FSO security settings to prevent ASP Trojans

Source: Internet
Author: User


Most virtual hosting providers currently disable the standard ASP component FileSystemObject (FSO). This component gives ASP powerful file system access: it can read, write, copy, delete, and rename any file on the server's hard disk (under the default Windows NT/2000 settings, of course). However, if the component is disabled, all ASP sites that use it cannot run, which fails to meet customers' requirements. How can we allow the FileSystemObject component without affecting the security of the server, that is, so that users on different virtual hosts cannot use it to read or write other users' files? Here is a method I arrived at through experiment. The following section uses Windows 2000 Server as an example.

Open Windows Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" in the pop-up menu, and select the "Security" tab. You can now see which accounts can access this partition (volume) and what permissions they have. After a default installation, "Everyone" has Full Control. Click "Add" to add the "Administrators", "Backup Operators", "Power Users", and "Users" groups, and grant them "Full Control" or the corresponding permissions. Note: do not grant any permissions to the "Guests" group or the "IUSR_machine name" account. Then remove the "Everyone" group from the list. In this way, only authorized groups and users can access the hard disk partition. When ASP executes, it accesses the hard disk as "IUSR_machine name", so it cannot read or write files on the hard disk because that account has not been authorized.

Method/step

1: Create a separate user account for each virtual host user, and assign each account a directory over which it has Full Control.

Choose "Computer Management" > "Local Users and Groups" > "Users", right-click in the right pane, and select "New User" in the pop-up menu:



2: In the "New User" dialog box that appears, enter "User name", "Full name", "Description", "Password", and "Confirm password" as needed, clear the "User must change password at next logon" check box, and select "User cannot change password" and "Password never expires". In this example, the account created for the first virtual host, "IUSR_VHOST1", serves as the built-in account for anonymous access to Internet Information Services; that is, all clients visiting http://***.***.***/ access the virtual host under this identity. After entering the information, click "Create". You can create multiple users as needed. Click "Close" when you have finished:



3: Now the newly created user has appeared in the account list. Double-click the account in the list for further settings:



4: In the "IUSR_VHOST1" (that is, the newly created account) Properties dialog box that appears, click the "Member Of" tab:



5: The created account belongs to the "Users" group by default. Select this group and click "Remove":
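The following check is an added example, not part of the original article: it parses ACL listings in the text format printed by the `icacls` tool and reports which entries would still let a per-site account into a path, directly, through "Everyone", or through a group it belongs to. The use of `icacls`, the host name WEB01, the directory D:\vhost2 and the account IUSR_VHOST2 are assumptions, and the sample output is constructed.

```python
import re

# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)...(rights)
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_aces(path, icacls_output):
    """Return [(principal, [flags...])] from `icacls <path>` output for one path."""
    aces = []
    for line in icacls_output.splitlines():
        if line.startswith(path):              # first ACE shares a line with the path
            line = line[len(path):]
        m = ACE.match(line.strip())            # blank lines and the summary footer do not match
        if m:
            name = m["who"].split("\\")[-1].lower()   # drop the BUILTIN\ or MACHINE\ prefix
            aces.append((name, re.findall(r"\(([^)]*)\)", m["flags"])))
    return aces

def grants_access(account, groups, aces):
    """Allow ACEs that admit `account` directly, via Everyone, or via a listed group.
    `groups` is supplied by the caller; nested membership is not resolved."""
    identities = {account.lower(), "everyone"} | {g.lower() for g in groups}
    return [(name, flags[-1]) for name, flags in aces
            if name in identities and "DENY" not in flags and flags[-1] != "N"]

# Constructed sample output (hypothetical host WEB01, hypothetical D:\vhost2).
ROOT_DEFAULT = r"""D:\ Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""

ROOT_HARDENED = r"""D:\ BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Backup Operators:(OI)(CI)(F)
    BUILTIN\Power Users:(OI)(CI)(M)
    BUILTIN\Users:(OI)(CI)(RX)"""

VHOST2_DIR = r"""D:\vhost2 WEB01\IUSR_VHOST2:(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)"""

if __name__ == "__main__":
    root, other = parse_aces("D:\\", ROOT_HARDENED), parse_aces(r"D:\vhost2", VHOST2_DIR)
    print(grants_access("IUSR_VHOST1", ["Users"], parse_aces("D:\\", ROOT_DEFAULT)))
    print(grants_access("IUSR_VHOST1", ["Users"], root))   # still in Users: step 5 not done
    print(grants_access("IUSR_VHOST1", [], root))          # after step 5
    print(grants_access("IUSR_VHOST1", [], other))         # another site's directory
```

An empty result means no listed entry admits the account; the second call shows why step 5 matters, since the entry held by "Users" on the drive root still applies while the account remains in that group.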



Article comment: Many administrators may not know how to prevent hackers from intruding into other websites using FSO. In fact, FSO's rational application is only part of Windows Server security.
