When WinWebMail was installed in the past, the usual approach was to follow the official instructions and grant write permission on the WinWebMail directory to the Users group, or even to Everyone. That is enough for WinWebMail to run. However, some servers host other ASP or ASP.NET sites at the same time (virtual hosting providers, for example), and with that setting, once another site on the server is compromised, the attacker can easily cross over into WinWebMail.
A better approach is a more careful permission setup on the WinWebMail installation directory, so that a hacker who has compromised another site cannot cross over into it.
In this regard, I think WinWebMail's official directory permission setting is too simple and irresponsible.
In the afternoon, I carefully analyzed WinWebMail's directory security settings. Even with some special settings in place to block ASP cross-site attacks, ASP.NET cross-site attacks are still very easy. In fact, when testing, I got into the WinWebMail directory of a friend's server that was lent for the test without much effort, and could modify its contents at will.
Next, the specific steps:
1. Install WinWebMail. The basics are not described in detail here.
2. Create a user that belongs to the Guests group, for example mail_vistor. (Note: if you use the IUSR_XXX guest account that comes with IIS, which is what the screenshots use, this step can be skipped.)
3. Create a new user that belongs to the IIS_WPG group, for example mail_user.
4. Open IIS and create a new application pool named mail_process. Set its identity to mail_user.
5. Open IIS and create a new site whose home directory is the WEB directory under WinWebMail, and assign it to the mail_process application pool.
Under Directory Security, set the anonymous access user to mail_vistor (or the default IUSR_XXX; choose one of the two. The screenshots use the default IIS user).
6. On the root of the drive where WinWebMail is installed (drive E, for example), give Administrator and mail_vistor (or IUSR_XXX) read-only permission.
7. On the WinWebMail directory, give the IIS_WPG group, mail_vistor, and Administrator read and write permission.
Add NETWORK SERVICE and ASPNET with their permission set to Deny.
Also deny the user group that runs the other ASP websites. Here all the other ASP websites run under the accounts in the hostgroup user group, so I simply added the whole group with the permission set to Deny. (This is the simple way I keep the other ASP sites from crossing over into this directory.)
The user permissions on the winwebmail directory are as follows:
The permissions on the web directory under winwebmail are:
8. Restart IIS and WinWebMail.
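The steps above, scripted as an added example that is not from the original post or from WinWebMail. It targets IIS 7 or later with the WebAdministration module, so the IIS 6 group IIS_WPG is replaced by its successor IIS_IUSRS; the install path E:\WinWebMail, the site name, the group name hostgroup, the port and the two passwords are assumptions for illustration. It also removes inherited ACEs on the install directory (not stated in the post) so that the listed entries are the only ones that apply, and ends with a check that the three Deny entries are really present:

```powershell
# Added example (not from the original post). Assumes IIS 7+ with WebAdministration,
# an install directory of E:\WinWebMail, and the group "hostgroup" for the other ASP sites.
Import-Module WebAdministration

$InstallRoot     = 'E:\WinWebMail'              # assumed install directory (steps 6 and 7)
$WebRoot         = Join-Path $InstallRoot 'Web'  # document root of the new site (step 5)
$DriveRoot       = 'E:\'
$SiteName        = 'WinWebMail'                  # assumed site name
$AppPool         = 'mail_process'
$PoolUser        = 'mail_user'
$AnonUser        = 'mail_vistor'
$OtherSitesGroup = 'hostgroup'                   # group that runs the other ASP sites
$PoolGroup       = 'IIS_IUSRS'                   # IIS 7+ successor of IIS_WPG

# Constructed passwords for the example; generate real ones on a real host.
$PoolPass = 'Example-Pool-Pass-1'
$AnonPass = 'Example-Anon-Pass-1'

# Steps 2 and 3: the anonymous account goes into Guests, the pool identity into the IIS group.
net user $AnonUser $AnonPass /add /passwordchg:no /expires:never | Out-Null
net localgroup Guests $AnonUser /add | Out-Null
net user $PoolUser $PoolPass /add /passwordchg:no /expires:never | Out-Null
net localgroup $PoolGroup $PoolUser /add | Out-Null

# Step 4: a dedicated application pool that runs as mail_user, not as NETWORK SERVICE.
New-WebAppPool -Name $AppPool | Out-Null
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $PoolUser; password = $PoolPass }

# Step 5: the site rooted at the WEB directory, bound to that pool, with its own anonymous user.
New-Website -Name $SiteName -PhysicalPath $WebRoot -ApplicationPool $AppPool -Port 8080 | Out-Null
$AnonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonFilter -Name userName -Value $AnonUser
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonFilter -Name password -Value $AnonPass

# Step 6: drive root, this folder only (no (OI)(CI)), read-only for admins and the anonymous user.
icacls $DriveRoot /grant "Administrators:R" "${AnonUser}:R" | Out-Null

# Step 7: install directory. Inherited ACEs are dropped (assumption, see lead-in), then the
# allowed principals are granted Modify, inherited by files (OI) and subfolders (CI).
icacls $InstallRoot /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" `
    "${PoolGroup}:(OI)(CI)M" "${AnonUser}:(OI)(CI)M" | Out-Null
# Deny ACEs win over any Allow, so the accounts the other sites run as cannot read the directory.
icacls $InstallRoot /deny "NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F" "ASPNET:(OI)(CI)F" `
    "${OtherSitesGroup}:(OI)(CI)F" | Out-Null

# Step 8: restart IIS (WinWebMail itself is restarted from its own console).
iisreset | Out-Null

# Check: every identity that must be locked out has an explicit Deny entry on the directory.
function Test-CrossSiteLockout {
    param([string]$Path = $InstallRoot)
    $denied = (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value }
    foreach ($id in 'NT AUTHORITY\NETWORK SERVICE',
                    "$env:COMPUTERNAME\ASPNET",
                    "$env:COMPUTERNAME\$OtherSitesGroup") {
        [pscustomobject]@{ Identity = $id; Denied = ($denied -contains $id) }
    }
}
Test-CrossSiteLockout | Format-Table -AutoSize
```

The check only inspects the directory's own ACL; to confirm the effect end to end, run `whoami` and a file read from a page hosted in one of the other sites and verify that the read of E:\WinWebMail fails with access denied.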
This blocks attacks from both ASP and ASP.NET programs. So far everything I have tested works normally. The detailed settings for preventing programs in the WEB directory from attacking WinWebMail are as follows.
Finally: if you are not familiar with permission settings, you can install WinWebMail in a directory that is hard to guess, for example E:\XX73C3DA.
Then back up the WEMINSTALL.LOG file in the C:\Windows directory and delete it. (I worry that this log file may be needed when upgrading WinWebMail in the future, though I am not sure whether that is the case; it is the file through which I found the exact installation location on the test server.) However, to avoid exposing the installation location elsewhere, I recommend configuring it according to this tutorial.