Most virtual hosting providers now disable ASP's standard FileSystemObject component, because it gives ASP powerful file system access: it can read, write, copy, delete and rename any file on the server's hard disk (of course, this is only possible under Windows NT / 2000 with the default settings). The consequence of disabling the component, however, is that every ASP page that uses it stops working, so customers' needs cannot be met.
How can the FileSystemObject component be allowed without compromising the server's security (that is, so that different virtual host users cannot use it to read and write each other's files)? Here is a method I arrived at by experiment, described using Windows 2000 Server as the example.
Open Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" in the pop-up menu, and select the "Security" tab. This shows which accounts can access the partition (volume) and with what permissions. After a default installation, "Everyone" has Full Control. For "Administrators", "Backup Operators", "Power Users", "Users" and so on, grant "Full Control" or the appropriate permissions. Be careful not to give any permissions to the "Guests" group or to "IUSR_machine name". Then delete the "Everyone" group from the list, so that only authorized groups and users can access the partition. When ASP executes, it accesses the hard disk as "IUSR_machine name"; since that account has been given no permissions here, ASP cannot read or write files on the hard disk.
The next step is to set up a separate user account for each virtual host user and then assign each account a directory over which it has full control.
Open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right-hand pane, and select "New User" in the pop-up menu.
In the "New User" dialog box, fill in "User name", "Full name", "Description", "Password" and "Confirm password" as required, clear the "User must change password at next logon" checkbox, and select "User cannot change password" and "Password never expires". This example creates the account "IUSR_VHOST1" for the user of the first virtual host, to serve as the account Internet Information Services uses for anonymous access; that is, all clients access this virtual host under this identity. When you have finished, click "Create". You can create as many users as you need, and click "Close" when you are done.
The newly created user now appears in the account list. Double-click the account in the list to configure it further.
In the "IUSR_VHOST1" properties dialog box (that is, the account just created), click the "Member Of" tab.
The account you just created belongs to the "Users" group by default. Select this group and click "Remove".
Then click "Add".
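As an added example (not part of the original article): a Python check that reads `cacls` listings and reports every entry that breaks the permission layout this procedure sets up. The machine name `WEB01`, the `D:\vhostN` paths and the sample listings are constructed assumptions, as is the rule that a virtual host account holds permissions only on its own directory.

```python
import re

# One ACE as cacls prints it, e.g.  WEB01\IUSR_VHOST1:(OI)(CI)F
ACE = re.compile(r"^(?P<who>[^:]+):(?:\([A-Z]+\))*(?P<perm>[A-Z])\s*$")

def parse_cacls(path, text):
    """Return {account name (lower case, no domain): permission letter}."""
    acl = {}
    for i, line in enumerate(text.splitlines()):
        line = line.strip()
        if i == 0 and line.startswith(path):      # first line starts with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            acl[m["who"].split("\\")[-1].lower()] = m["perm"]
    return acl

def audit(listings, machine, vhosts):
    """listings: {path: cacls text}; vhosts: {directory: its anonymous account}.
    Returns (path, account, problem) tuples; an empty list means no violations."""
    banned = {"everyone", "guests", f"iusr_{machine}".lower()}
    vhost_accounts = {a.lower() for a in vhosts.values()}
    findings = []
    for path, text in listings.items():
        acl = parse_cacls(path, text)
        owner = vhosts.get(path, "").lower()
        for who in acl:
            if who in banned:
                findings.append((path, who, "must have no permissions"))
            elif who in vhost_accounts and who != owner:
                findings.append((path, who, "virtual host account outside its own directory"))
        if owner and acl.get(owner) != "F":
            findings.append((path, owner, "lacks full control of its own directory"))
    return findings

# Constructed sample listings (not real output from any server).
LISTINGS = {
    "D:\\": r"""D:\ BUILTIN\Administrators:(OI)(CI)F
    Everyone:(OI)(CI)F""",
    "D:\\vhost1": r"""D:\vhost1 BUILTIN\Administrators:(OI)(CI)F
          WEB01\IUSR_VHOST1:(OI)(CI)F""",
    "D:\\vhost2": r"""D:\vhost2 BUILTIN\Administrators:(OI)(CI)F
          WEB01\IUSR_VHOST1:(OI)(CI)C
          WEB01\IUSR_VHOST2:(OI)(CI)R""",
}
VHOSTS = {"D:\\vhost1": "IUSR_VHOST1", "D:\\vhost2": "IUSR_VHOST2"}

if __name__ == "__main__":
    for finding in audit(LISTINGS, "WEB01", VHOSTS):
        print(*finding, sep=" | ")
```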