Improve the security of the FSO under Windows Server 2003

FSO (http://www.aliyun.com/zixun/aggregation/19352.html ">filesystemobject") is a Microsoft ASP's control on file manipulation, which can read to the server, create a new , modify, delete directories, and file operations. is a very useful control in ASP programming. However, because of the issue of permissions control, many virtual host Server FSO has become a public backdoor of this server, because customers can be in their own ASP Web page directly to the control program, thus controlling the server or even delete files on the server. So many of the industry's virtual hosting providers simply shut down the control, giving customers a lot less flexibility.

ASP provides a powerful access to the file system, you can read, write, copy, delete, rename and so on any file on the server hard disk, which poses a great threat to the safety of the school website. Now many campus hosts have been subjected to the FSO Trojan intrusion. But after disabling the FSO component, the result is that all ASP programs that utilize this component will not be able to run and meet the needs of the customer. How can you allow both the FileSystemObject component and the security of the server (that is, you cannot use this component to read and write to other people's files)?

How to remove the FSO upload program is less than 200k limit?

First turn off the IIS Admin service in the service and find the metabase in the Windows\system32\inesrv directory. XML and opens, finds the aspmaxrequestentityallowed, and modifies it to the desired value. The default is 204800, 200K, modify it to 51200000 (50M), and then restart the IIS Admin service.

ASP provides a powerful access to the file system, you can read, write, copy, delete, rename and so on any file on the server hard disk, which poses a great threat to the safety of the school website. Now many campus hosts have been subjected to the FSO Trojan intrusion. But after disabling the FSO component, the result is that all ASP programs that utilize this component will not be able to run and meet the needs of the customer. How can you allow both the FileSystemObject component and the security of the server (that is, you cannot use this component to read and write to other people's files)? The following is the experience of the author for many years:

The first step is different from the Windows 2000 settings key: Right-click C disk, click "Sharing and Security", in the dialog box, select the "Security" tab, the Everyone, Users group Delete, delete if your site even ASP program can not run, please add Iis_ WPG Group (Figure 1) and restart the computer.

After this design, FSO Trojan can no longer run. If you are setting up a more secure level, set up each partition separately and set different anonymous access users for each site. Here is an example to introduce (suppose your host on e disk ABC folder under the Abccom site):

1 Open "Computer Management → Local Users and groups → users", create an ABC user, set a password, and remove the check mark before "User must change password at next logon", select "User Cannot Change password" and "Password Never Expires", and set the user to belong to guests group.

2 Right-click E:ABC, select the "Properties → security" tab, you can see that the default security settings for this folder is "Everyone" Full Control (depending on the content displayed in different circumstances is not exactly the same), remove Everyone's Full control (if not deleted, click the [Advanced] button, the " Allow inheritable permissions on the parent to propagate "the front check is removed and all is removed, adding administrators and ABC users all security permissions to the directory on this site."

3 Open IIS Manager, right-click abccom host name, in the pop-up menu, select the "Properties → directory Security" tab, click on authentication and access control [edit], pop-up Figure 2 dialog box, anonymous Access user default is "IUSR_ Machine name", click [Browse], in the "Select User" In the dialog box, locate the ABC account you created earlier, and then repeat the password after you confirm it.

This setting allows users visiting the site to access the E:abc folder's site anonymously as an ABC account, because the ABC account only has security permissions on the folder, so he can only use the FSO under this folder.