Under the Home Directory tab of the IIS site properties, there is a setting that performs permissions. How should the site or directory execution permissions be set?
Execute permissions in IIS
The following three kinds of execution permissions are available in IIS:
1, no permissions
No permission means that a dynamic script cannot be executed. To be more clear is like ASP, PHP, ASP.net, JSP, etc. can not be executed, only HTML such as the page through IIS to access.
2, Pure Script
Server-side scripts like ASP, PHP, and JSP need to open script-only permissions.
3. Pure Scripts and applications
Executable files can be executed in addition to executing scripts. Have you ever encountered a page suffix that is a. dll? Often see Microsoft do so. This is the executable file that has an EXE or DLL.
Web site and directory settings Execute permissions
Understand that IIS three execution permissions can be set according to different circumstances, most of the Web sites are ASP (ASPX), PHP, JSP, and so written, and generally to open script execution permissions, but do not open the application permissions.
The above said the site's executive permission settings, below also have to say the directory execution permissions. A single directory can also set execution permissions that are not the same as the Web site. For example, we write a good site with PHP, I give the entire site "pure script" permissions. But the site below a upload directory, this directory is not a PHP program, so you can give a "none" permission.
In IIS, right-click the upload directory in the list on the left, select Properties, and set the "Execute Permissions" item to "None" in the Contents tab.
Setting the meaning of execution permissions
The
has important security implications for setting execution permissions. For the entire site, we give the executive authority is not too high (not for the convenience of all the site to set up a pure script and application), too high there will be security issues. Imagine a pure HTML site, you give it "no" permission, it inside any script, Trojan can not execute, security greatly improved.
and for some directories that do not have a program file (such as the upload mentioned earlier), it is absolutely impossible to give him scripts to run permissions, otherwise hackers can use the site's vulnerabilities to pass the Trojan into these directories, and can be executed, thereby implementing the destruction.
Maybe everyone should ask, he passed to upload inside can't run, then he can upload other directory ah, hacker is not stupid! Yes, to solve this problem, you need to know about NTFS permissions. Assuming that our entire site only upload directory is uploaded, you can write new files, other directories are program directory, once uploaded, will not change. Then we can set other directories as read-only, so that hackers cannot upload files to other directories. The result is that the upload can only be uploaded to upload, and uploaded to the upload can not be executed, so the site is secure
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
