Windows operating system account permission settings explained

With the wide deployment of the Dvbbs (dynamic network) forum, the discovery of vulnerabilities in it, and the growing use of SQL injection attacks, a WEBSHELL renders the firewall useless: even a WEB server that has every Microsoft patch applied and exposes only port 80 to the outside world cannot escape being hacked. Can we really do nothing? In fact, as long as you understand the permission settings of the NTFS file system, we can say to the crackers: NO! To build a secure WEB server, the server must use NTFS and Windows NT/2000/2003.

As we all know, Windows is a multi-user, multi-tasking operating system, and this is the basis of permission settings. All permission settings are built on users and processes: different users have different access permissions on the computer.

The difference between DOS and WinNT permissions

DOS is a single-tasking, single-user operating system. Can we then say that DOS has no permissions? No! Whoever boots a computer running DOS holds administrator rights over that operating system, and those rights apply everywhere. So we can only say that DOS does not support setting permissions; we cannot say it has no permissions. As security awareness grew, permission settings were born with the release of NTFS. In Windows NT, users are divided into groups, and different groups have different permissions; of course, users within one group can also have different permissions. Let's look at the common user groups in NT.

Administrators: the Administrators group. By default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system, so only trusted personnel should be made members of this group.

Power Users: the Power Users group. Power Users can perform any operating system task except those reserved for the Administrators group.
The default permissions assigned to the Power Users group allow its members to modify settings for the entire computer. However, Power Users do not have permission to add themselves to the Administrators group. Among the permission settings, this group's permissions are second only to Administrators.

Users: the ordinary user group. Members of this group cannot make intentional or unintentional system-wide changes. Users can therefore run certified applications but not most legacy applications. The Users group is the most secure group, because the default permissions assigned to it do not allow members to modify operating system settings or user profiles. The Users group provides one of the most secure program execution environments. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation but not a server. Users can create local groups, but can modify only the local groups they created themselves.

Guests: the Guests group. By default, a guest has the same access as a member of the ordinary Users group, but the Guest account has more restrictions.

Everyone: as the name suggests, all users; every user on this computer belongs to this group.

In fact there is one more very common group. It has the same permissions as Administrators, but no user is allowed to join it, and it is not displayed when you view user groups: the SYSTEM group. The permissions that the system and system-level services need in order to function are assigned to it. Since this group has only one member, SYSTEM, it may be more appropriate to think of it as a user.

Permission instance: attack

Permissions will be your last line of defense!
Now let's perform a mock attack on a server that has had no permissions set and uses only the Windows default permissions, to see whether it really is impregnable. Assume the server's external domain name is http://www.webserver.com. Scanning it with a scanner shows open WWW and FTP services, and the service software turns out to be IIS 5.0 and Serv-U 5.1. After finding that the available overflow tools for them were ineffective, I abandoned the idea of a direct remote overflow. Opening the website shows that it runs the Dvbbs forum system, so I appended /upfile.asp to its domain name and found a file upload vulnerability; I then captured the packet and submitted a modified ASP Trojan with NC, which reported that the upload succeeded. With a WEBSHELL in hand, I opened the ASP Trojan just uploaded and found that MS-SQL, Norton Antivirus and BlackICE were running, and judged that the firewall had imposed restrictions and blocked the SQL service port. Through the ASP Trojan I looked up the PIDs of Norton Antivirus and BlackICE and uploaded a tool that can kill processes; after running it, Norton Antivirus and BlackICE were dead. A rescan showed that port 1433 was open. At this point there are many ways to obtain administrator privileges: read the user name and password from conn.asp under the website directory, then log in to SQL to add a user and grant it administrator permissions; upload ServUDaemon.ini under Serv-U to obtain system administrator privileges; or use a local Serv-U overflow tool to add a user directly to Administrators, and so on. As you can see, once the hacker finds an entry point, without permission restrictions he gets administrator rights without difficulty.

Now let's look at what the default permission settings of Windows 2000 are. For the root of each volume, the Everyone group is given Full Control by default.
This means that any user who gets onto the computer can do whatever they like in these root directories. Three directories under the system volume are special: the system gives them restricted permissions by default. They are Documents and Settings, Program Files, and Winnt. For Documents and Settings the default permissions are: Administrators have Full Control; Everyone has Read & Execute, List Folder Contents, and Read; Power Users have Read & Execute, List Folder Contents, and Read; SYSTEM has the same as Administrators; Users have Read & Execute, List Folder Contents, and Read. For Program Files: Administrators have Full Control; Creator Owner has special permissions; Power Users have Full Control; SYSTEM has the same as Administrators; Terminal Server Users have Full Control; and Users have Read & Execute, List Folder Contents, and Read. For Winnt: Administrators have Full Control; Creator Owner has special permissions; Power Users have Full Control; SYSTEM has the same as Administrators; Users have Read & Execute, List Folder Contents, and Read. All directories on non-system volumes inherit the permissions of their parent directory, that is, the Everyone group has Full Control!

Now everyone knows why we obtained administrator rights so easily in the test: the default permissions are set far too loosely. A visitor to the website is automatically run as the IUSR user, which belongs to the Guests group. Its own permissions are not high, but the Full Control that the system grants to the Everyone group by default is stacked on top of them, and in the end Administrators rights can be obtained. So, how should permissions be set for this WEB server to count as safe? Everyone should keep one sentence in mind: "Minimum services + minimum privilege = maximum security." For services: if it is not necessary, do not install it, and you must know that services run at SYSTEM level. For permissions: just enough is good.
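An added audit script, not from the original article, that reports every place where the Everyone group still holds Full Control, which is the default condition described above. It checks each fixed volume root, the three special system-volume directories and cmd.exe; that path list, the function name and the Inherited column (which shows whether the ACE came from the parent, as on non-system volumes) are this example's assumptions.

```powershell
# Added audit example (not from the original article). Lists ACEs that give the
# Everyone group Full Control, so the loose defaults can be spotted before
# hardening. Run from an elevated PowerShell prompt.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-EveryoneFullControl {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # FileSystemRights is a flags enum: test the whole Full Control mask.
            # (ACEs expressed with generic rights show as raw numbers and are not matched.)
            $grantsFull = (($ace.FileSystemRights -band $fullControl) -eq $fullControl)
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq 'Everyone' -and $grantsFull) {
                [pscustomobject]@{
                    Path      = $p
                    Inherited = $ace.IsInherited   # True: inherited from the parent directory
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Every fixed volume root (C:\, D:\, ...), then the three special system-volume
# directories named in the text, and cmd.exe (assumed path list for this example).
$paths = @(Get-PSDrive -PSProvider FileSystem |
           Where-Object { $_.Root -match '^[A-Z]:\\$' } |
           ForEach-Object { $_.Root })
$paths += "$env:SystemDrive\Documents and Settings", $env:ProgramFiles,
          $env:SystemRoot, "$env:SystemRoot\system32\cmd.exe"

Get-EveryoneFullControl -Paths $paths | Format-Table -AutoSize
```

An empty table means no checked path grants Everyone Full Control; rows with Inherited = True on a non-system volume are exactly the inherited root permissions the text warns about.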
For the WEB server, taking this server as an example, I set the permissions as follows for your reference. On the root directory of each volume, Documents and Settings and Program Files, give Full Control only to Administrators, or simply delete Program Files outright. Add Read and Write rights for Everyone to the root directory of the system volume, and to the e:\www directory, that is, Read and Write rights on the website directory. Finally, find the cmd.exe file and give Full Control to Administrators only. After such a setup, it is impossible to compromise this server by the method I used above.

Perhaps some readers will ask at this point: "Why should Everyone be given Read and Write rights on the root of the system volume? Don't the ASP files in the website need permission to run?" That is a good and searching question. The situation is this: if the system volume does not give Everyone Read and Write rights, the computer will report an error when it starts, indicating that virtual memory is insufficient. Of course, this has a premise: that virtual memory is allocated on the system disk. If you allocate virtual memory on another volume, then you have to give Everyone Read and Write rights on that volume instead. ASP files are executed on the server, and only the result of execution is sent back to the end user's browser. That is true, but an ASP file is not an executable file in the system sense; it is interpreted and executed by the provider of the WEB service, IIS, so running it does not require execute permission.
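The permission scheme just described, as an added PowerShell example that is not part of the original article. It assumes the website directory is E:\www as in the text, and it keeps NT AUTHORITY\SYSTEM with Full Control next to Administrators on every path (the article itself notes that services run as SYSTEM); the helper name Set-ExclusiveAcl is this example's own. Try it on a test machine first, from an elevated prompt.

```powershell
# Added example, not from the original article: apply the article's permission
# scheme with PowerShell ACL objects. Assumptions: the website lives in E:\www
# (as in the text), and NT AUTHORITY\SYSTEM keeps Full Control next to
# Administrators, since the article notes that services run as SYSTEM.
function Set-ExclusiveAcl {
    # Replace the whole DACL of $Path with exactly the entries in $Grants
    # (identity -> FileSystemRights string) and stop inheriting from the parent.
    param([string]$Path, [hashtable]$Grants)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "skipping missing $Path"; return }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)       # disable inheritance, discard inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    $isDir   = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit,ObjectInherit' } else { 'None' }   # files take no inheritance flags
    foreach ($id in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, [System.Security.AccessControl.FileSystemRights]$Grants[$id],
            [System.Security.AccessControl.InheritanceFlags]$inherit,
            [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$adminOnly = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
$sysVolume = "$env:SystemDrive\"
$webRoot   = 'E:\www'   # assumed website directory, as in the text

# Root of every non-system volume: Administrators (and SYSTEM) only; Everyone's Full Control goes away.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' -and $_.Root -ne $sysVolume } |
    ForEach-Object { Set-ExclusiveAcl -Path $_.Root -Grants $adminOnly }

# System volume root: the same, plus Everyone Read and Write so the pagefile still works.
Set-ExclusiveAcl -Path $sysVolume -Grants ($adminOnly + @{ 'Everyone' = 'Read,Write' })

# Documents and Settings and Program Files: Administrators (and SYSTEM) only.
foreach ($d in "$env:SystemDrive\Documents and Settings", $env:ProgramFiles) {
    Set-ExclusiveAcl -Path $d -Grants $adminOnly
}

# Website directory: Everyone (which includes the anonymous IUSR account) may read and write.
Set-ExclusiveAcl -Path $webRoot -Grants ($adminOnly + @{ 'Everyone' = 'Read,Write' })

# cmd.exe: Full Control for Administrators (and SYSTEM) only, so a webshell running as IUSR cannot launch it.
Set-ExclusiveAcl -Path "$env:SystemRoot\system32\cmd.exe" -Grants $adminOnly
```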
Copyright © Windows knowledge All Rights Reserved