Windows system >> Computer software Tutorial >> Server technology  >> About the server

Web server maintenance and security management skills 3

  
                  

First, change the role, consider yourself as a possible attacker

Most of the time, if we just consider the problem from the perspective of the WEB administrator, we may not find the vulnerability of the Web server. On the contrary, if we can change our angles at this time and regard ourselves as possible attackers, we should use their means and which Web server vulnerabilities to attack. Perhaps we can discover the Web server. There may be security vulnerabilities, so as early as possible, fix security vulnerabilities and prevent attacks by Trojans or viruses.

Access your own web server from outside the company, perform a complete test, and then simulate attacking your own website to see what happens. This may be a good method for WEB security. If we can be an attacker, use the scanning tool to scan the web server to see if there are any services that can be attacked. Some things we may not cause us to pay attention to, but using the tools commonly used by hackers to scan, we will find some services or vulnerabilities that may be exploited by them. For example, when the server is installed, the operating system will install and start some unneeded services by default; or when the server is configured, some services need to be started, but it is not closed in time, which gives the attacker an opportunity to attack. . The most common ones are SNMP services, also known as simple network management protocols. This service is enabled by default after the system is installed. However, this service can provide attackers with detailed information about the server system, such as what operating system is used by the Web server, what services are opened on the server and the corresponding ports and so on. An attacker can only launch an attack if he or she understands the most basic information. //This article transferred from www.45it.com computer software and hardware application network

Our security management staff, may not find this problem in peacetime, but if you can use the hacker's scanning tool to scan, you can Find out where the problem is. Therefore, when necessary, you need to change the angle, from the role of the attack, consider what kind of attack method they will use. In this way, we can avoid the mistakes of the "authority fans" and ensure the security of the Web server.

Second, reasonable rights management

Sometimes, on a server, not only runs a web server, but also runs other network services such as FTP servers. Applying multiple network services on the same server is likely to cause mutual infection between services. In other words, an attacker can attack another service and use the relevant technology to compromise another application. Because the attacker needs to break through one of the services, you can use this service platform to attack other services from within the enterprise. In general, attacking from corporate content is much more convenient than attacking outside the enterprise.

Then someone might say that different services use different servers. In fact, this may be a waste for the enterprise. Because in terms of performance, it is completely feasible to deploy WEB service and FTP service on the current server, and performance will not be affected. To this end, companies will take a server from a cost perspective. Now, we have a problem for our security administrators. Is it possible to deploy two or more services on one server at the same time, how to protect their security and prevent them from infecting each other?

For example, there are three services running on the current web server. One is the traditional WEB service; the other is the FTP service; the third is the OA (office automation) service, because the service is in the WEB mode, and the Internet can also directly access the OA server, so he is deployed on this server. Since the configuration of this server is still relatively high, there is not much difficulty in running these three services, and performance will not be affected. The problem now is that, to protect their security, the security between the FTP server, the OA server and the Web server will not affect each other.

Now the Windows2003 server is used. In order to achieve this security requirement, Convert all the hard disks in the server to NTFS partitions. In general, NTFS partitions are much more secure than FAT partitions. Take advantage of the features that come with the NTFS partition and assign them relevant permissions. For example, different administrator accounts are configured for the three servers, and different accounts can only access specific partitions and directories. In this case, even if an administrator account is compromised, they can only access the storage space of one service, but not other services. For example, the WEB service is loaded into partition D, and the FTP service is placed in partition E. If the FTP account is compromised, it is exploited by the attack; however, because the FTP account does not have the right to read and write to the partition D, it does not perform any read or write operations on the content on the web server. This can be guaranteed, and it will not adversely affect the Web server after it has been compromised by the FTP server.

Although Microsoft's operating system is expensive and has more security vulnerabilities, its achievements on the NTFS partition are not bad. On the NTFS partition, a large degree of security management can be achieved to ensure the security of related services. So in the end, Microsoft's 2003 operating system was adopted as the server system, but not the Linux system.

Third, script security management

According to past experience, in fact, many Web servers are attacked because of attacks, are caused by bad scripts. In particular, attackers like to use CGI programs or PHP scripts to exploit their scripts or bugs.

In general, WEB applications need to pass some necessary parameters in order to be able to access normally. And this parameter can be divided into two categories, one is a parameter that can be trusted, and the other is a parameter that is not trustworthy. For example, an enterprise may manage its own web server instead of hosting it. They put the server inside the corporate firewall to improve the security of the web server. So in general, the parameters from inside the enterprise firewall are reliable and trustworthy; the parameters from outside the enterprise are not trustworthy. However, it is not a parameter that is not trustworthy or that the parameter Web server from outside the firewall is not used. Rather, when designing a Web server, you need to be aware that when you use these untrustworthy parameters, you need to check to see if it is legal; instead of the parameters from within the enterprise, regardless of the three seven twenty-one. They are all taken care of. This obviously threatens the security of the web server. If you do, the attacker can use TELNET to connect to port 80 to pass unsafe parameters to the CGL script.

So, when writing CGI programs or editing PHP scripts, we must pay attention to it, we must not allow them to accept the parameters of strangers, and do not deal with strangers. Before accepting the parameters, be sure to check the legality of the person providing the parameters or the parameters themselves. When the program or script is written, some judgment conditions can be added in advance. When the service period considers that the parameters provided are not legal, notify the administrator in time. This can also help us to detect possible attackers as soon as possible and take appropriate measures.

For script security, pay attention to the following issues:

1. When writing a script or program, you should not save any untrusted parameters directly as session variables. Because the session variable only saves the trust variable according to the design principle of the WEB application. That is to say, the value in the session variable, WEB service thinks it is trustworthy, will be used without thinking. The general design idea is to first set a temporary variable for storage, and then write a procedure or function to verify its legitimacy to verify its legitimacy. This value can only be passed to the session variable when validated. According to experience, if you have not experienced the painful lessons of the WEB administrator, you may not care about it. However, those who have had this lesson will value the test of this legitimacy very much. After all, it is a long-term wisdom, so the novice still needs to listen to the advice of people who come over, and will not suffer.

2. When there is no need, do not use scripts to make the page as simple as possible. In fact, the company's website is very different from the personal website. The company's website is as simple as it is, and does not require too much rendering. On the one hand, over-rendered websites can reduce the speed of user website access; on the other hand, this will also reduce the security of the network. Therefore, in the absence of sufficient necessity, do not share scripts or programs in the rendering of the site's flashy features.

3. Continuous monitoring of the execution of scripts or programs. When a website or a script is used as a last resort, it is necessary to audit the operation of these scripts or programs from time to time to see if they are suspected of being illegally exploited.

About the server
Windows system
DNS server address configuration

Client DNS server address configuration steps (Windows 2000, Windows XP operating system): 1, afte
The installer encountered an error resolution while setting the reporting service and share point exclusion paths.

Error: The installer encountered an error while setting up reporting service and share point exclusi
An example of IE access to IIS FTP timeout failure

Today installed IIS FTP on Windows 2003 Server, the server opened Windows Firewall, added an excepti
IIS server to do 301 permanent redirection settings explain

                   I didnt care much about 301 redirects. First, because there is no website to redi
Vista home audio and video server formation program

                   Lin Xin: I recently installed the Vista operating system on my desktop and laptop
Talking about the basic configuration of server security from the perspective of intruders

Since our defense is from the perspective of intruders, we first need to know the way intruders inva
  • DNS server
  • FTP server
  • Web server
  • Proxy server
  • Mail server
  • Server synthesis
  • About the server

    • How to partition Win10 new hard disk? New hard disk partitioning method

    4 tips for removing redundant users from your computer

    Win7 everyone permission setting diagram

    Resetting Win 2003 Internet Protocol

    There is a picture to prove that Win 8 VLC player is about to be completed

    How to retrieve the recycle bin and sidebar

    How to clean up Vista system garbage

    How to solve the problem that the computer graphics card driver can not be installed?

    A small software to help you get rid of the computer system Windows restart troubles

    Cad shape tolerance mark

  • Windows XP System Tutorial
  • Windows 7 System Tutorial
  • Windows 8 System Tutorial
  • Windows 10 System Tutorial
  • Windows 2003 System Tutorial
  • Windows 2008 System Tutorial
  • Windows Vista System Tutorial
  • Windows tutorial synthesis
  • Windows Server System Tutorial
  • Linux system Tutorial
  • Computer software Tutorial
  • Windows NT Tutorial
    • Copyright © Windows knowledge All Rights Reserved