Microsoft Windows NT 4.0 Guide Instrukcja Użytkownika Pobierz pdf (Strona 100)

Microsoft

Windows Server

™

2003 White Paper

Windows NT 4.0 Server Upgrade Guide 95

You cannot configure a computer to use both isolation modes at the same time. If you upgrade a

computer from Windows NT Server 4.0 to Windows Server 2003, the IIS 5.0 isolation mode is

used. You may want to switch to worker process isolation mode and verify that your applications

are compatible with this setting. To do this, right-click Web Sites, select Properties, click the

Service tab, and then click to clear the Run WWW service in IIS 5.0 isolation mode check box.

For more information about these modes, see the Internet Information Services (IIS) 6.0

section

later in this guide.

New Security-Related Policy Changes

Root Access Control List (ACL)

A stronger ACL is set to stop access to the root directory (C:\). This change prevents non-

administrators from modifying files created in off-root directories by other users. Stronger root

ACLs also prevent users from writing files to the root directory, which is a known way to attack the

operating system, because the root directory is in the system path. Users maintain the ability to

create subdirectories of the root as well as the ability to create subdirectories and files in other

users’ directories. This concession is made for application compatibility. The ACL default share

was also changed from Everyone Full Control to Everyone Read.

DLL Search Order Changed

Search order has been changed for DLLs. The current directory has been moved after system

directories. This change affects only the applications that were using SetCurrentDirectory to load

private versions of libraries found in system directories, such as %windir%\system32.

This setting was not safe for multiple threads nor even particularly necessary, because the

directory from which an executable is launched is given preference anyway. Moreover, the setting

may have opened up multiple-user and corporate networks to attacks based on spoofing system

DLLs.

This change has been back ported to service packs for earlier systems, and no substantial

compatibility problems have been reported.

Increased Restrictions on Anonymous Users

Anonymous users are no longer members of the Everyone group by default. On servers,

Anonymous SID\Name translation is disabled; however, this setting is not disabled on the default

on domain controllers. If your application made use of guest accounts, do extensive testing. Guest

and anonymous users have been removed as a default member of the Everyone group. If your

application requires guest access, you must explicitly give it.

Limits on Blank Passwords

Local accounts that have blank passwords cannot be used to connect remotely to a computer

anymore.

1 2 ... 95 96 97 98 99 100 101 102 103 104 105 ... 154 155

Brak uwag

Microsoft Windows NT 4.0 Guide Instrukcja Użytkownika Strona 100