ASP Website folder permission settings

Source: Internet
Author: User
Tags: strong password

This guide assumes Windows Server 2003 with the website stored on an NTFS volume. Securing the site means setting two separate things: the NTFS access permissions on the website's folders and files, and the access permissions that IIS grants to anonymous Internet users.

I. Website folder and file access permission settings

Assume the ASP website lives in two folders, Web and BBS. We call these the website root folders.

1. Common settings

(1) Local administrators maintain the site's folders and files, so grant the local administrator account Full Control on all folders and files (and do not forget to give that account a strong password).

(2) Most files on the site are ASP programs, and those need only the Read & Execute permission. So add the Internet Guest Account (IUSR_machinename) to the Web and BBS root folders with Read & Execute, and let that permission propagate to every subfolder and file below them. (Note: do not break inheritance on the subfolders at this stage. The folders that need something different are a minority; they are handled individually later.)

(3) Every folder keeps only the administrator and the Internet Guest Account; delete all other users. [Note: if the site also runs .NET, you still need the Users group!]

How to edit inherited permissions: folder permissions are inherited by default, and inherited entries cannot be edited directly. Taking Web as an example: open the folder's Properties dialog, click the Security tab, click Advanced, and clear the checkbox "Allow inheritable permissions from the parent to propagate to this object". In the dialog that appears click Copy: the inherited permissions are copied onto the folder as explicit (non-inherited) entries, which can then be edited or removed.

2. Web settings

As set up above, the Internet Guest Account now has Read & Execute on every file of the site. On top of that, the following folders need extra permissions (unless stated otherwise, every entry refers to the Internet Guest Account):

Database and count: add the Modify permission.

The uploadfiles and JS folders of each channel (such as article): add the Modify permission.

3. BBS settings

Data, uploadfiles, uploadfaces and dv_forumnews: add the Modify permission.

4. To stress the point again: only files or folders that are actually changed at run time, such as the database file and the database folder, need Write or Modify. The ASP files that perform the database operations do not; they keep the uniform Read & Execute permission.
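The procedure in section I, carried out with PowerShell's Get-Acl and Set-Acl instead of the Explorer Security tab. This is an added example and not code from the original article. It assumes the site roots are C:\wwwroot\Web and C:\wwwroot\BBS, that the anonymous account has the default name IUSR_machinename, and that PowerShell is installed on the Windows Server 2003 box; the folder lists mirror sections I.2 and I.3 and should be adjusted to the site. The audit function at the end lists every folder where the guest account can write, so a stray Modify grant of the kind section I.4 warns about is easy to spot.

```powershell
# Added example; not code from the original article. Carries out section I
# (common settings, then Modify on the writable folders) with Get-Acl and
# Set-Acl instead of the Explorer Security tab. Assumptions: the site roots
# are C:\wwwroot\Web and C:\wwwroot\BBS, the anonymous account has the
# default name IUSR_<machinename>, and PowerShell is installed on the
# Windows Server 2003 box. Adjust the paths and folder lists to your site.
$SiteRoots = 'C:\wwwroot\Web', 'C:\wwwroot\BBS'
$Guest     = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # IIS anonymous account
$Admin     = 'BUILTIN\Administrators'                      # local administrators

# Identities that survive step (3). The article keeps only these two; add
# 'BUILTIN\Users' here for a .NET site (the article's own note) and
# 'NT AUTHORITY\SYSTEM' if backup or indexing services need the files.
$Keep = @($Admin, $Guest)

# Folders (relative to each root) that the ASP program really writes to.
# Everything else stays Read & Execute, as section I.4 insists.
$Writable = @{
    'C:\wwwroot\Web' = 'database', 'count', 'article\uploadfiles', 'article\js'
    'C:\wwwroot\BBS' = 'Data', 'uploadfiles', 'uploadfaces', 'dv_forumnews'
}

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Builds an Allow entry that applies to this folder, its subfolders and files.
function New-Rule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights, $Inherit, $Prop, $Allow)
}

foreach ($root in $SiteRoots) {
    $acl = Get-Acl -Path $root
    # "How to edit inherited permissions": stop inheriting from the parent
    # and discard the inherited entries, leaving only explicit, editable ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # (3) Remove every identity that is not in $Keep.
    foreach ($ace in @($acl.Access)) {
        if ($Keep -notcontains $ace.IdentityReference.Value) {
            $acl.PurgeAccessRules($ace.IdentityReference)
        }
    }
    # (1) Administrators: Full Control.  (2) Guest: Read & Execute.
    # Both entries propagate to every subfolder and file under the root.
    $acl.AddAccessRule((New-Rule $Admin 'FullControl'))
    $acl.AddAccessRule((New-Rule $Guest 'ReadAndExecute'))
    Set-Acl -Path $root -AclObject $acl

    # Sections I.2 and I.3: Modify only where the program must write. The
    # inherited Read & Execute stays; Modify is added as an explicit entry.
    foreach ($sub in $Writable[$root]) {
        $path   = Join-Path $root $sub
        $subAcl = Get-Acl -Path $path
        $subAcl.AddAccessRule((New-Rule $Guest 'Modify'))
        Set-Acl -Path $path -AclObject $subAcl
    }
}

# Check: list every folder under a root where the guest may create or change
# files. Anything not in $Writable is a stray grant of the kind section I.4
# warns about. (ACEs holding generic rights, which Explorer shows as
# "Special", are not decoded here.)
function Get-GuestWritableFolders([string]$Root) {
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        $grants = (Get-Acl -Path $folder).Access | Where-Object {
            $_.IdentityReference.Value -eq $Guest -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBit) -ne 0)
        }
        if ($grants) { $folder }
    }
}

foreach ($root in $SiteRoots) { Get-GuestWritableFolders $root }
```

Run it from an administrator's PowerShell session. Because the root entries are added with ContainerInherit and ObjectInherit, subfolders pick up Read & Execute without being touched individually, exactly as section I.1(2) wants; a subfolder that already has inheritance disabled will not, and shows up in the audit output when it carries its own write grant.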

II. Internet anonymous user access permissions in IIS

In IIS, the great majority of folders and files on an ASP site need Read access and Execute permissions set to "Scripts only" for anonymous Internet users. Never check Write; leave the other options at their defaults.

Folders that contain no ASP or JS files (such as data and uploadfiles) are the exception, and their IIS Execute permissions must be reset when you set the folder permissions: give them Read only and set Execute permissions to "None", so that no script is allowed to run from them. Then even if an attacker manages to write a malicious program into such a folder, IIS will not execute it.

III. Unregister the most dangerous components
The simplest approach is to unregister the COM objects and delete their program files. Save the following as a .BAT file. It uses %SystemRoot% so the same file works on Windows 2000 (C:\WINNT) and Windows 2003 (C:\WINDOWS):

    @echo off
    rem WScript.Shell lives in wshom.ocx: unregister the object, then remove the file.
    regsvr32 /u /s %SystemRoot%\system32\wshom.ocx
    del %SystemRoot%\system32\wshom.ocx
    rem Shell.Application lives in shell32.dll.
    regsvr32 /u /s %SystemRoot%\system32\shell32.dll
    del %SystemRoot%\system32\shell32.dll

Caveat: shell32.dll is a core system library. Explorer keeps it loaded and Windows File Protection restores protected system files, so the del on it is neither practical nor necessary; the regsvr32 /u step is what removes Shell.Application from the script hosts, and it also affects shell functionality that depends on those classes, so try it on a test machine before a production server.

Many servers now run Apache. Although Apache has a better reputation than IIS, plenty of people still run IIS as their web server, because many webmasters started out with ASP and only later moved on to PHP or JSP.
Haitian started building a CMS website recently but did not know which engine to use. After searching online, jtbc's program looked the most extensible, so he decided on it. Since you cannot keep uploading files to the server for every test, he installed and configured IIS under Windows XP for testing.

Haitian had done the simple IIS setup before without ever understanding what each option is for, and this time the folders ended up with a permission problem. A good article found online explained the security-related settings. For instance, the "write" permission on the folder where the website lives is a different thing from the "Write" option in the IIS control panel; the latter can be exploited by attackers directly. Permission settings clearly matter a great deal.

Permission settings for an IIS web server fall into two parts: the NTFS file-system permissions, and the panel in IIS at Website -> Site -> Properties -> Home Directory (or, for a directory under the site, Directory -> Properties -> Directory).

On that panel (Website -> Site -> Properties -> Home Directory, or Directory -> Properties -> Directory) there are six checkboxes: Script source access, Read, Write, Directory browsing, Log visits and Index this resource. Of the six, Log visits and Index this resource have little to do with security and may be set freely; however, if none of the first four is set, these two serve no purpose. Keep this rule in mind when setting permissions; the two options are not discussed further in the examples below.
Below the six checkboxes is the Execute permissions drop-down, which has three choices: None, Scripts only, and Scripts and Executables.

Today most website directories sit on an NTFS partition, so the folder needs matching NTFS permissions. Many guides have explained how to control access with the Everyone group; that is not a good idea. It is enough to grant permissions to the Internet Guest Account (IUSR_machinename) or the IIS_WPG group. For directories holding ASP and PHP programs, set permissions for the Internet Guest Account; for ASP.NET programs, set them for the IIS_WPG group.
Some people will find no Security tab on Windows XP. Open My Computer -> Tools -> Folder Options -> View and clear the option "Use simple file sharing (Recommended)".

Permissions for directories holding ASP, PHP and ASP.NET programs:
For a program to execute, the directory needs Read checked and Execute permissions set to "Scripts only". Do not check Write or Script source access, and do not set Execute permissions to "Scripts and Executables".
In the folder's NTFS permissions, do not grant Write or Modify to the IIS_WPG group or the Internet Guest Account. If a few special configuration files (which are themselves ASP or PHP programs) must be rewritten by the program, grant NTFS Write on those files to the Internet Guest Account (for ASP.NET, the IIS_WPG group). Do not check "Write" in the IIS property panel.
The "Write" option in the IIS panel actually means handling of the HTTP PUT command. An ordinary website does not need it.
"Script source access" in the IIS panel is not permission to execute scripts but permission to fetch the source code. Combined with "Write" it is very dangerous: an attacker can read, modify or delete the site's source directly.
Under Execute permissions, "Scripts and Executables" means any program may run, including EXE files. If the directory also has "Write", an attacker can upload a trojan and run it with ease.
For ASP.NET program directories many people like to enable Web Sharing in the file system. That is unnecessary; it is enough that the directory is an application in IIS. If it is not yet an application directory in IIS, create the application in its Properties -> Directory panel. Web Sharing grants more rights than that and can introduce insecurity.
Summary: in the IIS control panel, do not check Write or Script source access on the home directory, and choose "Scripts only" rather than "Scripts and Executables". For ASP.NET applications, if the directory contains more than one application, create each one from its folder's Properties -> Directory panel by clicking Create. Do not use Web Sharing on folders.

Upload directory permissions:
A website may have one or more directories that accept file uploads, normally through an ASP, PHP or ASP.NET program. Set the Execute permissions of such a directory (in the IIS control panel) to "None". Then even if an attacker uploads an ASP or PHP script or an EXE, it cannot be triggered from a browser.
Likewise, unless uploads arrive through the HTTP PUT command, do not check "Write" on the upload directory in the control panel. Instead grant Write in the directory's NTFS permissions to the Internet Guest Account (for an ASP.NET program's upload directory, the IIS_WPG group).
If downloads are read by a website program and passed on to the user, do not check "Read" in the IIS control panel either. Then uploaded files can only be downloaded by users the website program authorises, not by anyone who knows the storage directory. Do not check "Directory browsing" unless you really want visitors to browse the upload directory and pick what to download.
Summary: some ASP and PHP programs, forums for example, have an upload directory that inherits the settings above and can therefore run scripts. Reset the properties of these directories and change Execute permissions from "Scripts only" to "None".

Permissions for the directory holding an ACCESS database:
Many IIS users rename the database's .mdb extension (to .asp or .aspx) or move the database outside the published directory so that visitors cannot download it. That is not necessary. It is enough to clear the "Read" and "Write" options for the directory (or file) holding the database in the IIS control panel, which prevents both download and tampering.
Do not worry that this stops the website program from reading and writing the Access database. The program needs the NTFS permissions of the Internet Guest Account or the IIS_WPG group, so give those accounts Read and Write on NTFS and the program runs correctly.
Summary: on NTFS, grant the Internet Guest Account or the IIS_WPG group Read and Write; in the IIS control panel, clear "Read" and "Write" on the directory (or file) holding the database to prevent download or tampering.

Permissions for other directories:
A website may also have directories that hold only images, HTML templates, client-side JS files or style sheets. These need only "Read" in the IIS control panel, with Execute permissions set to "None"; nothing else.
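The IIS control-panel rules above (the "Scripts only" versus "None" rule of section II in the first article, and the program, upload, database and static directory rules of the second) applied through the IIS ADSI provider, which edits the same metabase the MMC does. This is an added example and not code from the original article. It assumes the site is W3SVC/1 (the Default Web Site), that the folder names match the article, that PowerShell 2.0 or later is installed on the server, and that the property names are the documented IIS 6 metabase names AccessRead, AccessWrite, AccessSource, AccessScript, AccessExecute and EnableDirBrowsing. The read-back function at the end flags the two combinations the article singles out as directly exploitable.

```powershell
# Added example; not code from the original article. Applies the IIS
# control-panel rules above through the IIS ADSI provider. Assumptions:
# the site is W3SVC/1 (the Default Web Site), the folder names match the
# article, PowerShell 2.0 or later is installed, and the property names are
# the documented IIS 6 metabase names.
$Site = 'IIS://localhost/W3SVC/1/Root'

# The "Execute permissions" drop-down is two metabase flags:
#   None                    -> AccessScript off, AccessExecute off
#   Scripts only            -> AccessScript on,  AccessExecute off
#   Scripts and Executables -> AccessScript on,  AccessExecute on
$Profiles = @{
    # ASP/PHP/ASP.NET program folders: Read + Scripts only, nothing else.
    program = @{ AccessRead=$true;  AccessWrite=$false; AccessSource=$false; AccessScript=$true;  AccessExecute=$false; EnableDirBrowsing=$false }
    # Upload folders: nothing uploaded may run, no HTTP PUT, no browsing.
    # Read stays on only while visitors may fetch uploads by URL.
    upload  = @{ AccessRead=$true;  AccessWrite=$false; AccessSource=$false; AccessScript=$false; AccessExecute=$false; EnableDirBrowsing=$false }
    # Uploads served through a program, and the Access database folder:
    # no Read and no Write over HTTP, so the files can be neither
    # downloaded nor replaced; the program reaches them through NTFS.
    private = @{ AccessRead=$false; AccessWrite=$false; AccessSource=$false; AccessScript=$false; AccessExecute=$false; EnableDirBrowsing=$false }
    # Images, templates, client-side JS, style sheets: Read + None.
    static  = @{ AccessRead=$true;  AccessWrite=$false; AccessSource=$false; AccessScript=$false; AccessExecute=$false; EnableDirBrowsing=$false }
}

# Folder (relative to the site root) -> profile. '' is the root itself.
$Layout = @{
    ''            = 'program'
    'images'      = 'static'
    'uploadfiles' = 'upload'
    'database'    = 'private'
}

function Get-DirEntry([string]$RelPath) {
    $adsPath = if ($RelPath) { "$Site/$RelPath" } else { $Site }
    try {
        $dir = [ADSI]$adsPath
        $dir.RefreshCache()      # throws when the folder has no metabase key
        return $dir
    } catch {
        # A plain subfolder has no metabase key until one is created; an
        # IIsWebDirectory key is what lets its flags differ from the parent.
        $parentPath = if ($RelPath -match '/') { "$Site/" + ($RelPath -replace '/[^/]*$', '') } else { $Site }
        $leaf = $RelPath -replace '^.*/', ''
        $dir  = ([ADSI]$parentPath).Children.Add($leaf, 'IIsWebDirectory')
        $dir.CommitChanges()
        return $dir
    }
}

function Set-DirAccess([string]$RelPath, [string]$ProfileName) {
    $dir   = Get-DirEntry $RelPath
    $flags = $Profiles[$ProfileName]
    foreach ($name in $flags.Keys) {
        $dir.Properties[$name].Value = [bool]$flags[$name]
    }
    $dir.CommitChanges()
}

# Check: read the flags back as the server resolves them and flag the two
# combinations the article calls directly exploitable.
function Get-DirAccess([string]$RelPath) {
    $dir   = Get-DirEntry $RelPath
    $flags = @{}
    foreach ($name in 'AccessRead','AccessWrite','AccessSource','AccessScript','AccessExecute','EnableDirBrowsing') {
        $flags[$name] = [bool]$dir.Properties[$name].Value
    }
    if ($flags.AccessWrite -and $flags.AccessSource)  { $flags.Warning = 'Write + Script source access: source can be edited over HTTP' }
    if ($flags.AccessWrite -and $flags.AccessExecute) { $flags.Warning = 'Write + Scripts and Executables: uploaded EXEs can run' }
    return $flags
}

foreach ($rel in $Layout.Keys) { Set-DirAccess $rel $Layout[$rel] }
foreach ($rel in $Layout.Keys) {
    $a = Get-DirAccess $rel
    $label = if ($rel) { $rel } else { '(root)' }
    "{0,-12} Read={1} Write={2} Source={3} Script={4} Exec={5} Browse={6} {7}" -f $label,
        $a.AccessRead, $a.AccessWrite, $a.AccessSource, $a.AccessScript, $a.AccessExecute, $a.EnableDirBrowsing, $a.Warning
}
```

The metabase inherits settings downwards, which is why a forum's upload folder ends up with the parent's "Scripts only" unless it gets its own key; Get-DirEntry creates that key on first use so the upload and database folders can carry their own flags. Running the read-back loop alone, without Set-DirAccess, is a quick audit of an existing site.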

In short, as Haitian understands it: the IIS control panel sets what a visitor may do from a browser, while the NTFS folder permissions set what the website's program is allowed to do when it runs.
Other settings deserve attention too; if you know of some, help more people pay attention to website security.
By the way, who else knows jtbc well? Please get in touch with Haitian if you have any questions.
