The Uniform Server Community
Yoni

Uniform Server - Services as Administrator


I have tried to tighten up my server as much as possible. Uniform Server seems to be pretty much secure right out of the box but I have some concerns for those who, like me, run their servers in production open to the world.

 

The first thing that I noticed was apache and mysql services running as Administrator. I understand .vbs scripts and .bat files cannot run in Windows without elevated privileges in some cases; this is not one of them though.

 

For all those running Uniform Server as Administrator, please reconsider your NTFS permissions and the account(s) your apache and MySQL services are running under!

 

I'm attaching a securitycheck.php file to my post. Upload that to your wwwroot and browse to it over http. Welcome to the show! And be extremely careful while testing your security. You will find it crazy but you will have full access to your system because that script is being executed under apache AS ADMINISTRATOR. Without proper NTFS permissions your entire server is ONE click away from being wiped out. These are the basics to understand why your NTFS permissions are so darn important and shouldn't be ignored under IIS, apache or any other http server.

 

In my personal case, I have created 2 new users (1 for apache, 1 for MySQL) and 1 group (to manage NTFS permissions more easily).

 

1 - Create your 2 user accounts (apache, mysql). Make sure the user CANNOT change the password and also the PASSWORD NEVER EXPIRES.

2- Create a new group (let's call it webservices1).

3- Add apache and mysql users to that group (webservices1).

4- HOST your Uniserver Folder off of your C: drive (that's your OS drive after all)

5- Deny ALL permissions to webservices1 GROUP (apache and mysql users) to C:

6- Deny delete and WRITE to your Uniserver folder. Propagate permissions and allow WRITE only where required, ex: X:/Uniserver/tmp

8- Make sure mysql service has MODIFY permission to /Uniserver/usr/local/mysql

9- Make sure apache service has MODIFY permission to apache logs or the service won't start

10- Make sure you go to services and change US_APACHE1 and US_MYSQL1 to run with the new credentials created in step1.

 

There is a lot more to do and denying DELETE might be inconvenient to some admins when updating files but it is a lot more secure. It takes 10 seconds to edit NTFS security permissions (enable DELETE), update your server files, apps, etc. Go back and DENY delete.

 

Hope this helps some of us.

securitycheck.zip
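
The steps listed above as a script, added here as an example; it is not part of the original post or of the Uniform Server project. It assumes PowerShell 5.1 with the built-in LocalAccounts cmdlets; the `X:\Uniserver` root, the account, group and service names come from the post, while the Apache logs path and the opt-in `-DenyOsDrive` switch are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$Root       = 'X:\Uniserver',            # step 4: install folder off the OS drive
    [string]$Group      = 'webservices1',            # step 2
    [string]$ApacheLogs = 'usr\local\apache2\logs',  # assumed path, relative to $Root
    [switch]$DenyOsDrive                             # step 5, opt-in (see comment below)
)
$ErrorActionPreference = 'Stop'

function Invoke-Icacls([string]$Path, [string]$Mode, [string]$Ace) {
    icacls.exe $Path $Mode $Ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $Mode '$Ace' failed on $Path" }
}

function New-ServiceAccount([string]$Name, [string]$Service) {
    $pw = Read-Host "Password for local account '$Name'" -AsSecureString
    # Step 1: user cannot change the password, password never expires
    New-LocalUser -Name $Name -Password $pw -UserMayNotChangePassword -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group $Group -Member $Name          # step 3
    # Step 10: run the service under the new account (sc.exe needs the plain password)
    $plain = [System.Net.NetworkCredential]::new('', $pw).Password
    sc.exe config $Service obj= ".\$Name" password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Service" }
}

New-LocalGroup -Name $Group | Out-Null
New-ServiceAccount -Name 'apache' -Service 'US_APACHE1'
New-ServiceAccount -Name 'mysql'  -Service 'US_MYSQL1'

# Step 5: deny everything on the OS drive. A later reply in this thread reports
# Apache failing to start on Server 2008 R2 after this change, so it is opt-in.
if ($DenyOsDrive) { Invoke-Icacls 'C:\' '/deny' "${Group}:(OI)(CI)F" }

# Step 6: deny delete and write on the whole tree; (OI)(CI) propagates to children.
Invoke-Icacls $Root '/deny' "${Group}:(OI)(CI)(DE,DC,WD,AD,WEA,WA)"

# Steps 6, 8, 9: allow Modify only where it is needed. ACEs set on a subfolder are
# evaluated before the deny inherited from $Root, so these grants take effect.
Invoke-Icacls (Join-Path $Root 'tmp')             '/grant' "${Group}:(OI)(CI)M"
Invoke-Icacls (Join-Path $Root 'usr\local\mysql') '/grant' "mysql:(OI)(CI)M"
Invoke-Icacls (Join-Path $Root $ApacheLogs)       '/grant' "apache:(OI)(CI)M"

# Check: both services should now list the new accounts, not LocalSystem.
Get-CimInstance Win32_Service -Filter "Name='US_APACHE1' OR Name='US_MYSQL1'" |
    Select-Object Name, StartName, State
```

`sc.exe config` does not grant the "Log on as a service" right; grant it to both accounts in Local Security Policy (or set the log-on account once through services.msc, which grants it) before starting the services.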


Thanks Yoni!

 

You've reminded me of why I don't normally run Web servers from my home machine!

 

We'll have to add this type of material to the Wiki, and do a lot more research to come up with a list of "things to do and NOT do" when opening up to the Internet.

 

Regards,

BobS


I do not run apache and mysql as Administrator. They both have their limited accounts setup in my server and they run fine.

 

I actually have a guide that I'm working on to jail these services. I'm working on it atm.


The guide is now online, guys. It can be found Here

 

Hope you find it useful. Your ideas and suggestions to improve it are always welcome.

 

Happy web serving :)


Thanks for the guide.

 

 

Btw.

Interesting that BobS always says "no, don't host your own site with UniServer".

 

Every company would die with this engagement.

 

Reminds me of the thread "don't eat the own dog food"

 

:)


And the reason I would always say that was that we did NOT have this guide to secure against the Internet world sufficiently! It still won't change the issue of hosting management.

 

I plan on writing a "Hardening The Uniform Server for the Internet" for the Wiki, based on this and other information. At least that way, if you want to actually open up your site to the WorldWildWeb, you can do so without leaving your machine open to compromise.

 

If you'd like to help, send me a PM for a Wiki logon.

 

Regards,

BobS


Wow thanks for this big time.

 

Read through it one time already, have many questions, but will hold back until I go through everything here http://unlockforus.com/archives/uniform-se...rvices-security a few times, as it might answer most of my questions.

Do you have that page with a white background and black letters? The color combination of that page is messing with my eyes big time; by the time I made it down to the localsystem thing I was done and had to close the page.

 

Thanks


Not sure if that black is really hard on the eyes. For me it is refreshing as I read mostly during night time. Anyways, I made it white with black fonts taking your feedback into consideration. I hope you find it useful.


> Not sure if that black is really hard to the eyes. For me it is refreshing as I read mostly during night time. Anyways, I made it white with black fonts taking your feedback into consideration. I hope you find it useful.

 

Hi, sorry for the delay in my reply. The page comes up dark gray with white fonts on my end, but it's much better. I also think some of the images are missing?

That is a great write-up and great advice. It points out many things I would have never thought about. I have read many articles over the years about building a home server; you cover things nobody else has ever mentioned.

As soon as I get caught up here I will be applying these using your page as step-by-step instructions. I only have one drive in the computer I plan to use and it only has one partition on that drive, so I will need to add another drive first. Or can the one drive have another partition added without formatting and starting over? It currently has WinXP installed.

Thanks again so much, you should be proud of your work. Nobody else offers this.


Hello,

 

I feel like I have hit a dead end trying to set up local user accounts to use for the apache/mysql services. After following the guide and checking permissions many times over, neither of my services will start. The only information I can gather from the event log is "error code 1" for apache. I can switch back to the local system account and they run every time (of course), so I'm certain it's a permissions issue somewhere. I am running on Windows Server 2008 R2 SP1. Has anyone else managed to get this working on that OS?

 

thanks,

Clint


Hi,

 

Sorry I hadn't seen this post up until now. Server 2008 R2 should be no different. I have a live server 2008R2 in production with no issues whatsoever.

 

I believe you should double check your permissions. It is obvious you do not have permissions where permissions are required.

 

As a troubleshooting step, you can remove the NTFS permissions temporarily and run the services under their respective accounts... This will help you understand if the issue is related to NTFS permissions or to the accounts themselves. In my opinion it is an NTFS permission issue though since you can run the server under SYSTEM.

 

Let us know


> Hi sorry for the delay in my reply, the page comes up dark gray on my end with white fonts on my end but its much better, I also think some of the images are missing?
>
> That is a great write up and great advice it points out many things I would have never thought about, I have read many articles over the years about building a home server you cover things nobody else has ever mention.
>
> As soon as I get caught up here I will be applying these using your page as step by step instructions, I only have one drive in the computer I plan to use and it only has one partition on that drive so I will need to add another drive first or can the one drive have another partition added without formatting and starting over, it currently has WinXP installed.
>
> Thanks again so much you should be proud of your work nobody else offers this.

Thank you for your kind comments. I do believe there are many people who do actually take precautions when running a webserver. They have just not dedicated the time to write it down and give a kick-back to the community. By the way, that server you hit there is running on the Uniserver. I moved the site off of IIS to lead by example...

 

You can create a partition in your XP and dedicate it to your Uniserver. I do believe it needs to be completely isolated for easier management. Once you apply your local policies for apache and mysql, try to open a command prompt under those credentials - (you cannot) :)

 

Good luck


I enabled comments on that page so you can comment. I've been answering e-mails from people asking a few questions and I believe it is more productive to just post there for others to see it.

 

Good luck, and my best to the UniServer team. This is indeed such a nice project!


> Hi,
>
> Sorry I haven't seen this post until now. Server 2008 R2 should be no different. I have a live server 2008R2 in production with no issues whatsoever.
>
> I believe you should double check your permissions. It is obvious you do not have permissions where permissions are required.
>
> As a troubleshooting step, you can remove the NTFS permissions temporarily and run the services under their respective accounts... This will help you understand if the issue is related to NTFS permissions or to the accounts itself. In my opinion it is an NTFS permission issue though since you can run the server under SYSTEM.
>
> Let us know

Thanks for the suggestion, I will try that tomorrow.


Hello all,

 

I have done quite a bit of experimental research today with my service accounts / NTFS permissions. I was able to pinpoint and reliably reproduce the change that breaks Apache, but I do not yet know the exact cause. In the guide linked earlier in this thread, it is recommended to "Deny All" permissions on the OS drive. That is the point at which Apache reliably stops working. The MySQL service will still start successfully, but not Apache. I can remove the Deny permissions on my OS drive and it will immediately work again, like flipping a light switch. Thoughts?

 

-Clint


If apache is already running under its own limited account and you have configured the local policies as suggested you do not need to worry on your server 2008R2 about denying anything in the OS drive. It doesn't have privileges to modify or change or create any files.

 

You can simply deny write to apache on C:\ (not that it can write to it afaik)

Remove the Uniserver group completely from C:\ and deny apache to write (optional)

 

Fire up a command prompt under apache credentials and test.. It should be fine. I'm gonna look at my server 2008R2 to double check my config. I'll let you know in a little bit.


I'm not really comfortable letting apache read off the C:\ drive even if it cannot write. I would much rather find out specifically what it is trying to read that breaks the service and allow read only to that specific piece.

 

In either event, the guide clearly does not work as currently written. At least, not for me under Windows Server 2008 R2 SP1.


Clint,

 

Coral doesn't even work out of the box under server 2008 R2. I believe this is a great opportunity to add some more info to the guide and not something to feel bad about.

 

The guide works as intended for the most part and it worked for you until the point in which it breaks because of the permissions on C: (Windows Server 2008R2 specifically)

 

Microsoft recommends not to modify permissions in the C: drive unless you absolutely understand the purpose of it and the implications this may have.

Let's make this a constructive thread. It is after all the purpose of everyone here. Let me get to my office and check my server R2, we will go from there and update the guide as needed.

 

Thanks for your feedback


I certainly don't know what you have done in your installation and maybe some information on your part will help us. I can confirm that denying everything to Uniserver Group on C:\ does not break apache.

 

As I type this I have a Server 2008R2 running. Are you running Uniserver on its own dedicated partition as the guide states or are you running it on the same OS drive?


> I certainly don't know what you have done in your installation and maybe some information on your part will help us. I can confirm that denying everything to Uniserver Group on C:\ does not break apache.
>
> As I type this I have a Server 2008R2 running. Are you running Uniserver on its own dedicated partition as the guide states or are you running it on the same OS drive?


Hey Yoni,

 

I completely agree, I'm only giving feedback to try and improve the guide/thread. Absolutely not trying to be negative, I appreciate any effort people put into helping each other out.

 

My installation happens to be a Hyper-V FM running 2008R2. I have a C: drive for OS and an E: drive for uniserver. I followed the guide exactly, like I mentioned. I can reliably/repeatedly break apache by denying 'Read' on the C: drive. Could you post a screenshot of your exact "advanced" OS drive security properties?


Here you go:

 

screenshot.png

 

I don't know if you feel comfortable with this but if possible I could remote in and take a look at it. Otherwise I can let you remote into that server so you can take a look around the configuration and try to figure out the issue yourself. That's the test server so there is nothing to worry about.


Your article has been very useful, Thanks Yoni.

 

Maybe this approach can be built inside UniServer for production mode.

> Coral doesn't even work out of the box under server 2008 R2.

Fortunately, I believe this has been resolved as of Coral_8.4.0.

 

> Maybe this approach can be built inside UniServer for production mode.

Since there are two separate aspects to this hardening process, that can't be done completely within The Uniform Server.

 

What should probably happen is to have a set of procedures and a checklist for the OS updates (accounts, permissions, etc.), and a plugin to modify the configuration files in The Uniform Server.

 

Regards,

BobS


After getting a heart attack after using the security test php, I added some security measures..

Now I run 8.5.1 and it works with all the new security measures, but I do get some stuff in my error.log when I load a page

 

[Fri Apr 13 01:41:35.151499 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00428: Parent: child process exited with status 255 -- Restarting.
[Fri Apr 13 01:41:35.207502 2012] [auth_digest:notice] [pid 5160:tid 600] AH01757: generating secret for digest authentication ...
[Fri Apr 13 01:41:35.235504 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00455: Apache/2.4.1 (Win32) PHP/5.4.0 configured -- resuming normal operations
[Fri Apr 13 01:41:35.235504 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00456: Server built: Feb 14 2012 19:15:37
[Fri Apr 13 01:41:35.235504 2012] [core:notice] [pid 5160:tid 600] AH00094: Command line: 'D:\\UniServer\\usr\\local\\apache2\\bin\\httpd1.exe -d D:/UniServer/usr/local/apache2'
[Fri Apr 13 01:41:35.236504 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00418: Parent: Created child process 5580
[Fri Apr 13 01:41:35.706531 2012] [auth_digest:notice] [pid 5580:tid 204] AH01757: generating secret for digest authentication ...
[Fri Apr 13 01:41:35.747533 2012] [mpm_winnt:notice] [pid 5580:tid 204] AH00354: Child: Starting 64 worker threads.
[Fri Apr 13 01:41:38.763706 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00428: Parent: child process exited with status 255 -- Restarting.
[Fri Apr 13 01:41:38.830709 2012] [auth_digest:notice] [pid 5160:tid 600] AH01757: generating secret for digest authentication ...
[Fri Apr 13 01:41:38.859711 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00455: Apache/2.4.1 (Win32) PHP/5.4.0 configured -- resuming normal operations
[Fri Apr 13 01:41:38.859711 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00456: Server built: Feb 14 2012 19:15:37
[Fri Apr 13 01:41:38.859711 2012] [core:notice] [pid 5160:tid 600] AH00094: Command line: 'D:\\UniServer\\usr\\local\\apache2\\bin\\httpd1.exe -d D:/UniServer/usr/local/apache2'
[Fri Apr 13 01:41:38.859711 2012] [mpm_winnt:notice] [pid 5160:tid 600] AH00418: Parent: Created child process 2456
[Fri Apr 13 01:41:39.340739 2012] [auth_digest:notice] [pid 2456:tid 204] AH01757: generating secret for digest authentication ...
[Fri Apr 13 01:41:39.380741 2012] [mpm_winnt:notice] [pid 2456:tid 204] AH00354: Child: Starting 64 worker threads. 

 

For now it all works, but I have no idea what the problem is.. :) maybe someone here knows?

Tomorrow I will set up my local dev server and see if it's a bug in 8.5.1 or the new rights..

PS, I use Windows 7 SP1 x64 Ultimate, and it is up to date..

