Http://bbs.dvbbs.net/dispbbs.asp? Boardid = 134 & replyid = 1691297 & id = 1091417 & page = 1 & Skin = 0 & star = 8
ASP provides powerful file system access capabilities to read, write, copy, delete, and rename any files on the server's hard disk, this poses a huge threat to the safety of school websites. At present, many campus hosts have been intruded by FSO Trojans. However, after the FSO component is disabled, all ASP Program It cannot run and meet the customer's needs. How can we allow the FileSystemObject component without affecting the security of the server (that is, users on different virtual hosts cannot use this component to read or write files from other users )? The following are my experiences over the years:
The first step is different from the key of Windows 2000 settings: Right-click drive C, click share and security, select the Security tab in the displayed dialog box, and delete the everyone and users groups, after deletion, if your website cannot even run ASP programs, add the iis_wpg group and restart your computer.
After this design, the FSO Trojan is no longer running. If you want to set the security level, perform the preceding settings for each disk partition and set different Anonymous Access Users for each site. The following example is used to describe the website abc.com In the ABC folder of the elastic drive on your host ):
1. open "Computer Management → local users and groups → users", create an ABC user, set the password, and remove the check mark before "the user must change the password next time, select "user cannot change password" and "Password Never Expires", and set the user to belong to the guests group.
2. right-click E: ABC and select the "Properties> Security" tab, at this point, we can see that the default security settings for this folder are "everyone" with full control (the content displayed varies according to different situations), and the full control of everyone is deleted (if it cannot be deleted, click the [advanced] button to remove the check mark before "allow propagation of inherited permissions of the parent item" and delete all), and add all the security permissions of administrators and ABC users to the directory of this website.
3. open the IIS manager, right-click the abc.com host name, select the "Properties> Directory Security" tab in the pop-up menu, and click [edit] for identity authentication and access control. The dialog box shown in Figure 2 is displayed, by default, the anonymous user accesses "IUSR _ machine name". Click [browse]. In the "Select User" dialog box, find the ABC account created earlier, and enter the password again.
After this setting, the user accessing the website will access the site of the E: ABC folder anonymously as the ABC account, because the ABC account only has the security permission for this folder, so he can only use fso in this folder.
FAQs:
How can I remove the limit that the FSO upload program is less than K?
Disable the IIS Admin Service in the service, locate metabase. XML in the windows \ system32 \ inesrv directory, open it, find aspmaxrequestentityallowed, and change it to the desired value. The default value is 204800, that is, 200 K. Change it to 51200000 (50 m) and restart the IIS Admin Service.
ASP provides powerful file system access capabilities to read, write, copy, delete, and rename any files on the server's hard disk, this poses a huge threat to the safety of school websites. At present, many campus hosts have been intruded by FSO Trojans. However, after the FSO component is disabled, the consequence is that all ASP programs that use this component cannot run and cannot meet the customer's needs. How can we allow the FileSystemObject component without affecting the security of the server (that is, users on different virtual hosts cannot use this component to read or write files from other users )? The following are my experiences over the years:
The first step is different from the key of Windows 2000 settings: Right-click drive C, click share and security, select the Security tab in the displayed dialog box, and delete the everyone and users groups, after deletion, if your website cannot even run ASP programs, add the iis_wpg group and restart your computer.
After this design, the FSO Trojan is no longer running. If you want to set the security level, perform the preceding settings for each disk partition and set different Anonymous Access Users for each site. The following example is used to describe the website abc.com In the ABC folder of the elastic drive on your host ):
1. open "Computer Management → local users and groups → users", create an ABC user, set the password, and remove the check mark before "the user must change the password next time, select "user cannot change password" and "Password Never Expires", and set the user to belong to the guests group.
2. right-click E: ABC and select the "Properties> Security" tab, at this point, we can see that the default security settings for this folder are "everyone" with full control (the content displayed varies according to different situations), and the full control of everyone is deleted (if it cannot be deleted, click the [advanced] button to remove the check mark before "allow propagation of inherited permissions of the parent item" and delete all), and add all the security permissions of administrators and ABC users to the directory of this website.
3. open the IIS manager, right-click the abc.com host name, select the "Properties> Directory Security" tab in the pop-up menu, and click [edit] for identity authentication and access control. The dialog box shown in Figure 2 is displayed, by default, the anonymous user accesses "IUSR _ machine name". Click [browse]. In the "Select User" dialog box, find the ABC account created earlier, and enter the password again.
After this setting, the user accessing the website will access the site of the E: ABC folder anonymously as the ABC account, because the ABC account only has the security permission for this folder, so he can only use fso in this folder.
FAQs:
How can I remove the limit that the FSO upload program is less than K?
disable the IIS Admin Service in the service, locate metabase. XML in the windows \ system32 \ inesrv directory, open metabase. XML, find aspmaxrequestentityallowed, and change it to the required value. The default value is 204800, that is, 200 K. Change it to 51200000 (50 m) and restart the IIS Admin Service.