If we create a user for each site and grant that user permission to access only that site, access can be controlled at the level of each site's folder, and the bypass problem is solved.
I. What are the benefits of such configuration?
Have you heard of this? Here is a simple explanation: someone wants to hack site A but cannot find any exploitable vulnerability in it. By chance, they find that another site, B, is hosted on the same server as site A, and site B does have an exploitable vulnerability, so they upload a Trojan horse to the server through site B. If the server permissions are improperly configured, they can now hack all the sites on the server! If we create a user for each site and grant that user permission to access only that site, access can be controlled at the level of each site's folder, and the bypass problem is solved.
II. Preparations
1. Running environment: Win2K server version + IIS 5.0
2. File system: every partition uses NTFS
3. Site folders: create two folders, web001 and web002, on the E: drive.
4. Create the sites. In IIS, create two sites, web001 and web002. The site folders are E:\web001 and E:\web002 respectively. Both use the IP address 192.168.0.146; the ports are 101 and 102 respectively.
In IE, enter http://192.168.0.146:101 and http://192.168.0.146:102 to test whether the two sites have been set up successfully.
III. Configuration process
1. Create user groups and users
Create a user group named webs. All future site users will belong to this group so that permissions can be assigned to them together.
Create a user web01, select "Password never expires" (otherwise, "HTTP 401.1-Unauthorized: logon failed" will appear), and make it a member of the webs group only. Create a user web02 in the same way.
2. NTFS permission settings for each partition
Open the Security tab of each partition, grant administrator and system full control of the partition, and deny the webs group full control.
3. Website folder NTFS permission settings
Open the properties window of the E:\web01 folder, select the Security tab, and first clear the check box for "Allow inheritable permissions from parent to propagate to this object". In the dialog box that appears, choose to delete the inherited permissions.
Finally, make sure that administrator, system, and web01 have full control of the folder.
Set up the E:\web02 folder in the same way.
4. Set anonymous users for each site
Open the properties of the web01 site in IIS, select Directory Security → Anonymous access and authentication control → Edit, and clear the check box for "Integrated Windows authentication". Then edit the account used for anonymous access and set it to web01. (The same applies to the web02 site.)
IV. Test
Put the "webmaster assistant" tool written by veterans in the web02 site for testing. The test shows that only the site's own files can be viewed; other partitions cannot be accessed.
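
The result of this test can be reasoned through with a simplified model of how NTFS evaluates the ACLs set in steps 2 and 3. This is an added example, not part of the original article and not real Win32 code. Assumptions: the site folders are E:\web001 and E:\web002 as in the Preparations section, the file names are constructed, and the "shared" state (one anonymous account, `anon_shared`, with a permissive ACL inherited from the drive root) is a hypothetical "before" configuration.

```python
import ntpath

ADMINS = [("allow", "Administrators"), ("allow", "SYSTEM")]
GROUPS = {"web01": ["webs"], "web02": ["webs"], "anon_shared": []}

def can_access(user, path, acls):
    """Simplified NTFS check: nearest ACL first, deny before allow, default deny."""
    sids = {user, "Everyone", *GROUPS[user]}
    cur = path
    while True:
        entry = acls.get(cur, {})
        for kind in ("deny", "allow"):
            if any(k == kind and who in sids for k, who in entry.get("aces", [])):
                return kind == "allow"
        parent = ntpath.dirname(cur)
        # A protected folder (inheritance removed) ignores its parents' ACEs;
        # reaching the drive root without a match means implicit deny.
        if entry.get("protected") or parent == cur:
            return False
        cur = parent

def hardened():
    """ACLs from steps 2 and 3: webs denied on each partition, one user per site folder."""
    acls = {d: {"aces": ADMINS + [("deny", "webs")]} for d in ("C:\\", "E:\\")}
    acls["E:\\web001"] = {"protected": True, "aces": ADMINS + [("allow", "web01")]}
    acls["E:\\web002"] = {"protected": True, "aces": ADMINS + [("allow", "web02")]}
    return acls

def shared():
    """Assumed 'before' state: permissive root ACLs inherited by every folder."""
    return {d: {"aces": [("allow", "Everyone")]} for d in ("C:\\", "E:\\")}

# Constructed sample paths: a system file and one script per site.
TARGETS = ["C:\\boot.ini", "E:\\web001\\conn.asp", "E:\\web002\\conn.asp"]

def reachable(user, acls):
    """Paths a script running as `user` could open under the given ACLs."""
    return [p for p in TARGETS if can_access(user, p, acls)]

if __name__ == "__main__":
    print("shared   anon_shared:", reachable("anon_shared", shared()))
    print("hardened web02      :", reachable("web02", hardened()))
    print("hardened web01      :", reachable("web01", hardened()))
```

In the hardened layout, a script running in the web02 site can reach only E:\web002, which matches the test result described above.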