Windows IIS Permissions Classic Setup Tutorial _win server

Objective
According to the latest hacker attack method, it is easy to be hacked if you open Write permission on the site properties of IIS. and generally when we use, ask everyone to open the site folder "write" permission, many users think it is in IIS open, this is wrong, the result is to let hackers use write permission to upload arbitrary files. Write permissions in IIS must be turned off! Such settings already ensure that the database is updatable, can generate HTML, and can refresh all normal operations such as JS files.

Let's get down to business.
Although Apache's reputation may be better than IIS, I believe that there must be a lot of people using IIS as a WEB server. To be honest, I think IIS is pretty good, especially with Windows 2003 IIS 6, which is pretty good in performance and stability. But I find that many people who use IIS are less likely to set the Web server's permissions, so it's no surprise that a vulnerability is hacked out. But we should not attribute this to the insecurity of IIS. If you have the right permissions for each directory on your site, the chances of a vulnerability being hacked are small (except for WEB applications that have problems and otherwise invade hacked servers).
The following is a summary of some of the experience in the configuration process, I hope to help.
(originally wanted to add picture description, busy one night, not added, this is very important, careful to do the boat!) ）
The permissions settings for the IIS Web Server are two places, one is the permission settings for the NTFS file system itself, and the other is the site-> site-> Properties-> the home directory (or the site below directory-> Properties-> directory) panel under IIS. These two places are closely related. Below I'll explain how to set permissions as an example.

The site-> site-> Properties-> the home directory (or the following directory-> properties-> directory) panel under IIS are:
Scripting resource access
Read
Write
Browse
Record access
Index Resources
6 options. Of these 6 options, "Record Access" and "Index resources" are not related to security, and are generally set. However, if none of the previous four permissions are set, these two permissions are not required. When you set permissions, remember this rule, and the following example no longer specifically describes the settings for these two permissions.
In addition, below the 6 options, the Execute permission Drop-down list also has the following:
No
Pure Script
Pure scripts and executable programs
3 options.
and the Site directory if in the NTFS partition (recommended this), you also need to set the appropriate permissions on the NTFS partition of this directory, many places are introduced to set everyone's permissions, in fact, this is not good, in fact, as long as the Internet Guest account set up (IUSR_ XXXXXXX) or the IIS_WPG group's account permissions are OK. If you set the ASP, PHP program directory permissions, then set the Internet Guest account permissions, and for the ASP.net program, you need to set the IIS_WPG group account permissions. When you refer to NTFS permission settings, it is stated explicitly that the permissions on the IIS properties panel are not explicitly stated.

The following example is very exciting! You can respond to such a good thing!

The following items need to be answered to see
Example 1--asp, PHP, asp.net program directory permissions settings:
If these programs are to be executed, you need to set the Read permission and set execution permissions to "pure script." Do not set write and script resource access, and do not set execute permissions to "scripts and executable programs." Do not set write and modify permissions for IIS_WPG user groups and Internet Guest accounts in NTFS permissions. If you have a special profile (and the configuration file itself is an ASP, PHP program), you need to configure the Write permissions for the Internet Guest account in NTFS permissions for these specific files (the ASP.net program is the IIS_WPG group) instead of configuring write in the IIS properties panel Permissions.
The "write" permission in the IIS panel is actually the processing of the HTTP put instruction, which is not normally open for ordinary Web sites.
Script resource access in the IIS panel is not a permission to execute a script, but a permission to access the source code, which is very dangerous if you open the Write permission at the same time.
The "Script and executable" permission in the Execute permission can execute any program, including EXE executable program, if the directory also has "write" permission, then it is very easy to upload and execute Trojan horse program.
For a directory of ASP.net programs, many people like to set up Web sharing in the file system, which is actually not necessary. You only need to ensure that the directory is an application in IIS. If your directory is not an application directory in IIS, you can simply create the application Settings section point in its Properties-> directory panel. Web sharing gives it more permissions and can cause insecurity.
Warm tip: That is, generally do not open-home directory-(write), (script resource access) These two and do not select (Pure script and executable program), select (Pure script) on it. Applications that need to be asp.net if the application directory is more than one program can be created on the Application Folder (properties)-Directory-point creation. Do not make Web sharing a folder.
Example 2--permission settings for uploading directories:
The user's website may set up one or several directories to allow uploading files, the way to upload is generally through ASP, PHP, asp.net and other programs to complete. At this point, we must be aware that the upload directory to the implementation of permissions set to "None", so even upload the ASP, PHP and other script programs or EXE program, also will not trigger the implementation in the user's browser.
Also, do not open the Write permission for the upload directory if the user is not required to upload with the put command. Instead, set the Write permissions for the Internet Guest account in NTFS permissions (the asp.net program's upload directory is the IIS_WPG group).
If you download the contents of the file and then forward it to the user through the program, you do not even have to set the Read permission. This ensures that the files uploaded by the user can only be downloaded by the authorized user in the program. Rather than a user who knows where the file resides is downloaded. Do not open the "browse" right, unless you want users to be able to browse your upload directory and choose what they want to download.
Warm tip: General some asp.php and other programs have an upload directory. For example, the forum, they inherit the above attributes can run the script, we should have these directories from a new set of properties, (pure script) to (none).
Example 3--access the permissions settings for the directory where the database resides:
Many IIS users often use a method of renaming an Access database (either an ASP or an ASPX suffix, etc.) or outside the publishing directory to prevent viewers from downloading their access databases. In fact, this is not necessary. In fact, you just need to remove the "read" and "write" permissions from the directory in which access is located (or the file) to prevent people from downloading or tampering with it. You don't have to worry that your program will not be able to read and write to your Access database. Your program needs the permissions of the Internet Guest account or IIS_WPG group account on NTFS, and you can make sure your program runs correctly by simply setting the user's permissions to readable and writable.
Warm tip: Internet Guest Account or IIS_WPG group account permissions can be read and write. Then access to the directory (or the file) of the "read" and "write" permissions are removed to prevent people from downloading or tampering.
Example 4--permission settings for other directories:
Your site may also have a pure picture directory, pure HTML template directory, pure client JS file directory or style table directory, and so on, these directories only need to set the "read" permission, the executive authority set to "none" can be. No other permissions need to be set.