For web site security, directory permissions are very sensitive: in general, a directory that can be written to should not have script execution permission. In a system such as DEDECMS, two directories are writable, data and uploads. The data directory mainly holds basic configuration files and cached data, and uploads is the directory where uploaded attachments are saved. This article explains, for different server environments, how to remove script execution from these two directories. We also recommend that users who generate pure static HTML remove all execution permissions from the writable directories in which the static HTML is generated, so that the system is more secure.
IIS under Windows
IIS6.0
Open the site in IIS, right-click the site's uploads directory, data directory and static HTML generation directory in turn, select "Properties" in the menu, and choose "None" for execute permissions in the directory properties panel. (Figure 1)
IIS7
IIS7 is similar to IIS6.0: select the corresponding directory of the site (data, uploads and the static HTML file directory) and double-click "Handler Mappings" in the Features View panel. (Figure 2)
In "Edit Feature Permissions...", remove the script execution permission directly. (Figure 3)
Script execution permission settings for directories in Apache
Standalone Host Configuration
Apache has no graphical management interface like IIS on Windows, so we need to modify the Apache configuration file manually to set script execution permissions for a directory.
First, find Apache's configuration file httpd.conf, which is typically in the conf folder under the Apache installation directory (Figure 4).
Open the httpd.conf file and find the location shown in Figure 5:
(Figure 5)
Below it, add the configuration for the directory in which you want to restrict the execution of script files. The configuration content is:
<Directory "DIR">
    <FilesMatch "\.(php|asp|jsp)$">
        Deny from all
    </FilesMatch>
</Directory>
DIR in the configuration is the directory in which the execution of script files is to be restricted, and the FilesMatch pattern lists the script file suffixes to be blocked. For example, to prevent php, asp and jsp scripts from running under the Uploads folder of the test site, configure it as shown in Figure 6:
(Figure 6)
After the configuration is complete, restart Apache and the configuration will take effect.
Before the operation, I created a new index.php file under the Uploads folder; Figure 7 shows the result of accessing it before the configuration was applied.
(Figure 7)
Figure 8 shows the result of accessing this page after restarting Apache.
(Figure 8)
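To confirm that every writable directory is covered after editing httpd.conf, the following added example (not part of the original article) parses a configuration and reports the directories that lack a deny rule for the given script extensions. The sample configuration, the paths under /var/www/test and the function names are constructed assumptions; the Apache 2.4 form "Require all denied" is accepted alongside "Deny from all".

```python
import re

# Constructed sample httpd.conf fragment (paths are assumptions, not from the article).
SAMPLE_CONF = r'''
<Directory "/var/www/test/uploads">
    <FilesMatch "\.(php|asp|jsp)$">
        Deny from all
    </FilesMatch>
</Directory>
<Directory "/var/www/test/data">
    <FilesMatch "\.(php)$">
        Require all denied
    </FilesMatch>
</Directory>
'''

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
FM_RE = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', re.S | re.I)
DENY_RE = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.M | re.I)

def blocked_extensions(conf, extensions):
    """Map each <Directory> path to the set of extensions a deny rule covers."""
    result = {}
    for path, body in DIR_RE.findall(conf):
        covered = set()
        for pattern, fm_body in FM_RE.findall(body):
            if not DENY_RE.search(fm_body):
                continue  # FilesMatch present, but it does not deny access
            # Python's re approximates Apache's regex engine for simple patterns.
            rx = re.compile(pattern)
            covered |= {e for e in extensions if rx.search("probe." + e)}
        result[path.rstrip("/")] = covered
    return result

def audit(conf, writable_dirs, extensions):
    """Return {directory: sorted extensions with no deny rule}, gaps only."""
    blocked = blocked_extensions(conf, extensions)
    gaps = {}
    for d in writable_dirs:
        missing = set(extensions) - blocked.get(d.rstrip("/"), set())
        if missing:
            gaps[d] = sorted(missing)
    return gaps

if __name__ == "__main__":
    dirs = ["/var/www/test/uploads", "/var/www/test/data", "/var/www/test/html"]
    for d, exts in audit(SAMPLE_CONF, dirs, ["php", "asp", "jsp"]).items():
        print(f"{d}: no deny rule for {', '.join(exts)}")
```

In the sample, uploads is fully covered, data blocks only php, and the static HTML directory has no rule at all, so the last two are reported.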
Virtual Host/Space configuration
Before configuring, verify that your hosting space supports .htaccess and rewrite; this method uses rewrite rules in the .htaccess file to prevent the specified scripts from running.
The contents of the rules are as follows:
RewriteEngine on
RewriteCond % !^$
RewriteRule uploads/(.*)\.(php)$ - [F]
RewriteRule data/(.*)\.(php)$ - [F]
RewriteRule templets/(.*)\.(php)$ - [F]
These rules restrict the execution of PHP scripts in the three directories uploads, data and templets.
Save the contents to a .htaccess file and place the file in the root directory of your site.
In this way, the execution permissions of scripts in these directories are controlled; the effect before and after applying the rules is the same as in Figure 7 and Figure 8.