Jump to content


Photo

Uniform Server - Services as Administrator


  • Please log in to reply
32 replies to this topic

#1 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 06 January 2012 - 02:48 PM

I have tried to tight up my server as much as possible. Uniform Server seems to be pretty much secure right out of the box but I have some concerns for those who, like me, run their servers in production open to the world.

The first thing that I noticed was apache and mysql services running as Administrator. I understand .vbs scripts and .bat files cannot run in Windows without elevated privileges in some cases; this is not one of them though.

For all those running Uniform Server as Administrator, please reconsider your NTFS permissions! and the account(s) your apache and MySQL services are running under.

I'm attaching a securitycheck.php file to my post. Upload that to your wwwroot and browse to it over http. Welcome to the show! And be extremely careful while testing your security. You will find it crazy but you will have full access to your system because that script is being executed under apache AS ADMINISTRATOR, without proper NTFS permissions your entire server is ONE click away from being wiped out. These are the basics to understand why your NTFS permissions are so darn important and shouldn't be ignored under IIS, apache or any other http server.

In my personal case, I have created 2 new users (1 for apache, 1 for MySQL) and 1 Group to manage NTFS permissions more easily).

1 - Create your 2 user accounts (apache, mysql). Make sure the user CANNOT change the password and also the PASSWORD NEVER EXPIRES.
2- Create a new group (let's call it webservices1).
3- Add apache and mysql users to that group (webservices1).
4- HOST your Uniserver Folder off of your C: drive (that's your OS drive after all)
5- Deny ALL permissions to webservices1 GROUP (apache and mysql users) to C:
6- Deny delete and WRITE to your Uniserver folder. Propagate permissions and allow WRITE only where required, ex: X:/Uniserver/tmp
8- Make sure mysql service has MODIFY permission to /Uniserver/usr/local/mysql
9- Make sure apache service has MODIFY permission to apache logs or the service won't start
10- Make sure you go to services and change US_APACHE1 and US_MYSQL1 to run with the new credentials created in step1.

There is a lot more to do and denying DELETE might be inconvenient to some admins when updating files but it is a lot more secure. It takes 10 seconds to edit NTFS security permissions (enable DELETE), update your server files, apps, etc. Go back and DENY delete.

Hope this helps some of us.

Attached Files


Yoni


#2 BobS

BobS

    Project Helper

  • Super Moderator
  • PipPipPip
  • 334 posts
  • Location:Santiago Chile
  • Interests:Retiring, computer systems, system design, model railroads....
  • Wiki ID: BobS
  • Main OS: Windows 7

Posted 09 January 2012 - 03:06 PM

Thanks Yoni!

You've reminded me of why I don't normally run Web servers from my home machine!

We'll have to add this type of material to the Wiki, and do a lot more research to come up with a list of "things to do and NOT do" when opening up to the Internet.

Regards,
BobS

#3 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 09 January 2012 - 08:27 PM

I do not run apache and mysql as Administrator. They both have their limited accounts setup in my server and they run fine.

I actually have a guide that I'm working on to jail these services. I'm working on it atm.

Yoni


#4 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 10 January 2012 - 09:42 AM

The guide is now online, guys. It can be found Here

Hope you find it useful. Your ideas an suggestions to improve it are always welcome.

Happy web serving :)

Yoni


#5 traxxus

traxxus

    Member

  • Member
  • PipPip
  • 80 posts
  • Location:Switzerland
  • Main OS: Windows 7

Posted 10 January 2012 - 10:08 AM

Thanks for the guide.


Btw.
Interessting that BobS always say "no, don't host your own site with UniServer".

Every company would die with this engagement.

Remembers me at the thread "don't eat the own dog food"

:)

#6 BobS

BobS

    Project Helper

  • Super Moderator
  • PipPipPip
  • 334 posts
  • Location:Santiago Chile
  • Interests:Retiring, computer systems, system design, model railroads....
  • Wiki ID: BobS
  • Main OS: Windows 7

Posted 10 January 2012 - 01:01 PM

And the reason I would always say that was that we did NOT have this guide to secure against the Internet world sufficiently! It still won't change the issue of hosting management.

I plan on writing a "Hardening The Uniform Server for the Internet" for the Wiki, based on this and other information. At least that way, if you want to actually open up your site to the WorldWildWeb, you can do so without leaving your machine open to compromise.

If you'd like to help, send me a PM for a Wiki logon.

Regards,
BobS

#7 rustyp

rustyp

    Member

  • Member
  • PipPip
  • 73 posts
  • Main OS: Windows Vista

Posted 21 January 2012 - 12:49 PM

Wow thanks for this big time.

Read through it one time already have many questions but will hold back until I go through everything here http://unlockforus.c...rvices-security a few times as it might answer most my questions.

Do you have that page with a white background and black letters, the color combination of that page is messing with my eyes big time, by time I made it down to the localsystem thing I was done had to close the page.

Thanks

#8 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 22 January 2012 - 12:16 AM

Not sure if that black is really hard to the eyes. For me it is refreshing as I read mostly during night time. Anyways, I made it white with black fonts taking your feedback into consideration. I hope you find it useful.

Yoni


#9 rustyp

rustyp

    Member

  • Member
  • PipPip
  • 73 posts
  • Main OS: Windows Vista

Posted 24 January 2012 - 10:47 AM

Not sure if that black is really hard to the eyes. For me it is refreshing as I read mostly during night time. Anyways, I made it white with black fonts taking your feedback into consideration. I hope you find it useful.


Hi sorry for the delay in my reply, the page comes up dark gray on my end with white fonts on my end but its much better, I also think some of the images are missing?

That is a great write up and great advice it points out many things I would have never thought about, I have read many articles over the years about building a home server you cover things nobody else has ever mention.

As soon as I get caught up here I will be applying these using your page as step by step instructions, I only have one drive in the computer I plan to use and it only has one partition on that drive so I will need to add another drive first or can the one drive have another partition added without formatting and starting over, it currently has WinXP installed.

Thanks again so much you should be proud of your work nobody else offers this.

#10 Clint Payton

Clint Payton

    Newbie

  • Member
  • Pip
  • 6 posts
  • Main OS: Windows 7

Posted 31 January 2012 - 05:33 PM

Hello,

I feel like i have hit a dead end trying to setup local user accounts to use for the apache/mysql services. After following the guide and checking permissions many times over, neither of my services will start. The only information I can gather from the event log is "error code 1" for apache. I can switch back to local system account and they run every time (of course), so I'm certain it's a permissions issue somewhere. I am running on Windows Server 2008 R2 SP1. Has anyone else managed to get this working on that OS ?

thanks,
Clint

#11 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 31 January 2012 - 11:26 PM

Hi,

Sorry I hadn't seen this post up until now. Server 2008 R2 should be no different. I have a live server 2008R2 in production with no issues whatsoever.

I believe you should double check your permissions. It is obvious you do not have permissions where permissions are required.

As a troubleshooting step, you can remove the NTFS permissions temporarily and run the services under their respective accounts... This will help you understand if the issue is related to NTFS permissions or to the accounts itself. In my opinion it is an NTFS permission issue though since you can run the server under SYSTEM.

Let us know

Yoni


#12 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 31 January 2012 - 11:50 PM

Hi sorry for the delay in my reply, the page comes up dark gray on my end with white fonts on my end but its much better, I also think some of the images are missing?

That is a great write up and great advice it points out many things I would have never thought about, I have read many articles over the years about building a home server you cover things nobody else has ever mention.

As soon as I get caught up here I will be applying these using your page as step by step instructions, I only have one drive in the computer I plan to use and it only has one partition on that drive so I will need to add another drive first or can the one drive have another partition added without formatting and starting over, it currently has WinXP installed.

Thanks again so much you should be proud of your work nobody else offers this.

Thank you for your kind comments. I do believe there are many people who do actually take precautions when running a webserver. They have just not dedicated the time to write it down and give a kick-back to the community. By the way, that server you hit there is running on the Uniserver. I moved the site off of IIS to lead by example...

You can create a partition in your XP and dedicate it to your Uniserver. I do believe it needs to be completely isolated for easier management. Once you apply your local policies for apache and mysql, try to open a command prompt under those credentials - (you cannot) :)

Good luck

Yoni


#13 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 01 February 2012 - 12:02 AM

I enabled comments in that page so you can comment. I've been answering e-mails from people asking few questions and I believe it is more productive to just post there for others to see it.

Good luck, and my best to the UniServer team. This is indeed such a nice project!

Yoni


#14 Clint Payton

Clint Payton

    Newbie

  • Member
  • Pip
  • 6 posts
  • Main OS: Windows 7

Posted 01 February 2012 - 01:01 AM

Hi,

Sorry I haven't seen this post until now. Server 2008 R2 should be no different. I have a live server 2008R2 in production with no issues whatsoever.

I believe you should double check your permissions. It is obvious you do not have permissions where permissions are required.

As a troubleshooting step, you can remove the NTFS permissions temporarily and run the services under their respective accounts... This will help you understand if the issue is related to NTFS permissions or to the accounts itself. In my opinion it is an NTFS permission issue though since you can run the server under SYSTEM.

Let us know


thanks for the suggestion I will try that tomorrow.

#15 Clint Payton

Clint Payton

    Newbie

  • Member
  • Pip
  • 6 posts
  • Main OS: Windows 7

Posted 01 February 2012 - 06:06 PM

Hello all,

I have done quite of bit of experimental research today with my service acounts / NTFS permissions. I was able to pinpoint and reliably reproduce the change that breaks Apache, but I do not yet know the exact cause. In the guide linked earlier in this thread, it is recommended to "Deny All" permissions on the OS drive. That is the point at which Apache reliably stops working. Mysql service will still start successfully, but not Apache. I can remove the Deny permissions on my OS drive and it will immediately work again, like flipping a light switch. Thoughts ?

-Clint

#16 Clint Payton

Clint Payton

    Newbie

  • Member
  • Pip
  • 6 posts
  • Main OS: Windows 7

Posted 01 February 2012 - 06:26 PM

Additional info: allowing read/execute on the OS drive but denying list/write also works.

#17 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 01 February 2012 - 06:39 PM

If apache is already running under its own limited account and you have configured the local policies as suggested you do not need to worry on your server 2008R2 about denying anything in the OS drive. It doesn't have privileges to modify or change or create any files.

You can simply deny write to apache on C:\ (not that it can write to it afaik)
Remove the Uniserver group completely from C:\ and deny apache to write (optional)

Fire up a command prompt under apache credentials and test.. It should be fine. I'm gonna look at my server 2008R2 to double check my config. I'll let you know in a little bit.

Yoni


#18 Clint Payton

Clint Payton

    Newbie

  • Member
  • Pip
  • 6 posts
  • Main OS: Windows 7

Posted 01 February 2012 - 07:07 PM

I'm not really comfortable letting apache read off the C:\ drive even if it cannot write. I would much rather find out specifically what it is trying to read that breaks the service and allow read only to that specific piece.

In either event, the guide clearly does not work as currently written. At least, not for me under Windows Server 2008 R2 SP1.

#19 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 01 February 2012 - 07:18 PM

Clint,

Coral doesn't even work out of the box under server 2008 R2. I believe this is a great opportunity to add some more info to the guide and not something to feel bad about.

The guide works as intended for the most part and it worked for you until the point in which it breaks because of the permissions on C: (Windows Server 2008R2 specifically)

Microsoft recommends not to modify permissions in the C: drive unless you absolutely understand the propose of it and the implications this may have.

Let's make from this a constructive thread. It is after all the propose of everyone here. Let me get to my office and check my server R2, we will go from there and update the guide as needed.

Thanks for your feedback

Yoni


#20 Yoni

Yoni

    Support Team Member

  • Support Team
  • PipPip
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 01 February 2012 - 07:47 PM

I certainly don't know what you have done in your installation and maybe some information on your part will help us. I can confirm that denying everything to Uniserver Group on C:\ does not break apache.

As I type this I have a Server 2008R2 running. Are you running Uniserver on its own dedicated partition as the guide states or are you running it on the same OS drive?

Yoni





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users