I. Benefits of this configuration
Have you heard of the "side note" attack? A brief explanation: an attacker wants to compromise a target site but can find no exploitable vulnerability in it. He then discovers that a second site, site B, is hosted on the same server, and that site B does have an exploitable vulnerability, so he uploads a Trojan to the server through site B. If permissions on the server are configured improperly, he can now compromise every site on that server. If we instead create a separate user for each site and allow that user to access only its own site, access rights are confined to each site's folder and the side note problem is resolved.
II. Preparation
1. Operating environment: Win2K Server + IIS 5.0
2. File system: every partition uses NTFS
3. Site folders: create two folders on drive E:, web001 and web002
4. New sites: create two new sites in IIS, web001 and web002, with site folders E:\web001 and E:\web002. Both are assigned the IP 192.168.0.146, on ports 101 and 102 respectively.
Then enter http://192.168.0.146:101 and http://192.168.0.146:102 in IE to check that the two sites were set up successfully.
III. Configuration process
1. Create the user group and users
Create a new user group named webs. All site users will belong to this group so that permissions can be assigned to them together.
Create the user web01, taking care to check "Password never expires" (otherwise requests fail with "HTTP 401.1 - Unauthorized: Logon Failed"), and make it a member of the webs group only. Create a second user, web02, in the same way.
2. NTFS permissions for each partition
Open the Security tab of each partition in turn, give administrator and SYSTEM Full Control of the partition, and set every permission for the webs group to Deny.
3. NTFS permissions for the site folders
Open the Properties window of the E:\web001 folder and select the Security tab. First clear the check box "Allow inheritable permissions from parent to propagate to this object" and, in the dialog box that pops up, choose to remove the inherited permissions. This keeps the Deny entry set on the partition for the webs group from being inherited by the site folder.
Finally, make sure that administrator, SYSTEM and web01 have Full Control of the folder.
Set up the E:\web002 folder in the same way, using web02.
4. Set the anonymous access user for each site
In IIS, open the properties of the web001 site and select Directory Security → Anonymous access and authentication control → Edit. Clear the check box "Integrated Windows authentication", then edit the account used for anonymous access and set it to web01. Configure the web002 site the same way, using web02.
IV. Testing
Place the Webmaster Assistant tool written by "Veteran" on the web002 site and run it as a test. In testing, the site's own files could be browsed, but all other partitions were inaccessible.
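The same check can be made from the ACLs themselves. The following audit script is an added example, not part of the original article; it assumes a later Windows version with PowerShell 3.0 or newer (not available on Win2K), English names for the built-in groups, and a partition list ($Partitions) that you adjust to your server. The folder, user and group names are the ones used above.

```powershell
# Added audit example: verifies the per-site NTFS isolation described in this article.
$Sites      = [ordered]@{ 'E:\web001' = 'web01'; 'E:\web002' = 'web02' }
$Group      = 'webs'
$Partitions = @('C:\', 'E:\')   # assumption: list every NTFS partition here
# Assumption: English names of the built-in broad principals.
$Broad      = @('Everyone', 'Users', 'Authenticated Users', $Group)

function Get-ShortName($Rule) {
    # 'HOST\web01' -> 'web01'
    ($Rule.IdentityReference.Value -split '\\')[-1]
}

function Test-SiteFolder {
    param([string]$Path, [string]$Owner, [string[]]$SiteUsers)
    $acl = Get-Acl -Path $Path
    # Step 3: inheritance must be off so the partition ACL does not apply here.
    if (-not $acl.AreAccessRulesProtected) { 'inheritance is still enabled' }
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    if (-not ($allow | Where-Object { (Get-ShortName $_) -eq $Owner })) {
        "no Allow entry for site user $Owner"
    }
    foreach ($rule in $allow) {
        $name = Get-ShortName $rule
        # Another site's user, or a broad group, must not be allowed in.
        $foreign = ($SiteUsers -contains $name) -and ($name -ne $Owner)
        if ($foreign -or ($Broad -contains $name)) {
            "$name is allowed $($rule.FileSystemRights)"
        }
    }
}

function Test-PartitionDeny {
    param([string]$Root)
    # Step 2: the webs group must carry a Deny entry on every partition root.
    $deny = (Get-Acl -Path $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (Get-ShortName $_) -eq $Group
    }
    if (-not $deny) { "no Deny entry for group $Group" }
}

$report = @(
    foreach ($path in $Sites.Keys) {
        $found = Test-SiteFolder -Path $path -Owner $Sites[$path] -SiteUsers @($Sites.Values)
        foreach ($f in $found) { [pscustomobject]@{ Target = $path; Finding = $f } }
    }
    foreach ($root in $Partitions) {
        foreach ($f in (Test-PartitionDeny -Root $root)) {
            [pscustomobject]@{ Target = $root; Finding = $f }
        }
    }
)
if ($report.Count) { $report | Format-Table -AutoSize -Wrap }
else { 'Site folder and partition ACLs match the configuration described above.' }
```

Run it from an elevated prompt; any row in the output is a place where one site's account, or a broad group, can reach beyond its own folder.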