Sections:
I. Windows - Secure your files with NTFS
II. IIS and Apache
III. PHP - Edit php.ini to make your php more secure
IV. MySQL - edit privileges of users as necessary.
------------------------------------------------------------------------------------
I. Windows Security
Object: Secure file permissions so that, if the system is breached by files uploaded through web/FTP, the impact is limited.
*Note: IIS configured with default anonymous access will use the IUSR_HOST account. If that account has been changed, you must change it everywhere IUSR_HOST appears below. If in a domain, make sure you search the computer, not the domain, for IUSR_HOST.
I always recommend partitions: having your system files on C: and any kind of hosting done on D:/E:/etc.
As this is a server, and you would be logging in as an administrator or a domain user (if in a domain), you can then get rid of almost all permissions on the drives.
Recommended Permissions:
C:\
    Administrators (Hostname\Administrators): Full Control
    SYSTEM: Full Control
C:\php (or wherever your php install is)
    Administrators (Hostname\Administrators): Full Control
    SYSTEM: Full Control
    Internet Guest Account (HOST\IUSR_HOST): Read/Execute
    Network Service: Read/Execute
C:\php\tmp
    Administrators (Hostname\Administrators): Full Control
    SYSTEM: Full Control
    Network Service: Read/Execute/Modify
D:\
    Administrators (Hostname\Administrators): Full Control
    SYSTEM: Full Control
D:\public_html
    Administrators (Hostname\Administrators): Full Control
    SYSTEM: Full Control
    Internet Guest Account (HOST\IUSR_HOST): Read/Execute (List Folder Contents if wanted)
------------------------------------------------------------------------------------
II. IIS/Apache Security
Object: Allow only certain modules to run, enable SSL, etc.
IIS: In IIS Manager, go to Web Service Extensions and prohibit all but PHP if you serve no other page types.
In IIS Manager, right-click the site that hosts PHP and go to Properties. Click the Home Directory tab.
Change Execute permissions to "Scripts only" (if using ISAPI rather than CGI). Click Configuration.
Go to the .php extension and click Edit. Change Verbs to "Limit to: GET,HEAD,POST,TRACE" (if other verbs are used by applications other than eqdkp, you will need to add them here).
Apache: coming soon
------------------------------------------------------------------------------------
III. PHP Security
Object: Secure php.
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 0
Only change that if you are using php.exe (CGI) instead of ISAPI; otherwise ignore it.
php.ini settings (PHP 5):
safe_mode = On
register_globals = Off
------------------------------------------------------------------------------------
IV. MySQL Security
Object: Limit mysql users to specific databases.
While a database can hold many tables, and applications can use table prefixes to separate them, be warned: if someone gets hold of the username/password, they can modify anything in that database. Keeping all your eggs in one basket isn't very safe, but it is common for a website.
http://dev.mysql.com...guidelines.html explains most of what is here.
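An added example (not from the original post) of what "limit users to specific databases" looks like in practice: one account per application, each confined to its own database and to connecting from the web server itself. Database names, account names and the password placeholders are assumptions.

```sql
-- Constructed example: one MySQL account per application, confined to one database.
-- Database, user and host names are assumptions; replace the password placeholders.

-- Separate databases so a leaked credential only exposes one application's data.
CREATE DATABASE eqdkp_db;
CREATE DATABASE forum_db;

-- Accounts restricted to connecting from the web server itself ('localhost').
-- A '%' host would accept that password from any machine that can reach port 3306.
CREATE USER 'eqdkp_user'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_1';
CREATE USER 'forum_user'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD_2';

-- Grant only the row-level privileges a running web application needs,
-- and only on its own database: no GRANT OPTION, no FILE, no SUPER,
-- and nothing on *.* (which would also cover the mysql system tables).
GRANT SELECT, INSERT, UPDATE, DELETE ON eqdkp_db.* TO 'eqdkp_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON forum_db.* TO 'forum_user'@'localhost';

-- If the application's installer needs to create its tables, grant the schema
-- privileges for the installation only and revoke them once setup is done.
GRANT CREATE, ALTER, INDEX, DROP ON eqdkp_db.* TO 'eqdkp_user'@'localhost';
REVOKE CREATE, ALTER, INDEX, DROP ON eqdkp_db.* FROM 'eqdkp_user'@'localhost';

-- Check: the output should list only grants on eqdkp_db.*, never on *.*.
SHOW GRANTS FOR 'eqdkp_user'@'localhost';

-- Audit: any account besides root showing Y in these global columns deserves a look.
SELECT user, host, Select_priv, File_priv, Super_priv FROM mysql.user;
```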