Set permissions in IIS for security

Source: Internet
Author: User

Although Apache may have a better reputation than IIS, plenty of people run IIS as their web server, and IIS is a perfectly good choice, especially IIS 6 on Windows Server 2003 (IIS 7 in Longhorn Server is coming soon and should be better still); both its performance and its stability are good. What I do find is that many IIS administrators never set permissions on the web server at all, so it is not surprising when a site is compromised through some vulnerability. That is not IIS's fault. If each directory of the site is given the correct permissions, the chance of a flaw being exploited is small (leaving aside bugs in the web application itself and intrusion through other services on the server). What follows are some lessons I have collected while configuring IIS; I hope they help.

The permission settings of an IIS web server have two parts: the permissions of the NTFS file system, and the settings on the Home Directory tab of the site's Properties dialog in IIS (or the Directory tab of a directory's Properties dialog under the site). The two are closely related. The examples below show how to set both.

On the Home Directory tab of the site's Properties dialog (or the Directory tab of a directory's Properties dialog under the site) you can set six options:

  • Script source access
  • Read
  • Write
  • Directory browsing
  • Log visits
  • Index this resource

Of the six, "Log visits" and "Index this resource" have little to do with security and are usually left on. However, if none of the first four permissions is set, there is no point in setting these two either. Keep that rule in mind; these two options are not discussed further in the examples below.

Below the six options is the "Execute permissions" drop-down list, with three choices:

  • None
  • Scripts only
  • Scripts and Executables

If the website directory is on an NTFS partition (recommended), you must also set the corresponding permissions on the directory in NTFS. Many guides tell you to grant permissions to Everyone; that is bad practice. You only need to grant permissions to the Internet Guest Account (IUSR_machinename) or to the IIS_WPG group. For directories holding ASP and PHP programs, grant the Internet Guest Account; for ASP.NET programs, grant the IIS_WPG group. (The reason is that ASP and PHP run impersonating the anonymous user, whereas ASP.NET does not impersonate by default and runs as the application pool identity, which is a member of IIS_WPG.) In the rest of this article, NTFS permissions are always named explicitly as such; an unqualified permission name refers to the IIS property panel.

Example 1 -- permission settings for the directory where ASP, PHP, and ASP.NET programs are located:

If these programs are to execute, set "Read" and set the execute permission to "Scripts only". Do not set "Write" or "Script source access", and do not set the execute permission to "Scripts and Executables". In NTFS, do not grant Write or Modify to the IIS_WPG group or the Internet Guest Account. If there are configuration files that the program must update (and those configuration files are themselves ASP or PHP pages), grant NTFS write permission on those files to the Internet Guest Account (for ASP.NET programs, to the IIS_WPG group) rather than turning on "Write" in the IIS property panel.

"Write" in the IIS panel actually means accepting the HTTP PUT command. Ordinary websites generally leave it off.

"Script source access" in the IIS panel is not permission to execute scripts; it is permission to read the source code of scripts. Enabling it together with "Write" is very dangerous: the source can then be both read and replaced over HTTP.

Among the execute permissions, "Scripts and Executables" allows any program to run, including EXE files. If the directory also has "Write", it is easy for someone to upload a trojan and run it.

Many people like to turn the directory of an ASP.NET program into a Web Share in the file system (the Web Sharing tab of the folder's Properties). This is not necessary. What matters is that the directory is an application in IIS; if it is not yet an application, simply click "Create" under Application settings on its Properties -> Directory tab. Web Sharing grants more permissions than are needed and so introduces risk.

Example 2 -- upload directory permission settings:

You may have one or more directories on your site that accept file uploads, usually through an ASP, PHP, or ASP.NET program. In that case you must set the execute permission of the upload directory to "None", so that even if someone uploads an ASP or PHP script or an EXE program, requesting it from a browser will not execute it.

Likewise, unless uploads use the PUT command, do not turn on "Write" for the upload directory. Instead, grant NTFS write permission on it to the Internet Guest Account (for the upload directory of an ASP.NET program, the IIS_WPG group).

If downloads are served by a program that reads the file and streams its content to the user, do not set "Read" either. Then uploaded files can only be downloaded through the program by users it authorises, not by anyone who happens to know the storage path. Do not enable "Directory browsing" unless you really want users to browse the upload directory and pick what they download.

Example 3 -- permission settings for the directory where the Access database is located:

Many IIS users rename their Access database (to an .asp or .aspx extension) or move it outside the published directory to stop visitors from downloading it. This is not necessary. Simply remove "Read" and "Write" from the directory (or the file) holding the database, and it can be neither downloaded nor tampered with over HTTP. You need not worry that your program will no longer be able to read and write the database: the program accesses it through the NTFS permissions of the Internet Guest Account or the IIS_WPG group, so give those accounts NTFS read and write permission on the database and the program runs correctly. (Keeping the database outside the web root remains a reasonable extra layer of defence, but the IIS setting alone is what blocks the download.)

Example 4 -- permission settings for other directories:

Your site may also contain directories holding only images, only HTML templates, only client-side JavaScript files, or only style sheets. These need only "Read", with the execute permission set to "None". No other permission is needed.
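The four examples above amount to a small rule set over the IIS panel options. The script below, an added example that is not part of the original article, applies those rules to an excerpt of the IIS 6 configuration file (MetaBase.xml), where the panel options are stored in the AccessFlags attribute (AccessRead, AccessWrite, AccessSource, AccessScript, AccessExecute) and directory browsing in DirBrowseFlags (EnableDirBrowsing) of each IIsWebVirtualDir element. The metabase excerpt, the site layout, and the ROLES map saying what each directory is for are all constructed for illustration; the audit cannot infer a directory's role on its own, so an administrator would supply that map. It checks only the IIS half of the configuration; the NTFS grants to IUSR_machinename and IIS_WPG must still be reviewed separately.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml excerpt (not taken from a real server).
SAMPLE_METABASE = r"""<configuration>
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="example site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="D:\site\www"
    AccessFlags="AccessRead | AccessScript" DirBrowseFlags="DirBrowseShowDate" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload" Path="D:\site\upload"
    AccessFlags="AccessRead | AccessWrite | AccessScript | AccessExecute"
    DirBrowseFlags="DirBrowseShowDate | EnableDirBrowsing" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/data" Path="D:\site\data"
    AccessFlags="AccessRead" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/images" Path="D:\site\images"
    AccessFlags="AccessRead | AccessScript" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/admin" Path="D:\site\admin"
    AccessFlags="AccessRead | AccessWrite | AccessSource | AccessScript" />
</MBProperty>
</configuration>"""

# Constructed role map: the audit cannot tell what a directory is for,
# so the administrator states it (code, upload, database, static).
ROLES = {
    "/LM/W3SVC/1/ROOT": "code",
    "/LM/W3SVC/1/ROOT/upload": "upload",
    "/LM/W3SVC/1/ROOT/data": "database",
    "/LM/W3SVC/1/ROOT/images": "static",
    "/LM/W3SVC/1/ROOT/admin": "code",
}


def parse_flags(value):
    """Split a metabase flag list such as 'AccessRead | AccessScript' into a set."""
    return {f.strip() for f in value.split("|") if f.strip()}


def vdir_settings(xml_text):
    """Map each virtual directory to the panel check boxes and execute level."""
    root = ET.fromstring(xml_text)
    settings = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":  # tolerate an xmlns
            continue
        access = parse_flags(el.get("AccessFlags", ""))
        browse = parse_flags(el.get("DirBrowseFlags", ""))
        if "AccessExecute" in access:
            execute = "executables"   # "Scripts and Executables"
        elif "AccessScript" in access:
            execute = "scripts"       # "Scripts only"
        else:
            execute = "none"
        settings[el.get("Location")] = {
            "read": "AccessRead" in access,
            "write": "AccessWrite" in access,      # accepts HTTP PUT
            "source": "AccessSource" in access,    # "Script source access"
            "browse": "EnableDirBrowsing" in browse,
            "execute": execute,
        }
    return settings


def audit(settings, roles):
    """Return (location, message) pairs where the panel settings break the rules."""
    findings = []
    for loc, s in settings.items():
        role = roles.get(loc, "unknown")
        # Rules that apply to every directory.
        if s["write"]:
            findings.append((loc, "IIS 'Write' (HTTP PUT) is on; grant NTFS write to the worker account instead"))
        if s["write"] and s["source"]:
            findings.append((loc, "'Write' with 'Script source access': source can be read and replaced over HTTP"))
        if s["write"] and s["execute"] == "executables":
            findings.append((loc, "'Write' with 'Scripts and Executables': an uploaded EXE can be run"))
        # Rules that depend on what the directory is for.
        if role == "code":
            if not s["read"] or s["execute"] != "scripts":
                findings.append((loc, "code directory should be Read with execute 'Scripts only'"))
            if s["source"]:
                findings.append((loc, "code directory exposes script source"))
        elif role == "upload":
            if s["execute"] != "none":
                findings.append((loc, "upload directory must have execute permission 'None'"))
            if s["browse"]:
                findings.append((loc, "upload directory is browsable"))
            if s["read"]:
                findings.append((loc, "upload directory is readable by URL; turn Read off if a script serves downloads"))
        elif role == "database":
            if s["read"] or s["write"]:
                findings.append((loc, "database directory must have neither Read nor Write (the program uses NTFS access)"))
        elif role == "static":
            if not s["read"] or s["execute"] != "none":
                findings.append((loc, "static directory should be Read only with execute 'None'"))
    return findings


if __name__ == "__main__":
    for loc, msg in audit(vdir_settings(SAMPLE_METABASE), ROLES):
        print(f"{loc}: {msg}")
```

On the constructed excerpt the site root passes, while the upload directory (readable, writable, browsable, and set to "Scripts and Executables"), the database directory (readable), the images directory ("Scripts only" instead of "None"), and the admin directory ("Write" together with "Script source access") are all reported. To run it against a real IIS 6 server, read %SystemRoot%\system32\inetsrv\MetaBase.xml instead of the embedded string.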

The examples above cover the permission settings needed in most cases; for anything else you should be able to work out the right settings from these examples.
