Here I describe the permission settings for a Windows 2000 virtual host that I consider more secure. This covers permission settings only.
I. Software and environment required by the virtual host
1. Serv-U 5.0.11 (it seems unsafe, but not necessarily)
4. pcAnywhere remote control
5. Antivirus software (I generally use Norton 8.0)
All of the above software, except for the MSSQL database, should be downloaded from the official website in the recommended version and installed. The setup below starts from the system installation. It assumes that Windows 2000 Advanced Server is installed and that the disk is divided into drives c, d and e, all formatted as NTFS.
II. System port settings
The virtual host is generally controlled through both pcAnywhere and Terminal Services. Terminal Services needs its port changed, for example to 8735. Set up TCP/IP filtering according to the services to be opened. Why not use local security policies? I personally think TCP/IP filtering is stricter, because it denies unless explicitly allowed, while the local security policy allows unless explicitly denied. If I have misunderstood this, please advise. The TCP/IP filtering settings are as follows:
TCP ports: allow only 21, 80, 5631, 8735, 10001, 10002, 10003, 10004 and 10005. IP protocols: allow only 6. I have not tested the UDP ports in detail, so I won't make claims about them; I will add them after testing. Ports 10001-10005 in the TCP list are the ports configured for Serv-U's PASV mode; other ports can of course be used instead.
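A check that goes with this allowlist, added here as an example and not part of the original article: compare the TCP listeners reported by `netstat -an` with the filter list, so that services still listening behind the filter can be disabled. The netstat sample and the function names are constructed for illustration.

```python
import re

# TCP allowlist from the filtering step above: FTP, HTTP, pcAnywhere, the
# moved terminal-service port, and the Serv-U PASV range 10001-10005.
ALLOWED_TCP = {21, 80, 5631, 8735} | set(range(10001, 10006))

# Constructed `netstat -an` output for illustration; not from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8735           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1187      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listening_tcp(netstat_text):
    """Map each listening TCP port to the set of local addresses bound to it."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports

def audit(netstat_text, allowed=ALLOWED_TCP):
    ports = listening_tcp(netstat_text)
    # A listener bound only to 127.x.x.x is not reachable from the network.
    loopback = {p for p, addrs in ports.items()
                if all(a.startswith("127.") for a in addrs)}
    exposed = set(ports) - loopback
    return {
        # Filtered from outside, but the service still runs: disable it.
        "listening_not_allowed": sorted(exposed - allowed),
        # Opening with no listener; PASV ports are only bound during transfers.
        "allowed_not_listening": sorted(allowed - set(ports)),
        "loopback_only": sorted(loopback),
    }

if __name__ == "__main__":
    for name, found in audit(SAMPLE_NETSTAT).items():
        print(name, found)
```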
In the local connection properties, uninstall all other protocols, leaving only Internet Protocol (TCP/IP). While you are at it, rename the administrator account to something more complicated, set the local security policy not to display the last logged-on account, and configure appropriate account lockout settings. Then restart the computer; this step is now complete.
Now start installing the software. All software is installed on the d drive; the e drive is used for data backup. Install Serv-U to d:\Serv-U first (and apply the Chinese crack while at it, hehe). Then install the others on the d drive in turn. Now start setting permissions. First of all, before anything else, remove Everyone from the Security tab of the c, d and e drives, and add the renamed administrator and SYSTEM with Full Control.
In Advanced, reset the permissions on all child objects and allow inheritable permissions to propagate. This way, all files and directories on the system are controlled by the renamed administrator and SYSTEM and automatically inherit the permissions of the parent directory. The following sets the corresponding permissions for each directory.
To run ASP and establish database connections, the files in the C:\Program Files\Common Files directory are needed. Set the permissions on C:\Program Files\Common Files: add Everyone with Read, List Folder Contents, and Read & Execute. You can also use the Advanced tab for stricter settings, but I have not done that before, so I won't make claims about it.
To run PHP, set the permissions on c:\winnt\php.ini so that Everyone has Read. If the PHP session directory is set to c:\winnt\temp, that directory should give Everyone read and write permissions. To improve performance, PHP is set to be parsed through ISAPI; the d:\php directory gives Everyone Read, List Folder Contents, and Read & Execute. As for the php.ini settings, I won't discuss them here: first, I don't understand them very well, and second, I am only covering system permission settings.
To run CGI, set d:\perl so that Everyone has Read, List Folder Contents, and Read & Execute. CGI is also set to be parsed through ISAPI, which is good for both security and performance.
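To verify the directory permissions described so far, the following added example (not from the original article) parses `cacls` listings and reports any Everyone entry that exceeds what the article grants. It assumes `cacls` reports the read/list/read-and-execute grant as `R`; the listings and the `HOST\siteadmin` account are constructed, and c:\winnt\php.ini and c:\winnt\temp are left out.

```python
import re

# Most access the article gives Everyone on each path; an empty set means
# Everyone must not appear at all (the drive roots).
POLICY = {
    "c:\\": set(), "d:\\": set(), "e:\\": set(),
    "c:\\program files\\common files": {"R"},
    "d:\\php": {"R"},
    "d:\\perl": {"R"},
}

# One ACE per line: trustee, optional (OI)(CI)(IO) flags, then a right letter
# (N/R/W/C/F) or a "(special access:)" marker followed by detail lines.
ACE_RE = re.compile(r"^([^:]+):((?:\([A-Z]+\))*)(\(special access:\)|[NRWCF])$")

def parse_cacls(path, output):
    """Return [(trustee, right)] from the cacls listing of a single path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line repeats the path
        m = ACE_RE.match(line)
        if m:
            right = m.group(3) if len(m.group(3)) == 1 else "special"
            aces.append((m.group(1), right))
    return aces

def audit_everyone(listings):
    """listings maps path -> cacls output; returns Everyone ACEs beyond POLICY."""
    findings = []
    for path, output in listings.items():
        allowed = POLICY.get(path.lower())
        if allowed is None:
            continue  # not a path the article sets
        for trustee, right in parse_cacls(path, output):
            if trustee.lower() == "everyone" and right not in allowed:
                findings.append((path, right))
    return sorted(findings)

# Constructed listings; HOST\siteadmin stands in for the renamed administrator.
SAMPLE = {
    "c:\\": "c:\\ HOST\\siteadmin:(OI)(CI)F\n    NT AUTHORITY\\SYSTEM:(OI)(CI)F\n",
    "d:\\": "d:\\ Everyone:(OI)(CI)F\n    NT AUTHORITY\\SYSTEM:(OI)(CI)F\n",
    "C:\\Program Files\\Common Files":
        "C:\\Program Files\\Common Files Everyone:(OI)(CI)R\n"
        "    NT AUTHORITY\\SYSTEM:(OI)(CI)F\n",
    "d:\\php": "d:\\php Everyone:(OI)(CI)C\n    HOST\\siteadmin:(OI)(CI)F\n",
    "d:\\perl": "d:\\perl Everyone:(OI)(CI)(special access:)\n"
                "        FILE_WRITE_DATA\n    HOST\\siteadmin:(OI)(CI)F\n",
}
```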
Now let's talk about the settings of Serv-U, which is so daunting. It is really powerful, but its security is not very good, so we need to harden it. The first issue is the overflow attack; 5.0.11 seems to have no such flaw. The second is modification of the ini configuration file; there is no permission to modify it, so skip that. As far as I know, the only way left now is to use the default management account and password to add an account with write and execute permission and run a Trojan.
Change the default account password and that is dealt with. It can be modified directly by opening ServUDaemon.exe and ServUAdmin.exe in an editor such as EditPlus. If you would rather not do it by hand, it is easy to write a program for this in any language. I have written one before, which makes it convenient to set up yourself. There is now basically no problem with Serv-U.
As for the database, there is no need to set permissions separately; it can simply inherit from the root directory of the d drive. As for how to set the account passwords inside it, I won't go into that.
The last point is to set up the c:\winnt\system32 directory and some things under it. Many programs need the dynamic link libraries here to run, there are too many files here, and I do not understand all of them. Give Everyone Read, List Folder Contents, and Read & Execute on the c:\winnt\system32 directory.
Actually this is not safe, but don’t panic, we are not done yet. Below this directory