With the widespread use of Dynamic Network forums, the discovery of upload vulnerabilities in them, and the increasing use of SQL injection attacks, a WEBSHELL makes the firewall useless: even a WEB server with every Microsoft patch applied and only port 80 open to the public cannot escape being hacked. Are we really powerless? In fact, as long as you understand how permissions are set under NTFS, we can say to the crackers: NO!
To build a secure WEB server, the server must use NTFS and Windows NT/2000/2003. As we all know, Windows is a multi-user, multi-tasking operating system, and this is the basis of permission settings: all permissions are based on users and processes, and different users have different permissions when they access the computer.
The permissions of DOS and WinNT
DOS is a single-task, single-user operating system. But can we say that DOS has no permissions? No! Whoever boots a computer running DOS holds administrator rights over the whole operating system, everywhere. So we can only say that DOS does not support permission settings, not that it has no permissions. As people's security awareness grew, permission settings were born with the release of NTFS.
In Windows NT, users are divided into groups, and different groups have different permissions. Of course, users within one group can also have different permissions. Let's go through the common user groups in NT.
Administrators: by default, members of Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system, so only trusted persons should be members of it.
Power Users: can perform any operating system task except those reserved for the Administrators group. The default permissions assigned to Power Users allow its members to modify settings for the entire computer; however, Power Users cannot add themselves to the Administrators group. In permission settings, this group is second only to Administrators.
Users: the normal user group. Members cannot make intentional or unintentional system-wide changes, so they can run certified applications but not most legacy applications. Users is the safest group, because its default permissions do not allow members to modify operating system settings or user profiles; it provides the safest environment for running programs. On NTFS-formatted volumes the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files or program files. Users can shut down a workstation but not a server. Users can create local groups, but can only modify the local groups they created.
Guests: the guest group. By default, guests have the same access rights as ordinary members of Users, but the Guest account is more restricted.
Everyone: as the name implies, every user on this computer belongs to this group.
In fact, there is another group that is also very common. Its permissions equal those of Administrators, or even exceed them, but no user may be added to it and it is not displayed when viewing user groups. It is the SYSTEM group. The permissions required for the normal operation of the system and of system-level services are all granted by it. Since the group has only one member, SYSTEM, it may be more appropriate to think of it as a user.
How strong are the different permissions
Permissions have high and low levels. Users with high permissions can operate on those with low permissions, but users in other groups cannot access other users' profiles on NTFS volumes unless those users authorize it. Users with low permissions cannot perform any operation on users with high permissions.
When we use a computer, we do not feel that permissions prevent us from doing anything. That is because we log in as a member of Administrators. This has both advantages and disadvantages. The advantage, of course, is that you can do whatever you want without running into permission restrictions. The disadvantage is that running the computer as a member of the Administrators group leaves the system vulnerable to Trojan horses, viruses and other security risks: simply visiting an Internet site or opening an email attachment can damage the system.
Unfamiliar Internet sites or email attachments may carry Trojan horse code that is downloaded to the system and executed. If you are logged in as an administrator of the local computer, the Trojan can use that administrative access to reformat your hard drive, causing immeasurable loss, so it is best not to log in as a member of Administrators unless necessary. Administrators has a default user created when the system is installed: Administrator. The Administrator account has full control of the server and can assign user rights and access control rights to other users as needed.
Therefore, it is highly recommended to give this account a strong password. You can never delete the Administrator account from the Administrators group, but you can rename or disable it. Since everyone knows that an "Administrator" account exists on many versions of Windows, renaming or disabling it makes it harder for malicious users to attack that account, and a good server administrator usually does so. The Guests group also has a default user, Guest, which is disabled by default; unless it is specifically needed, it should stay that way.
Small help: What is a strong password? A complex password longer than 8 characters that mixes letters, numbers and upper and lower case. This does not completely stop hackers, but it makes cracking difficult to a certain extent.
We can view the user groups and the users in each group through "Control Panel" -- "Administrative Tools" -- "Computer Management" -- "Users and Groups".
Right-click an NTFS volume, or a directory on an NTFS volume, and select "Properties" - "Security" to set permissions for that volume or directory. There we see the following seven permissions: Full Control, Modify, Read and Run, List folder directory, Read, Write, and Special permissions. "Full Control" means unrestricted full access to the volume or directory; its status is just like that of Administrators among the groups. When "Full Control" is selected, the five attributes below it are selected automatically.
"Modify" is like Power Users: when "Modify" is selected, the four attributes below it are selected automatically, and if any of them is deselected, "Modify" no longer holds. "Read and Run" allows any file under the volume or directory to be read and run. "List folder directory" and "Read" are prerequisites for "Read and Run".
"List folder directory" means you can only browse the volume or the subdirectories under the directory, without reading or running anything. "Read" is the ability to read data in the volume or directory. "Write" means you can write data to the volume or directory. "Special" subdivides the six permissions above; readers can study it more deeply on their own, so I will not elaborate on it here.
Example: permission settings for a simple server
Below we analyse, as a whole, a WEB server on which the operating system and service software have just been installed, together with its permissions. The server runs Windows 2000 Server with SP4 and the various patches installed. The WEB service is IIS 5.0, which comes with Windows 2000, with all unnecessary mappings deleted. The hard disk is divided into four NTFS volumes: drive C is the system volume, with only the system and drivers installed; drive D is the software volume, holding all software installed on the server; drive E is the WEB program volume, with the website programs in its WWW directory; drive F is the website data volume, with all data used by the website stored in its WWWDATABASE directory.
This layout is quite in line with the standard for a secure server. I hope all novice administrators classify their server data sensibly: it is not only convenient for searching but, more importantly, greatly enhances the server's security, because we can set different permissions for each volume or directory as needed, so that when a network security incident does occur, the loss is kept to a minimum.
Of course, the website data can also be spread across different servers, making a server group in which each server has a different username and password and provides a different service, which is more secure. However, people who are willing to do this have one characteristic: being rich :).
Okay, back to the point. The database of this server is MS-SQL; SQL 2000 is installed in the directory d:\ms-sqlserver2K, the SA account has a password of sufficient strength, and the SP3 patch is installed. To make it convenient for web page producers to manage web pages, the website also runs an FTP service, SERV-U 5.1.0.0, installed in the directory d:\ftservice\serv-u. The antivirus software and firewall are Norton Antivirus and BlackICE, installed at d:\nortonAV and d:\firewall\blacice respectively. The virus database has been updated to the latest version, and the firewall rule set opens only ports 80 and 21 to the public. The website is a forum running Dynamic Network 7.0, and the website program is under e:\www\bbs.
Careful readers may have noticed that I did not install these services in their default paths, nor merely change the drive letter of the default path. This too is a security requirement: if a hacker gets into your server through some channel but does not obtain administrator rights, the first thing he will do is check which services are open and which software is installed, because he needs these to raise his permissions.
An unguessable path plus good permission settings will shut him out. I believe a WEB server configured this way is enough to resist most hackers who are not skilled at learning. Readers may ask again: "This does not use permission settings at all! I have done all the other security work; are permission settings still necessary?" Of course they are! Even a wise man makes mistakes, and even if the system's security is perfect now, you must know that new security vulnerabilities are always being discovered.
Example attack
Permissions will be your last line of defense! So let's run a simulated attack on this server, on which no permissions have been set and Windows defaults are in use, to see whether it is really secure.
Suppose that the server's external domain name is, after scanning it with scanning software, the WWW and FTP services are found to be open, and the service software is identified as IIS 5.0 and Serv-U 5.1. Some overflow tools are tried against them without effect, so the idea of a direct remote overflow is abandoned.
When I opened the website, I found it was using the Dynamic Network forum system, so I appended / to its domain name and found a file upload vulnerability. I captured the request and, using NC, submitted a modified ASP Trojan; it reported that the upload had succeeded, and a WEBSHELL was obtained. Opening the ASP Trojan I had just uploaded, I found MS-SQL, Norton Antivirus and BlackICE running, and judged that the firewall was restricting access and the SQL service port was blocked.
Through the ASP Trojan I viewed the PIDs of Norton Antivirus and BlackICE, uploaded a tool that can kill processes, and ran it; Norton Antivirus and BlackICE were killed. Scanning again, I found port 1433 open. At this point there are many ways to obtain administrator rights: look up the SQL username and password in the website directory, log in to SQL, add a user and raise it to administrator; or grab the Serv-U files, modify them and upload them back to obtain system administrator rights;
or transfer a local Serv-U overflow tool and add the user directly to Administrators, and so on. As you can see, once the hacker finds an entry point, without permission restrictions he obtains administrator rights smoothly.
Now let's look at the default permission settings of Windows 2000. For the root directory of each volume, the Everyone group is given Full Control by default. This means that any user who gets onto the computer can do whatever they want in these root directories, without restriction.
Three special directories under the system volume are given restricted permissions by default: Documents and settings, Program files and Winnt. For Documents and settings, the default permissions are: Administrators have Full Control; Everyone has Read and Run, List folder directory and Read; Power users have Read and Run, List folder directory and Read; SYSTEM has the same as Administrators; Users have Read and Run, List folder directory and Read. For Program files: Administrators have Full Control; Creator owner has Special permissions; Power users have Full Control; SYSTEM has the same as Administrators; Terminal server users have Full Control; Users have Read and Run, List folder directory and Read.
For Winnt: Administrators have Full Control; Creator owner has Special permissions; Power users have Full Control; SYSTEM has the same as Administrators; Users have Read and Run, List folder directory and Read. Every directory not under the system volume inherits the permissions of its parent directory, which means Full Control for the Everyone group!
Now do you see why we obtained administrator rights so easily in the test? The permission settings are far too loose! When someone visits the website, they are automatically assigned the IUSR user, which belongs to the Guests group. Its permissions are not high, but because the system defaults to Full Control for Everyone, its value "doubles", and in the end it can reach Administrators.
So how should this WEB server's permissions be set for it to count as safe? Everyone should keep one saying in mind: "The fewest services + the smallest permissions = the greatest security." For services, do not install any that are not necessary; remember that services run at SYSTEM level. For permissions, allocate them on the principle that just enough is best.
For the WEB server, taking the server just described, this is how I set the permissions; you can use it for reference: for the root directory of each volume, and for Documents and settings and Program files, give only Administrators Full Control, or simply delete Program files; additionally give Everyone Read and Write rights on the root directory of the system volume; and give the e:\www directory, that is the website directory, Read and Write rights.
Finally, this file must be dug out and given Full Control for Administrator only. After this setup, it is impossible to hack into this server by the method I just used. At this point some readers may ask: "Why give Everyone Read and Write rights on the root of the system volume? And don't the ASP files in the website need run permissions?" Good questions, with depth. That's right: if the system volume does not give Everyone Read and Write rights, the computer will report an error at startup and warn that virtual memory is insufficient.
Of course, there is a prerequisite for this: virtual memory is allocated on the system disk. If virtual memory is allocated on another volume, you have to give that volume Read and Write rights for Everyone instead. As for ASP files, they are executed on the server and only the result is sent back to the end user's browser. That is true, but an ASP file is not an executable file in the system sense; it is interpreted and executed by the WEB service, IIS, so running it does not require run permissions.
Understand the meaning of permissions
After the explanation above, you should have a preliminary understanding of permissions. To understand them more deeply, you must know some of their characteristics: permissions are inherited, accumulated, prioritized, and intersected.
Inheritance means that a lower-level directory has the permissions set at the level above it until they are reset. One more situation needs explaining here: when a directory or file is copied within a partition, the copy takes on the permissions of the directory at its new location; but when a directory or file is moved within a partition, it keeps its original permission settings.
Accumulation means that if a group GROUP1 has two users, USER1 and USER2, whose access rights to a certain file or directory are "read" and "write" respectively, then GROUP1's access rights to that file or directory are the sum of the rights of USER1 and USER2, which in practice is the larger one: "read" + "write" = "write". Likewise, if a user USER1 belongs to both GROUP1 and GROUP2, GROUP1 has "read-only" access to a certain file or directory and GROUP2 has "full control", then USER1's access to that file or folder accumulates from the two groups' permissions: "read-only" + "full control" = "full control".
Priority: this characteristic has two sub-features. One is that a file's access permissions take priority over the directory's, meaning a file's permissions can exceed those of its directory regardless of the parent folder's settings. The other is that the "Deny" permission takes priority over all other permissions: once "Deny" is selected, the other permissions have no effect, as if they had not been set.
Intersection refers to the case where the same folder has both a share permission and an access (NTFS) permission set for a certain user, and the two are inconsistent; the rule is to take the intersection of the two, that is, the strictest and smallest permission. If directory A's share permission for user USER1 is "read-only" and its access permission for USER1 is "full control", then USER1's final access permission is "read-only".
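As an added example that is not part of the original article, the following Python script models the permission hierarchy from the "Properties" - "Security" dialog described earlier together with the four rules just described (inheritance, accumulation, deny priority, share/NTFS intersection), and checks them against the article's hardened layout. The account IUSR, the groups GROUP1 and GROUP2, and every path and ACL in it are constructed for the demonstration; it is a simplified model of the rules as the article states them, not a replica of the Windows access-check algorithm.

```python
# Added example (not from the original article): a small model of the NTFS
# permission rules the article describes (inheritance, accumulation, deny
# priority, share/NTFS intersection), checked against its hardened layout.
# Every account name, group name, path and ACL below is constructed.
from typing import Dict, List, Optional, Set, Tuple

# The article's basic permissions, modelled as sets so they can be combined.
READ = {"read", "list"}            # "Read" also needs "List folder directory"
READ_RUN = READ | {"run"}          # "Read and Run" needs both of the above
MODIFY = READ_RUN | {"write"}      # "Modify" needs the four below it
FULL = MODIFY | {"full"}           # "Full Control" selects everything

Ace = Tuple[str, str, Set[str]]    # (principal, "allow" | "deny", rights)


def inherited_acl(path: str, acls: Dict[str, List[Ace]]) -> List[Ace]:
    """Inheritance: a directory without its own ACL uses the nearest parent's."""
    p = path.rstrip("\\")
    while p not in acls:
        if "\\" not in p:
            raise KeyError(f"no ACL set on {path} or any parent")
        p = p.rsplit("\\", 1)[0]
    return acls[p]


def effective_rights(user: str, groups: Set[str], path: str,
                     acls: Dict[str, List[Ace]],
                     share: Optional[Set[str]] = None) -> Set[str]:
    """Effective rights of `user` (a member of `groups`) on `path`."""
    principals = {user, "Everyone"} | groups   # every account is in Everyone
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for who, kind, rights in inherited_acl(path, acls):
        if who in principals:
            # Accumulation: rights granted to any matching group are unioned.
            (allowed if kind == "allow" else denied).update(rights)
    rights = allowed - denied                  # Priority: deny beats every allow
    if share is not None:
        rights &= share                        # Intersection: share caps NTFS
    return rights


# Constructed ACLs: the Windows 2000 default (Everyone has Full Control on
# each volume root) versus the article's hardened layout.
DEFAULT_ACLS = {"D:": [("Everyone", "allow", FULL)],
                "E:": [("Everyone", "allow", FULL)]}
HARDENED_ACLS = {
    "C:": [("Administrators", "allow", FULL), ("Everyone", "allow", READ | {"write"})],
    "D:": [("Administrators", "allow", FULL)],
    "E:": [("Administrators", "allow", FULL)],
    "E:\\www": [("Administrators", "allow", FULL), ("Everyone", "allow", READ | {"write"})],
}


def iusr_rights(path: str, acls: Dict[str, List[Ace]]) -> Set[str]:
    """What the anonymous web user IUSR (a Guests member) can do on `path`."""
    return effective_rights("IUSR", {"Guests"}, path, acls)
```

With the default ACLs, IUSR inherits Full Control on d:\ms-sqlserver2K from the D: root; with the hardened ACLs it gets nothing there and only Read plus Write under e:\www.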
That is all about permission settings. Finally, I would like to remind all readers that permission settings must be implemented on an NTFS partition; FAT32 does not support permission settings. I would also like to give administrators some suggestions:
1. Develop good habits: organize the server's hard disk when partitioning it, lock the server when not using it, and update patches and antivirus software frequently.
2. Setting a password of sufficient strength is a cliché, but there are always administrators who set weak or even empty passwords.
3. Try not to install software in the default path.
4. When English level is not a problem, try to install the English version of the operating system.
5. Do not install unnecessary software or services on the server.
6. Remember: there is no permanently safe system; update your knowledge frequently.