FSO Security Hidden Trouble Solution

Source: Internet
Author: User
Tags: anonymous

FSO security solution

1. Scope and environment: the method in this article applies to Microsoft Windows NT/2000 Server/Advanced Server running IIS 5.0.

2. Make sure that IIS and every virtual host web site are working correctly, and that the mappings for unsafe application extensions such as .printer and .dav have been removed from IIS (other hardening topics are outside the scope of this article; for more detail see my other article, "Microsoft Win 2000 IIS Web Server Overall Security Solution Detailed").

3. Open Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups and create new users (assume iusr_0001 to iusr_0050, one per virtual host, for a web server with 50 virtual hosts; add more if you have more sites). The purpose is to give each site its own anonymous user, so that the server can keep the ASP FSO component available without being threatened by ASP Trojans and the like. Whether to set a password for these users is up to you, according to your own security level and actual requirements; in practice it is not critical here.

4. Remove the newly created iusr_0001 to iusr_0050 from the Users group and add them all to the Guests group. (Because Windows puts new users in the Users group by default, be careful not to forget to evict each iusr_xxxx from the Users group, ^_^.) For better security, also create an iis_users group and add every iusr_xxxx to it, so that the group is easy to reference when making other system security settings.

5. Set up IIS: open Start -> Programs -> Administrative Tools -> Internet Services Manager to open the IIS admin interface, then open the properties of your first virtual host site. In the properties dialog, click the "Directory Security" tab and click "Edit" in the "Anonymous access and authentication control" section. In the "Authentication Methods" dialog that appears, click "Edit" in the "Anonymous access" section; you will see the anonymous user account dialog. Click "Browse" and select the first guest user created in step 3, that is, iusr_0001. If you created the user with a blank password, leave the password blank; otherwise enter this user's password. Then tick "Allow IIS to control password" below and click OK.

[Also note: to make management and the directory permissions below easier, it is best to tie each site description to its iusr_xxxx. For example, if the site you configured above is described as "fineacer.com", change the description to "fineacer.com (iusr_0001)". Then the mapping is visible at a glance, which makes management more convenient.]

6. Disk permissions: make sure the ACLs on the C, D, E, F, etc. disks are set correctly. (The "Full Control" rights that Everyone has on all disks must be removed; that default is very dangerous, so grant only what is necessary.) Then set the appropriate permissions for your web site's virtual directory, that is, the NTFS ACLs. Select the top-level directory that holds all the virtual hosts and remove Everyone's access rights. Add only Administrators: Full Control and SYSTEM: Full Control. (SYSTEM is the permission required by FTP upload/download software such as Serv-U, because Serv-U starts its service as SYSTEM.) Then take your iusr_0001; suppose this is the root directory of the fineacer.com (iusr_0001) site. Right-click -> Properties -> Security, add our iusr_0001, and grant it Read permission. If the site is plain HTML, Read alone is enough; if it is ASP with an Access database or similar, also add "Write" permission. If the site's ASP program needs to use FSO to modify or delete website content online, then generally we give "Full Control" to iusr_xxxx.

7. OK, the first virtual host is finally set up ^_^. Put a webshell in the site directory and browse http://www.fineacer.com/webshell.asp to try it: with its FSO feature you cannot access other sites' directories, let alone edit or delete other virtual host users' web files. The remaining work is to repeat steps 3, 4, 5 and 6 until all the sites are configured. I know that some virtual host management systems use exactly this principle; these steps are simply written into the management program of the virtual host system.
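As an added example (not the author's script and not part of the original article), the following batch file automates steps 3 to 6 for one virtual host on Windows 2000 / IIS 5.0 using only the built-in NET and CACLS commands and the adsutil.vbs metabase script that ships with IIS. It assumes, none of which the article states, that the hosting root is D:\wwwroot, that each site lives in D:\wwwroot\<site>, that adsutil.vbs is in C:\Inetpub\AdminScripts, and that the caller knows the site's metabase instance number (W3SVC/<id>).

```batch
@echo off
rem Added example, not from the original article.  Usage:
rem   setsite.cmd init                         one-off: lock down the hosting root
rem   setsite.cmd fineacer.com iusr_0001 1 R   per site: account, IIS anon user, ACL
rem Last argument: R = static HTML, C = ASP+Access (read and write), F = site uses FSO.
rem Assumptions (not in the article): D:\wwwroot layout, adsutil.vbs path, site id.
setlocal
set WWWROOT=D:\wwwroot
set ADSUTIL=C:\Inetpub\AdminScripts\adsutil.vbs

if /i "%1"=="init" goto init
if "%3"=="" goto usage

set SITE=%1
set USR=%2
set SITEID=%3
set PERM=%4
if "%PERM%"=="" set PERM=R

rem --- step 3: one anonymous account per site, blank password as the article allows
net user %USR% "" /add /passwordchg:no /comment:"IIS anonymous account for %SITE%"

rem --- step 4: out of Users, into Guests, and into the iis_users bookkeeping group
net localgroup Users %USR% /delete
net localgroup Guests %USR% /add
net localgroup iis_users /add /comment:"per-site IIS anonymous accounts" 2>nul
net localgroup iis_users %USR% /add

rem --- step 5: point the site's anonymous access at this account, let IIS keep the
rem     password in sync ("Allow IIS to control password"), and tag the description
cscript //nologo %ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserName %USR%
cscript //nologo %ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousPasswordSync TRUE
cscript //nologo %ADSUTIL% SET W3SVC/%SITEID%/ServerComment "%SITE% (%USR%)"

rem --- step 6: the account gets rights on its own site directory only
rem     (/E edits the existing ACL instead of replacing it, /T recurses)
cacls %WWWROOT%\%SITE% /E /T /G %USR%:%PERM%

rem check: the account should be listed here and in no other site directory
cacls %WWWROOT%\%SITE%
goto end

:init
rem --- step 6, once: Everyone loses its Full Control on the data drive, and the
rem     hosting root keeps only Administrators and SYSTEM (Serv-U runs as SYSTEM).
rem     The second command replaces the ACL, so run init before any per-site call.
cacls D:\ /E /R Everyone
echo y| cacls %WWWROOT% /T /G Administrators:F SYSTEM:F
goto end

:usage
echo usage: %0 init   ^|   %0 site-name iusr-account site-id [R^|C^|F]

:end
endlocal
```

The per-site branch never touches a directory other than the one named on the command line, which is what makes the isolation work: after running it for every site, `cacls D:\wwwroot\<other-site>` should show no iusr_0001 entry, so an ASP page running under that account has nothing to read or write outside its own site. CACLS "C" (Change) is used for the ASP+Access case because it grants read together with write, matching the article's "also add Write"; choose F only for sites whose ASP code genuinely edits its own content through FSO.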

About the author: Lee Paolin (leebolin), senior system engineer and professional network security consultant. He has provided complete network security solutions for many large and medium-sized enterprises and ISPs, and specializes in overall network security program design, large-scale network engineering planning, and complete security solutions for server platforms.
