Blocking Webshell privileges on the virtual host _ Server

Source: Internet
Author: User
Tags: inheritance, sql injection
1. To create a secure virtual host in an ASP+SQL environment, what we have to do is block the ASP Webshell, along with the threats from Serv-U and SQL injection.

2. On a default Windows host installation, a Webshell is very powerful. The Webshell functions we want to block are viewing system service information, executing CMD commands, and browsing the file directory. What we want to achieve is that each user can only access their own directory and can still use FSO and other ASP components. Here I take the Sea Trojan and Win2000 as an example to demonstrate for everyone. A lot of the information was collected online; thanks to its authors.

3. Now we set the Windows directory access permissions: on all partitions, only the two users Administrator and SYSTEM have ownership, and Everyone is deleted.
Specific steps: select the system disk (C: here) -> right-click -> Properties -> Security; add Administrator and SYSTEM with all permissions, and delete the Everyone user.
I have already set this up, so I will not repeat it; setting the permissions is very slow. For the specifics, see my instructions below.

4. Choose "Reset permissions on all child objects and allow propagation of inheritable permissions".
Specific steps: continuing from step 3 -> click Advanced -> tick "Reset permissions on all child objects and allow propagation of inheritable permissions" -> click Apply -> when asked whether to continue, select "Yes".
If a problem is reported, press the Continue button to continue.

5. Set the directories that Everyone can read (so that Perl, ASP and JMail can be executed).
[So that ASP can be used] Specific steps: enter the C:\Program Files directory, go to the Common Files directory, and give Everyone read, run, and list directory permissions.
C:\Program Files\Common Files holds some system files. If you install other components, such as mail, PHP and so on, set them up the same way.
Just that directory. The system went wrong here; setting the permissions is very slow.

6. Cancel inheritance. Purpose: so that users cannot exceed their authority to delete files, while ASP still works normally.
Specific steps: enter winnt\system32\ and select all directories except Inetsrv and certsrv (note: these two hold the DLLs that ASP uses).
Select Properties -> Security -> Advanced -> Permissions -> untick the option that allows inheritance from the parent -> choose Copy.

Enter the Winnt directory -> select all directories except Web, temp, tasks, system32, Offline Web Pages, IIS Temporary Compressed Files, Help, and Downloaded Program Files, and cancel inheritance the same way -> choose Copy.

Select Winnt -> set Security: add Everyone with read, run, and list directory permissions.

Enter Winnt -> open the Temp folder's Properties and set Security: give Everyone full control, then click Advanced, Edit, and remove the run permission.
The animation's broken, it's weird.
That basically completes the Windows 2000 directory permission settings; for the 2003 directory settings, see the bottom. This is how I set it up, with no problems; if there are problems, come and find me. It seems the permissions have not finished applying yet... finally done, I'm tired.
I can't see the D drive.

7. The animation just broke. Create a new user, leilei, set the password, set the password to never expire, and add him to the Guest user group. Then set up his virtual site in IIS. I use the default site and set up a virtual directory at e:\ Web Resources \bbsxp 5.12 official version]\bbsxp. Then click Properties -> Directory Security -> Edit, tick Anonymous access, and set the username and password. Then go to E:\ Web site Resources \bbsxp 5.12 Official version]\bbsxp and set the permissions to give leilei access rights. OK, that part is done: the user leilei can only access his own directory.
Next, delete the unused script mappings:
*.htr is a rather powerful file type; best to delete it. Otherwise, anyone can use your web for illegal operations, or even format your hard drive.
*.hta: delete it.
*.IDC: delete it as well.
*.printer is the printer file; get rid of it.
*.HTW, *.ida, *.idq are index files and can be removed.
In fact, keep only the useful ones, such as asp, asa, php, cgi, and delete all the others!!!
Let's take a look at the website.
How about that: the FSO works normally.

8. Sometimes ASP cannot be accessed, and the prompts are "The requested resource is in use" and "The remote procedure call failed and did not execute."
I ran into this and looked through posts online. Some say to uninstall Rising 2005 and then sync the IWAM account; for syncing the IWAM account, please see Http://www.gamepa.com/Announce/A ... id=8000&id=361. Some say ASP.NET does not have permission to execute, and some say that under 2003 you should add the IIS_WPG group and restart the computer. Anyway, I synchronized the IWAM account and it still was not fixed. I tinkered blindly for a long time, was about to restart the machine, and then found it was fine~. If you run into this problem and cannot fix it, you can post on my forum and we will study it together. Anyway, I am idle; I have been in front of the computer for half a year. At any time, if it is urgent, leave a message at the end; I have a sound alert.


9. Now we look at the Webshell one last time. First look at the effect of the directory permissions we just set: the effect is good. Now we block the Webshell's cmd. There are two kinds of cmd shell, Wscript.Shell and Shell.Application. For the basics of these two components, see this article:
Http://www.gamepa.com/Announce/A ... did=8000&id=395
There are two ways. The first is to set the permissions on C:\winnt\system32\cmd.exe (sorry, I had already deleted the cmd shells Wscript.Shell and shell.application; they are now registered again) so that it can only be accessed by the Administrator and SYSTEM users. At this point cmd cannot be used. But we usually upload a cmd of our own to use. Look at the demo: now it can be used again. I often meet this on other people's hosts too, but we still have a way: remove the run permission from E:\ Web resources \ Bbsxp 5.12 Official version of the]\bbsxp. Access denied. The shell reports a missing object, and the website's use of FSO is not affected. The other way is to completely delete Wscript.Shell and shell.application; the commands are regsvr32 /u wshom.ocx and regsvr32 /u Wshext.dll. We first restore the permissions. Still a missing object. Both ways are OK and have been tested by experiment. I prefer the second; anyway, it does not affect my use. Try the website again: no problem.

10. Block the Webshell's ability to view system processes: right-click My Computer -> Manage -> Services and Applications -> Services -> Workstation, double-click it, click Stop, and set it to Disabled. This service is the second from the end of the list.
Workstation (svchost.exe) is used to manage networks and supports networking and print/file sharing; disabling it does no harm. Reference articles:
Http://www.gamepa.com/Announce/A ... did=8000&id=400
Http://www.gamepa.com/Announce/A ... did=8000&id=402
Http://www.gamepa.com/Announce/A ... did=8000&id=403
"Error: Error Source:" This seems to be caused by deleting Wshom.ocx and Wshext.dll; never mind it, we continue. Right now the system processes and logged-in users can still be seen. Now we disable the service. After a restart, the processes will no longer be shown. Forget it, I will not restart; anyway, there will be no problem. Now I can't see anything anymore.

11. Block Serv-U and SQL. This part is also copied. Serv-U and SQL run with system permissions, that is, as the SYSTEM user; our goal is to turn them into User-level users so that they have no right to add an Administrator account. Here I use Serv-U for the demo: the FTP command "NET user Leilei3 Leilei3 /add" successfully added the LEILEI2 account (input method problem). I expect everyone knows about the Serv-U local privilege escalation vulnerability. The solution: first add a user with User permissions; I'm going to use the leilei3 user. Then right-click My Computer -> Manage -> Services and Applications -> Services -> Serv-U FTP Server -> Log On -> This account, replacing the default. Now it's OK; let's try whether Serv-U can still be used. Unable to start. Dizzy, it is a permissions problem again. Someone has made an animation of this, with no problem.
Animation download: Http://www.gamepa.com/Announce/A ... did=7890&id=355
That is the permissions set. SQL is set up the same way, but the permissions must be set up properly, because SQL needs to access a lot of directories and cannot be used without permission to operate on them. When changing SQL to run with User permissions, we recommend that you do not allocate directory permissions by the method I described above. Instead, use the Win2003 directory permission settings at the bottom as a reference and change the Windows directory permissions bit by bit, or give the User user more permissions. I do not use this and have not studied it either; as I said before, if a friend needs it, we can study it together.

12. After this setup the host is basically safe. If any experts can offer their views and point out what is still unsafe, it would be appreciated.
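
A read-only audit of the end state that steps 3, 9, 10 and 11 aim for, added here as an example and not part of the original article. It assumes a Windows host with PowerShell 3.0 or later and an elevated prompt; the 'Serv-U' display-name match and the MSSQLSERVER service name are assumptions about how those services are registered.

```powershell
# Added audit example, not the article's own code. Read-only: nothing is changed.
$findings = New-Object 'System.Collections.Generic.List[string]'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$everyone = 'S-1-1-0'                      # well-known SID: Everyone
$trusted  = 'S-1-5-32-544', 'S-1-5-18'     # Administrators, SYSTEM

function Get-AllowSid([string]$Path) {
    # Distinct SIDs holding an Allow ACE (explicit or inherited) on $Path.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# Step 3: Everyone should be gone from the root of every fixed partition.
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -eq 'Fixed' -and (Get-AllowSid $drive.Name) -contains $everyone) {
        $findings.Add("Step 3: Everyone still has an Allow entry on $($drive.Name)")
    }
}

# Step 9, first way: only Administrators and SYSTEM may access cmd.exe.
$cmd = Join-Path $env:SystemRoot 'System32\cmd.exe'
foreach ($sid in Get-AllowSid $cmd) {
    if ($trusted -notcontains $sid) { $findings.Add("Step 9: cmd.exe allows access to $sid") }
}

# Step 9, second way: the ProgIDs a Webshell instantiates should be unregistered.
foreach ($progId in 'WScript.Shell', 'Shell.Application') {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId") {
        $findings.Add("Step 9: COM ProgID $progId is still registered")
    }
}

# Step 10: the Workstation service (LanmanWorkstation) should be disabled.
$ws = Get-CimInstance Win32_Service -Filter "Name='LanmanWorkstation'"
if ($ws -and $ws.StartMode -ne 'Disabled') {
    $findings.Add("Step 10: Workstation start mode is $($ws.StartMode)")
}

# Step 11: Serv-U and SQL Server should not log on as LocalSystem.
# Assumption: display name starts with 'Serv-U'; MSSQLSERVER is the default SQL instance.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Serv-U%' OR Name='MSSQLSERVER'" |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object { $findings.Add("Step 11: $($_.Name) runs as LocalSystem") }

if ($findings.Count) { $findings } else { 'No deviations from steps 3, 9, 10 and 11 found.' }
```

The ProgID check looks at the registration itself rather than at which DLL was unregistered, so it reports whether each component can still be created by an ASP page.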
