Although Apache may have a better reputation than IIS, I'm sure there are a lot of people who run Web servers on IIS. To tell the truth, I think IIS is good, especially IIS 6 on Windows 2003 (Longhorn Server with IIS 7 is coming soon, and I believe it will be better); performance and stability are quite good. But I find that many people who use IIS pay little attention to Web server permissions, so it is not surprising that a vulnerability gets exploited. We should not blame IIS for the insecurity, though. If each directory of the site is given the correct permissions, the chance of a vulnerability being exploited is still small (apart from problems in the Web application itself and other ways of breaking into the server). Here are some of the lessons I have collected while configuring servers, and I hope they are of some help to you. Permissions for an IIS Web server are set in two places: one is the NTFS file system itself, the other is IIS, under Site > Properties > Home Directory (or Properties > Directory for a subdirectory of the site). These two places are closely related. Below I explain how to set permissions using examples.
In IIS, the Site > Properties > Home Directory tab (or the Directory tab in the properties of a subdirectory) offers the following options:
- Script source access
- Read
- Write
- Directory browsing (Browse)
- Log visits
- Index this resource
Of these six options, "Log visits" and "Index this resource" are not related to security and are usually enabled. However, if none of the first four permissions is set, neither of these two is needed either. Keep this rule in mind when setting permissions; these two options are not mentioned again in the examples below.
Below these six options, the Execute Permissions drop-down list offers:
- None
- Scripts only
- Scripts and Executables
If the site directory is on an NTFS partition (which I recommend), you also need to set NTFS permissions on that directory. Many guides grant permissions to Everyone; this is not good. It is enough to grant permissions to the Internet Guest account (IUSR_XXXXXXX) or to the IIS_WPG group. For directories holding ASP and PHP programs, set permissions for the Internet Guest account; for ASP.NET programs, set permissions for the IIS_WPG group. In what follows, NTFS permission settings are named explicitly; anything not marked as NTFS refers to the IIS properties panel.
Example 1 -- permission settings for directories holding ASP, PHP and ASP.NET programs:
If these programs are to be executed, enable Read and set Execute Permissions to "Scripts only". Do not enable Write or Script source access, and do not set Execute Permissions to "Scripts and Executables". In the NTFS permissions, do not grant Write or Modify to the IIS_WPG group or the Internet Guest account. If you have some special configuration files that are themselves ASP or PHP programs and must be written by the application, grant NTFS Write on those specific files to the Internet Guest account (or the IIS_WPG group for ASP.NET) rather than enabling "Write" in the IIS properties panel.
The Write permission in the IIS panel actually controls handling of the HTTP PUT method, which a normal Web site does not need to open.
Script source access in the IIS panel is not permission to execute a script but permission to read its source code, which is very dangerous if Write is enabled at the same time.
The "Scripts and Executables" execute permission allows any program to run, including EXE executables; if the directory also has Write permission, a Trojan program can easily be uploaded and executed.
For an ASP.NET directory, many people like to enable Web Sharing on the folder in the file system. This is not necessary; you only need to make sure the directory is an application in IIS. If the directory is not yet an application, open its Properties > Directory tab and click Create in the Application Settings section. Web Sharing grants more permissions than needed and can cause insecurity.
In short: under Home Directory, do not enable Write or Script source access, and select "Scripts only" rather than "Scripts and Executables". ASP.NET requires an application directory; if the directory is not yet an application, click Create on the folder's Properties > Directory tab. Do not enable Web Sharing on the folder.
Example 2 -- permission settings for an upload directory:
A user's Web site may have one or several directories that accept uploaded files, usually through an ASP, PHP or ASP.NET upload program. The important point is to set the upload directory's Execute Permissions to "None", so that even if an ASP or PHP script or an EXE program is uploaded, it cannot be triggered from a user's browser.
Likewise, unless users must upload with the PUT method, do not enable "Write" on the upload directory. Instead, grant NTFS Write on the upload directory to the Internet Guest account (or the IIS_WPG group for ASP.NET).
If downloads are served by a program that reads the file and streams it to the user, do not even enable "Read". This ensures that uploaded files can only be downloaded by users the program authorizes, rather than by anyone who knows where the file is stored. Do not enable Browse unless you want users to be able to browse your upload directory and choose what they want to download.
Many off-the-shelf ASP and PHP programs, forums for example, ship with an upload directory that inherits the parent's "Scripts only" execute permission. Reset the properties of these directories and change "Scripts only" to "None".
Example 3 -- permission settings for the directory holding an Access database:
Many IIS users rename their Access database (to an .asp or .aspx suffix, for example) or move it outside the published directory to stop users from downloading it. This is not necessary. You only need to remove the "Read" and "Write" permissions from the directory (or the file) where the Access database is located, and nobody can download or tamper with it. You do not have to worry that your program will no longer be able to read and write the database: the program accesses it with the NTFS privileges of the Internet Guest account or the IIS_WPG group, so grant those accounts NTFS read and write permission and the program keeps working correctly.
Example 4 -- permission settings for other directories:
Your site may also have directories containing only images, only HTML templates, only client-side JS files, or only style sheets. These directories only need the "Read" permission, with Execute Permissions set to "None". No other permissions are needed.
Well, I think the examples above already cover the permission settings for most cases; based on them, you can probably work out how to set up the rest.
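The four examples above applied with one helper on IIS 7 or later, as an added example that is not from the original post. It assumes the WebAdministration module, a site named "Default Web Site" with placeholder physical paths, IUSR as the anonymous (Internet Guest) account, and that the IIS 7 handler accessPolicy flags (Read, Write, Script, Execute, Source) stand in for the IIS 6 panel checkboxes, with icacls setting the NTFS side.

```powershell
# Added example, not from the original post. Assumes IIS 7 or later with the
# WebAdministration module, a site named "Default Web Site", the placeholder
# physical paths below, and IUSR as the anonymous (Internet Guest) account.
Import-Module WebAdministration

function Set-DirAccess {
    param(
        [string]$Location,      # e.g. "Default Web Site/upload"
        [string]$Policy,        # IIS access flags: Read, Write, Script, Execute, Source, None
        [bool]$Browse,          # the "Browse" checkbox
        [string]$PhysicalPath,  # NTFS folder behind the location
        [string]$NtfsAccount,   # worker identity, never Everyone
        [string]$NtfsRights     # icacls rights: R = read, M = modify (read + write)
    )
    $hostCfg = 'MACHINE/WEBROOT/APPHOST'
    # IIS side: the panel's Read/Write/Script source/Execute settings
    Set-WebConfigurationProperty -PSPath $hostCfg -Location $Location `
        -Filter 'system.webServer/handlers' -Name accessPolicy -Value $Policy
    # IIS side: the "Browse" checkbox
    Set-WebConfigurationProperty -PSPath $hostCfg -Location $Location `
        -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $Browse
    # NTFS side: explicit rights for the worker identity only; (OI)(CI) inherits to children
    & icacls $PhysicalPath /grant:r "$($NtfsAccount):(OI)(CI)$NtfsRights" | Out-Null
}

$root = 'C:\inetpub\wwwroot'   # placeholder path

# Example 1: script directory. Read + "Scripts only"; no Write, Source or Execute;
# NTFS read only, so scripts cannot overwrite themselves.
Set-DirAccess 'Default Web Site'        'Read, Script' $false $root          'IUSR' 'R'

# Example 2: upload directory. Execute "None" so uploaded .asp/.php/.exe never run;
# no IIS Write (no PUT); NTFS modify so the upload program can write files.
Set-DirAccess 'Default Web Site/upload' 'Read'         $false "$root\upload" 'IUSR' 'M'

# Example 3: Access database directory. No IIS Read or Write, so a direct request for
# the .mdb is refused (403), while NTFS read/write lets the scripts use the database.
Set-DirAccess 'Default Web Site/db'     'None'         $false "$root\db"     'IUSR' 'M'

# Example 4: images, templates, JS, CSS. Read only, Execute "None", no Browse.
Set-DirAccess 'Default Web Site/images' 'Read'         $false "$root\images" 'IUSR' 'R'
```

The handlers section is written into applicationHost.config under a location tag, so it is unaffected by the section being locked against web.config overrides; for ASP.NET on IIS 7 grant the NTFS rights to the application pool identity instead of IUSR.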