The permissions setting under Windows

With the wide application of the dynamic network forum and the discovery of the vulnerability of the online transmission and the increasing use of SQL injection attacks, WEBSHELL makes the firewall useless, even if it hits all The Microsoft patch, the WEB server that only allows port 80 to open to the outside world, can't escape the fate of being hacked. Are we really powerless? In fact, as long as you understand the permissions settings under the NTFS system, we can say to the crackers: NO!

To build a secure web server, then this server must use NTFS and Windows. NT/2000/2003. As we all know, Windows is a multi-user, multi-tasking operating system. This is the basis of permission settings. All permission settings are based on users and processes. Different users access this computer. , will have different permissions.

The difference between DOS and WinNT permissions

DOS is a single-tasking, single-user operating system. But can we say that DOS does not have permission? No! When we open a computer with a DOS operating system, we have administrator privileges for the operating system, and this permission is everywhere. Therefore, we can only say that DOS does not support the setting of permissions, it can not be said that it does not have permissions. As people's security awareness increased, permission settings were born with the release of NTFS.

In Windows NT, users are divided into groups, and groups and groups have different permissions. Of course, users in a group can have different permissions. Let's talk about the common user groups in NT.

Administrators, Administrators Group, by default, users in Administrators have unrestricted full access to computers/domains. The default permissions assigned to this group allow full control of the entire system. Therefore, only trusted personnel can become members of the group.

Power Users, Power Users, Power Users can perform any operating system tasks other than those reserved for the Administrators group. The default permissions assigned to the Power Users group allow members of the Power Users group to modify settings for the entire computer. However, Power Users does not have permission to add itself to the Administrators group. In the permission settings, the permissions of this group are second only to Administrators.

Users: Ordinary user groups, users of this group cannot make intentional or unintentional changes. Therefore, users can run authenticated applications, but not most legacy applications. The Users group is the most secure group because the default permissions assigned to the group do not allow members to modify operating system settings or user profiles. The Users group provides one of the most secure program execution environments. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down the workstation but cannot shut down the server. Users can create local groups, but only local groups that they create themselves.

Guests: Guest groups, by default, guests have the same access as regular users, but the guest account has more restrictions.

Everyone: As the name implies, all users, all users on this computer belong to this group.

In fact, there is also a group that is very common. It has the same permissions as Administrators, but it does not allow any users to join. When viewing the user group, it will not It is displayed, it is the SYSTEM group. The permissions required for system and system level services to function properly are assigned to it. Since this group has only one user SYSTEM, it may be more appropriate to classify the group as a user.

Power size analysis of permissions

Permissions are high and low. Users with high privileges can operate on low-privileged users, but users other than Administrators cannot. Access other user profiles on NTFS volumes unless they are authorized by those users. Users with low privileges cannot perform any operations on users with high privileges.

We don't feel that we have permission to do something in the process of using the computer. This is because we use the user in the Administrators to log in when using the computer. There are advantages and disadvantages to this. Of course, you can do whatever you want without going through the restrictions. The disadvantage is that running the computer as a member of the Administrators group will make the system vulnerable to Trojan horses, viruses, and other security risks. Simple actions to access an Internet site or open an email attachment can damage the system.

Unfamiliar Internet sites or email attachments may have Trojan horse code that can be downloaded to the system and executed. If you are logged in as the administrator of the local machine, the Trojan may use administrative access to reformat your hard drive, causing immeasurable damage, so it is best not to log in to the user in Administrators if it is not necessary. Administrators has a default user, Administrator, created at system installation. The Administrator account has full control over the server and can assign user rights and access control rights to users as needed.

It is highly recommended to set this account to use strong passwords. The Administrator account can never be removed from the Administrators group, but it can be renamed or disabled. Since everyone knows that "admin" exists on many versions of Windows, renaming or disabling this account will make it more difficult for a malicious user to try and access the account. For a good server administrator, they usually rename or disable this account. Under the Guests group, there is also a default user----Guest, but by default it is disabled. It is not necessary to activate this account if it is not necessary.

Little help: What is a strong password? It is a complex password with more than 8 digits combined with letters and numbers and sizes, but this does not completely prevent many hackers, but it is difficult to crack to some extent.

We can view the user group and the group under the control panel "&"Administrative Tools"--"Computer Management"--"Users and User Groups" user.

We right-click on an NTFS volume or a directory under an NTFS volume and select "Properties"--"Security" to access a volume, or a directory under a volume. Settings, at this point we will see the following seven permissions: full control, modify, read and run, list folder directory, read, write, and special permissions. "Full Control" is an unrestricted full access to this volume or directory. Status is like the status of Administrators in all groups. With "Full Control" selected, the following five attributes will be automatically selected.

"Modify" Just like Power users, select "Modify", the following four attributes will be automatically selected. When any of the following items are not selected, the "Modify" condition will no longer be true. "Read & Run" is to allow any file to be read and run under this volume or directory, "list folder directory" and "read"is"read & run" Necessary conditions.

"Listing folder directories" means that you can only browse subdirectories under the volume or directory, which cannot be read or run. "Read" is able to read data from the volume or directory. "Write" is the ability to write data to the volume or directory. And "special" is a breakdown of the above six permissions. Readers can conduct a more in-depth study of "special" on their own, and there are not many details here.