Security Settings for IIS permission settings

Source: Internet
Author: User

Many people now run Apache on their servers. Although Apache has a better reputation than IIS, plenty of people still use IIS as their web server, because many webmasters started out with ASP and only later moved on to PHP, JSP and so on.
Haitian has been building a CMS website over the past few days but did not know which core to use. After searching online, jtbc's program seemed to be highly extensible, so he decided to use it. However, it is not practical to keep uploading files to the server for testing, so he installed and configured IIS in an XP environment for local testing.

Haitian had done simple IIS setups before, but never really understood what each option is for. After running into a folder permission problem with this setup, he found a good article online and learned a lot about the security-related settings. For example, granting "write" on the folder where the website is located (in NTFS) is not the same as enabling "write" in the IIS control panel: the latter can be exploited directly by attackers. Permission settings clearly matter a great deal.

IIS web server permissions are set in two places: the NTFS file system permissions of the folders, and the IIS panel reached through the website -> site -> Properties -> Home Directory tab (or, for a directory under the site, Properties -> Directory tab).

The Home Directory (or Directory) panel has six options: Script resource access, Read, Write, Browse, Record access, and Index resource. Of the six, "Record access" and "Index resource" have little to do with security and can be left set. However, if none of the first four permissions is set, these two are not needed either. Remember this rule when setting permissions; the two are not discussed further in the examples below.
Below the six options is the Execute permissions drop-down list with three choices: None, Pure script, and Pure script and executable program.

Most website directories today sit on an NTFS partition, so the corresponding NTFS permissions must be set on the folder. Many guides describe controlling access by setting permissions for Everyone; this is actually not a good practice. You only need to set permissions for the Internet Guest Account (IUSR_xxxxxxx) or the IIS_WPG group. For directories holding ASP and PHP programs, set permissions for the Internet Guest Account only; for ASP.NET programs, set permissions for the IIS_WPG group.

Some people will find that there is no "Security" tab in Windows XP. Open My Computer -> Tools -> Folder Options -> View and untick "Use simple file sharing (Recommended)"; the tab will then appear.

Permission settings for the directory where ASP, PHP, and ASP.NET programs are located:
If the programs are to be executed, set the "Read" permission and set the Execute permission below to "Pure script". Do not set "Write" or "Script resource access", and do not set the Execute permission to "Pure script and executable program".
On the folder itself, do not grant Write or Modify to the IIS_WPG group or the Internet Guest Account. If certain special configuration files (which are themselves ASP or PHP programs) need to be deleted by the site, grant the NTFS write permission to the Internet Guest Account (the IIS_WPG group for ASP.NET programs) instead; do not enable "Write" in the IIS property panel.
The "Write" permission in the IIS settings panel actually controls handling of the HTTP PUT command. For ordinary websites this permission is generally not enabled.
"Script resource access" in the IIS panel is not the permission to execute scripts but the permission to access their source code. Combined with "Write" it is very dangerous: the source code of the website can be modified or deleted directly.
Under Execute permissions, "Pure script and executable program" means any program can be executed, including EXE executables. If the directory also has "Write", attackers can easily upload and run a Trojan.
For directories holding ASP.NET programs, many people like to set Web Sharing on the folder in the file system. This is not necessary; it is enough that the directory is an application in IIS. If it is not yet an application, simply create the application in its Properties -> Directory panel. Web Sharing grants more permissions than needed and can introduce insecurity.
Summary: In the IIS control panel, do not enable "Write" or "Script resource access" on the home directory, and choose "Pure script" rather than "Pure script and executable program". For ASP.NET applications, if the site directory contains more than one application, create each one from its folder's Properties -> Directory -> Create. Do not select Web Sharing on folders.

Upload directory permission settings:
A website may have one or more directories that accept file uploads, usually handled by ASP, PHP, ASP.NET or similar programs. In this case, set the Execute permission of the upload directory (in the IIS control panel) to "None", so that even if an attacker uploads an ASP or PHP script or an EXE program, it cannot be triggered from a browser.
Likewise, unless uploads use the PUT command, do not enable "Write" for the upload directory in the control panel. Grant write permission in the directory's NTFS permissions to the Internet Guest Account (the IIS_WPG group for an ASP.NET program's upload directory) instead.
If downloads are read by a website program and then sent on to the user, do not set "Read" in the IIS control panel. This ensures that uploaded files can only be downloaded by users the website program authorizes, not by anyone who knows the storage directory. Do not enable "Browse" unless you actually want users to browse the upload directory and pick what to download.
Summary: Some ASP and PHP programs, forums for example, have an upload directory that inherits the attributes above and can therefore run scripts. Reset the attributes of these directories and change the Execute permission from "Pure script" to "None".

Permission settings for the directory where the ACCESS database is located:
Many IIS users rename the ACCESS database's MDB suffix (to ASP or ASPX) or place it outside the publishing directory to stop visitors from downloading it. This is not necessary: simply clear the "Read" and "Write" permissions in the IIS control panel for the directory (or file) where the database is located to prevent downloading or tampering.
Do not worry that with this setting the website program will no longer be able to read and write the ACCESS database. The website program accesses it with the NTFS permissions of the Internet Guest Account or IIS_WPG group, so setting those accounts to read and write is enough for the program to run correctly.
Summary: In NTFS, give the Internet Guest Account or IIS_WPG group read and write permission; in the IIS control panel, remove "Read" and "Write" from the directory (or file) where the database is located to prevent downloading or tampering.

Permission settings for other directories:
Your website may contain directories holding only images, HTML templates, client-side JS files, or style sheets. For these, set only "Read" in the IIS control panel and set the Execute permission to "None". No other permissions are needed.
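The rules from the program, upload, database and static directory sections above can be checked mechanically. The following audit script is an added example, not part of the original article: it assumes the IIS 6 MetaBase.xml layout, where each web directory carries an AccessFlags attribute (AccessRead, AccessWrite, AccessScript for "Pure script", AccessExecute for "Pure script and executable program", AccessSource for "Script resource access"), and uses a constructed sample rather than a real server's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6 MetaBase.xml (not from any real server).
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript" />
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/upload" AccessFlags="AccessRead | AccessScript | AccessWrite" />
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/data" AccessFlags="AccessRead" />
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/cgi" AccessFlags="AccessRead | AccessScript | AccessExecute | AccessSource | AccessWrite" />
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/images" AccessFlags="AccessRead" />
</MBProperty>
</configuration>"""


def parse_access_flags(xml_text):
    """Return {metabase location: set of AccessFlags} for every web directory node."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        if tag in ("IIsWebVirtualDir", "IIsWebDirectory"):
            flags = {f.strip() for f in el.get("AccessFlags", "").split("|") if f.strip()}
            out[el.get("Location")] = flags
    return out


def audit(dirs, upload_dirs=(), db_dirs=()):
    """Apply the article's rules; returns a sorted list of (location, finding)."""
    findings = []
    for loc, f in dirs.items():
        write, src = "AccessWrite" in f, "AccessSource" in f
        runs = f & {"AccessScript", "AccessExecute"}  # any execute permission
        if write and runs:
            findings.append((loc, "write + execute: an uploaded script/EXE can be run"))
        if write and src:
            findings.append((loc, "write + script resource access: site source can be changed"))
        if "AccessExecute" in f:
            findings.append((loc, "'Pure script and executable program' set; use 'Pure script'"))
        if write and not (runs or src):
            findings.append((loc, "HTTP PUT (write) enabled; rarely needed"))
        if loc in upload_dirs and runs:
            findings.append((loc, "upload directory must have execute permission 'None'"))
        if loc in db_dirs and f & {"AccessRead", "AccessWrite"}:
            findings.append((loc, "database directory exposes the MDB to download/tampering"))
    return sorted(findings)


if __name__ == "__main__":
    for loc, msg in audit(parse_access_flags(SAMPLE_METABASE),
                          upload_dirs={"/LM/W3SVC/1/ROOT/upload"},
                          db_dirs={"/LM/W3SVC/1/ROOT/data"}):
        print(loc, "->", msg)
```

The upload and database locations are supplied by the caller because the metabase itself does not record which directories play those roles.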

In short, Haitian's understanding is that the IIS control panel sets what a visitor may do from the browser, while the NTFS folder permissions set what the website program needs in order to run.
There are other settings to pay attention to; if you know them, share them so that more people care about website security.
By the way, who else knows jtbc well? Please get in touch with Haitian if you have questions.
