PHP newbie questions

    PHP newbie questions  
Bradley Plett




 
08-23-04 10:54 PM

I have a reasonably hardened install of Win2k3 and IIS.  I am a .NET
developer, so I understand that world fairly well.  However, I now
have some php that needs to be run on the same server.  I'm looking
for a little insight and/or advice.

My primary concern is:  what security issues do I need to be aware of
in order to run PHP?  Although that is my primary concern, it's not
really where I should begin this post.

I know virtually nothing about PHP.  I just have a developer who needs
PHP support.  Are there different versions?  How compatible is it with
Perl, or is php just a subset?  Where should I be getting the binaries
from?  Is http://www.php.net the be-all and end-all of PHP, or should
I be looking at others as well?  If it's compatible with Perl, should
I just install Perl, and if so, where should I get that?

The bottom line, for me, is that I'd like to be able to offer my
developer php capability, but still keep the server as secure and
standard as possible.  Any help would be appreciated!

Thanks!
Brad.








    Re: php newbie questions  
Jonathan Maltz [MS-MVP]




 
08-23-04 10:54 PM

Hi,

You should probably be asking in the php world how you can secure it, but
here are some points to answer your post:
1) php is not Perl, and PERL is not PHP.  They are completely different
languages.  You probably got confused because they're both "CGI" programs.
CGI = Common (key word) Gateway Interface
2) www.php.net is the correct place
3) You can install PERL and php on the same server (get PERL from
http://www.activestate.com/)

--
--Jonathan Maltz [Microsoft MVP - Windows Server - IIS, Virtual PC]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004?  Find out
here
Only reply by newsgroup.  I do not do technical support via email.  Any
emails I have not authorized are deleted before I see them.


"Bradley Plett" <plettb@hotmail.com> wrote in message
 news:fqcki01o7glops5rfaul6jklcshvi3thb3@4ax.com...
> I have a reasonably hardened install of Win2k3 and IIS.  I am a .NET
> developer, so I understand that world fairly well.  However, I now
> have some php that needs to be run on the same server.  I'm looking
> for a little insight and/or advice.
>
> My primary concern is:  what security issues do I need to be aware of
> in order to run PHP?  Although that is my primary concern, it's not
> really where I should begin this post.
>
> I know virtually nothing about PHP.  I just have a developer who needs
> php support.  Are there different versions?  How compatible is it with
> Perl, or is php just a subset?  Where should I be getting the binaries
> from?  Is http://www.php.net the be-all and end-all of PHP, or should
> I be looking at others as well?  If it's compatible with Perl, should
> I just install Perl, and if so, where should I get that?
>
> The bottom line, for me, is that I'd like to be able to offer my
> developer php capability, but still keep the server as secure and
> standard as possible.  Any help would be appreciated!
>
> Thanks!
> Brad.










    Re: php newbie questions  
Bradley Plett




 
08-23-04 10:54 PM

Thanks for your response!

Re. php vs. PERL - I got confused due to reading I did in newsgroups.
It seemed that some people used the terms interchangeably.  I
understand what CGI is, but didn't realize that php and PERL are
completely separate languages.  In fact, from some of my reading I was
beginning to assume that php was just a subset of Perl, which made me
wonder whether I should just install the standard PERL CGI to handle
the PHP.  Thanks for clearing this up for me!

WRT security:  yes, I'll be checking the php world.  I just wanted
confirmation that there weren't some obvious gotchas when running
under IIS that the php people might not be aware of or point out.  I
can review the php code to make sure it's reasonable, but I wanted to
know that installing php support on my machine to begin with didn't
introduce any big holes in IIS or Windows specifically.

Thanks!
Brad.

On Mon, 23 Aug 2004 14:42:01 -0400, "Jonathan Maltz [MS-MVP]"
<jmaltz@mvps.org> wrote:

>Hi,
>
>You should probably be asking in the php world how you can secure it, but
>here are some points to answer your post:
>1) php is not Perl, and PERL is not PHP.  They are completely different
>languages.  You probably got confused because they're both "CGI" programs.
>CGI = Common (key word) Gateway Interface
>2) www.php.net is the correct place
>3) You can install PERL and php on the same server (get PERL from
>http://www.activestate.com/)









    Re: php newbie questions  
David Wang [Msft]




 
08-28-04 07:48 AM

Installing php support (like any other application) increases security risk
by increasing the attack surface of the server.  IIS6 has taken precaution
against such risk by decreasing the privileges of the identity executing
user code like php and isolating configuration from user code, but
ultimately, security depends as much on your diligence in configuration as
well as IIS not having an exploitable platform (we're assuming the third
pillar of security -- that your computing environment encourages security
practices -- by you asking about security).

As for whether installing a program introduces a hole in IIS/Windows --
completely depends on what the setup program does and what you do
afterwards.  If it decides to weaken ACLs on files like CMD.EXE (so that
PHP's shell() command can work, for example), then obviously that weakens
overall system security.  That would be an example of a php security hole
and NOT a security hole in IIS/Windows (since CMD.EXE ACLs wouldn't be
weakened without PHP).

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bradley Plett" <plettb@hotmail.com> wrote in message
 news:1vfki09taarvs2kq738017noi3d3pkha00@4ax.com...
Thanks for your response!

Re. php vs. PERL - I got confused due to reading I did in newsgroups.
It seemed that some people used the terms interchangeably.  I
understand what CGI is, but didn't realize that php and PERL are
completely separate languages.  In fact, from some of my reading I was
beginning to assume that php was just a subset of Perl, which made me
wonder whether I should just install the standard PERL CGI to handle
the PHP.  Thanks for clearing this up for me!

WRT security:  yes, I'll be checking the php world.  I just wanted
confirmation that there weren't some obvious gotchas when running
under IIS that the php people might not be aware of or point out.  I
can review the php code to make sure it's reasonable, but I wanted to
know that installing php support on my machine to begin with didn't
introduce any big holes in IIS or Windows specifically.

Thanks!
Brad.

On Mon, 23 Aug 2004 14:42:01 -0400, "Jonathan Maltz [MS-MVP]"
<jmaltz@mvps.org> wrote:

>Hi,
>
>You should probably be asking in the php world how you can secure it, but
>here are some points to answer your post:
>1) php is not Perl, and PERL is not PHP.  They are completely different
>languages.  You probably got confused because they're both "CGI" programs.
>CGI = Common (key word) Gateway Interface
>2) www.php.net is the correct place
>3) You can install PERL and php on the same server (get PERL from
>http://www.activestate.com/)
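
The ACL weakening described in David Wang's reply can be checked for directly. The following PowerShell is an added example, not part of the original thread: it lists Allow entries on CMD.EXE that give web-facing identities execute rights. The identity names (IIS_WPG, NETWORK SERVICE, IUSR_/IWAM_ accounts and the broad groups) are assumptions to adjust for the accounts your sites actually run as.

```powershell
# Added example (not from the thread): report ACL entries that let web-facing
# identities execute a system binary such as cmd.exe.
# Assumption: the identity names below; adjust to the accounts your site uses.
$WebIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\IIS_WPG'
)
$AnonPattern = '\\(IUSR|IWAM)_'   # per-machine anonymous / out-of-process accounts

# FILE_EXECUTE (0x20) plus GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000)
$ExecMask = 0x30000020

function Get-WebExecuteGrant {
    param([Parameter(Mandatory=$true)][string]$Path)

    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $id      = $rule.IdentityReference.Value
        $isWeb   = ($WebIdentities -contains $id) -or ($id -match $AnonPattern)
        $canExec = ([int]$rule.FileSystemRights -band $ExecMask) -ne 0
        if ($isWeb -and $canExec -and $rule.AccessControlType -eq 'Allow') {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $id
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

# Binaries to audit; add other command-line tools to the list as needed.
$targets  = @('cmd.exe') | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
$findings = @($targets | Where-Object { Test-Path $_ } | ForEach-Object { Get-WebExecuteGrant $_ })

if ($findings.Count -gt 0) {
    $findings | Select-Object Path, Identity, Rights, Inherited | Format-Table -AutoSize
} else {
    'No listed web-facing identity has an Allow entry with execute rights.'
}
```

Running it before and after the PHP installer and comparing the output shows whether setup changed the ACL. It reads only the entries on the file itself, so group membership and Deny entries still need to be considered when interpreting a finding.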






