Improve FSO security in WIN 2003

xiaoxiao, 2021-03-06

Article on improving FSO security in Win 2003. Source:

http://soft.yesky.com

The ASP FileSystemObject (FSO) component provides powerful file system access: it can read, write, copy, delete and rename any file on the server's hard disk, which poses a huge threat to the security of a school website. Many campus hosts have already been hit by FSO Trojans. But once the FSO component is disabled, every ASP program that depends on it stops working, and customer needs can no longer be met. How can the FileSystemObject component be allowed without affecting the security of the server (that is, so that different virtual-host users cannot use this component to read and write each other's files)? The following is the experience gained from many years of experimentation:

The first step is a key Windows 2000 setting: right-click the C drive, click "Sharing and Security", select the Security tab in the dialog box, and remove the Everyone and Users groups. If your websites can then no longer run, add the IIS_WPG group (Figure 1). Restart the computer.

After this setting, FSO Trojans can no longer run. For a safer configuration, treat every disk partition as above and assign a different anonymous access user to each site. The following example assumes the ABC.COM site is hosted in the ABC folder on the E drive:

1. Open "Computer Management → Local Users and Groups → Users", create the user ABC and set a password. Clear "User must change password at next logon", select "User cannot change password" and "Password never expires", and put the user in the Guests group.

2. Right-click E:\ABC and select Properties → Security tab. The folder's default security setting shows "Everyone" with Full Control (what is displayed depends on the situation). Remove Everyone's Full Control (if it cannot be removed, click the [Advanced] button, clear the "Allow inheritable permissions from the parent" checkbox, and delete all entries), then add Administrators and the ABC user with full permissions on this website directory.

3. Open IIS Manager, right-click the ABC.COM hostname, select "Properties → Directory Security" from the pop-up menu, and click [Edit] under Authentication and access control. In the dialog shown in Figure 2 the anonymous access user defaults to "IUSR_MachineName"; click [Browse], find the previously created ABC account in the Select User dialog box, enter its password and confirm.

After this configuration, users visiting the website access the E:\ABC folder anonymously as the ABC account. Because the ABC account has permissions only on this folder, it can use FSO only within it.
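The three steps above are clicked through in Computer Management, Explorer and IIS Manager. As an added example that is not part of the original article, the PowerShell below does the account and NTFS work for one site (steps 1 and 2) and adds an audit that a practitioner would want after step 3: it reports any identity outside the expected set that still has write rights on the site folder. It assumes a local (non-domain) server, the ADSI WinNT provider, Get-Acl/Set-Acl, and the article's ABC example names; the function names are the example's own.

```powershell
# Added example (not from the original article): scripted equivalent of steps 1-2
# for one site, plus an isolation check. Assumes a local server, the WinNT ADSI
# provider and Get-Acl/Set-Acl; names (ABC, E:\ABC) are the article's example.

function New-SiteAnonymousAccount {
    # Step 1: local user ABC in Guests only, password cannot change / never expires.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create("User", $Name)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $user.SetInfo()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $ADS_UF_PASSWD_CANT_CHANGE = 0x40        # "User cannot change password"
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000     # "Password never expires"
    $flags = [int]$user.UserFlags.Value -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $user.InvokeSet("UserFlags", $flags)
    $user.SetInfo()
    # Guests only: the article removed Users from the C drive ACL, so membership
    # in Users would quietly hand the site account access to the system drive again.
    $guests = [ADSI]"WinNT://./Guests,group"
    $guests.Add($user.Path)
    $users = [ADSI]"WinNT://./Users,group"
    if ($users.IsMember($user.Path)) { $users.Remove($user.Path) }
    return $user.Path
}

function Set-SiteFolderAcl {
    # Step 2: break inheritance, drop Everyone (and everything else), grant
    # Administrators and the site account Full Control on the site directory.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$SiteAccount
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # the Advanced dialog's inheritance checkbox
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                     # second pass: now only explicit ACEs remain
    foreach ($ace in @($acl.Access)) { [void]$acl.PurgeAccessRules($ace.IdentityReference) }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($who in @("BUILTIN\Administrators", "$env:COMPUTERNAME\$SiteAccount")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, $full, $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SiteIsolation {
    # Audit: every Allow ACE on $Path that grants write-type rights to an identity
    # not in $Allowed is a finding. An empty result means the folder is isolated.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$Allowed
    )
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]"Write, Delete, ChangePermissions, TakeOwnership"
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "$Path : $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
    return $findings
}

# Usage (run elevated on the web server):
# $pw = Read-Host "Password for ABC" -AsSecureString
# New-SiteAnonymousAccount -Name "ABC" -Password $pw
# Set-SiteFolderAcl -Path "E:\ABC" -SiteAccount "ABC"
# Test-SiteIsolation -Path "E:\ABC" -Allowed "BUILTIN\Administrators", "$env:COMPUTERNAME\ABC"
```

Run Test-SiteIsolation against every site folder with its own account in the allowed list; a finding on one site naming another site's account is exactly the cross-site FSO access the article is trying to prevent. Step 3 (binding the ABC account as the site's anonymous user) stays in IIS Manager as described; on IIS 6 the same values are the site's AnonymousUserName and AnonymousUserPass metabase properties, where the site id used in the path is an assumption you have to look up.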

Common problem:

How do I lift the 200K limit on FSO-based uploaders?

First stop the IIS Admin Service in Services, find MetaBase.xml under the Windows\System32\inetsrv directory and open it, locate AspMaxRequestEntityAllowed and change it to the required value. The default is 204800, i.e. 200K; change it to 51200000 (50M), then restart the IIS Admin Service.
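Hand-editing MetaBase.xml is easy to get wrong (the service must be stopped or IIS overwrites the file, and a bad value or missing attribute silently falls back to the default). As an added example that is not the article's own procedure, the PowerShell below performs the same edit with a backup, a read-back, and a positive-value check, and lets the limit be set at a narrower metabase location than the global one. It assumes the IIS 6 layout (IISADMIN service, %SystemRoot%\System32\inetsrv\MetaBase.xml, elements keyed by a Location attribute such as /LM/W3SVC); the function names are the example's own, and the byte values are the article's.

```powershell
# Added example (not from the original article): the FAQ's metabase edit done with
# a backup and a read-back. Assumes IIS 6 (IISADMIN, MetaBase.xml, Location attributes).

$DefaultMetabase = "$env:SystemRoot\System32\inetsrv\MetaBase.xml"

function Get-AspMaxRequestEntityAllowed {
    # Read-only: current limit at $Location, or the schema default when the
    # attribute is not set there (the article's 204800 = 200K).
    param(
        [string]$MetabasePath = $DefaultMetabase,
        [string]$Location = "/LM/W3SVC"
    )
    $mb = New-Object System.Xml.XmlDocument
    $mb.Load($MetabasePath)
    $node = $mb.SelectSingleNode("//*[@Location='$Location']")
    if ($node -and $node.HasAttribute("AspMaxRequestEntityAllowed")) {
        return [long]$node.GetAttribute("AspMaxRequestEntityAllowed")
    }
    return 204800
}

function Set-AspMaxRequestEntityAllowed {
    # Stops IISADMIN (W3SVC stops with it), backs up the file, sets or creates the
    # attribute at $Location, saves, and brings the web service back.
    param(
        [long]$Bytes = 51200000,                  # the article's 50M value
        [string]$MetabasePath = $DefaultMetabase,
        [string]$Location = "/LM/W3SVC"           # global; a single site is e.g. /LM/W3SVC/1
    )
    if ($Bytes -le 0) { throw "AspMaxRequestEntityAllowed must be a positive byte count" }

    $before = Get-AspMaxRequestEntityAllowed -MetabasePath $MetabasePath -Location $Location
    Stop-Service -Name IISADMIN -Force            # -Force: W3SVC depends on IISADMIN
    $backup = "$MetabasePath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $MetabasePath -Destination $backup
    try {
        $mb = New-Object System.Xml.XmlDocument
        $mb.PreserveWhitespace = $true            # keep the hand-readable layout intact
        $mb.Load($MetabasePath)
        $node = $mb.SelectSingleNode("//*[@Location='$Location']")
        if (-not $node) { throw "No metabase element at Location '$Location'; file left unchanged" }
        # SetAttribute updates an existing value and creates the attribute if absent.
        $node.SetAttribute("AspMaxRequestEntityAllowed", [string]$Bytes)
        $mb.Save($MetabasePath)
    } finally {
        Start-Service -Name W3SVC                 # starts IISADMIN first as its dependency
    }
    $after = Get-AspMaxRequestEntityAllowed -MetabasePath $MetabasePath -Location $Location
    if ($after -ne $Bytes) { throw "Read-back mismatch: expected $Bytes, file has $after (backup: $backup)" }
    return "AspMaxRequestEntityAllowed at ${Location}: $before -> $after (backup: $backup)"
}

# Usage (run elevated on the web server):
# Get-AspMaxRequestEntityAllowed
# Set-AspMaxRequestEntityAllowed -Bytes 51200000
# Set-AspMaxRequestEntityAllowed -Bytes 51200000 -Location "/LM/W3SVC/1"   # one site only
```

Setting the value at /LM/W3SVC, as the article does, raises the ASP request-body limit for every site on the server, so any anonymous client can then post 50M bodies to any ASP page. The -Location parameter exists so the limit can be raised only for the site (or virtual directory) that actually hosts the uploader; which site id that is depends on your server and is not something the article gives.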


Please cite the original address when reposting: https://www.9cbs.com/read-47596.html
