Build a virtual host protected from FSO threats

Source: Internet
Author: User
Currently, most virtual hosting providers disable the standard ASP component FileSystemObject (FSO), because this component gives ASP powerful file system access: it can read, write, copy, delete, and rename any file on the hard disk (that is, under the default settings of Windows NT/2000). However, with the component disabled, every ASP page that relies on it fails to run, so customer needs cannot be fully met.

How can the FileSystemObject component be allowed without affecting the security of the server, i.e. so that different virtual host users cannot use it to read or write other users' files? Here I introduce a method I arrived at through experiment. The following uses Windows 2000 Server as an example.

Open Windows Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" in the pop-up menu, and select the "Security" tab. Here you can see which accounts can access this partition (volume) and with what permissions. After a default installation, "Everyone" has Full Control. Click "Add" to add "Administrators", "Backup Operators", "Power Users", and "Users", and give them "Full Control" or other appropriate permissions. Note: do not give any permissions to the "Guests" group or the "IUSR_MachineName" account. Then remove the "Everyone" group from the list, so that only the authorized groups and users can access this partition. ASP pages access the hard disk under the "IUSR_MachineName" identity; since this account is not authorized here, ASP cannot read or write files on the disk.

Next, set up a separate user account for each virtual host user, and then assign each account a directory over which it has full control.

Choose "Computer Management" > "Local Users and Groups" > "Users", right-click in the right-hand pane, and select "New User" from the context menu:

In the pop-up "New User" dialog box, enter "User name", "Full name", "Description", "Password", and "Confirm password", clear the check box in front of "User must change password at next logon", and select "User cannot change password" and "Password never expires". In this example, we create an account "iusr_vhost1" for anonymous access to Internet Information Services for the first virtual host user; that is, all clients that access this virtual host through http://xxx.xxx.xxxx/ do so under this identity. After entering the information, click "Create". You can create multiple users as needed. When you have finished, click "Close":

The newly created user now appears in the account list. Double-click the account in the list to configure it further:

In the pop-up "iusr_vhost1" (that is, the newly created account) Properties dialog box, click the "Member Of" tab:

The created account belongs to the "Users" group by default. Select this group and click "Remove":

Then click "Add":

In the pop-up "Select Groups" dialog box, find "Guests" and click "Add". Once the group is shown in the text box below, click "OK":

Click "OK" to close this dialog box:

Open "Internet Information Services" and start configuring the virtual host. In this example, right-click the host name and choose "Properties":

The "First Virtual Host Properties" dialog box is displayed. This virtual host user uses the "F:\vhost1" folder:

Switch to Windows Explorer, find the "F:\vhost1" folder, right-click it, and select "Properties" > "Security". You can see that the default security setting for this folder is Full Control for "Everyone" (depending on the situation, the content may not be exactly the same). Clear the check mark in front of "Allow inheritable permissions from parent to propagate to this object":

A "Security" warning is displayed. Click "Remove":

At this point, all groups and users on the "Security" tab have been cleared (if not, use "Remove" to clear them). Then click "Add":

Add "Administrator" and the previously created account "iusr_vhost1", and grant them Full Control. You can also add other groups or users as needed, but never add the "Guests" group or the "IUSR_MachineName" anonymous access account!

Switch back to the "First Virtual Host Properties" dialog box opened earlier. On the "Directory Security" tab, click "Edit" under "Anonymous access and authentication control":

In the pop-up "Authentication Methods" dialog box, click "Edit":

The "Anonymous User Account" dialog box is displayed. The default user name is "IUSR_MachineName". Click "Browse":

In the "Select User" dialog box, find the newly created account "iusr_vhost1" and double-click:

The anonymous user name has now been changed. In the "Password" box, enter the password that was set when the account was created:

Confirm the password again:

Done. Click "OK" to close these dialog boxes.

With this setup, a user of the "First Virtual Host" who uses ASP's FileSystemObject component can only access content in their own directory, F:\vhost1. Attempts to access anything else produce error messages such as "no permission", "hard disk not ready", or "500 Internal Server Error".
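
An added example, not part of the original article: a small ASP page an administrator can place in the virtual host to confirm the result described above. Every path other than F:\vhost1 (F:\vhost2, C:\) is an assumption about the server layout; adjust them and remove the page after testing.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Isolation self-test: run as a page inside the virtual host after the
' NTFS permissions and the anonymous account have been configured.
Response.ContentType = "text/plain"

Dim fso
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Try to open a folder and enumerate its files.
' Returns "OK" or the error FileSystemObject raised.
Function Probe(path)
    Dim folder, n
    On Error Resume Next
    Set folder = fso.GetFolder(path)
    If Err.Number = 0 Then n = folder.Files.Count
    If Err.Number = 0 Then
        Probe = "OK"
    Else
        Probe = "BLOCKED (" & Err.Number & ": " & Err.Description & ")"
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Compare the probe result with what the ACL setup should produce.
Sub Check(path, shouldSucceed)
    Dim result, verdict
    result = Probe(path)
    If (Left(result, 2) = "OK") = shouldSucceed Then
        verdict = "PASS"
    Else
        verdict = "FAIL"
    End If
    Response.Write verdict & "  " & path & "  ->  " & result & vbCrLf
End Sub

Check "F:\vhost1", True     ' the host's own directory must be readable
Check "F:\", False          ' volume root: iusr_vhost1 has no permissions
Check "F:\vhost2", False    ' assumed directory of a neighbouring host
Check "C:\", False          ' assumed system volume
%>
```

Any "FAIL" line means the account the page runs under can reach a location it should not, or cannot reach its own directory; recheck the folder's inheritance setting and the anonymous account configured in IIS.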
In addition, if the user needs to read the capacity of a hard disk partition or the serial number of the hard disk, this setup makes them unreadable. If you want to allow the user to read information about the whole partition, right-click the partition (volume), select "Properties" > "Security", and add the user's account to the list with at least "Read" permission. Because every subdirectory under the volume has already been set not to accept inherited permissions propagated from its parent, the permission settings of the subdirectories are not affected.
