FSO security solution:
1. Environment for the settings in this article: applies to Microsoft WinNT/2000 Server/Advanced Server with IIS 5.0.
2. Ensure that IIS and each virtual host website are running normally, and the mapping of unsafe application extensions in IIS such as . (Other topics are outside the scope of this article; if you need to know more, see another article, "Detailed explanation of Microsoft Win 2000 IIS WEB Server Overall Security Solution".)
3. Open Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups, and create some new users (for example, IUSR_0001 to IUSR_0050 if there are 50 virtual hosts on your web server; add more users if you have more sites). The purpose is to give each site a different anonymous access account, so that your server can make full use of the FSO component of ASP without being threatened by things such as ASP *s. Decide whether to set a password according to your security level and actual requirements. In fact, it is not a big deal to leave it empty.
4. Remove the newly created users IUSR_0001 to IUSR_0050 from the Users group and add them all to the Guests group. (Microsoft Windows puts new users in the Users group by default, so be careful not to forget to drive IUSR_xxxx out of the Users group ^_^.) For better security, you can create another group, IIS_USERS, and add all IUSR_XXXX users to it, which is convenient when setting up other systems.
5. Set up IIS: open Start -> Programs -> Administrative Tools -> Internet Service Manager to reach the IIS management interface, then open the site properties of your first virtual host. In the dialog that appears, click "Directory Security" and click "Edit" in the "Authentication and Access Control" section, then click "Edit" in the "Anonymous Access" section of the "Authentication Methods" dialog that appears. The anonymous user account dialog will appear. Select "Browse" and choose the first Guest user created in step 3, that is, "IUSR_0001". If the password was empty when you created the user, leave the password blank; if it was not empty, enter this user's password. Then select "Allow IIS to control password" below, and click OK.
[Also note: to make management and later directory permission settings easier, it is best to match the website description to its IUSR_XXXX user. For example, if the site you just configured is described as a website, you can change the website description to: (IUSR_0001). This makes it easier to manage at a glance.]
6. Disk permissions: make sure that the ACLs for disks such as C, D, E, and F have already been set. (That is, the "full control" rights on all disks must be removed, because they are very dangerous; grant only the necessary rights.) At the same time, set the corresponding permissions on your website virtual directories, that is, the NTFS ACLs. Select the top-level directory that holds the virtual hosts of your websites and remove Everyone and access permissions. Add only Administrators - full control and System - full control. (System is needed for FTP upload and download with servers such as Serv-U, because Serv-U starts its service as System.) Then select the directory for IUSR_0001; assume it is the root directory of the (IUSR_0001) website. Right-click -> Properties -> Security, add our IUSR_0001 and give it read permission. If the site is plain HTML only, read permission is all you need to give. If it uses ASP with an Access database, you also need to add "write" permission. If the ASP program of the website needs to use FSO to modify and delete website content online, then we generally give IUSR_XXXX "full control" rights.
7. Okay, the first virtual host is finally set up ^_^. Let's put a webshell in the website directory, then browse / Hehe, try it: use the FSO function to access other website directories. Is it now impossible to access them, let alone edit and delete the web page files of other virtual host users? :) The rest of the work is to repeat steps 3, 4, 5, and 6 until all sites are set. As far as I know, some virtual host management systems work on this principle! These steps are simply written into the management system's program.
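The repetition of steps 3 to 6 described above, scripted as a cmd.exe batch file. This is an added example, not the author's code or that of any hosting management system. The directory layout D:\vhosts\siteNNNN and the mapping of site N to IIS site ID N are assumptions; net, cacls and adsutil.vbs are the stock Windows 2000 / IIS 5.0 tools.

```batch
@echo off
rem Added example: steps 3-6 of this article for sites 1..COUNT.
rem Assumptions, not from the article: each site lives in VROOT\siteNNNN
rem and site N has the IIS site ID N, i.e. metabase path w3svc/N.
setlocal enabledelayedexpansion
set VROOT=D:\vhosts
set COUNT=50
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Step 4, optional extra group for all per-site anonymous users.
net localgroup IIS_USERS /add

rem Step 6, parent directory: replace the ACL on the whole tree so that
rem only Administrators and SYSTEM remain. "echo y" answers the cacls prompt.
echo y| cacls "%VROOT%" /T /G Administrators:F SYSTEM:F

for /L %%i in (1,1,%COUNT%) do (
    rem Build the zero-padded names IUSR_0001 .. IUSR_0050.
    set N=000%%i
    set U=IUSR_!N:~-4!
    set SITEDIR=%VROOT%\site!N:~-4!

    rem Step 3: create the per-site anonymous user.
    net user !U! /add /comment:"Anonymous user for site %%i"

    rem Step 4: out of Users, into Guests and IIS_USERS.
    net localgroup Users !U! /delete
    net localgroup Guests !U! /add
    net localgroup IIS_USERS !U! /add

    rem Step 5: make it the anonymous account of the site and
    rem let IIS control the password.
    cscript //nologo "%ADSUTIL%" set w3svc/%%i/AnonymousUserName "!U!"
    cscript //nologo "%ADSUTIL%" set w3svc/%%i/AnonymousPasswordSync TRUE

    rem Step 6: grant this user read on its own site directory only.
    rem Use :C or :F instead of :R where the site needs write or full control.
    cacls "!SITEDIR!" /T /E /G !U!:R
)
endlocal
```

Because each IUSR_NNNN appears only in the ACL of its own directory, an ASP page running under one site's anonymous account gets "permission denied" from FSO on every other site's files.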
Author of this article: Lee Bolin/LeeBolin, senior systems engineer and professional network security consultant. He has successfully provided complete network security solutions to many large and medium-sized enterprises and ISP service providers in China. He is especially good at designing overall network security solutions, planning large-scale network projects, and providing complete, comprehensive security solutions for various server series.