Build a virtual host from FSO threats

Currently, many virtual hosts disable the standard ASP Component FileSystemObject, which provides ASP with powerful file system access capabilities, you can read, write, copy, delete, and rename any files on the server's hard disk (of course, this is done under the default Windows NT/2000 ). However, if this component is disabled, all ASP nodes that use this component cannot run and cannot meet customers' requirements.
How can we allow the FileSystemObject component without affecting the security of the server (that is, users on different virtual hosts cannot use this component to read or write files from other users? Here is a method I have obtained in my experiment. The following section uses Windows 2000 Server as an example.
Open the resource manager on the server, right-click the drive letter of each hard disk partition or volume, select "properties" in the pop-up menu, and select the "Security" tab, now you can see which accounts can access this partition (volume) and access permissions. After the default installation, "everyone" has full control permissions. Click "add" to add "Administrators", "Backup Operators", "Power Users", and "users" groups, and grant "Full Control" or corresponding permissions, note: do not grant the "guests" group or "IUSR _ machine name" account any permissions. Then, remove the "everyone" group from the list. In this way, only authorized groups and users can access the hard disk partition. When ASP is executed, access the hard disk as "IUSR _ machine name". asp cannot read or write files on the hard disk because the user account is not authorized.
The following is to set a separate user account for each VM user, and then assign each account a directory that allows its full control.
As shown in, choose "Computer Management"> "local users and groups"> "users", right-click on the right bar, and select "new user" in the pop-up menu ":

In the pop-up "new user" dialog box, enter "User Name", "Full name", "Description", "password", and "Confirm Password" as needed ", remove the check box before "the user must change the password upon next login", and select "the user cannot change the password" and "the password will never expire ". In this example, create an anonymous built-in account "iusr_vhost1" for the first VM user, that is, when all clients use http://xxx.xxx.xxxx/to access this Vm, they are all accessed in this identity. After entering the information, click "CREATE. You can create multiple users as needed. Click "close" after creation ":
　
Now the newly created user has appeared in the account list. Double-click the account in the list for further settings:

In the pop-up "iusr_vhost1" (that is, the new account you just created) attribute dialog box, click the "affiliated" tab:

The created account belongs to the "users" group by default. Select this group and click "delete ":

As shown in, click "add" again ":

In the pop-up "select group" dialog box, find "guests" and click "add". The group will appear in the text box below, and click "OK ":

As shown in, click "OK" to close this dialog box:

Open "Internet Information Service" and start setting the virtual host. In this example, the "First Virtual Host" setting is used as an example. Right-click the Host Name, select "properties" in the pop-up menu ":

The "first VM properties" dialog box is displayed. The "F:/vhost1" folder is used by the VM user:

No matter the "First VM properties" dialog box, switch to "Resource Manager", find the "F:/vhost1" folder, right-click, select the "properties"> "security" tab. You can see that the default security setting for this folder is "everyone" with full control (the content displayed varies with the situation ), first, remove the check mark before "allow spreading the inherited permissions from the parent to this object:

 

The "security" Warning shown in is displayed. Click "delete ":

In this case, all the groups and users in the Security tab will be cleared (if not, use "delete" to clear it), and then click "add.

Adding the "Administrator" and the newly created account "iusr_vhost1" as shown in will grant full control permissions. You can also add other groups or users as needed, but do not add anonymous access accounts such as "guests" and "IUSR _ machine name!

Switch to the "First VM properties" dialog box that is opened earlier, open the "Directory Security" tab, and click "edit" for anonymous access and verification control ":

In the pop-up "Verification Method" box (as shown in), click "edit ":

The "Anonymous User Account" is displayed. The default value is "IUSR _ machine name". Click "Browse ":

In the "Select User" dialog box, find the newly created account "iusr_vhost1" and double-click:

In this case, the anonymous user name has been changed. In the Password box, enter the password set for this account when you created it:

Confirm the password again:

OK. Click OK to close these dialog boxes.
After this setting, users of the "First Virtual Host" can only access the content in their directory F:/vhost1 by using the FileSystemObject component of ASP. when attempting to access other content, an error message is displayed, such as "no permission", "the hard disk is not ready", and "500 internal server error.
In addition, if the user needs to read the partition capacity of the hard disk and the serial number of the hard disk, this setting will make it unreadable. If you want to allow it to read the content related to the entire partition, right-click the partition (volume) of the hard disk and choose "attribute"> "security ", add the user's account to the list and grant at least the "read" permission. The sub-directories under the volume have been set to "prohibit the propagation of inherited permissions from the parent class to this object", so the permission settings of the sub-directories below will not be affected.