Windows permission settings explained in detail

  
With the Dynamic Network forum software in wide use, vulnerabilities in it being discovered, and SQL injection attacks becoming ever more common, a WEBSHELL renders the firewall useless: even a WEB server that has every Microsoft patch applied and exposes only port 80 cannot escape the fate of being hacked. Are we really powerless? In fact, once you understand permission settings under the NTFS file system, you can say to the crackers: NO!

To build a secure WEB server, the server must use NTFS and Windows NT/2000/2003. As we all know, Windows is a multi-user, multi-tasking operating system. This is the basis of permission settings: all permission settings are based on users and processes, and different users have different permissions when they access the computer.

The difference between DOS and WinNT permissions
DOS is a single-tasking, single-user operating system. But can we say that DOS has no permissions? No! When we start a computer running DOS, we hold administrator privileges over the operating system, and those privileges apply everywhere. So we can only say that DOS does not support setting permissions, not that it has no permissions. As people's security awareness increased, permission settings were born with the release of NTFS.

In Windows NT, users are divided into groups, and different groups have different permissions. Of course, users within one group can also have different permissions. Here are the common user groups in NT.

Administrators: the administrators group. By default, users in Administrators have unrestricted, full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system, so only trusted personnel should become members of the group.

Power Users: the power users group. Power Users can perform any operating system task other than those reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify settings for the entire computer. However, Power Users do not have permission to add themselves to the Administrators group. In terms of permissions, this group is second only to Administrators.

Users: the ordinary users group. Users in this group cannot make intentional or unintentional changes to the system. They can therefore run certified applications, but not most legacy applications. The Users group is the most secure group, because the default permissions assigned to it do not allow members to modify operating system settings or user profiles. The Users group provides one of the most secure environments for running programs.
On NTFS-formatted volumes, the default security settings are designed to prevent members of the Users group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation but cannot shut down a server. Users can create local groups, but can only modify the local groups that they created themselves.

Guests: the guests group. By default, guests have the same access rights as members of the ordinary Users group, but the Guest account has more restrictions.

Everyone: as the name suggests, all users. Every user on the computer belongs to this group.

There is in fact one more very common group. It has the same permissions as Administrators, but no user is allowed to join it, and it is not displayed when you view the user groups. It is the SYSTEM group. The permissions that the system and system-level services need in order to function properly are assigned to it. Since this group contains only one user, SYSTEM, it may be more appropriate to classify it as a user.

Analysis of permission levels
Permissions come in higher and lower levels. Users with high privileges can operate on users with low privileges, but users outside the Administrators group cannot access other users' data on NTFS volumes unless those users authorize them. Users with low privileges cannot perform any operation on users with high privileges.

In everyday use we usually do not notice permissions stopping us from doing anything. This is because we log in with a user in the Administrators group. That has advantages and disadvantages. The advantage, of course, is that you can do whatever you want without running into restrictions. The disadvantage is that running the computer as a member of the Administrators group leaves the system vulnerable to Trojan horses, viruses, and other security risks. Simple actions such as visiting an Internet site or opening an email attachment can damage the system: unfamiliar Internet sites or email attachments may carry Trojan horse code that is downloaded to the system and executed. If you are logged in as an administrator of the local machine, the Trojan may use that administrative access to reformat your hard drive, causing immeasurable damage. So it is best not to log in as a user in Administrators unless it is necessary.

Administrators has a default user, Administrator, created when the system is installed. The Administrator account has full control over the server and can assign user rights and access control permissions to users as needed. It is highly recommended that this account be given a strong password. The Administrator account can never be removed from the Administrators group, but it can be renamed or disabled. Since everyone knows that "Administrator" exists on many versions of Windows, renaming or disabling the account makes it harder for a malicious user to try to access it. A good server administrator will usually rename or disable this account.
The Guests group also has a default user, Guest, which is disabled by default. Do not enable this account unless it is really necessary.

Tip: What is a strong password? It is a complex password of more than 8 characters that combines letters, digits, and upper and lower case. This does not completely stop many hackers, but it does make the password harder to crack to some extent.


We can view the user groups and the users in each group through "Control Panel" - "Administrative Tools" - "Computer Management" - "Local Users and Groups". To set permissions on an NTFS volume, or on a directory under an NTFS volume, right-click it and select "Properties" - "Security". There we see the following seven permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions.

"Full Control" is unrestricted, full access to the volume or directory. Its standing among the permissions is like that of Administrators among the groups. When "Full Control" is selected, the five permissions below it are selected automatically.

"Modify" is like Power Users. When "Modify" is selected, the four permissions below it are selected automatically. If any of those is deselected, "Modify" no longer holds.

"Read & Execute" allows any file under the volume or directory to be read and run. "List Folder Contents" and "Read" are prerequisites for "Read & Execute".

"List Folder Contents" means you can only browse the subdirectories under the volume or directory; you cannot read or run anything.

"Read" is the ability to read data from the volume or directory.

"Write" is the ability to write data to the volume or directory.

"Special Permissions" is a finer-grained breakdown of the six permissions above. Readers can study "Special Permissions" in more depth on their own; it is not covered in detail here.

A simple server setup example

Below we analyze, as a whole, a WEB server and its permissions immediately after the operating system and service software have been installed. The server runs Windows 2000 Server with SP4 and all patches installed. The WEB service software is IIS 5.0, which ships with Windows 2000, with all unnecessary mappings removed.
The whole hard disk is divided into four NTFS volumes. The C drive is the system volume and holds only the operating system and drivers. The D drive is the software volume; all software installed on the server is on D. The E drive is the WEB program volume; the website programs are in the WWW directory on that volume. The F drive is the website data volume; all data used by the website system is stored in the WWWDATABASE directory on that volume.

This kind of separation meets the standard for a secure server reasonably well. I hope every novice administrator will organize server data sensibly in this way. It not only makes things easier to find; more importantly, it greatly improves the security of the server, because we can set different permissions on each volume or each directory as needed and so minimize the loss if a network security incident does occur. Of course, you can also spread the website's data across different servers to form a server group, with each server using a different username and password and providing a different service, which is more secure still. But people willing to do this have one thing in common: money :).

Now, down to business. The server's database is MS-SQL; the MS-SQL service software, SQL2000, is installed in the d:\ms-sqlserver2K directory, the SA account has a sufficiently strong password, and the SP3 patch is installed. To make it easier for the web page authors to manage the pages, the website also runs an FTP service. The FTP service software is SERV-U 5.1.0.0, installed in the d:\ftpservice\serv-u directory. The antivirus software and firewall are Norton Antivirus and BlackICE respectively, installed in d:\nortonAV and d:\firewall\blackice. The virus database has been updated to the latest version, and the firewall rule base allows only ports 80 and 21 to be open to the public. The website's content is a forum running Dynamic Network forum 7.0, and the website program is under e:\www\bbs.
Careful readers may have noticed that I did not install this service software in the default paths, nor did I simply change the drive letter of the default paths. This too is a security measure: when a hacker gets into your server through some channel but has not obtained administrator privileges, the first thing he does is look at which services you have running and which software is installed, because he needs to use these to elevate his privileges. A hard-to-guess path combined with good permission settings will keep him out. I believe a WEB server configured this way is enough to withstand most unskilled hackers.

The reader may now ask: "None of this uses permission settings at all! If I have done all the other security work, are permission settings still necessary?" Of course they are! Even the wise make mistakes. Even if you have made the system's security as good as it can be, you must remember that new security vulnerabilities are constantly being discovered. Permissions will be your last line of defense!

Attack example

So let's run a mock attack on this server, which has had no permissions configured and uses the Windows default permissions throughout, to see whether it is really impregnable.

Assume the server's external domain name is http://www.webserver.com. Scanning it with scanning software shows that the WWW and FTP services are open and that the service software is IIS 5.0 and Serv-U 5.1. Overflow tools aimed at these prove ineffective, so the idea of a direct remote overflow is abandoned. Opening the website shows that it uses the Dynamic Network forum system, so /upfile.asp is appended to the domain name, which reveals a file upload vulnerability. The request is then captured and a modified ASP Trojan is submitted with NC, which reports that the upload succeeded. The WEBSHELL has been obtained. Opening the ASP Trojan that was just uploaded shows that MS-SQL, Norton Antivirus and BlackICE are running. The conclusion is that the firewall is applying restrictions and has blocked the SQL service port.
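An administrator can check for the condition the mock attack starts from (content directories still carrying default permissions) by listing every ACL entry that gives a broad built-in group write-class access. The following PowerShell function is an added example, not part of the original article: the name Get-BroadWriteAce and the choice of which groups count as "broad" are assumptions, the default paths follow the article's E: and F: layout, and it assumes a Windows version with PowerShell 3.0 or later.

```powershell
# Added example (not from the article): list ACEs that give broad groups
# write-class access to the web content directories.
function Get-BroadWriteAce {
    [CmdletBinding()]
    param(
        # Defaults follow the article's layout: E:\WWW programs, F:\WWWDATABASE data.
        [string[]]$Path = @('E:\WWW', 'F:\WWWDATABASE'),
        [switch]$Recurse
    )
    $R = [System.Security.AccessControl.FileSystemRights]
    # Well-known SIDs, so matching also works on localized Windows.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'Users'
        'S-1-5-32-546' = 'Guests'
    }
    # Generic bits can appear on inherit-only ACEs instead of specific rights.
    $genericAll = 0x10000000
    $genericWrite = 0x40000000
    # Any of these bits lets the holder create, change or delete content, or rewrite the ACL.
    $writeMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
        $R::ChangePermissions -bor $R::TakeOwnership) -bor $genericAll -bor $genericWrite
    $full = [int]$R::FullControl
    $modify = [int]$R::Modify
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
        $items = @(Get-Item -LiteralPath $root -Force)
        if ($Recurse) { $items += Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue }
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            # Request SIDs directly rather than translated account names.
            foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
                $sid = $ace.IdentityReference.Value
                $bits = [int]$ace.FileSystemRights
                if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
                if (($bits -band $writeMask) -eq 0) { continue }
                # Map the mask back to the Security-tab level it corresponds to.
                $level = 'Write or partial write'
                if (($bits -band $genericAll) -or (($bits -band $full) -eq $full)) { $level = 'Full Control' }
                elseif (($bits -band $modify) -eq $modify) { $level = 'Modify' }
                [pscustomobject]@{ Path = $item.FullName; Group = $broad[$sid]; Level = $level
                                   Inherited = $ace.IsInherited; Rights = $ace.FileSystemRights }
            }
        }
    }
}
Get-BroadWriteAce | Format-Table -AutoSize
```

Any row it returns for the web program directory is a place where the account the web service runs under can probably write files; entries marked Inherited have to be fixed on the parent volume or directory, not on the item itself.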
