Eric et al;
START BY MAKING A FULL AND COMPLETE BACKUP OF YOUR MACHINE! IF you make an
error with USERS, GROUPS and PERMISSIONS, you might lock yourself completely
out of the machine and not be able to regain access to your drives and
directories without a complete reinstall of the Windows 2000 Operating
System.
The first thing that anyone who is running Windows 2000 should do is to
format the logical drives using NTFS - this allows for MUCH greater file
security than other file systems.
The next thing to do is to DELETE the permissions for the GROUP "EVERYONE"
from all of your logical drives. To DELETE the permissions for the GROUP
"EVERYONE" from the directory that is going to contain the actual files for
the web site. If we assume that the name of the site is
"WWW.PHPHEADACHES.COM and the directory in which the files are located is
"PHPHEADACHES", then we would highlight the directory "PHPHEADACHES", right
click on the directory, goto the SECURITY TAB and /UNCHECK the box that is
at the bottom of the SECURITY WINDOW that states: "Allow Inheritable
Permissions from Parent to Propagate to this Object."
At that point you should receive an option window that will allow you to:
COPY
REMOVE or
CANCEL
You want to select COPY. This will COPY all of the users and groups
permissions to the local directory
Next, HIGHLIGHT the GROUP named "EVERYONE" and press the DELETE key. The
"EVERYONE" GROUP has now been deleted from the directory and has no
permissions and you have now locked out anyone except the users and groups
to which you specifically give permissions.
For the purposes of PHP, the "everyone" user, as referenced in the
installation instructions, can be replaced with the GROUP of "USERS" (no
quotes) from the LOCAL MACHINE on which IIS and PHP are installed, and that
use can be given the "write" permissions where the "EVERYONE" user used to
be required to have them.
If you are running on a network with a DOMAIN SERVER, do NOT use the group
"your_network_domain_name\DOMAIN USERS" as they will not have any
permissions on the local machine unless the "DOMAIN USERS" group has been
specifically added to the "local_machine_name\USERS" group.
Next, REMOVE the "USERS" group from each of your IIS web site directories.
The only users who should have permissions in those sites are:
1. "IUSER_local_machine_name" where "local_machine_name" is the actual name
of the local machine WITHOUT the name of the domain appended to it. ie: if
the fully qualified domain name is "foo.bar.com", then the
"local_machine_name" will be "foo" and the username added to the directory
will be "IUSER_foo" with permissions set to READ & EXECUTE, LIST and READ -
there should be NO other permissions set for this user.
2. The username of the person who is responsible for sending the files to
the site via FTP. Remember, that user must be a user on the LOCAL machine -
in this case the "FOO" machine. If the name of the web site directory for
the hosted site is "PHPHEADACHES" and the site is named
"www.phpheadaches.com", on the machine named "FOO" and the username of the
person responsible for maintaining the web site www.phpheadaches.com named
"KONG" and "KONG" is using FTP to send the files up to the site hosted on
"FOO", then "KONG", a user on the "FOO" machine will have permissions to the
directory "PHPHEADACHES" with the permissions of MODIFY, READ & EXECUTE,
LIST, READ, and WRITE.
The user "KONG" should NOT have the FULL CONTROLL permissions as this will
allow him to "take ownership" of the various files and system files that
might be created in the directory. If you do not want "KONG" to be able to
execute scripts or other files in the "PHPHEADACHES" directory, then you
should UNCHECK the READ & EXECUTE setting for the user "KONG" as well.
As the "ADMINISTRATOR" of the machine on which the web site is hosted, you
will want the local machine administrator account, in this case
"FOO\ADMINISTRATOR" to have FULL CONTROL of the web site directory
"PHPHEADACHES". If the web site machine "FOO" is part of a domain and your
administrative account get's it's administrative permissions from a domain
controller, you will also want to add the ADMINISTRATOR(S)" account for the
domain to the directory "PHPHEADACHES" and give that account FULL CONTROLL
as well. In this case, the addition of the domain administrator(s) account
would look like this
"BAR.COM\ADMINISTRATOR(S)". The "BAR.COM\ADMINISTRATOR(S)" account should
have FULL CONTROLL in the directory PHPHEADACHES.
If you have users on the domain bar.com who are responsible for maintaining
the web site and they are not part of the administrators group of
"BAR.COM\ADMINISTRATORS" and you want them to have access in the directory
"PHPHEADACHES", then you need to also add those users to the directory
"PHPHEADACHES" with the appropriate level of permissions.
Next you should have the "SYSTEM" account for the "LOCAL MACHINE", in this
case "FOO", added to the directory with FULL access to the directory.
When you APPLY the permissions, you should make sure you check the box that
applies the users and permissions to the SUB-DIRECTORIES as well.
If the web site is running Front Page Server Extensions, then it will also
contain three additional groups. Those groups will be specific to the web
site name. In the case of www.phpheadaches.com the groups will be:
"www.phpheadaches.com Admins"
"www.phpheadaches.com Authors"
"www.phpheadaches.com Browsers"
You will need to add the appropriate users from the LOCAL MACHINE or from
the DOMAIN to each of these GROUPS on the LOCAL MACHINE.
To complete the installation, follow the instructions supplied with PHP for
Windows 2000 Server and you should have no problems. If you have any
problems, just remember to run PHPINFO() from within a script and check the
results against what you think they should be.
If you are setting up a new server, you should remove the EVERYONE group
from all logical drives IMMEDIATELY - before allowing any user other than
the ADMINISTRATOR to have access to the system for the first time. If you
have already installed software on the system and have users with
established rights to specific directories and files, this may cause some
problems for you and you will have to create new groups with permissions to
access those specific directories.
Remember, SECURITY is the MOST IMPORTANT item in the installation of any
Windows 2000 Server and IIS installation. KEEP IT ON THE BASIS OF ONLY THOSE
USERS AND GROUPS WHO NEED ACCESS HAVE ACCESS - NO ONE ELSE!
Making certain that only those users and groups who absolutely must have
permissions to any given directory on the machine, and that they have the
APPROPRIATE permissions in those directories where they have been granted
access, will save you from countless headaches, attempted server break-ins
and lots of lost revenue from downtime.
For more information on Windows 2000 Security, do a search at the Microsoft
Technet location of
"http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsoluti
ons/howto/admhow.asp" (You may be asked to establish an account on the
site, a rather lengthy process, but well worth the work for anyone who works
with Windows 2000 or any other Windows product.) Microsoft Technet provides
lots of good information and lots of other server geeks who can assist you
in locating the information if you can't find it on your own.
Bruce Barnes
======================================================
Now Providing High-Speed Internet Access from DSL.NET!
from xDSL to a full T-1 - need some? Call or visit
our web site at http://www.ChicagoNetTech.com/dsl.html
======================================================
ChicagoNetTech
3401 W Beach Ave
Chicago IL 60651-2332
mailto:[EMAIL PROTECTED]
http://www.ChicagoNetTech.com
773.365.0105 Office
773.365.0108 Fax
773.491.9019 Cell
======================================================
Secure & Encrypted Remote Data Backup
Server Co-Location Services
Computer Network Design, Installation & Maintenance
Telecomm Network Design, Installation & Maintenance
Web Site Design & Hosting
======================================================
It ALWAYS costs less to do it right the FIRST time!
======================================================
-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:15
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] Configuring securely in IIS5
I have been able to install php and get it running on our test server
running IIS5. Everything is going fine, but now I am beginning to ponder the
question, how do I secure this when it goes live?
I have read through the installation documentation, and read the security
chapter of the php manual that I downloaded from the php.net website.
Various queries to Google have been unproductive, so I thought I may check
here.
Now, I am not talking about script internals security (that will be handled
more by our development team), just mainly how to configure php on the
server so that I don't have people tearing the darn thing down when this
site goes live. We are using the ISAPI module.
I have seen numerous tidbits on Apache, but we are going to be using IIS.
Can anyone point me to a book, FAQ, examples, anything to set me on the way?
Thanks a ton
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
