ASP.NET Virtual Host Security Vulnerability Solutions

xiaoxiao, 2021-03-06

Description: The environment used in this article is Windows Server 2003, IIS 6.0 and MS SQL 2000.

I had seen an article about "ASP.NET virtual hosts" on the Internet and did not pay much attention to it at the time. Friends who have run ASP virtual hosts may know that creating a separate server user for each customer and setting permissions on each customer's directory basically solves the FileSystemObject (FSO) problem of ASP.

Then I happened upon an ASP.NET webshell called WebAdmin. When I tested it on my own server I was shocked: it had read access to the server's C: drive and could modify and delete files across the entire hard disk. Where does that leave the security of my server...

To confirm this further, I tested some well-known virtual host providers in China, and they had the same problem as I did.

First, it is necessary to explain the cause of the vulnerability.

A standard component commonly used in ASP is FileSystemObject (FSO). It gives ASP powerful file system access: reading, writing, deleting and renaming anything on the server's hard disk that the account has permission to touch. The FSO object comes from the Scripting Runtime library, scrrun.dll, supplied by Microsoft.

In ASP.NET we find the same problem, and it is harder to solve. This is because .NET's system IO functionality is far more powerful, which makes the problem more serious, and because of a new feature of ASP.NET: a component no longer has to be registered with regsvr32 as in ASP; a DLL class library only needs to be copied to the bin directory to be usable. This feature is very convenient for ASP.NET development, but it costs us the ASP-era fix of deleting or renaming the DLL and makes preventing the problem more complicated. Friends who want to understand this further can read "The significant hidden dangers of the ASP.NET virtual host"; this article does not repeat it and only covers the virtual host security settings that this issue calls for.

Suggestions online for this problem use the Microsoft .NET Framework Configuration tool to set read permissions on the directory. We had no success with this; perhaps the mechanism changed in .NET Framework 1.1?

Without further ado, here is the solution. In IIS 6, the worker process of a web application is set to run as the built-in "Network Service" account. In IIS 5, out-of-process web applications run as the IWAM_ account, which is an ordinary local user account.

Network Service is a built-in account in Windows Server 2003. It is important to understand the difference between the local user accounts used by IIS 5 (IUSR and IWAM) and this built-in account. Every account in the Windows operating system is assigned a SID (security identifier). The server identifies accounts by their SID rather than by the name associated with it; the name is only what we interact with in the user interface. Most accounts created on a server are local accounts, each with a unique SID that identifies it as a member of that server's user database. Because the SID is only unique relative to that server, it is invalid on any other system. So if you assign NTFS permissions on a file or folder to a local account and then copy the file with its permissions to another computer, the target computer has no user account matching the migrated SID, even if it has an account with the same name. This makes replicating content with NTFS permissions a problem.

Built-in accounts are special accounts or groups created by the operating system, such as the System account, Network Service, and the Everyone group. One property of these objects is that they have the same well-known SID on every system, so NTFS permissions assigned to a built-in account remain valid when files are copied between servers. The Network Service account in Windows Server 2003 was designed specifically to give applications just enough permission to access the network, and in IIS 6 it runs web applications without elevated permissions. This is big news for IIS security: because there is no buffer, a malicious application cannot break the process identity, and an attack on the application cannot reach the System user context. More importantly, the System account can no longer serve as a "backdoor", and the InProcessIsapiApps metabase entry is no longer used to load applications into the inetinfo process. The Network Service account was created not only with IIS 6 applications in mind; it also holds most (not all) of the permissions the W3WP.exe process identity needs. Just as the ASPNET user needs access to certain locations on an IIS 5 server, the W3WP.exe process identity needs access to similar locations, and it is given those permissions by default through membership in the built-in group.

For ease of management, the IIS_WPG group (also known as the IIS worker process group) is created when IIS 6 is installed; its members are Local System, Local Service, Network Service and the IWAM account. Members of IIS_WPG have the appropriate NTFS permissions and the necessary user rights to act as the process identity of an IIS 6 worker process.

Therefore, the Network Service account has access to the locations above, has enough permissions to act as the process identity of IIS 6 worker processes, and can access the network.

MSDN says: in Windows Server 2003 the user context is called Network Service. These user accounts are created during the .NET Framework installation, have unique passwords that are not easy to crack, and have only limited permissions. The ASPNET or Network Service user can only access the specific folders required to run the web application, such as the /bin directory where the web application stores its compiled files.

To set the process identity to a specific user name in place of the ASPNET or Network Service user, the user name and password you provide must be stored in the Machine.config file.

In practice, however, ASP.NET's System.IO may not restrict access to paths outside the site; I do not know whether this counts as a major vulnerability of MS. And it also does not let IIS run the ASP.NET application as the user specified in Machine.config.

So how do we solve it? The answer is: application pools.

IIS 6.0 runs in one of two different operating modes, called application isolation modes: worker process isolation mode and IIS 5.0 isolation mode. Both modes depend on http.sys as the Hypertext Transfer Protocol (HTTP) listener, but their internal workings are very different. Worker process isolation mode uses the redesigned architecture of IIS 6.0, with worker processes as its core component. IIS 5.0 isolation mode exists for applications that rely on specific functions and behaviour of IIS 5.0. The isolation mode is configured through the IIs5IsolationModeEnabled metabase property.

The application isolation mode IIS runs in affects performance, reliability, security and functionality. Worker process isolation mode is the recommended mode for IIS 6.0 because it provides a more reliable platform for applications. It also provides a higher level of security, because the default identity of applications running in the worker process is NetworkService.

The default identity of applications running in IIS 5.0 isolation mode is LocalSystem, which can access and change almost every resource on the computer.

| IIS function | IIS 5.0 isolation mode host/component | Worker process isolation mode host/component |
|---|---|---|
| Worker process management | N/A | svchost.exe / WWW service |
| Worker process | N/A | w3wp.exe / worker process |
| Running in-process ISAPI extensions | inetinfo.exe | w3wp.exe |
| Running out-of-process ISAPI extensions | dllhost.exe | N/A (all ISAPI extensions run in-process) |
| Running ISAPI filters | inetinfo.exe | w3wp.exe |
| http.sys configuration | svchost.exe / WWW service | svchost.exe / WWW service |
| HTTP protocol support | Windows kernel / http.sys | Windows kernel / http.sys |
| IIS metabase | inetinfo.exe | inetinfo.exe |
| FTP | inetinfo.exe | inetinfo.exe |
| NNTP | inetinfo.exe | inetinfo.exe |
| SMTP | inetinfo.exe | inetinfo.exe |

This shows that only worker process isolation mode can be used to solve the .NET security problem.

By default, IIS 6.0 runs in worker process isolation mode, as shown in Figure 5. In this mode IIS 6.0 runs each web application in an independent instance of W3WP.exe, which is also known as the worker process, or W3Core.

Reliability and security. Reliability improves because the failure of one web application affects neither other web applications nor http.sys, and W3SVC monitors the health of each web application. Security improves because applications no longer run in the process under the System account, as they did in IIS 5.0 and IIS 4.0. By default, all instances of W3WP.exe run under the "Network Service" account, which has limited permissions. The worker process can also be configured to run under another user account, as shown in Figure 6.

Yes, here is the core of our solution: we give every website its own application pool and its own permissions. Does that solve the problem? Let me demonstrate with the setup of one website. First we create two users for the website (app_test_user with the password AppUser, and IIS_TEST_USER with the password IISUser):

1. Open Computer Management.
2. Go to Computer Management → System Tools → Local Users and Groups → Users.
3. On the Action menu click New User, and enter the user name app_test_user and the password AppUser.
4. Type the appropriate information in the dialog box.
5. Check "User cannot change password" and "Password never expires".
6. Click Create, then click Close.

Create the IIS_TEST_USER account the same way. Then add app_test_user to the IIS_WPG group and IIS_TEST_USER to the Guests group, and remove both from every other group.

Then create the corresponding application pool: open Internet Information Services → local computer → Application Pools → New → Application Pool, and name the new pool Test.

Edit the properties of the Test application pool → Identity → Configurable → User name → Browse, change the user name to our app_test_user and enter the corresponding password.

Next, create the corresponding website: open Internet Information Services → local computer → Web Sites → New → Web Site, named Test, with the directory D:\Test. Then edit the properties of the Test site → Home Directory → Application pool → choose the pool that runs as app_test_user (the Test pool) → Directory Security → Authentication and access control → Edit, choose the IIS_TEST_USER we just created and enter the corresponding password IISUser → save and exit.
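The pool and site configuration just described, done through the IIS 6 metabase (ADSI) instead of the GUI, as an added example that is not code from the article. It assumes the Test site already exists as site ID 2 and that the two accounts were created and placed in IIS_WPG and Guests as above; it also refuses to run in IIS 5.0 isolation mode, where application pools do not exist.

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the article: the per-site isolation the article sets up by hand,
// done through the IIS 6 metabase (ADSI). Assumed: the Test site already exists as site ID 2,
// and the article's sample accounts app_test_user / IIS_TEST_USER with their sample passwords.
static class IsolatedSite
{
    const string Host = "localhost";

    // Application pools only exist in worker process isolation mode. In IIS 5.0 isolation mode
    // everything runs inside inetinfo.exe as LocalSystem and the identity settings below would
    // silently do nothing, so refuse to continue.
    static void RequireWorkerProcessIsolation()
    {
        using (DirectoryEntry w3svc = new DirectoryEntry("IIS://" + Host + "/W3SVC"))
        {
            object v = w3svc.Properties["IIs5IsolationModeEnabled"].Value;
            if (v != null && Convert.ToBoolean(v))
                throw new InvalidOperationException("IIS 5.0 isolation mode is on; switch to worker process isolation mode first.");
        }
    }

    // Create the pool and run it as a specific local account: AppPoolIdentityType 3 (0 = LocalSystem,
    // 1 = LocalService, 2 = NetworkService), with the account in WAMUserName / WAMUserPass.
    static void CreatePool(string poolName, string user, string password)
    {
        using (DirectoryEntry pools = new DirectoryEntry("IIS://" + Host + "/W3SVC/AppPools"))
        using (DirectoryEntry pool = pools.Children.Add(poolName, "IIsApplicationPool"))
        {
            pool.CommitChanges();
            pool.Properties["AppPoolIdentityType"].Value = 3;
            pool.Properties["WAMUserName"].Value = user;
            pool.Properties["WAMUserPass"].Value = password;
            pool.CommitChanges();
        }
    }

    // Put the site's root application in that pool and make anonymous requests run as the
    // site's own guest-level account instead of the shared IUSR account.
    static void BindSite(string siteId, string poolName, string anonUser, string anonPass)
    {
        using (DirectoryEntry root = new DirectoryEntry("IIS://" + Host + "/W3SVC/" + siteId + "/Root"))
        {
            root.Properties["AppPoolId"].Value = poolName;
            root.Properties["AnonymousUserName"].Value = anonUser;
            root.Properties["AnonymousUserPass"].Value = anonPass;
            root.CommitChanges();
        }
    }

    static void Main()
    {
        RequireWorkerProcessIsolation();
        CreatePool("Test", "app_test_user", "AppUser");
        BindSite("2", "Test", "IIS_TEST_USER", "IISUser");
        Console.WriteLine("site 2 now runs in pool Test as app_test_user, anonymous as IIS_TEST_USER");
    }
}
```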

Finally, set the server's permissions. C:\ : only Administrators and System keep full control; delete all other permissions, and do not replace the entries on subdirectories.

C:\Documents and Settings inherits from its parent and replaces the entries on subdirectories. C:\Program Files inherits from its parent and replaces the entries on subdirectories; then on C:\Program Files\Common Files\Microsoft Shared remove inheritance, copy the existing entries, add read permission for Users and replace the entries on subdirectories (this is so that ASP and ASP.NET can still use Access and other databases). C:\Windows: remove inheritance, copy the existing entries, give only Administrators and SYSTEM full control and Users read, and replace the entries on subdirectories.

All other drives: give full control only to Administrators and System, delete all other users and replace the entries on subdirectories. D:\Test (the user's site directory): keep the existing inherited entries, add full control for app_test_user and iis_test_user, and replace the entries on subdirectories. Do the same for each additional website.

However, at this point System.IO can still read C:\Windows. (I suspect Network Service is in the Users group, and many services run as Users, so I cannot remove the Users group's read permission on C:\Windows.) Reading it does require knowing the system path, and there are two ways to deal with this:

1. Use an unattended installation when installing the system and change the default C:\Windows installation path, for example to C:\TestTest (it must follow DOS naming rules: no more than 8 characters). This one is essential.
2. Give IIS_WPG rights only on the following locations:
   %windir%\help\iishelp\common - Read
   %windir%\IIS Temporary Compressed Files - List, Read, Write
   %windir%\system32\inetsrv\ASP Compiled Templates - Read
   IIS_WPG also has the following user rights: Bypass traverse checking (SeChangeNotifyPrivilege), Access this computer from the network (SeNetworkLogonRight), Log on as a batch job (SeBatchLogonRight).

Of course, combining both methods is the safest solution. Generally the first is already very safe: a webshell would have to guess an 8-character name, which takes time and is easy to notice and control with a firewall. The second may also require extra read permissions on directories depending on the installed software, and the details depend on that software. If there are many hosted users this is a considerable amount of work, so I recommend solving it programmatically. Below is code found online for operating IIS application pools and for operating IIS virtual directories.
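The NTFS layout just described, as an added example that is not part of the article. It uses System.Security.AccessControl, so it assumes .NET 2.0 or later is installed on the server and that it is run by an administrator; paths and account names are the article's sample values.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not code from the article: it applies the article's NTFS layout through
// System.Security.AccessControl, so it assumes .NET 2.0 or later is installed and is run
// by an administrator as a console tool. Paths and account names are the article's samples.
static class SiteAcl
{
    // An allow entry that propagates to subfolders and files.
    static FileSystemAccessRule Allow(IdentityReference who, FileSystemRights rights)
    {
        return new FileSystemAccessRule(who, rights, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                                        PropagationFlags.None, AccessControlType.Allow);
    }
    static SecurityIdentifier Sid(WellKnownSidType t) { return new SecurityIdentifier(t, null); }

    // Remove every entry set directly on the object; inherited entries are left alone here.
    static void RemoveExplicit(FileSystemSecurity sec)
    {
        foreach (FileSystemAccessRule r in sec.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            sec.RemoveAccessRuleSpecific(r);
    }

    // Break inheritance and keep only Administrators and SYSTEM with full control. usersRead adds read and
    // execute for Users, which the article keeps on C:\Windows because Network Service and many services are Users.
    static void LockDown(string path, bool usersRead, bool replaceChildren)
    {
        DirectorySecurity sec = Directory.GetAccessControl(path, AccessControlSections.Access);
        sec.SetAccessRuleProtection(true, false);   // stop inheriting and discard the inherited entries
        RemoveExplicit(sec);
        sec.AddAccessRule(Allow(Sid(WellKnownSidType.BuiltinAdministratorsSid), FileSystemRights.FullControl));
        sec.AddAccessRule(Allow(Sid(WellKnownSidType.LocalSystemSid), FileSystemRights.FullControl));
        if (usersRead) sec.AddAccessRule(Allow(Sid(WellKnownSidType.BuiltinUsersSid), FileSystemRights.ReadAndExecute));
        Directory.SetAccessControl(path, sec);
        if (replaceChildren) ReplaceChildEntries(path);
    }

    // The GUI's "replace permission entries on all child objects": each subfolder goes back to inheriting
    // from its parent with no entries of its own. Folders the administrator cannot open (for example
    // System Volume Information) are reported and skipped instead of aborting the whole run.
    static void ReplaceChildEntries(string root)
    {
        foreach (string dir in Directory.GetDirectories(root))
        {
            try
            {
                DirectorySecurity s = Directory.GetAccessControl(dir, AccessControlSections.Access);
                s.SetAccessRuleProtection(false, false);
                RemoveExplicit(s);
                Directory.SetAccessControl(dir, s);
                ReplaceChildEntries(dir);
            }
            catch (UnauthorizedAccessException) { Console.Error.WriteLine("skipped " + dir); }
        }
    }

    static void Main()
    {
        LockDown(@"C:\", false, false);       // drive root only; its subfolders are handled one by one
        LockDown(@"C:\Windows", true, true);  // Administrators + SYSTEM full control, Users read
        LockDown(@"D:\", false, true);        // every other drive: Administrators + SYSTEM only
        // D:\Test keeps what it inherits and adds full control for the pool identity and the anonymous account
        DirectorySecurity site = Directory.GetAccessControl(@"D:\Test", AccessControlSections.Access);
        site.AddAccessRule(Allow(new NTAccount("app_test_user"), FileSystemRights.FullControl));
        site.AddAccessRule(Allow(new NTAccount("IIS_TEST_USER"), FileSystemRights.FullControl));
        Directory.SetAccessControl(@"D:\Test", site);
        ReplaceChildEntries(@"D:\Test");
    }
}
```

Files directly inside a locked-down folder keep their own explicit entries; extend ReplaceChildEntries with File.GetAccessControl and FileSecurity if those need resetting as well.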

Operating IIS application pools:

```csharp
using System;
using System.DirectoryServices;

namespace ADSI1
{
    /// <summary>Small class containing methods to configure IIS.</summary>
    class ConfigIIS
    {
        /// <summary>The main entry point for the application.</summary>
        // Main program entrance; optional, written for convenience so that all the
        // features can be tried in one go.
        [STAThread]
        static void Main(string[] args)
        {
            string appPoolName = "MyAppPool";
            string newVDirName = "MyVDir";
            DirectoryEntry newVDir = CreateVDir(newVDirName);
            CreateAppPool(appPoolName);
            AssignAppPool(newVDir, appPoolName);
            ConfigAppPool("Stop", appPoolName);
        }

        // Create a virtual directory under the default website
        static DirectoryEntry CreateVDir(string vdirName)
        {
            DirectoryEntry root = new DirectoryEntry("IIS://localhost/W3SVC/1/Root");
            DirectoryEntry newVDir = root.Children.Add(vdirName, "IIsWebVirtualDir");
            newVDir.Properties["Path"].Value = @"c:\inetpub\wwwroot";
            newVDir.Properties["AccessScript"].Value = true;
            newVDir.CommitChanges();
            return newVDir;
        }

        // Create a new application pool
        static void CreateAppPool(string appPoolName)
        {
            DirectoryEntry appPools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools");
            DirectoryEntry newPool = appPools.Children.Add(appPoolName, "IIsApplicationPool");
            newPool.CommitChanges();
        }

        // Mark the virtual directory as an application and put it in the pool
        static void AssignAppPool(DirectoryEntry newVDir, string appPoolName)
        {
            // AppCreate3(mode, pool name, create the pool if it does not exist); mode 0 = in-process
            object[] param = { 0, appPoolName, true };
            newVDir.Invoke("AppCreate3", param);
        }

        // method is one of the application pool management methods: Start, Stop or Recycle;
        // appPoolName is the name of the application pool
        static void ConfigAppPool(string method, string appPoolName)
        {
            DirectoryEntry appPools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools");
            DirectoryEntry findPool = appPools.Children.Find(appPoolName, "IIsApplicationPool");
            findPool.Invoke(method, null);
            appPools.CommitChanges();
            appPools.Close();
        }

        // List the application pools
        static void AppPoolList()
        {
            DirectoryEntry appPools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools");
            foreach (DirectoryEntry a in appPools.Children)
            {
                Console.WriteLine(a.Name);
            }
        }

        // Show which application pool a virtual directory belongs to
        static void VDirToAppPool()
        {
            DirectoryEntry vd = new DirectoryEntry("IIS://localhost/W3SVC/1/Root/ccc");
            Console.WriteLine(vd.Properties["AppPoolId"].Value.ToString());
        }
    }
}
```

An example of IIS 6 operations:

```csharp
using System;
using System.Collections;
using System.DirectoryServices;
using System.Text.RegularExpressions;

namespace Wuhy.ToolBox
{
    /// <summary>Information describing a new website.</summary>
    // The page does not show this class; it is reconstructed from how CreateNewWebSite uses it.
    public class NewWebSiteInfo
    {
        public string BindString;        // server binding, e.g. "192.168.0.1:80:www.example.com"
        public string CommentOfWebSite;  // the site's display name
        public string WebPath;           // physical path of the site root
    }

    public class DuplicatedWebSiteException : Exception
    {
        public DuplicatedWebSiteException(string msg) : base(msg) { }
    }

    public class NotFoundWebSiteException : Exception
    {
        public NotFoundWebSiteException(string msg) : base(msg) { }
    }

    public class IISAdminLib
    {
        #region UserName, Password, HostName definitions
        public static string HostName { get { return hostName; } set { hostName = value; } }
        public static string UserName { get { return userName; } set { userName = value; } }
        public static string Password
        {
            get { return password; }
            set
            {
                if (userName == null || userName.Length <= 1)
                    throw new ArgumentException("No user name has been specified. Please specify the user name first.");
                password = value;
            }
        }

        public static void RemoteConfig(string hostName, string userName, string password)
        {
            HostName = hostName;
            UserName = userName;
            Password = password;
        }

        private static string hostName = "localhost";
        private static string userName;
        private static string password;
        #endregion

        #region Entry construction
        /// <summary>
        /// Decides from the user name whether a remote server is being administered
        /// and constructs the matching DirectoryEntry.
        /// </summary>
        /// <param name="entPath">DirectoryEntry path</param>
        /// <returns>DirectoryEntry instance</returns>
        public static DirectoryEntry GetDirectoryEntry(string entPath)
        {
            if (UserName == null)
                return new DirectoryEntry(entPath);
            return new DirectoryEntry(entPath, UserName, Password, AuthenticationTypes.Secure);
        }
        #endregion

        #region Add and delete websites
        /// <summary>Creates a new website, configured from the information passed in.</summary>
        /// <param name="siteInfo">information about the new site</param>
        public static void CreateNewWebSite(NewWebSiteInfo siteInfo)
        {
            if (!EnsureNewSiteEnavaible(siteInfo.BindString))
                throw new DuplicatedWebSiteException("There is already such a website." + Environment.NewLine + siteInfo.BindString);

            string entPath = String.Format("IIS://{0}/w3svc", HostName);
            DirectoryEntry rootEntry = GetDirectoryEntry(entPath);
            string newSiteNum = GetNewWebSiteID();
            DirectoryEntry newSiteEntry = rootEntry.Children.Add(newSiteNum, "IIsWebServer");
            newSiteEntry.CommitChanges();
            newSiteEntry.Properties["ServerBindings"].Value = siteInfo.BindString;
            newSiteEntry.Properties["ServerComment"].Value = siteInfo.CommentOfWebSite;
            newSiteEntry.CommitChanges();

            DirectoryEntry vdEntry = newSiteEntry.Children.Add("root", "IIsWebVirtualDir");
            vdEntry.CommitChanges();
            vdEntry.Properties["Path"].Value = siteInfo.WebPath;
            vdEntry.CommitChanges();
        }

        /// <summary>Deletes a website, selected by name.</summary>
        /// <param name="siteName">website name</param>
        public static void DeleteWebSiteByName(string siteName)
        {
            string siteNum = GetWebSiteNum(siteName);
            string siteEntPath = String.Format("IIS://{0}/w3svc/{1}", HostName, siteNum);
            DirectoryEntry siteEntry = GetDirectoryEntry(siteEntPath);
            string rootPath = String.Format("IIS://{0}/w3svc", HostName);
            DirectoryEntry rootEntry = GetDirectoryEntry(rootPath);
            rootEntry.Children.Remove(siteEntry);
            rootEntry.CommitChanges();
        }
        #endregion

        #region Start and stop websites
        public static void StartWebSite(string siteName) { InvokeOnSite(siteName, "start"); }
        public static void StopWebSite(string siteName) { InvokeOnSite(siteName, "stop"); }

        private static void InvokeOnSite(string siteName, string method)
        {
            string siteNum = GetWebSiteNum(siteName);
            string siteEntPath = String.Format("IIS://{0}/w3svc/{1}", HostName, siteNum);
            DirectoryEntry siteEntry = GetDirectoryEntry(siteEntPath);
            siteEntry.Invoke(method, new object[] { });
        }
        #endregion

        #region Confirm the website is not a duplicate
        /// <summary>
        /// Determines whether a new website is the same as an existing one,
        /// which keeps invalid data out of IIS.
        /// </summary>
        /// <param name="bindStr">website binding information</param>
        /// <returns>true if it can be created, false otherwise</returns>
        public static bool EnsureNewSiteEnavaible(string bindStr)
        {
            string entPath = String.Format("IIS://{0}/w3svc", HostName);
            DirectoryEntry ent = GetDirectoryEntry(entPath);
            foreach (DirectoryEntry child in ent.Children)
            {
                if (child.SchemaClassName == "IIsWebServer"
                    && child.Properties["ServerBindings"].Value != null
                    && child.Properties["ServerBindings"].Value.ToString() == bindStr)
                    return false;
            }
            return true;
        }
        #endregion

        #region Get a website number
        /// <summary>Gets a website's number, matching siteName (used as a regular expression) against the bindings first and then the comment.</summary>
        /// <param name="siteName">website name</param>
        /// <returns>the website number</returns>
        /// <exception cref="NotFoundWebSiteException">no website matched</exception>
        public static string GetWebSiteNum(string siteName)
        {
            Regex regex = new Regex(siteName);
            string entPath = String.Format("IIS://{0}/w3svc", HostName);
            DirectoryEntry ent = GetDirectoryEntry(entPath);
            foreach (string prop in new string[] { "ServerBindings", "ServerComment" })
            {
                foreach (DirectoryEntry child in ent.Children)
                {
                    if (child.SchemaClassName != "IIsWebServer" || child.Properties[prop].Value == null)
                        continue;
                    if (regex.Match(child.Properties[prop].Value.ToString()).Success)
                        return child.Name;
                }
            }
            throw new NotFoundWebSiteException("Didn't find the site " + siteName);
        }
        #endregion

        #region Get a new website ID
        /// <summary>
        /// Gets the smallest ID that can be used for a new website. Each website needs a
        /// unique number, and the smaller the number the better; the algorithm here is simple.
        /// </summary>
        // The page cuts off after the comment above; this body follows what the comment describes.
        public static string GetNewWebSiteID()
        {
            ArrayList used = new ArrayList();
            string entPath = String.Format("IIS://{0}/w3svc", HostName);
            DirectoryEntry ent = GetDirectoryEntry(entPath);
            foreach (DirectoryEntry child in ent.Children)
            {
                if (child.SchemaClassName == "IIsWebServer")
                    used.Add(Convert.ToInt32(child.Name));
            }
            int id = 1;
            while (used.Contains(id)) id++;
            return id.ToString();
        }
        #endregion
    }
}
```

Please credit the original URL when reposting: https://www.9cbs.com/read-80928.html
