories, and read these three permissions. But many of our sites will have the ability to upload, if there is no written permission, the upload function on our site can not be used, this time we only need to upload a directory such as D:webimages IIS Anonymous account to add Write permission on it.