Why account permissions matter on Windows 2003
On any operating system, user accounts are granted permissions. This serves two purposes: it protects the system, and it lets the system verify who is allowed to do what. With the wide deployment of forum packages such as the Chinese Dvbbs ("dynamic network") forum, the steady discovery of vulnerabilities in them, and the growing use of SQL injection, a webshell makes the firewall irrelevant: a web server with every Microsoft patch applied and nothing but port 80 open can still be taken over. Is there really nothing to be done? In fact, if you understand how permissions work on NTFS, you can say NO to the cracker.

To build a secure web server, the machine must run Windows NT/2000/2003 with NTFS volumes. Windows is a multi-user, multi-tasking operating system, and that is the foundation of its permission model: every permission is granted to a user or to a process, so different users have different access rights to the same computer.

The difference between DOS and WinNT permissions

DOS is a single-tasking, single-user operating system. Does that mean DOS has no permissions? No. Whoever boots a DOS machine holds the administrator's rights for that system, everywhere and all the time. So the accurate statement is that DOS does not support setting permissions, not that it has none. As security awareness grew, configurable permissions arrived with the release of NTFS.

In Windows NT, users are placed in groups, and different groups carry different permissions; users within one group can also be given different permissions individually. The common built-in groups are as follows.

Administrators: by default, members of Administrators have unrestricted, full access to the computer (or domain). The default permissions assigned to this group amount to full control of the entire system, so only trusted people should be members.

Power Users: members can perform any operating system task except those reserved for Administrators. The default permissions let Power Users change settings that affect the whole computer, but they cannot add themselves to the Administrators group. In terms of permissions this group ranks second only to Administrators.

Users: the ordinary user group. Its members cannot make system-wide changes, whether deliberate or accidental, so they can run certified applications but not most legacy ones. Users is the most secure group because its default permissions do not allow members to modify operating system settings or other users' profiles, which makes it one of the safest environments for running programs. On NTFS volumes the default security settings are designed to stop members of this group from compromising the integrity of the operating system and installed programs: Users cannot change system registry settings, operating system files or program files. Users can shut down a workstation but not a server. Users can create local groups, but can modify only the local groups they created themselves.

Guests: by default, guests have the same access as ordinary Users, but the Guest account itself is more restricted.

Everyone: as the name implies, every account that accesses the computer belongs to this group (on Windows 2003, anonymous logons are no longer included in Everyone by default).

There is one more principal you meet constantly. It has the same level of access as Administrators, no user can be added to it, and it does not appear in the list of groups: SYSTEM. It holds the permissions that the operating system and system-level services need in order to run. Strictly speaking it is not a group at all but a single built-in account (LocalSystem), so it is more accurate to think of it as a user.

Permissions: a worked attack

Permissions are your last line of defense. So let us run a simulated attack against a server on which no permissions have been configured and everything is left at the Windows defaults, and see whether it is really impregnable.

Suppose the server's public domain name is run through a port scanner, which finds the WWW and FTP services open and identifies the software as IIS 5.0 and Serv-U 5.1. The available overflow exploits for both are tried and fail, so the idea of a direct remote overflow is abandoned.

Opening the site shows that it runs a forum, so /upfile.asp is appended to the domain name and a file-upload vulnerability is found. The upload request is captured, modified to carry an ASP trojan, and resubmitted with NC (netcat). The server reports the upload as successful, and opening the uploaded file yields a webshell. From the webshell it can be seen that MS-SQL, Norton Antivirus and BlackICE are running; since the SQL port is unreachable from outside, the firewall is evidently restricting it.
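The webshell above only matters if the account that IIS runs the forum under can write into the web root and execute what it uploads. The following PowerShell script is an added example, not code from the original article: it lists the local groups of the IIS anonymous account (which must not include Power Users or Administrators), audits the web-root ACL for write access held by Everyone, Users, Authenticated Users or the web account, breaks inheritance so that only Administrators, SYSTEM and a read-and-execute web account remain, and gives the upload folder write access together with an explicit deny on executing files. The paths, the upload-folder name and the IUSR_<machinename> account are assumptions for illustration (IIS 5/6 create that account by default); run it from an Administrator shell.

```powershell
# Added example for this article, not code from the original page.
# Assumptions (placeholders, adjust for the real server):
#   $WebRoot   - folder the forum site is served from
#   $UploadDir - the forum's attachment folder under the web root
#   $WebUser   - the IIS anonymous account; IIS 5/6 create IUSR_<machinename> by default
$WebRoot   = 'D:\wwwroot\forum'
$UploadDir = Join-Path $WebRoot 'upfile'
$WebUser   = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"

$FSR = [System.Security.AccessControl.FileSystemRights]

# --- 1. Which local groups is the web account in? (Power Users / Administrators is a red flag)
function Get-LocalGroupsOf {
    param([string]$Account)                       # 'MACHINE\name'
    $machine, $name = $Account -split '\\', 2
    $user = [ADSI]"WinNT://$machine/$name,user"
    foreach ($g in $user.psbase.Invoke('Groups')) {
        $g.GetType().InvokeMember('Name', 'GetProperty', $null, $g, $null)
    }
}

# --- 2. Audit: Allow ACEs that give the listed principals any write (or delete) right
function Find-WritableAces {
    param([string]$Path, [string[]]$Principals)
    $writeMask = $FSR::Write -bor $FSR::Delete    # Write already covers CreateFiles/AppendData/...
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        # Inherit-only ACEs can carry generic rights outside the enum (e.g. 268435456 = GENERIC_ALL);
        # treat those as write-capable instead of silently skipping them.
        $generic = ($bits -lt 0) -or ($bits -ge 0x10000000)
        if ($generic -or ($bits -band $writeMask)) { $ace }
    }
}

# --- 3. Harden the web root: break inheritance, then keep only Administrators/SYSTEM (full)
#        and the web account (read + execute). Everyone / Users get nothing.
function Set-WebRootAcl {
    param([string]$Path, [string]$WebAccount)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop the inherited ACEs
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { $acl.RemoveAccessRuleAll($ace) }
    }
    $sub   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($spec in @(@('BUILTIN\Administrators', 'FullControl'),
                        @('NT AUTHORITY\SYSTEM',    'FullControl'),
                        @($WebAccount,              'ReadAndExecute'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $spec[0], $spec[1], $sub, $none, $allow)))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# --- 4. Upload folder: the web account may create and read files, but an explicit Deny on
#        ExecuteFile (files only, inherit-only) takes precedence over the Allow ReadAndExecute
#        inherited from the web root, because explicit ACEs are evaluated before inherited ones.
function Set-UploadDirAcl {
    param([string]$Path, [string]$WebAccount)
    $acl   = Get-Acl -Path $Path
    $sub   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $files = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $WebAccount, 'Read, Write', $sub, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $WebAccount, 'ExecuteFile', $files, 'InheritOnly', 'Deny')))
    Set-Acl -Path $Path -AclObject $acl
}

# --- Run: show group membership, audit, harden, audit again
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', $WebUser)
('Groups of {0}: {1}' -f $WebUser, ((Get-LocalGroupsOf $WebUser) -join ', '))
'Writable ACEs on web root before hardening:'
Find-WritableAces $WebRoot $broad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Set-WebRootAcl   $WebRoot   $WebUser
Set-UploadDirAcl $UploadDir $WebUser
'Writable ACEs on web root after hardening (expect none):'
Find-WritableAces $WebRoot $broad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

NTFS only decides who may read, write or run a file; whether an .asp dropped into the upload folder is handed to asp.dll is decided by IIS, so the upload folder's Execute Permissions must also be set to None in IIS Manager. The NTFS deny still matters: it stops the web account from running binaries it has uploaded. Because SetAccessRuleProtection($true, $false) discards every inherited ACE, the script adds Administrators and SYSTEM back explicitly; forgetting that step locks administrators out of the web root until they take ownership.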
