Win2000 virtual host basic permission settings

  

Articles about script intrusion are already flooding the Internet; many are original, and many are plagiarised. Many people use http://whois.webhosting.info to list every domain name hosted on an IP, then find a script vulnerability on one of those sites to get into the server. I know nothing about undisclosed vulnerabilities, so please don't use this to attack me. OK, enough nonsense. What I want to describe here is what I consider a safer way of setting permissions on a Win2000 virtual host, and it is only about permission settings.

I. Software and environment required for the virtual host

1. Serv-U 5.0.11 (it seems not safe, but not necessarily)

2. MySQL database

3. MSSQL database

4. pcAnywhere remote control

5. Antivirus software; I generally use Norton 8.0

6. PHP 5

7. ActivePerl 5.8

Apart from the MSSQL database, all of the software above should be downloaded from its official site in the recommended version. What follows is the installation and setup, starting from the system install. Assume Windows 2000 Advanced Server is installed and the disk is split into a C drive, a D drive and an E drive, all NTFS.

II. System port settings

A virtual host is generally controlled with pcAnywhere and Terminal Services. Change the Terminal Services port, for example to 8735. Then set up TCP/IP filtering according to the services you want to expose. Why not use the local security policy instead? Personally I think TCP/IP filtering is stricter, because it denies everything unless it is explicitly allowed, while the local security policy allows everything unless it is explicitly denied. If I have misunderstood this, please correct me. The TCP/IP filtering settings are as follows:

TCP ports: allow only 21, 80, 5631, 8735, 10001, 10002, 10003, 10004, 10005. IP protocols: allow only 6. UDP ports: I have not tested this in detail and dare not say anything about it; I will test it later. Ports 10001-10005 in the TCP list are the range configured for Serv-U's PASV mode; of course any other range can be used.

In the properties of the local area connection, uninstall every other protocol and leave only Internet Protocol (TCP/IP). While you are at it, rename the administrator account to something complicated, and in the local security policy make the appropriate settings for logon and account lockout. Then restart the computer; this step is done.
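The section II settings as an added example, not part of the original article: a batch file that writes the same values with reg.exe instead of the GUI. It assumes reg.exe from the Windows 2000 Support Tools (the /v /t /d /f syntax), that `{ADAPTER-GUID}` is replaced with the real interface GUID found under the Tcpip\Parameters\Interfaces key, and that the registry values named here (PortNumber, EnableSecurityFilters, TcpAllowedPorts, UdpAllowedPorts, RawIpAllowedProtocols) are the ones the TCP/IP filtering dialog and Terminal Services read; the article itself only describes the GUI.

```batch
@echo off
rem Added example, not from the article: section II port settings via reg.exe.
rem Assumes reg.exe from the Windows 2000 Support Tools (/v /t /d /f syntax).
rem Run as the renamed administrator; TCP/IP filtering is inbound-only and
rem takes effect after a reboot.

rem {ADAPTER-GUID} is a placeholder: copy the real interface GUID from
rem HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
set IFKEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADAPTER-GUID}

rem 1. Move the Terminal Services listener from 3389 to 8735 (decimal).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 8735 /f

rem 2. Switch TCP/IP filtering on for the whole stack (the "Enable TCP/IP
rem    Filtering (All adapters)" checkbox in the dialog).
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableSecurityFilters /t REG_DWORD /d 1 /f

rem 3. TCP: only FTP, HTTP, pcAnywhere, the moved Terminal Services port
rem    and the Serv-U PASV range 10001-10005. Anything not listed is denied.
rem    reg.exe separates REG_MULTI_SZ entries with \0.
reg add "%IFKEY%" /v TcpAllowedPorts /t REG_MULTI_SZ /d "21\080\05631\08735\010001\010002\010003\010004\010005" /f

rem 4. UDP: the article leaves this untested, so keep "0", which means
rem    permit all for this list.
reg add "%IFKEY%" /v UdpAllowedPorts /t REG_MULTI_SZ /d "0" /f

rem 5. IP protocols: only 6 (TCP). Caveat: in practice this also drops
rem    inbound UDP such as DNS replies regardless of UdpAllowedPorts, so
rem    test name resolution from the box before leaving it like this.
reg add "%IFKEY%" /v RawIpAllowedProtocols /t REG_MULTI_SZ /d "6" /f

rem 6. Print the TCP list so it can be compared with the dialog after reboot.
reg query "%IFKEY%" /v TcpAllowedPorts
```

Reboot afterwards and open the TCP/IP filtering dialog once to confirm it shows the same lists; if the dialog shows "Permit All" for TCP, the GUID in IFKEY was wrong and the values landed on a key the stack does not read.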

III. System Permission Settings

Now install the software. Everything goes on the D drive; the E drive is used for data backups. First install Serv-U into d:\Serv-U, and apply the Chinese-language patch and crack it while you're at it, hehe. Then install the rest onto the D drive in turn. Now set the permissions. First, needless to say, in the Security tab of the C, D and E drives delete Everyone, add the renamed administrator and SYSTEM, and give them Full Control. Under Advanced, reset the permissions on all child objects and allow inheritable permissions to propagate. This way every file and directory on the system is controlled by the renamed administrator and SYSTEM, and permissions are inherited automatically from the parent directory. The directories below then each get their own permissions.

To run ASP you need the files under C:\Program Files\Common Files to establish database connections. So set the permissions on C:\Program Files\Common Files: add Everyone with Read, List Folder Contents, and Read & Execute. You could use the Advanced tab for a tighter setting, but I have not done that and dare not talk nonsense.

To run PHP, set the permissions on c:\winnt\php.ini so that Everyone has Read. If PHP's session directory is set to c:\winnt\temp, that directory must allow Everyone to read and write. For performance PHP is configured to run as ISAPI; give the d:\php directory Everyone Read, List Folder Contents, and Read & Execute. I won't go into php.ini settings here: first, I don't understand them very well, and second, this is only about system permission settings.

To run CGI, give d:\perl Everyone Read, List Folder Contents, and Read & Execute. CGI is also configured to be parsed via ISAPI, for both security and performance.

Now for the big one, Serv-U. It is really powerful, but its security is not so good, so it needs some work. First, overflow attacks: 5.0.11 seems not to have that defect. Second, modifying the ini configuration file: nobody has permission to modify it here, so skip that. As far as I know the only remaining way in is to use the default administrative account and password to add an account with write and execute permission and then run a trojan through it. So change the default account password. This can be done directly by opening ServUDaemon.exe and ServUAdmin.exe in an editor such as EditPlus and modifying them; if you can't be bothered with that, it is easy to write a small program in any language to do it. I have written such a thing before, so I can set it myself. Serv-U is then basically fine.

For the databases I have not set any permissions; they simply inherit from the root of the D drive. As for how to set the account passwords inside them, I'm too lazy to go into it.

The last point is the c:\winnt\system32 directory and some of the things under it. Many programs need the dynamic link libraries here, and there are far too many files for me to understand them all, so I give c:\winnt\system32 Read, List Folder Contents, and Read & Execute. In fact that is not safe on its own, but don't panic, we are not finished yet. Under this directory a few special programs need their own settings. The first is cacls.exe; let's set this one up and then talk about the others. This tool is used to set permissions, so stop it inheriting the parent directory's permissions and deny access to it for everyone, because we generally don't use this bird thing anyway. The list of other programs to set is: net.exe, cmd.exe, ftp.exe, tftp.exe, telnet.exe. These are set so that only the renamed administrator can access them.
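The section III permission layout as an added example, not the article's own script: the same grants applied with cacls.exe instead of the Security tab, from the drive roots down to the locked tools in system32. It assumes `RenamedAdmin` is a placeholder for the renamed administrator account and that the paths are exactly the ones named above (d:\php, d:\perl, c:\winnt\temp and so on).

```batch
@echo off
rem Added example, not from the article: section III NTFS layout via cacls.exe.
rem Run from a console logged on as the renamed administrator, after the
rem software is installed. ADMIN is a placeholder for that account's name.
set ADMIN=RenamedAdmin

rem 1. Drive roots: cacls without /E replaces the whole DACL, so Everyone
rem    disappears and only the renamed administrator and SYSTEM keep Full
rem    Control. /T pushes the new ACL onto every child object, which is the
rem    article's "reset permissions on all child objects" step; /C carries
rem    on past files that refuse the change. "echo y|" answers the
rem    "Are you sure" prompt that every replace triggers.
echo y| cacls c:\ /T /C /G %ADMIN%:F SYSTEM:F
echo y| cacls d:\ /T /C /G %ADMIN%:F SYSTEM:F
echo y| cacls e:\ /T /C /G %ADMIN%:F SYSTEM:F

rem 2. ASP database drivers: Everyone gets R, which cacls maps to
rem    Read & Execute (this covers List Folder Contents and Read).
rem    /E edits the existing DACL instead of replacing it.
cacls "c:\Program Files\Common Files" /T /E /C /G Everyone:R

rem 3. PHP as ISAPI: php.ini readable, session directory read/write
rem    (C = Change), the PHP install tree read & execute.
cacls c:\winnt\php.ini /E /G Everyone:R
cacls c:\winnt\temp /T /E /C /G Everyone:C
cacls d:\php /T /E /C /G Everyone:R

rem 4. Perl CGI as ISAPI: same read & execute grant on the Perl tree.
cacls d:\perl /T /E /C /G Everyone:R

rem 5. system32: Everyone read & execute on the whole tree first ...
cacls c:\winnt\system32 /T /E /C /G Everyone:R

rem 6. ... then replace the DACL on the tools the article singles out so
rem    that only the renamed administrator is listed. Check the Security
rem    tab afterwards: Everyone must no longer appear on these files. If
rem    SYSTEM no longer appears either, services that spawn cmd.exe will
rem    start failing; add SYSTEM:F on that line if your box needs it.
echo y| cacls c:\winnt\system32\net.exe    /P %ADMIN%:F
echo y| cacls c:\winnt\system32\cmd.exe    /P %ADMIN%:F
echo y| cacls c:\winnt\system32\ftp.exe    /P %ADMIN%:F
echo y| cacls c:\winnt\system32\tftp.exe   /P %ADMIN%:F
echo y| cacls c:\winnt\system32\telnet.exe /P %ADMIN%:F

rem 7. cacls.exe itself last: an explicit deny for Everyone (which includes
rem    administrators). After this line cacls cannot run at all, so any
rem    correction has to be made from the Security tab.
echo y| cacls c:\winnt\system32\cacls.exe /D Everyone
```

Run it top to bottom once. Step 1 rewrites the ACL of every file on the three drives and takes a while; steps 6 and 7 deliberately cannot be undone with cacls afterwards, which is why they sit at the end.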

That's all I can think of for now; this was written in spare moments at work today, and I will add to it later.

Supplement: deny the non-administrator groups access to the winnt directory, and then grant read access along the path to the files that still have to be called from under winnt.
