Install IIS under Win2K and configure asp+cgi+php+mysql
Install Win2K, then install IIS, among which Indexing Service, FrontPage 2000 Server Extensions, Internet Service Manager (HTML) should be installed, and there are others. In short, do not install anything you do not need. (By the security principle: the fewest services + the fewest permissions = the greatest security.)
First, open the Internet Manager (Start-->Programs-->Management-->Internet Service Management). If installed as above, there is a default site and an SMTP service item. Select the default site and delete all directories below it (press the Delete key on your keyboard). The easiest way to stop IIS is: Start-->Run-->type net stop iisadmin, select Y and press Enter (the startup command is: net start w3svc). Delete the Inetpub directory on the C drive completely (it can only be deleted after stopping IIS), create a new directory on another disk, and point the default site's home directory to the newly created directory in the IIS manager. Create any other directories you need yourself as you go, and give each one only the permissions it needs.
(Pay special attention to write permission and permission to execute programs: do not grant them unless absolutely necessary. They are not granted by default, so there is nothing to study here, haha...)
Application configuration: in IIS Manager, delete every mapping that is not necessary, leaving only ASP, ASA and the other file types you really need (apart from cgi and php, I think you have no use for the others; delete htw, htr, idq, ida...). Don't know where to delete them? Method: open Internet Service Management->select the site->Properties->WWW Service->Edit->Home Directory->Configuration->Application Mapping, then delete them one by one (annoyingly, they cannot all be selected at once). Next, on the Application Debugging tab of the same window, change the script error message to "send text" (unless you want users to learn your program/network/database structure whenever an ASP error occurs). What should the error text say? Whatever you like. When you click OK to exit, don't forget to let the virtual directories inherit the properties you set.
To deal with the growing number of CGI vulnerability scanners, there is another trick you can consider: in IIS, redirect the HTTP 404 Object Not Found error page to a customized HTM file by URL. This makes most current CGI vulnerability scanners malfunction. The reason is simple: for convenience, most CGI scanners decide whether a vulnerability exists by looking at the HTTP status code of the returned page. For example, the famous IDQ vulnerability is generally tested by requesting 1.idq: if HTTP 200 is returned, the vulnerability is considered present; if HTTP 404 is returned, it is considered absent. If you redirect the HTTP 404 error to the HTTP404.htm file by URL, every scan returns HTTP 200 whether or not the vulnerability exists, and 90% of CGI scanners will conclude that you have every kind of vulnerability. This ends up masking your real vulnerabilities, leaving intruders at a loss and with nowhere to start. Personally, however, I still think that doing a solid job on security settings is much more important than a little trick like this.
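A defender-side complement to the 404 redirect, as an added example that is not part of the original article: once every probe is answered with HTTP 200, the status code stops being a useful signal for the site owner as well, so this example flags clients by the script extensions they request, using the mappings deleted above. The log lines, addresses and the names `parse_w3c` and `probe_report` are constructed for illustration; the log is assumed to be in W3C extended format with a `#Fields` header.

```python
import posixpath
from collections import defaultdict

# Script extensions whose mappings the article deletes (htw, htr, idq, ida).
REMOVED_MAPPINGS = {".htw", ".htr", ".idq", ".ida"}

# Constructed W3C extended log sample; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 10:00:01 192.0.2.10 GET /1.idq - 200
2001-08-01 10:00:01 192.0.2.10 GET /1.ida - 200
2001-08-01 10:00:02 192.0.2.10 GET /1.HTR - 200
2001-08-01 10:03:10 198.51.100.7 GET /default.asp - 200
2001-08-01 10:05:40 203.0.113.5 GET /search.idq - 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))


def probe_report(text, min_extensions=2):
    """Map client IP -> sorted removed-mapping extensions it requested.

    The status code is ignored on purpose. Clients that asked for fewer than
    min_extensions distinct extensions are left out to limit false positives.
    """
    seen = defaultdict(set)
    for req in parse_w3c(text):
        ext = posixpath.splitext(req.get("cs-uri-stem", "").lower())[1]
        if ext in REMOVED_MAPPINGS and "c-ip" in req:
            seen[req["c-ip"]].add(ext)
    return {ip: sorted(e) for ip, e in seen.items() if len(e) >= min_extensions}


if __name__ == "__main__":
    for ip, exts in probe_report(SAMPLE_LOG).items():
        print(ip, "probed removed mappings:", ", ".join(exts))
```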
Win2000 account security is another key point. First of all, a default installation of Win2000 allows anyone to obtain the full list of accounts and shares on the system through an empty (null) user. This was originally meant to make file sharing convenient for LAN users, but a remote user can obtain your user list the same way and use brute force to crack user passwords. Many people know that you can prohibit port 139 null connections by changing the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, RestrictAnonymous = 1. In fact, the Win2000 local security policy (on a domain server, the domain server security and domain security policies) has the same option, RestrictAnonymous (Additional restrictions on anonymous connections), which has three values:
0: None. Rely on default permissions
1: Do not allow enumeration of SAM accounts and shares
2: No access without explicit anonymous permissions
0: This value is the system default. There are no restrictions: remote users can learn all the accounts, group information, shared directories and network transport lists (NetServerTransportEnum, etc.) on your machine, which is very dangerous for a server.
1: This value only allows non-NULL users to access SAM account information and share information.
2: This value is only supported in Win2000. Note that once you use this value, your sharing will probably be ruined, so I recommend that you set it to 1.
Okay, now the intruder has no way to get our user list, so our accounts are safe... Wait, there is still at least one account whose password can be targeted for guessing: the system's built-in administrator. What to do? Rename it: right-click administrator in Computer Management->User Account and change the name to whatever you want, as long as you can remember it. After renaming the administrator account, the name can still be seen on the Terminal Service login screen (it is remembered after you log in). To fix this, run regedit, find the DontDisplayLastUserName string data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change it to 1, so that the system will not automatically display the last login user name.
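The two registry settings discussed above, checked against a regedit export, as an added example that is not part of the original article. The export text is constructed, the names `parse_reg`, `audit` and `POLICY` are illustrative, and accepting RestrictAnonymous = 2 as well as the recommended 1 is an assumption of this example.

```python
import re

# (key, value name) -> acceptable data, all lower-cased. The article recommends
# RestrictAnonymous = 1; treating 2 as acceptable too is an assumption here.
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY = {
    (LSA, "restrictanonymous"): {"dword:00000001", "dword:00000002"},
    (WINLOGON, "dontdisplaylastusername"): {'"1"'},  # string data, per the article
}

# Constructed exports (not from a real host), assumed already decoded to text.
TEMPLATE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:0000000%d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
%s'''
DEFAULT_EXPORT = TEMPLATE % (0, "")
HARDENED_EXPORT = TEMPLATE % (1, '"DontDisplayLastUserName"="1"\n')


def parse_reg(text):
    """Return {(key, value name): raw data} from export text, lower-cased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        entry = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if header:
            key = header.group(1).lower()
        elif entry and key:
            values[(key, entry.group(1).lower())] = entry.group(2).lower()
    return values


def audit(text):
    """Return findings for the two settings; an empty list means both are set."""
    found = parse_reg(text)
    findings = []
    for (key, name), acceptable in POLICY.items():
        data = found.get((key, name))
        if data is None:
            findings.append(f"{name}: not set (default applies)")
        elif data not in acceptable:
            findings.append(f"{name}: {data}")
    return findings
```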
For security, you can also turn on TCP/IP filtering: right-click Network Places on the desktop->Properties->right-click the network card you want to configure->Properties->TCP/IP->Advanced->Options->TCP/IP filtering. There are three filters here: TCP ports, UDP ports and IP protocols. For TCP ports, click "Only allow" and then add the ports you need to open below it. Generally speaking, a WEB server only needs to open 80 (www); an FTP server needs to open 20 (FTP Data) and 21 (FTP Control); then 3306 (Mysql) and 3389 (remote terminal control, which you need if your host is hosted in someone else's computer room and cannot be operated directly). A mail server may need to open 25 (SMTP) and 110 (POP3). I have not researched ports in depth, but if you follow the services provided in this article, you only need to open the few above (80, 20, 21, 25, 3306, 3389).
cgi support
Download activeperl (available at