Illustrated tutorial: per-site security permissions for IIS users on a multi-site server

Source: Internet
Author: User

I. What does this configuration buy you?

Have you heard of this scenario? A simple explanation: an attacker wants to break into site A but cannot find an exploitable vulnerability in it. Then he notices that another site, B, is hosted on the same server, and B does have an exploitable hole, so he uploads a web shell (Trojan) through site B onto the server. If the server's permissions are configured loosely, he can now take over every site on that machine. If instead we create a separate user for each site and allow that user to access only its own site, access is controlled per site folder and this "side door" attack through a neighbouring site is closed. The isolation is only as strong as the NTFS ACLs: whatever the site's account can read or write, a web shell running under that account can read or write too, so the site's own files remain exposed and other sites' files must not be.

II. Preparations

1. Running environment: Windows 2000 Server + IIS 5.0
2. File system: every partition is formatted NTFS (the scheme depends on NTFS ACLs; FAT partitions cannot be protected this way)
3. Site folders: create two folders, web01 and web02, on the E: drive.
4. Create the sites. In IIS, create two sites, web01 and web02, with home directories E:\web01 and E:\web02. Both are bound to IP address 192.168.0.146, on ports 101 and 102 respectively.

Then open http://192.168.0.146:101 and http://192.168.0.146:102 in IE to confirm that both sites come up.

III. Configuration process

1. Create the user group and users

Create a local group named webs. Every site account created from now on is put into this group, so that permissions can be assigned to all of them at once.

Create a user web01. Tick "Password never expires" (otherwise, once the password expires, IIS can no longer log the account on and visitors get "HTTP 401.1 - Unauthorized: Logon Failed"), and make it a member of the webs group only (remove it from Users). Create a user web02 in the same way. Give each account a long random password; nobody needs to type it, since only IIS uses it. The same 401.1 error appears if the password entered in IIS and the account's password do not match, so check that first when a site stops answering.

2. NTFS permissions on each partition

Open the Security tab of each partition (drive root), grant Administrator and SYSTEM Full Control, then add the webs group and tick Deny for Full Control. Deny entries take precedence over Allow entries, and an entry on the root is inherited by every folder below it, so this single entry shuts the site accounts out of the entire disk; the next step re-opens each site's own folder. On the system partition, watch for web applications that break because the anonymous account can no longer read script engines or components under %SystemRoot%; grant the specific folder that is needed rather than loosening the root Deny.

3. NTFS permissions on the site folders

Open the Properties window of E:\web01, select the Security tab and first clear the checkbox "Allow inheritable permissions from parent to propagate to this object". In the dialog that appears, choose Remove (not Copy: copying would carry the inherited Deny for webs into the folder, where it would still override the grant for web01).

Finally, make sure that Administrator, SYSTEM and web01 have Full Control on the folder and that no other entries remain. Full Control is what this tutorial grants; note that it lets a web shell uploaded into web01 rewrite the whole site. For a site that does not need to write to its own files, Read & Execute is enough, with Modify granted only on the specific upload or data subfolders.

Set up E:\web02 the same way, with user web02.

4. Set the anonymous user for each site

In IIS, open the properties of the web01 site, select Directory Security → Anonymous access and authentication control → Edit, clear the "Integrated Windows Authentication" checkbox, then click Edit next to the account used for anonymous access and set it to web01 with the account's password (the same for web02, using web02). Leaving Integrated Windows Authentication enabled would let IIS fall back to a Windows logon whenever the anonymous account is refused access, so a request carrying other Windows credentials could still reach files that web01 cannot.
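The four configuration steps above, scripted as one added example. This is not code from the original tutorial: Windows 2000 has no PowerShell, and its net user / cacls tools cannot script "password never expires" or a protected DACL, so the script targets a current Windows Server with IIS 7 or later and the WebAdministration module. Assumptions: it runs in an elevated PowerShell 5.1 session on the IIS host; site names, folders, IP address and ports are those of the tutorial; $partitions is an assumed list of the drive roots that receive the Deny entry; the passwords are generated rather than chosen.

```powershell
# Added example, not from the original tutorial: per-site anonymous accounts on
# IIS 7+ with PowerShell. Assumes an elevated session on the IIS host; names,
# paths, IP and ports follow the tutorial; $partitions is an assumption.
Import-Module WebAdministration

$ip         = '192.168.0.146'
$partitions = @('C:\', 'D:\', 'E:\')     # every partition, as the tutorial does (assumed drive list)
$sites      = @(
    @{ Name = 'web01'; Path = 'E:\web01'; Port = 101 },
    @{ Name = 'web02'; Path = 'E:\web02'; Port = 102 }
)

# Random password per account; nobody types it, IIS stores it in applicationHost.config.
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Step 1: the webs group that every site account belongs to (used only for the root Deny).
if (-not (Get-LocalGroup -Name 'webs' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'webs' -Description 'IIS per-site anonymous accounts' | Out-Null
}

# Step 2: Deny Full Control for webs on each partition root, inheritable to every subfolder.
# Deny wins over Allow, so this locks the site accounts out of the whole volume.
foreach ($root in $partitions) {
    if (Test-Path $root) { icacls $root /deny 'webs:(OI)(CI)F' | Out-Null }
}

foreach ($s in $sites) {
    $pw     = New-RandomPassword
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force

    # Step 1 (continued): one local account per site, member of webs only.
    if (Get-LocalUser -Name $s.Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $s.Name -Password $secure -PasswordNeverExpires $true
    } else {
        New-LocalUser -Name $s.Name -Password $secure -PasswordNeverExpires `
            -UserMayNotChangePassword -AccountNeverExpires `
            -Description "Anonymous account for IIS site $($s.Name)" | Out-Null
    }
    Remove-LocalGroupMember -Group 'Users' -Member $s.Name -ErrorAction SilentlyContinue
    Add-LocalGroupMember    -Group 'webs'  -Member $s.Name -ErrorAction SilentlyContinue

    # One application pool per site. On IIS 7+ the worker process runs as the pool
    # identity ("IIS AppPool\<name>"), which reads web.config and runs ASP.NET code,
    # so it needs read access to the folder alongside the anonymous account.
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) { New-WebAppPool -Name $s.Name | Out-Null }

    # Step 3: cut inheritance on the site folder (this drops the inherited Deny)
    # and write an explicit ACL. The tutorial grants the site account Full Control;
    # Read & Execute is enough to serve a site and keeps an uploaded web shell from
    # rewriting the site's own files. Grant Modify only on upload folders.
    if (-not (Test-Path $s.Path)) { New-Item -ItemType Directory -Path $s.Path | Out-Null }
    icacls $s.Path /inheritance:r | Out-Null
    icacls $s.Path /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
        "$($s.Name):(OI)(CI)RX" "IIS AppPool\$($s.Name):(OI)(CI)RX" | Out-Null

    # Step 4: the site, bound as in the tutorial, with anonymous requests running as
    # the per-site account and Windows authentication switched off (the tutorial's
    # unchecked "Integrated Windows Authentication").
    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -ApplicationPool $s.Name `
            -IPAddress $ip -Port $s.Port | Out-Null
    }
    $auth = 'system.webServer/security/authentication'
    $cfg  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $s.Name }
    Set-WebConfigurationProperty @cfg -Filter "$auth/anonymousAuthentication" -Name enabled  -Value $true
    Set-WebConfigurationProperty @cfg -Filter "$auth/anonymousAuthentication" -Name userName -Value $s.Name
    Set-WebConfigurationProperty @cfg -Filter "$auth/anonymousAuthentication" -Name password -Value $pw
    Set-WebConfigurationProperty @cfg -Filter "$auth/windowsAuthentication"   -Name enabled  -Value $false
}
```

Two differences from the IIS 5 setup are worth knowing before relying on this. The root Deny propagates through every unprotected subtree on each listed volume, which takes a while on the system drive. And on IIS 7+ the anonymous account is impersonated only for static files and classic ASP; ASP.NET code runs as the application pool identity, so the per-site pool created above is what isolates an uploaded .aspx shell, and that identity must not be hit by the root Deny.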

IV. Test

Place an ASP web shell (the "Webmaster Assistant" tool written by the author nicknamed "veteran" in the source) in the web02 site and browse to it. Result: it can view web02's own files, but no other partition or site folder can be accessed. Delete the test shell afterwards.
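The check that this section performs with a web shell can also be made from the ACLs themselves, which catches a site folder that quietly re-inherited the root Deny or an Allow entry for the wrong account. The following audit is an added example, not part of the tutorial, written for a current Windows Server with PowerShell 5.1; the site names and paths, the computer-local webs group, and the list of "broad" principals that must never appear on a site folder are assumptions matching the tutorial's layout.

```powershell
# Added example, not from the original tutorial: audit the NTFS state that
# section IV tests by hand. Assumes the tutorial's site names/paths and a local
# group named webs; run elevated after the configuration is in place.
$sites = @{ 'web01' = 'E:\web01'; 'web02' = 'E:\web02' }
# Principals that every site account is (or may be) a member of; an Allow for
# any of them on a site folder would re-open it to the other sites.
$broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
           "$env:COMPUTERNAME\webs")

function Test-SiteIsolation {
    param([hashtable]$Sites, [string[]]$BroadPrincipals)
    $problems = @()
    foreach ($name in $Sites.Keys) {
        $path = $Sites[$name]
        $acl  = Get-Acl -Path $path
        # The folder must not inherit: an inherited Deny for webs would beat the site grant.
        if (-not $acl.AreAccessRulesProtected) {
            $problems += "${path}: still inherits from its parent"
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            # Allow for another site's account or app pool identity, or for a broad group.
            $otherSite = $Sites.Keys | Where-Object { $_ -ne $name -and $who -like "*\$_" }
            if ($otherSite -or ($BroadPrincipals -contains $who)) {
                $problems += "${path}: Allow entry for $who ($($ace.FileSystemRights))"
            }
        }
    }
    # Every local partition root must carry the inheritable Deny for webs.
    $roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }).Root
    foreach ($root in $roots) {
        $deny = (Get-Acl -Path $root).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -like '*\webs' -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
        }
        if (-not $deny) { $problems += "${root}: no inheritable Deny for webs" }
    }
    return $problems
}

$findings = Test-SiteIsolation -Sites $sites -BroadPrincipals $broad
if ($findings) { $findings } else { 'OK: each site account is confined to its own folder' }
```

An empty result means the ACLs match the tutorial; each line otherwise names the folder and the entry to fix. The audit reads ACLs only, so pair it with the live test above: the web shell exercise is what proves that IIS really runs the site under the expected account.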
