Basic Security Recommendation for Linux Hosted Web Sites:

Change ALL 777 file permissions back to 755 at least. 777 means world writable, and that means exactly what it says: anyone in the world can write to the file. It is like leaving your front door unlocked. Sooner or later someone is going to walk in and put a virus on your site.
File Permissions - Linux

The permission description can be in the form of a number that is exactly three digits. Each digit of this number is a code for the permissions level of three types of people that might access this file:

- Owner (you)
- Group (a group of other users that you set up)
- World (anyone else browsing around on the file system)

The value of each digit is set according to what rights each of the types of people listed above have to manipulate that file.

Permissions are set according to numbers. Read is 4. Write is 2. Execute is 1. The sums of these numbers give combinations of these permissions:

- 0 = no permissions whatsoever; this person cannot read, write, or execute the file
- 1 = execute only
- 2 = write only
- 3 = write and execute (1+2)
- 4 = read only
- 5 = read and execute (4+1)
- 6 = read and write (4+2)
- 7 = read and write and execute (4+2+1)

Permissions are given using these digits in a sequence of three: one for owner, one for group, one for world.
Here is a screen shot from the Control Panel. [screenshot not reproduced in this copy]

To change permissions: [screenshot not reproduced in this copy]
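The digit rules above and the 777 recommendation, worked through in code. This is an added example and not part of the original page: a small POSIX shell script that decodes an octal mode digit by digit (read = 4, write = 2, execute = 1), tests whether a mode is world writable, and then applies the recommendation to a web root by resetting every world-writable entry. It uses 755 for directories and 644 for regular files; the 644 for non-executable files is a common refinement of the page's "755 at least" advice, not something the page states. The function names are the example's own, and the directory tree it operates on is constructed under a temporary directory so nothing outside it is touched.

```shell
#!/bin/sh
# Added example, not part of the original page: decode octal permission
# digits and reset world-writable entries under a web root.
# Function names and the sample tree built under mktemp are constructed
# for this demonstration.

# decode_perm DIGIT -> prints the rwx string for one octal digit.
# read = 4, write = 2, execute = 1; the digit is the sum of the bits set.
decode_perm() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# describe_mode MODE -> prints the nine-character ls-style string for a
# three-digit mode, e.g. 755 -> rwxr-xr-x (owner, group, world).
describe_mode() {
    mode=$1
    owner=${mode%??}            # first digit
    rest=${mode#?}              # last two digits
    group=${rest%?}             # second digit
    world=${rest#?}             # third digit
    printf '%s%s%s\n' "$(decode_perm "$owner")" "$(decode_perm "$group")" "$(decode_perm "$world")"
}

# world_writable MODE -> exit status 0 when the world digit has the write bit.
# This is the property that makes 777 dangerous on a shared web host.
world_writable() {
    world=${1#??}
    [ $((world & 2)) -ne 0 ]
}

# count_world_writable DIR -> number of entries under DIR whose world-write
# bit is set (-perm -0002 is the POSIX form of "others can write").
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# report_world_writable DIR -> lists each world-writable entry with its mode.
report_world_writable() {
    find "$1" -perm -0002 -exec ls -ld {} +
}

# fix_web_root DIR -> clears world write under DIR.
# Directories get 755 (the execute bit is needed to traverse them);
# regular files get 644 (the web server only needs to read them).
fix_web_root() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Demonstration on a constructed tree; nothing outside the temp dir is touched.
demo() {
    root=$(mktemp -d)
    mkdir "$root/uploads"
    printf '<html></html>\n' > "$root/index.html"
    printf 'placeholder\n'    > "$root/uploads/note.txt"
    chmod 777 "$root/uploads" "$root/index.html" "$root/uploads/note.txt"

    echo "777 is $(describe_mode 777); 755 is $(describe_mode 755); 644 is $(describe_mode 644)"
    echo "Before: $(count_world_writable "$root") world-writable entries"
    report_world_writable "$root"
    fix_web_root "$root"
    echo "After:  $(count_world_writable "$root") world-writable entries"
    rm -rf "$root"
}

demo
```

Run it as `sh fixperms.sh`; to audit a real site, call `report_world_writable /path/to/webroot` first and only then `fix_web_root` on the same path, since some applications (upload or cache directories) may need writable directories that should be restricted to the web server's own user rather than left world writable.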

File Permissions - Windows

Managing levels of access to shares and to files

You can use Simple File Sharing to configure five different levels of access to shares and files:

• Level 1: My Documents (Private)
• Level 2: My Documents (Default)
• Level 3: Files in shared documents available to local users
• Level 4: Shared Files on the Network (Readable by Everyone)
• Level 5: Shared Files on the Network (Readable and Writable by Everyone)
NOTES

• By default, files that are stored in My Documents are at Level 2.
• Levels 1, 2, and 3 folders are available only to a user who is logging on locally. Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.
• Levels 4 and 5 folders are available to users who log on locally and remote users from the network.
The following table describes the permissions:

Access Level | Everyone (NTFS/File) | Owner        | System       | Administrators | Everyone (Share)
Level 1      | n/a                  | Full Control | Full Control | n/a            | n/a
Level 2      | n/a                  | Full Control | Full Control | Full Control   | n/a
Level 3      | Read                 | Full Control | Full Control | Full Control   | n/a
Level 4      | Read                 | Full Control | Full Control | Full Control   | Read
Level 5      | Change               | Full Control | Full Control | Full Control   | Full Control
Level 1: My Documents (Private)

The owner of the file or folder has read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. All subfolders that are contained in a folder that is marked as private remain private unless you change the parent folder permissions.

If you are a Computer Administrator and create a user password for your account by using the User Accounts Control Panel tool, you are prompted to make your files and folder private.

Note: The option to make a folder private (Level 1) is only available to a user account in its own My Documents folder.

To configure a folder and all the files in it to Level 1, follow these steps:

1. Right-click the folder, and then click Sharing and Security.
2. Select the Make this Folder Private check box, and then click OK.

Local NTFS Permissions:
• Owner: Full Control
• System: Full Control

Network Share Permissions:
Level 2 (Default): My Documents (Default)

The owner of the file or folder and local Computer Administrators have read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. This is the default setting for all the folders and files in each user's My Documents folder.

To configure a folder and all the files in it to Level 2, follow these steps:

1. Right-click the folder, and then click Sharing and Security.
2. Make sure that both the Make this Folder Private and the Share this folder on the network check boxes are cleared, and then click OK.

Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control

Network Share Permissions:
Level 3: Files in shared documents available to local users

Files are shared with users who log on to the computer locally. Local Computer Administrators can read, write, and delete the files in the Shared Documents folder. Restricted Users can only read the files in the Shared Documents folder. In Windows XP Professional, Power Users may also read, write, or delete any files in the Shared Documents Folder. The Power Users group is only available in Windows XP Professional. Remote users cannot access folders or files at Level 3. To permit remote users to access files, you must share them out on the network (Level 4 or 5).

To configure a file or a folder and all the files in it to Level 3, start Microsoft Windows Explorer, and then copy or move the file or folder to the Shared Documents folder under My Computer.

Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• Power Users: Change
• Restricted Users: Read
• System: Full Control

Network Share Permissions:
Level 4: Shared on the Network (Read Only)

Files are shared for everyone to read on the network. All local users, including the Guest account, can read the files, but they cannot modify the contents. Any user can read and change your files.

To configure a folder and all the files in it to Level 4, follow these steps:

1. Right-click the folder, and then click Sharing and Security.
2. Click to select the Share this folder on the network check box.
3. Click to clear the Allow network users to change my files check box, and then click OK.

Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control
• Everyone: Read

Network Share Permissions:
Level 5: Shared on the network (Read and Write)

This level is the most available and least secure access level. Any user (local or remote) can read, write, change, or delete a file in a folder shared at this access level. Microsoft recommends that this level be used only for a closed network that has a firewall configured. All local users, including the Guest account, can also read and modify the files.

To configure a folder and all the files in it to Level 5, follow these steps:

1. Right-click the folder, and then click Sharing and Security.
2. Click to select the Share this folder on the network check box, and then click OK.

Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control
• Everyone: Change

Network Share Permissions:
Note: All NTFS permissions that refer to Everyone include the Guest account.

All the levels that this article describes are mutually exclusive. Private folders (Level 1) cannot be shared unless they are no longer private. Shared folders (Level 4 and 5) cannot be made private until they are unshared.

If you create a folder in the Shared Documents folder (Level 3), share it on the network, and then permit network users to change your files (Level 5), the permissions for Level 5 are effective for the folder, the files in that folder, and the child folders. The other files and folders in the Shared Documents folder remain configured at Level 3.

Note: The only exception is if you have a folder (SampleSubFolder) that is shared at Level 4 inside a folder (SampleFolder) that is shared at Level 5. Remote users have the correct access level to each of the shared folders. Locally logged-on users have writable (Level 5) permissions to the parent (SampleFolder) and child (SampleSubFolder) folders.
Guidelines

Microsoft recommends that you only share folders on the network that remote users on other computers must access. Microsoft recommends that you do not share the root of your system drive. When you do this, your computer is more vulnerable to malicious remote users. The Sharing tab of the drive's Properties dialog box contains a warning when you try to share a root folder (for example, C:\). To continue, you must click the "If you understand the risk but still want to share the root of the drive, click here" link. Only computer administrators can share the root of the drive.

Files on a read-only device such as a CD-ROM shared at Level 4 or 5 are only available if the CD-ROM is in the CD-ROM drive. Any CD-ROM that is in the CD-ROM drive is available to all users on the network.
A file's permission may differ from the containing folder if one of the following conditions is true:

• You use the move command at a command prompt to move a file into the folder from a folder on the same drive that has different permissions.
• You use a script to move the file into the folder from a folder on the same drive that has different permissions.
• You run Cacls.exe at a command prompt or a script to change file permissions.
• Files existed on the hard disk before you installed Windows XP.
• You changed a file's permissions while Simple File Sharing was turned off on Windows XP Professional.

Note: NTFS permissions are not maintained on file move operations when you use Windows Explorer with Simple File Sharing turned on.
If you turn on and turn off Simple File Sharing, the permissions on files are not changed. The NTFS and share permissions do not change until you change the permissions in the interface. If you set the permissions with Simple File Sharing enabled, only Access Control Entries (ACEs) on files that are used for Simple File Sharing are affected. The following ACEs in the Access Control List (ACL) of the files or folders are affected by the Simple File Sharing interface:

• Owner
• Administrators
• Everyone
• System
Troubleshooting file sharing in Windows XP

Expected upgrade behavior

A Windows 2000 Professional-based or a Windows NT 4.0-based computer that is joined to a domain or a workgroup that is upgraded to Windows XP Professional maintains its domain or workgroup membership respectively and has the classic file sharing and security UI turned on. NTFS and share permissions are not changed with the upgrade.

By default, if you upgrade a computer that is running Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition that has "per share" sharing permissions to Windows XP, Simple File Sharing is always turned on. Shares that have passwords assigned to them are removed, and shares that have blank passwords remain shared after the upgrade.

If you upgrade a computer that is running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition to Windows XP Professional and that computer is logged on to a domain, if that computer has share level access turned on and joins the domain while the Setup program is running, the computer starts with Simple File Sharing turned off.

By default, a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition-based computer that is upgraded to Windows XP Home has Simple File Sharing turned on.
Known issues

For remote users to access files from the network (Levels 4 and 5), the Internet Connection Firewall (ICF) must be disabled on the network interface that the remote users connect through. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

298804 (http://support.microsoft.com/kb/298804/) Internet Connection Firewall can prevent browsing and file sharing

When Simple File Sharing is turned on, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work because all remote users authenticate as Guest. Guest accounts do not have administrative rights. When Simple File Sharing is turned on, configuring specific user ACEs does not affect remote users, because all remote users authenticate as Guest.

Remote users may receive an "Access Denied" message on a share that they had connected to successfully before. This behavior occurs after the hard disk is converted to NTFS. This behavior occurs on Windows XP-based computers that have Simple File Sharing turned on that were upgraded from Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. This behavior occurs because the default permissions of a hard disk that is converted to NTFS do not contain the Everyone group. The Everyone group is required for remote users who are using the Guest account to access the files. To reset the permissions, unshare and reshare the affected folders.
Behavior that is affected when Simple File Sharing is turned on

• The Simple File Sharing UI in the properties of a folder configures both share and file permissions.
• Remote users always authenticate as the Guest account. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 302927 (http://support.microsoft.com/kb/302927/) Computer Management displays user account names when logged on as Guest
• Windows Explorer does not retain permissions on files that are moved in the same NTFS drive. The permissions are always inherited from the parent folder.
• On Windows XP Professional-based computers that have Simple File Sharing turned on and Windows XP Home Edition-based computers, the Shared Folders (Fsmgmt.msc) and Computer Management (Compmgmt.msc) tools reflect a simpler sharing and security UI.
• In the Computer Management and Shared Folders consoles, the New File Share command is unavailable when you right-click the Shares icon. Also, if you right-click any listed share, the Properties and Stop Share commands are unavailable.
Behavior that is not caused by turning on Simple File Sharing

• In Windows XP Home Edition, the Computer Management snap-in does not display the Local Users and Groups node. The Local Users and Groups snap-in cannot be added to a custom snap-in. This behavior is a limitation of Windows XP Home Edition. It is not caused by Simple File Sharing.
• If you turn off the Guest account in the User Accounts Control Panel tool, only the guest's ability to log on locally is affected. The account is not disabled.
• Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately.
• Windows XP Home Edition cannot join a domain. It can only be configured as a member of a workgroup. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 303606 (http://support.microsoft.com/kb/303606/) Can log on without password by using Guest account after upgrade from Windows 2000