How to set up a secure Dvbbs forum (repost)

xiaoxiao 2021-03-06

1. Forum security settings: turn off the flash tag and set the forum script filter extension

An attacker can use the flash tag to publish a specially crafted post so that every forum user who views it is automatically redirected to a page the attacker specifies, one containing malicious code. The setting is in the advanced settings of each board.

If your forum has HTML parsing enabled, filter the iframe | Object | Script tags under "Forum Script Filter Extension Setting" in the Basic Settings of the admin backend. If they are not filtered, an attacker can use HTML tags to redirect pages automatically.

2. IIS settings:

Directories such as Data, Images, UploadFile and UploadFace contain no ASP files at all, so they do not need ASP execute permission. By default the whole site is allowed to run ASP, so the "Execute Permissions" of these directories need to be set to "None" (in IIS Manager, select the directory, choose Properties, and set it in the properties dialog).

With ASP execution disabled in these directories, especially UploadFile and UploadFace, even if someone uses an upload vulnerability in Dvbbs to place Trojan files there, those ASP Trojans cannot run.

3. NTFS settings:

NTFS permissions should be the basic premise of any security setup. To set them, right-click a directory or file, choose Properties, then select "Security" to see the permissions of each user and group.

The key points are:

(1) Delete the default Everyone permissions on the web directory.

(2) Under normal circumstances, Administrator and System have full permissions on the web directory.

(3) Set IUSR_SERVERNAME on the directory where the BBS is located (this is the default system account used by web visitors; the system describes it as the Internet guest account): only four directories need "Modify" permission, namely Skins, Data, UploadFile and UploadFace; the other directories and the forum root directory are set to "read-only". The purpose of this setting is that even if an ASP Trojan is uploaded, as long as the attacker has not obtained administrator privileges, he cannot modify the forum's ASP files, so even a successful attack causes the least possible damage (for example, plugins and code you have written will not be deleted). When setting this up, first set the IUSR_SERVERNAME permission on the BBS directory to "read-only", then add "Modify" permission on the four directories that need to be written.

In addition, try not to install a plugin unless you have confirmed that it is safe. SQL injection attacks are currently very popular, and many programs have such vulnerabilities. If the plugin's scope is large, it may affect the security of the entire forum. If a plugin uses an upload function, set the execute permission on the directory it uploads to (see step 2).
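The three points above can also be applied from an elevated PowerShell prompt with icacls. This is an added example, not part of the original post; the forum path is a hypothetical placeholder, SERVERNAME must be replaced with the machine name, and the built-in Administrators group is used for point (2).

```powershell
# Added example: apply the NTFS layout from points (1)-(3) with icacls.
# Assumptions (not from the original post): the forum path below, and
# the Administrators group standing in for "Administrator" in point (2).
$ForumRoot = 'D:\wwwroot\bbs'        # hypothetical install path
$WebUser   = 'IUSR_SERVERNAME'       # replace SERVERNAME with the machine name
$Writable  = 'Skins', 'Data', 'UploadFile', 'UploadFace'

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed: $($Arguments -join ' ')"
    }
}

if (-not (Test-Path -LiteralPath $ForumRoot -PathType Container)) {
    throw "Forum root not found: $ForumRoot"
}

# (2) Full control for administrators and SYSTEM. Granted first, so that
#     cutting inheritance below cannot lock the administrator out.
Invoke-Icacls @($ForumRoot, '/grant:r',
                'Administrators:(OI)(CI)F', 'SYSTEM:(OI)(CI)F')

# (3) Read-only baseline for the web account on the root; (OI)(CI) makes
#     files and subdirectories inherit it.
Invoke-Icacls @($ForumRoot, '/grant:r', "${WebUser}:(OI)(CI)R")

# Drop ACEs inherited from the parent folder so that only the explicit
# entries set here apply to the forum tree.
Invoke-Icacls @($ForumRoot, '/inheritance:r')

# (1) Remove explicit grants to Everyone (well-known SID S-1-1-0, which
#     is independent of the Windows display language) in the whole tree.
Invoke-Icacls @($ForumRoot, '/remove:g', '*S-1-1-0', '/T')

# (3) Add Modify only on the four directories the forum writes to.
foreach ($dir in $Writable) {
    $path = Join-Path $ForumRoot $dir
    if (Test-Path -LiteralPath $path -PathType Container) {
        Invoke-Icacls @($path, '/grant:r', "${WebUser}:(OI)(CI)M")
    } else {
        Write-Warning "Skipping missing directory: $path"
    }
}

# Print the resulting ACL of the root for review.
& icacls.exe $ForumRoot
```

UploadFile, UploadFace and Data are writable under this layout and are also directories whose IIS execute permission step 2 sets to "None", so a file the web account can write there cannot run as ASP.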

4. Follow the official Dvbbs updates and apply the latest security patches promptly.

The settings above are forum-specific hardening for the server that hosts the forum. If the server as a whole is insecure and can easily be taken over, they will not help: when the nest is overturned, no egg is left intact.

When reposting, please cite the original address: https://www.9cbs.com/read-62839.html
