W2k security

Anon

Hi,I'm running W2k, PHP 4.0.6 and MySQL 3.23.43. If I allow other people to setup community sites on my server how can I secure my server. i.e I don't want people to see system info (phpinfo() stuff) and such like. I've got the W2k and MySQL tightened down properly but how do I protect myself from PHP ? Because it'll be a free service, I don't have the resoures to personally check every upload (and probably wouldn't understand the advanced features anyway).

amcgrath

Just wondering, isn't the subject of this forum an oxymoron?

[deleted]

It is a bit of a strange combination: "secutiry & windows" :-)

My suggestion: forget about it and start using a unix machine as a webserver.

Anon

Vincent , at least I know that your web server should NOT be showing that your internal IP address is 10.0.0.2 which funnily enough is Microsofts default IP address from Windows NT / 2000 SBS servers. Your shopping site wouldn't be run on a Microsoft box now would it ?
You have to remember that before the Code Red worm, the Sun Solaris web server was THE MOST HACKED server on the net, yes, hacked even more than IIS. Why - because everyone jumped to Unix (or Solaris in this case) because it wasn't done by Bill but they knew nothing about simple security settings. Any competent computer engineer should know that changing one setting on a Win 2k box, with out applying any service packs or security patches, would have prevented the Code Red worm infecting and spreading. That is why forums like this are here. To make sure that PHP is not given a bad name because of security lapses/bad programming techniques etc.

Adrian

[deleted]

Adrian: the webserver you found at my IP adress is a development server, running Redhat 7.1. (You would have known that if you bothered to look up the names. The name of the site does NOT point to my development machine. oopsy!) So 'big deal' if it shows it's internal IP.

What's more, don't you think it's a little naive to assume someone is running IIS just because he uses the same internal IP that MS defaults to? Half the world uses the 10.x.x.x range for their internal nets.

The fact that Unx based machines (not SUN, SUN doesn't have a webserver) have been hacked more is simply due to the fact that there are many many more Unx based servers than MS based ones. Did you also look at how those machine were hacked? Well it wasn't by entering a slighty groovy URL like with IIS.

MS has some very cool ideas, they just never seem to be able to realize them in a secure way. There's always some nifty feature that turns the security into swiss cheese.

Now, enough of this Un*x vs MS crap.
The is a PHP forum after all.

Anon

Look at the safe_mode and disable_functions settings in php.ini.

http://www.php.net/manual/en/features.safe-mode.php#features.safe-mode

You can disable specific functions you don't want to be executed. To disable backticks you have to set safe_mode on.