Win2008 R2 WEB Server Security Settings Guide folder permissions setting tips _win Server

Increase the security of your site by controlling folder permissions.

This permission setting includes two aspects, one is the system directory, the disk character permissions, one is the application Upload folder permission settings.

System catalog

Make sure all the drive characters are formatted as NTFS, and if not, you can convert the command convert D:/FS:NTFS to NTFS format.

All disk roots give system and administrators permissions only, and other deletions.

Where the system disk will have a few hints, directly determined on it. Before you do this, your running environment software must be installed before you can do so. This may cause software installation errors, and Remember that all security settings must be completed after the software is installed .

Site Directory

Each Web site corresponds to a directory, plus IUSR and Iis_iusrs permissions for the site directory, only for the "List Folder Contents" and "read" permissions.

For example, I created a wwwroot directory in the D-packing directory and created a blog.postcha.com directory inside the directory where my Web site program is placed. Where wwwroot as long as the right to save D disk, and blog.postcha.com This directory, we need to add two additional permissions, namely IUSR and Iis_iusrs.

Wwwroot Permissions:

Site Directory Permissions:

The general website has uploads the file, the picture function, but the user uploads the file is not credible. So also to the upload directory for separate settings. The upload directory also needs to add "modify", "write" permission to the IIS_IUSRS group.

After the above set under a permission to execute, once the user uploaded a malicious file, our server has fallen, but we can not but to give, so we have to cooperate with IIS to set up again.

This setting is very handy in the IIS7 version. Open IIS Manager, find the site, select the upload directory, in the middle bar IIS Double-click Open "Handler mapping", and then select "Edit Feature Permissions", the "script" before the hook off on it.

OK, let's open the upload folder and see if it's a web.config.

The contents of the web.config are as follows:

<?xml version= "1.0" encoding= "UTF-8"?>
<configuration>
  <system.webServer>
    < Handlers accesspolicy= "Read"/>
  </system.webServer>
</configuration>

This means that all files (including those under all subfolders) in the upload directory will have read-only access. This allows users to upload malicious files, can not play a role.

The

Each Web site program has different features and settings. The least privilege is the maximum security.

Original works, allow reprint, reprint, please be sure to hyperlink form to indicate the original source of the article, author information and this statement. Otherwise, legal liability will be held.

Small series of cloud-dwelling communities supplement:

Prohibit script execution can refer to this article: http://www.jb51.net/article/86201.htm