IIS Permissions setting _win server

We should not attribute this to the insecurity of IIS. If you have the right permissions for each directory on your site, the chances of a vulnerability being hacked are small (except for WEB applications that have problems and otherwise invade hacked servers). Here is a summary of my experience in the configuration process, I hope to help.

The permissions settings for the IIS Web Server are two places, one is the permission settings for the NTFS file system itself, and the other is the site-> site-> Properties-> the home directory (or the site below directory-> Properties-> directory) panel under IIS. These two places are closely related. Here is an example of how to set permissions.

The site-> site-> Properties-> the home directory (or the following directory-> properties-> directory) panel under IIS are:

Scripting resource access
Read
Write
Browse
Record access
Index Resources
6 options. Of these 6 options, "Record Access" and "Index resources" are not related to security, and are generally set. However, if none of the previous four permissions are set, these two permissions are not required. When you set permissions, remember this rule, and the following example no longer specifically describes the settings for these two permissions.

In addition, below the 6 options, the Execute permission Drop-down list also has the following:

No
Pure Script
Pure scripts and executable programs
3 options.

and the Site directory if in the NTFS partition (recommended this), you also need to set the appropriate permissions on the NTFS partition of this directory, many places are introduced to set everyone's permissions, in fact, this is not good, in fact, as long as the Internet Guest account set up (IUSR_ XXXXXXX) or the IIS_WPG group's account permissions are OK. If you set the ASP, PHP program directory permissions, then set the Internet Guest account permissions, and for the ASP.net program, you need to set the IIS_WPG group account permissions. When you refer to NTFS permission settings, it is stated explicitly that the permissions on the IIS properties panel are not explicitly stated.

Example 1--asp, PHP, asp.net program directory permissions settings:
If these programs are to be executed, you need to set the Read permission and set execution permissions to "pure script." Do not set write and script resource access, and do not set execute permissions to "scripts and executable programs." Do not set write and modify permissions for IIS_WPG user groups and Internet Guest accounts in NTFS permissions. If you have a special profile (and the configuration file itself is an ASP, PHP program), you need to configure the Write permissions for the Internet Guest account in NTFS permissions for these specific files (the ASP.net program is the IIS_WPG group) instead of configuring write in the IIS properties panel Permissions.

The "write" permission in the IIS panel is actually the processing of the HTTP put instruction, which is not normally open for ordinary Web sites.

Script resource access in the IIS panel is not a permission to execute a script, but a permission to access the source code, which is very dangerous if you open the Write permission at the same time.

The "Script and executable" permission in the Execute permission can execute any program, including EXE executable program, if the directory also has "write" permission, then it is very easy to upload and execute Trojan horse program.

For a directory of ASP.net programs, many people like to set up Web sharing in the file system, which is actually not necessary. You only need to ensure that the directory is an application in IIS. If your directory is not an application directory in IIS, you can simply create the application Settings section point in its Properties-> directory panel. Web sharing gives it more permissions and can cause insecurity.

Summary: That is to say generally do not open-home directory-(write), (script resource access) and do not select (scripts and executable programs), select (Pure script) on it. Applications that need to be asp.net if the application directory is more than one program can be on the application folder ( Properties)-Directory-point creation on it. Do not make Web shares available in folders.

Example 2--permission settings for uploading directories:
The user's website may set up one or several directories to allow uploading files, the way to upload is generally through ASP, PHP, asp.net and other programs to complete. At this point, we must be aware that the upload directory to the implementation of permissions set to "None", so even upload the ASP, PHP and other script programs or EXE program, also will not trigger the implementation in the user's browser.

Also, do not open the Write permission for the upload directory if the user is not required to upload with the put command. Instead, set the Write permissions for the Internet Guest account in NTFS permissions (the asp.net program's upload directory is the IIS_WPG group).

If you download the contents of the file and then forward it to the user through the program, you do not even have to set the Read permission. This ensures that the files uploaded by the user can only be downloaded by the authorized user in the program. Rather than a user who knows where the file resides is downloaded. Do not open the "browse" right, unless you want users to be able to browse your upload directory and choose what they want to download.

Summary: A general number of asp.php and other programs have an upload directory. For example, a forum. They inherit the above attributes to run the script. We should set these directories to a new property. Change (Pure script) to (none).

Example 3--access the permissions settings for the directory where the database resides:
Many IIS users often use a method of renaming an Access database (either an ASP or an ASPX suffix, etc.) or outside the publishing directory to prevent viewers from downloading their access databases. In fact, this is not necessary. In fact, you just need to remove the "read" and "write" permissions from the directory in which access is located (or the file) to prevent people from downloading or tampering with it. You don't have to worry that your program will not be able to read and write to your Access database. Your program needs the permissions of the Internet Guest account or IIS_WPG group account on NTFS, and you can make sure your program runs correctly by simply setting the user's permissions to readable and writable.

Summary: The permissions of the Internet Guest account or the IIS_WPG group account are readable and writable. Then access to the directory (or the file) where the "read" and "write" permissions are removed can prevent people from downloading or tampering with the

Example 4--permission settings for other directories:
Your site may also have a pure picture directory, pure HTML template directory, pure client JS file directory or style table directory, and so on, these directories only need to set the "read" permission, the executive authority set to "none" can be. No other permissions need to be set.

The above examples already contain most of the cases of permission settings, as long as you have mastered the rationale of the settings, it is easy to complete the other circumstances of the permission settings.