How to improve FSO security under Windows 2003

Source: Internet
Author: User
Tags anonymous file system

ASP provides powerful access to the file system: it can read, write, copy, delete, and rename any file on the server's hard disk, which poses a great threat to the security of a school website. Many campus hosts have already been compromised by FSO Trojans. Disabling the FSO component, however, means that every ASP program that uses it stops working, which does not meet customers' needs. How can you keep the FileSystemObject component available and still keep the server secure (that is, ensure the component cannot be used to read and write other people's files)? The following is based on the author's many years of experience:

The first step is where the settings differ from Windows 2000: right-click drive C, click "Sharing and Security", and in the dialog box select the "Security" tab. Delete the Everyone and Users groups. If your site cannot even run ASP programs after they are deleted, add the IIS_WPG group (Figure 1) and restart the computer.

With this configuration, the FSO Trojan can no longer run. For a higher level of security, set permissions on each partition separately and assign a different anonymous access user to each site. The following example illustrates this (suppose the ABC.com site is hosted in the ABC folder on drive E):

1. Open "Computer Management → Local Users and Groups → Users" and create a user named ABC. Set a password, clear the check box in front of "User must change password at next logon", select "User cannot change password" and "Password never expires", and make the user a member of the Guests group.

2. Right-click E:\ABC and select "Properties → Security". The default security setting for this folder is Full Control for Everyone (what is displayed may differ from system to system). Remove Full Control for Everyone (if it cannot be deleted, click the Advanced button, clear the check box in front of "Allow inheritable permissions from the parent to propagate", and remove all entries), then add the Administrators group and the ABC user with all security permissions on this site's directory.

3. Open IIS Manager, right-click the abc.com host name, and in the pop-up menu select "Properties → Directory Security". Under "Authentication and access control", click [Edit] to open the dialog box shown in Figure 2. The anonymous access user defaults to "IUSR_machinename". Click [Browse], locate the ABC account you created earlier in the "Select User" dialog box, confirm, and then enter the password again.

With this setting, anonymous visitors to the site access the E:\ABC folder as the ABC account. Because the ABC account has security permissions only on that folder, FSO can be used only within that folder.
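
One way to confirm the result described above, as an added example that is not part of the original article: a classic ASP page, placed in the site's own folder and requested anonymously, that uses FileSystemObject to test which folders the site's anonymous account can enumerate. The file name `fsocheck.asp` and the neighbouring folder `E:\OtherSite` are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added verification page, not from the original article.
' Assumption: saved as E:\ABC\fsocheck.asp and requested without logging in,
' so it runs as the site's anonymous account (ABC in the article's example).
Response.ContentType = "text/plain"

Dim fso
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Returns "ALLOWED" if the current account can enumerate the folder,
' otherwise "DENIED (<error number> <description>)". Nothing is listed or written.
Function Probe(path)
    Dim folder, n
    On Error Resume Next
    Err.Clear
    Set folder = fso.GetFolder(path)
    If Err.Number = 0 Then n = folder.SubFolders.Count
    If Err.Number = 0 Then
        Probe = "ALLOWED"
    Else
        Probe = "DENIED (" & Err.Number & " " & Err.Description & ")"
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Prints one line per path and marks it FAIL when the outcome is not the expected one.
Sub Check(path, expectAllowed)
    Dim result, verdict
    result = Probe(path)
    If (Left(result, 7) = "ALLOWED") = expectAllowed Then verdict = "ok  " Else verdict = "FAIL"
    Response.Write verdict & "  " & path & "  " & result & vbCrLf
End Sub

Check Server.MapPath("/"), True   ' the site's own root (E:\ABC in the article)
Check "C:\", False                ' system drive, Everyone and Users removed in the first step
Check "E:\", False                ' partition root above the site folder
Check "E:\OtherSite", False       ' hypothetical folder of another site on the same host
%>
```

Any line marked FAIL points to a permission that still needs to be tightened. Delete the page once the check is done.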
