Bruce,

Thanks for all of your input, it is much appreciated.

I do know about securing IIS, but I was concerned about security when
adding PHP into the mix.  

From the answers I received, I am assuming that the security is in the
OS/Server software, and that there aren't any inherent security measures
to be taken with PHP?  In short, if the OS/web server is fairly secure,
PHP does not break that, correct?  That is my main concern.

Thanks,
Eric

-----Original Message-----
From: Bruce Barnes [mailto:[EMAIL PROTECTED]] 
Sent: Monday, April 01, 2002 8:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server


Eric et al;

START BY MAKING A FULL AND COMPLETE BACKUP OF YOUR MACHINE!  IF you make
an error with USERS, GROUPS and PERMISSIONS, you might lock yourself
completely out of the machine and not be able to regain access to your
drives and directories without a complete reinstall of the Windows 2000
Operating System.

The first thing that anyone who is running Windows 2000 should do is to
format the logical drives using NTFS - this allows for MUCH greater file
security than other file systems.

The next thing to do is to DELETE the permissions for the GROUP
"EVERYONE" from all of your logical drives.  To DELETE the permissions
for the GROUP "EVERYONE" from the directory that is going to contain the
actual files for the web site.  If we assume that the name of the site
is "WWW.PHPHEADACHES.COM" and the directory in which the files are
located is "PHPHEADACHES", then we would highlight the directory
"PHPHEADACHES", right click on the directory, go to the SECURITY TAB and
UNCHECK the box that is at the bottom of the SECURITY WINDOW that
states: "Allow Inheritable Permissions from Parent to Propagate to this
Object."

At that point you should receive an option window that will allow you
to:
        COPY
        REMOVE or
        CANCEL

You want to select COPY.  This will COPY all of the users and groups
permissions to the local directory.

Next, HIGHLIGHT the GROUP named "EVERYONE" and press the DELETE key.
The "EVERYONE" GROUP has now been deleted from the directory and has no
permissions and you have now locked out anyone except the users and
groups to which you specifically give permissions.

For the purposes of PHP, the "everyone" user, as referenced in the
installation instructions, can be replaced with the GROUP of "USERS" (no
quotes) from the LOCAL MACHINE on which IIS and PHP are installed, and
that user can be given the "write" permissions where the "EVERYONE" user
used to be required to have them.

If you are running on a network with a DOMAIN SERVER, do NOT use the
group "your_network_domain_name\DOMAIN USERS" as they will not have any
permissions on the local machine unless the "DOMAIN USERS" group has
been specifically added to the "local_machine_name\USERS" group.

Next, REMOVE the "USERS" group from each of your IIS web site
directories. The only users who should have permissions in those sites
are:

1. "IUSER_local_machine_name" where "local_machine_name" is the actual
name of the local machine WITHOUT the name of the domain appended to it.
ie: if the fully qualified domain name is "foo.bar.com", then the
"local_machine_name" will be "foo" and the username added to the
directory will be "IUSER_foo" with permissions set to READ & EXECUTE,
LIST and READ - there should be NO other permissions set for this user.

2. The username of the person who is responsible for sending the files
to the site via FTP.  Remember, that user must be a user on the LOCAL
machine - in this case the "FOO" machine.  If the name of the web site
directory for the hosted site is "PHPHEADACHES" and the site is named
"www.phpheadaches.com", on the machine named "FOO" and the username of
the person responsible for maintaining the web site www.phpheadaches.com
named "KONG" and "KONG" is using FTP to send the files up to the site
hosted on "FOO", then "KONG", a user on the "FOO" machine will have
permissions to the directory "PHPHEADACHES" with the permissions of
MODIFY, READ & EXECUTE, LIST, READ, and WRITE.

The user "KONG" should NOT have the FULL CONTROL permissions as this
will allow him to "take ownership" of the various files and system files
that might be created in the directory.  If you do not want "KONG" to be
able to execute scripts or other files in the "PHPHEADACHES" directory,
then you should UNCHECK the READ & EXECUTE setting for the user "KONG"
as well.

As the "ADMINISTRATOR" of the machine on which the web site is hosted,
you will want the local machine administrator account, in this case
"FOO\ADMINISTRATOR" to have FULL CONTROL of the web site directory
"PHPHEADACHES".  If the web site machine "FOO" is part of a domain and
your administrative account gets its administrative permissions from a
domain controller, you will also want to add the "ADMINISTRATOR(S)"
account for the domain to the directory "PHPHEADACHES" and give that
account FULL CONTROL as well.  In this case, the addition of the domain
administrator(s) account would look like this
"BAR.COM\ADMINISTRATOR(S)".  The "BAR.COM\ADMINISTRATOR(S)" account
should have FULL CONTROL in the directory PHPHEADACHES.

If you have users on the domain bar.com who are responsible for
maintaining the web site and they are not part of the administrators
group of "BAR.COM\ADMINISTRATORS" and you want them to have access in
the directory "PHPHEADACHES", then you need to also add those users to
the directory "PHPHEADACHES" with the appropriate level of permissions.

Next you should have the "SYSTEM" account for the "LOCAL MACHINE", in
this case "FOO", added to the directory with FULL access to the
directory.

When you APPLY the permissions, you should make sure you check the box
that applies the users and permissions to the SUB-DIRECTORIES as well.

If the web site is running Front Page Server Extensions, then it will
also contain three additional groups.  Those groups will be specific to
the web site name.  In the case of www.phpheadaches.com the groups will
be:

        "www.phpheadaches.com Admins"
        "www.phpheadaches.com Authors"
        "www.phpheadaches.com Browsers"

You will need to add the appropriate users from the LOCAL MACHINE or
from the DOMAIN to each of these GROUPS on the LOCAL MACHINE.

To complete the installation, follow the instructions supplied with PHP
for Windows 2000 Server and you should have no problems.  If you have
any problems, just remember to run PHPINFO() from within a script and
check the results against what you think they should be.

If you are setting up a new server, you should remove the EVERYONE group
from all logical drives IMMEDIATELY - before allowing any user other
than the ADMINISTRATOR to have access to the system for the first time.
If you have already installed software on the system and have users with
established rights to specific directories and files, this may cause
some problems for you and you will have to create new groups with
permissions to access those specific directories.

Remember, SECURITY is the MOST IMPORTANT item in the installation of any
Windows 2000 Server and IIS installation. KEEP IT ON THE BASIS OF ONLY
THOSE USERS AND GROUPS WHO NEED ACCESS HAVE ACCESS - NO ONE ELSE!

Making certain that only those users and groups who absolutely must have
permissions to any given directory on the machine, and that they have
the APPROPRIATE permissions in those directories where they have been
granted access, will save you from countless headaches, attempted server
break-ins and lots of lost revenue from downtime.

For more information on Windows 2000 Security, do a search at the
Microsoft Technet location of
"http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/admhow.asp"
(You may be asked to establish an account on the
site, a rather lengthy process, but well worth the work for anyone who
works with Windows 2000 or any other Windows product.)  Microsoft
Technet provides lots of good information and lots of other server geeks
who can assist you in locating the information if you can't find it on
your own.

Bruce Barnes
======================================================
Now Providing High-Speed Internet Access from DSL.NET!
from xDSL to a full T-1 - need some?  Call or visit
our web site at http://www.ChicagoNetTech.com/dsl.html
======================================================
ChicagoNetTech
3401 W Beach Ave
Chicago IL  60651-2332
mailto:[EMAIL PROTECTED]
http://www.ChicagoNetTech.com
773.365.0105 Office
773.365.0108 Fax
773.491.9019 Cell
======================================================
Secure & Encrypted Remote Data Backup
Server Co-Location Services
Computer Network Design, Installation & Maintenance
Telecomm Network Design, Installation & Maintenance
Web Site Design & Hosting
======================================================
It ALWAYS costs less to do it right the FIRST time!
======================================================
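
The permission scheme laid out in Bruce Barnes's message, turned into an audit, as an added example that is not part of the thread: it assumes a current Windows host with PowerShell and Get-Acl rather than the Windows 2000 Security tab, and the function name Test-WebRootAcl, the sample ACEs and the path are hypothetical. Account names are copied as written in the message; substitute the anonymous account your IIS site actually runs as.

```powershell
# Added example. Account names, the path and the sample ACEs are constructed.
function Test-WebRootAcl {
    param(
        [Parameter(Mandatory)] [object[]]  $Aces,       # shaped like (Get-Acl).Access
        [Parameter(Mandatory)] [bool]      $Protected,  # (Get-Acl).AreAccessRulesProtected
        [Parameter(Mandatory)] [hashtable] $Allowed     # identity -> highest right permitted
    )
    $rights   = [System.Security.AccessControl.FileSystemRights]
    $sync     = [int]$rights::Synchronize   # Windows adds this bit to most Allow ACEs
    $findings = @()
    if (-not $Protected) {
        $findings += 'Directory still inherits permissions from its parent'
    }
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $id = "$($ace.IdentityReference)"
        if (-not $Allowed.ContainsKey($id)) {
            $findings += "Not on the allow-list: $id ($($ace.FileSystemRights))"
            continue
        }
        $max   = [int]($Allowed[$id] -as $rights) -bor $sync
        $have  = [int]($ace.FileSystemRights -as $rights)
        $extra = $have -band (-bnot $max)   # bits granted beyond the permitted maximum
        if ($extra -ne 0) {
            $findings += "$id exceeds $($Allowed[$id]): extra $($extra -as $rights)"
        }
    }
    $findings
}

# Allow-list from the message: anonymous web user, FTP maintainer, admin, SYSTEM.
$allowed = @{
    'FOO\IUSER_foo'       = 'ReadAndExecute'
    'FOO\KONG'            = 'Modify'
    'FOO\Administrator'   = 'FullControl'
    'NT AUTHORITY\SYSTEM' = 'FullControl'
}
# Constructed ACEs: Everyone is still present and KONG was given Full Control.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'Everyone'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'FOO\IUSER_foo'; FileSystemRights = 'ReadAndExecute, Synchronize'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'FOO\KONG'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
)
Test-WebRootAcl -Aces $sample -Protected $false -Allowed $allowed

# Against a live directory (hypothetical path):
#   $acl = Get-Acl 'D:\Sites\PHPHEADACHES'
#   Test-WebRootAcl -Aces @($acl.Access) -Protected $acl.AreAccessRulesProtected -Allowed $allowed
```

An empty result means the directory matches the allow-list; each returned string names one deviation to fix in the Security tab.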

-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:15
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] Configuring securely in IIS5


I have been able to install php and get it running on our test server
running IIS5. Everything is going fine, but now I am beginning to ponder
the question, how do I secure this when it goes live?

I have read through the installation documentation, and read the
security chapter of the php manual that I downloaded from the php.net
website.

Various queries to Google have been unproductive, so I thought I may
check here.

Now, I am not talking about script internals security (that will be
handled more by our development team), just mainly how to configure php
on the server so that I don't have people tearing the darn thing down
when this site goes live. We are using the ISAPI module.

I have seen numerous tidbits on Apache, but we are going to be using
IIS.

Can anyone point me to a book, FAQ, examples, anything to set me on the
way?

Thanks a ton



--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


