Securing PHP on an IIS Server

mcmcom

hi all,

i have installed php 4 on my development server (windows 2000 server, IIS 5) and its all working fine. However im not a php developer (but am a asp.net developer) and im wondering what steps i should take to secure my php server running on IIS. If anyone can point me to an article or links recommending best practices for securing php on my IIS server i would greatly appreciate it.

thanks,
mcm

comcentury

maybe you should be better off using apache.Go to the apache website and downlaod the latest version of apache server

mcmcom

running apache on our servers is not an option. However i did find a site that gave me a few pointers to secure my php server running off IIS i basically did the following in my php.ini file :

Safe_mode On
disable_functions = dl,system,exec,passthru,shell_exec
register_globals = Off

Anything else i may have forgot ?

thanks,
mcm

bradgrafelman

mcmcom wrote:
Anything else i may have forgot ?

You forgot that Safe Mode isn't the end-all solution, and is, in fact, deprecated - in PHP 6, it's not even an option :p.

MarkR

You can't reasonably defend against badly developed applications from creating problems.

The solution is to get the developers to write secure code - if they're unable or unwilling to do so, you should send them on some training or fire them respectively.

Mark

comcentury

mcmcom wrote:
running apache on our servers is not an option. However i did find a site that gave me a few pointers to secure my php server running off IIS i basically did the following in my php.ini file :

Safe_mode On
disable_functions = dl,system,exec,passthru,shell_exec
register_globals = Off

Anything else i may have forgot ?

thanks,
mcm

Is your server working now based on the site that you got the few pointers running off IIS,let me know and the site too,my apache is giving me problems,maybe i should follow your option

comcentury

mcmcom wrote:
hi all,

i have installed php 4 on my development server (windows 2000 server, IIS 5) and its all working fine. However im not a php developer (but am a asp.net developer) and im wondering what steps i should take to secure my php server running on IIS. If anyone can point me to an article or links recommending best practices for securing php on my IIS server i would greatly appreciate it.

thanks,
mcm

Can you please send me details on how you doownloaded your II ,i am using windows xp for it.Thanks

SpeedBird

I'd recommend running PHP in ISAPI (rather than CGI) mode. Probably not much better security-wise but a lot faster. It is also a good idea to set 'max_execution_time' to something reasonable in case you manage to build a script that enters into an infinite loop. Remember that some scripts, like upload scripts, can take a while to execute anyway. You might want to turn off 'file_uploads' if you don't need it, and if you do, you might want to set 'upload_max_filesize'.

Other than setting 'register_globals = off' I can't really think of anything else. I find most of the security settings I use are configured through IIS, file permissions or written in the script itself.

Roger_Ramjet

You might want to have a look at this Sitepoint article. A bit dated (2005) but still worth a read.

etully

mcmcom:

There are some things that you just shouldn't do. Like, trying to teach 8 year olds how to safely handle a live cobra... or drive an automobile.

I'm not calling you an 8 year old. I'm just saying that you should definitely not be securing a web server by yourself. You should spend some money to hire a consultant for 8-10 hours to secure your server - or maybe walk you though doing it yourself.

MarkR is right: There's nothing you can do to the server that will protect you against the inexperienced programmers who work for your company. All you can do is get them some training or fire them.

The most dangerous thing about this thread is that when people try to answer your question, it suggests that it's a question that is answerable.

Turning on Safe mode won't make you safe.
Reading a two year old Sitepoint article won't make you safe.
Turning off a few flags at the suggestion of some anonymous people in an online forum won't make you safe.

Get about 5 years experience installing IIS and Apache web servers, write some complex programs and learn how to defeat the security of the code you've written. Hire some good people who already have some experience.

The most dangerous thing about following some helpful little "checklist" of things that will supposedly make you secure is that it makes you falsely think you're secure when you're not. The converse of that is that it's better to be insecure and know it than to think you're secure when you're not.

Roger_Ramjet

Hey Tully, I only listed that article as a pointer to the common blunders made by inexperienced programmers - a starting point for developing some good coding practices and standards. It does contain some good advice and links for further study which is what was asked for.

Since it is an existing IIS development server and he is an experienced ASP programmer, one can assume that IIS security has already been addressed at some level and will be further addressed on production systems. So helpful php-specific links are the apt response not Trollish head-banging.

Curmudgeon is right - sheesh.

etully

Roger: No attack was meant on you or anyone. I'm definitely not critical of anyone who tried to help the OP. My opinion about security is that if you're not going to take it very seriously then you might as well simply ignore it. I felt the thread needed some direction and I wanted to set things straight before someone got hurt. No attack or criticism was meant on you.

Self admitted curmudgeon

Roger_Ramjet

None taken. I just felt you had missed the original point of this thread: an experienced ASP.NET programmer starting out with PHP who wants to get off on the right foot.

comcentury

mcmcom wrote:
hi all,

i have installed php 4 on my development server (windows 2000 server, IIS 5) and its all working fine. However im not a php developer (but am a asp.net developer) and im wondering what steps i should take to secure my php server running on IIS. If anyone can point me to an article or links recommending best practices for securing php on my IIS server i would greatly appreciate it.

thanks,
mcm

Do you have an idea how i can make my php,mysql and IIS connection to dreamweaver,8
I am having problems with that

comcentury

etully wrote:
mcmcom:

There are some things that you just shouldn't do. Like, trying to teach 8 year olds how to safely handle a live cobra... or drive an automobile.

I'm not calling you an 8 year old. I'm just saying that you should definitely not be securing a web server by yourself. You should spend some money to hire a consultant for 8-10 hours to secure your server - or maybe walk you though doing it yourself.

MarkR is right: There's nothing you can do to the server that will protect you against the inexperienced programmers who work for your company. All you can do is get them some training or fire them.

The most dangerous thing about this thread is that when people try to answer your question, it suggests that it's a question that is answerable.

Turning on Safe mode won't make you safe.
Reading a two year old Sitepoint article won't make you safe.
Turning off a few flags at the suggestion of some anonymous people in an online forum won't make you safe.

Get about 5 years experience installing IIS and Apache web servers, write some complex programs and learn how to defeat the security of the code you've written. Hire some good people who already have some experience.

The most dangerous thing about following some helpful little "checklist" of things that will supposedly make you secure is that it makes you falsely think you're secure when you're not. The converse of that is that it's better to be insecure and know it than to think you're secure when you're not.

Do you have an idea how i can make my php,mysql and IIS connection to dreamweaver,8

am having problems with that

comcentury

bradgrafelman wrote:
You forgot that Safe Mode isn't the end-all solution, and is, in fact, deprecated - in PHP 6, it's not even an option :p.

Do you have an idea how i can make my php,mysql and IIS connection to dreamweaver,8

am having problems with that