How to set security permissions for Windows

  

With the wide deployment of dynamic network forum software, the constant discovery of vulnerabilities in online programs, and the growing use of SQL injection attacks, a WEBSHELL renders the firewall useless: even a Web server that has every Microsoft patch applied and exposes only port 80 cannot escape being compromised. Are we really powerless? Not at all. Once you understand the permission settings of the NTFS file system, you can say NO to the crackers. To build a secure Web server, the server must use NTFS and Windows NT/2000/2003. As we all know, Windows is a multi-user, multi-tasking operating system, and this is the basis of permission settings: all permissions are set in terms of users and processes, and different users have different access rights on the same computer. DOS is a single-tasking, single-user operating system. Can we say that DOS has no permissions? No. When we boot a computer running DOS, we hold administrator privileges over the operating system, and that privilege applies everywhere. So we can only say that DOS does not support setting permissions, not that it has no permissions. As security awareness grew, permission settings arrived with the release of NTFS.

In Windows NT, users are divided into groups, and different groups have different permissions. Of course, users within one group can also have different permissions. Let's go over the common user groups in NT.

Administrators: the Administrators group. By default, its members have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system, so only trusted personnel should be members of the group.

Power Users: the Power Users group. Power Users can perform any operating-system task except those reserved for the Administrators group. The default permissions assigned to this group allow its members to modify settings for the entire computer, but Power Users cannot add themselves to the Administrators group. Among the permission levels, this group ranks second only to Administrators.

Users: the ordinary user group. Members of this group cannot make intentional or unintentional system-wide changes, so they can run certified applications but not most legacy applications. Users is the most secure group because its default permissions do not allow members to modify operating-system settings or other users' profiles; it therefore provides one of the most secure environments for running programs. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating-system files, or program files. Users can shut down a workstation but not a server. Users can create local groups, but can manage only the local groups they created themselves.

Guests: the Guests group. By default, guests have the same access as ordinary users, but the Guest account itself has more restrictions.

Everyone: as the name implies, all users; every user on this computer belongs to this group.

There is one more group that is very common. It has the same permissions as Administrators, but no user can be added to it, and it is not displayed when you view the user groups: the SYSTEM group. The permissions that the system and system-level services need to function properly are assigned to it. Since this group has only one member, SYSTEM, it may be more appropriate to think of it as a user.

Permissions have levels. Users with higher privileges can operate on users with lower privileges, but users other than Administrators cannot access other users' data on NTFS volumes unless those users have granted them access. Users with lower privileges cannot perform any operation on users with higher privileges.

We do not notice any permission restrictions in everyday use of the computer, because we log in with a user from the Administrators group. This has advantages and disadvantages. The advantage, of course, is that you can do whatever you want without running into restrictions. The disadvantage is that running the computer as a member of the Administrators group leaves the system vulnerable to Trojan horses, viruses, and other security risks. Simple actions such as visiting an Internet site or opening an e-mail attachment can damage the system: an unfamiliar site or attachment may carry Trojan horse code that is downloaded to the system and executed, and if you are logged in as an administrator of the local machine, the Trojan can use that administrative access to, for example, reformat your hard drive, causing immeasurable damage. So it is best not to log in with a user from Administrators unless it is really necessary.

The Administrators group contains a default user created when the system was installed: Administrator. The Administrator account has full control over the server and can assign user rights and access control permissions to other users as needed. It is strongly recommended that this account be given a strong password. The Administrator account can never be removed from the Administrators group, but it can be renamed or disabled. Since everyone knows that the "Administrator" account exists on many versions of Windows, renaming or disabling it makes it harder for a malicious user to try to access the account; a good server administrator usually renames or disables it. The Guests group also has a default user, Guest, which is disabled by default; do not enable this account unless it is really needed. We can view the user groups and their members through "Control Panel > Administrative Tools".
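As an added example (not part of the original article), the following PowerShell audits the built-in Administrator and Guest accounts and the Administrators membership described above. It finds the two accounts by their well-known RIDs (500 and 501) so that a renamed Administrator is still found; it assumes a Windows version that ships the LocalAccounts module (Windows 10 / Server 2016 or later), not the Windows 2000 of the article.

```powershell
# Added example, not from the original article. Assumes the LocalAccounts module
# (Get-LocalUser / Get-LocalGroupMember), i.e. Windows 10 / Server 2016 or later.

function Get-BuiltinAccountStatus {
    # Identify the accounts by RID rather than by name: the article recommends
    # renaming Administrator, so a name-based check would miss a renamed account.
    foreach ($user in Get-LocalUser) {
        $rid = [int]($user.SID.Value -split '-')[-1]
        if ($rid -ne 500 -and $rid -ne 501) { continue }
        $role = if ($rid -eq 500) { 'Administrator' } else { 'Guest' }
        $renamed = ($user.Name -ne $role)
        # Administrator counts as hardened when renamed or disabled; Guest only when disabled.
        if ($rid -eq 500) { $hardened = $renamed -or (-not $user.Enabled) }
        else              { $hardened = -not $user.Enabled }
        [pscustomobject]@{
            Role     = $role
            Name     = $user.Name
            Enabled  = $user.Enabled
            Renamed  = $renamed
            Hardened = $hardened
        }
    }
}

function Get-AdministratorsMembers {
    # The article's rule: only trusted personnel should be members of Administrators.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-BuiltinAccountStatus | Format-Table -AutoSize
Get-AdministratorsMembers | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; any row with Hardened = False, or an unexpected name in the Administrators list, is something to fix.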

Right-click an NTFS volume, or a directory on an NTFS volume, and select "Properties" to reach the security settings of that volume or directory. There we see the following seven permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions. "Full Control" is unrestricted full access to the volume or directory; its status is like that of Administrators among the groups. When "Full Control" is selected, the five permissions below it are selected automatically. "Modify" is like Power Users: when it is selected, the four permissions below it are selected automatically, and if any of those four is deselected, "Modify" no longer holds. "Read & Execute" allows any file in the volume or directory to be read and run; "List Folder Contents" and "Read" are necessary conditions for "Read & Execute". "List Folder Contents" means you can only browse the subdirectories under the volume or directory, without reading or running anything. "Read" allows the data in the volume or directory to be read. "Write" allows data to be written to the volume or directory. "Special Permissions" subdivides the six permissions above. Readers can study "Special Permissions" in more depth on their own; we will not go into the details here.

Below we give a comprehensive analysis of a Web server that has just had its operating system and service software installed, and of its permissions. The server runs Windows 2000 Server with SP4 and the various patches installed. The Web service software is IIS 5.0, which ships with Windows 2000, with all unnecessary script mappings removed. The hard disk is divided into four NTFS volumes: the C drive is the system volume, with only the system and drivers installed; the D drive is the software volume, holding all software installed on the server; the E drive is the Web program volume, with the website program in its WWW directory; and the F drive is the website data volume, with all data used by the website system stored in its WWWDATABASE directory. Such a division is fairly close to the standard for a secure server.

I hope every novice administrator will classify the server's data sensibly. This not only makes things easier to find but, more importantly, greatly enhances the security of the server, because we can give each volume or each directory different permissions as needed, and losses can be minimized if a network security incident occurs. Of course, you can also distribute the website's data across different servers to form a server group, each with different usernames and passwords and providing different services, which is even more secure; those who are willing to do that share one feature: they have money :). Well, back to business. The server's database is MS-SQL; the MS-SQL service software, SQL 2000, is installed in the d:\\ms-sqlserver2K directory, the SA account has a sufficiently strong password, and the SP3 patch is installed.

To make it easier for the web page producers to manage their pages, the website also has an FTP service. The FTP service software is Serv-U 5.1.0.0, installed in the d:\\ftpservice\\serv-u directory. The antivirus software and firewall are Norton Antivirus and BlackICE, at d:\\nortonAV and d:\\firewall\\blackice respectively; the virus database has been updated to the latest version, and the firewall rule base opens only ports 80 and 21 to the public. The website content is a forum running Web 7.0, with the website program under e:\\www\\bbs. Careful readers may have noticed that I installed these services neither in their default paths nor in the default path with only the drive letter changed. This too is a security need: when a hacker gets onto your server through some channel but has not obtained administrator privileges, the first thing he will do is check which services you have open and which software is installed, because he needs these to escalate his privileges.
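As an added example (not code from the original article), this PowerShell decodes each access control entry on the volume layout described above into the basic NTFS permissions from the previous section (Full Control implies Modify, which implies the rest; Read & Execute implies Read and List Folder Contents) and flags broad groups such as Everyone or Users that can write to a path. The paths follow the article's layout and are assumptions; adjust $paths for your own server.

```powershell
# Added example, not from the original article. Paths follow the article's layout
# (system, software, web program and web data volumes) and are assumptions.
$paths = 'C:\', 'D:\', 'E:\www', 'F:\wwwdatabase'
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Guests'

function Get-BasicPermissions([System.Security.AccessControl.FileSystemRights]$rights) {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Full Control and Modify each imply every basic permission below them.
    if (($rights -band $fsr::FullControl) -eq $fsr::FullControl) { return @('Full Control') }
    if (($rights -band $fsr::Modify)      -eq $fsr::Modify)      { return @('Modify') }
    # Below Modify the basic permissions can be granted separately; report each one.
    $partial = [ordered]@{
        'Read & Execute'       = $fsr::ReadAndExecute   # implies Read and List Folder Contents
        'Read'                 = $fsr::Read
        'Write'                = $fsr::Write
        'List Folder Contents' = $fsr::ListDirectory
    }
    $found = @()
    foreach ($name in $partial.Keys) {
        if (($rights -band $partial[$name]) -eq $partial[$name]) { $found += $name }
    }
    # Anything matching none of the six basic permissions is a "Special Permissions" mix.
    if ($found.Count -eq 0) { $found = @('Special') }
    return $found
}

function Find-BroadWriteAccess {
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $perms = Get-BasicPermissions $ace.FileSystemRights
            $canWrite = @($perms | Where-Object { $_ -in 'Full Control', 'Modify', 'Write' }).Count -gt 0
            # Only Allow entries matter here; Deny entries restrict rather than grant.
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                ($ace.IdentityReference.Value -in $broadGroups)) {
                [pscustomobject]@{
                    Path        = $path
                    Identity    = $ace.IdentityReference.Value
                    Permissions = ($perms -join ', ')
                    Inherited   = $ace.IsInherited
                }
            }
        }
    }
}

Find-BroadWriteAccess | Format-Table -AutoSize
```

An empty result means none of the broad groups can write to the listed paths; a row for E:\www or F:\wwwdatabase is exactly the kind of grant that lets a WEBSHELL or SQL injection write files the web server will then execute.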
