Three ways to disable FSO

xiaoxiao2021-03-06  110

As everyone knows, the FileSystemObject component is as powerful as it is destructive, which is why most web hosting providers (the ones that support ASP) disable it. I have sorted out the methods: I originally found two, and after being needled by someone I racked my brains for a third. Heh, I'm not sure whether it counts as one.

The first: use regsvr32 /u C:\WINDOWS\SYSTEM\SCRRUN.DLL (the Windows 98 path) to unregister the component. This method is too drastic: it is a one-size-fits-all cut, after which nobody can use the component at all; it is

The second: modify the ProgID value. In ASP a component is usually called as SET objectname = Server.CreateObject("ProgID"), so we can disable it by changing the ProgID value in the registry. Go to Start, Run, type regedit, then find HKEY_CLASSES_ROOT\Scripting.FileSystemObject and change the value of this ProgID, for example to Scripting.FileSystemObject8. It is then called in the ASP page like this:

<%@ Language = VBScript %>
<%
SET FS = Server.CreateObject("Scripting.FileSystemObject8")
%>

(If the component has not been called earlier, you can see the effect without restarting; otherwise you have to restart before it takes effect.)

Now let's look at the result of the original way of calling it:

<%@ Language = VBScript %>
<%
SET FS = Server.CreateObject("Scripting.FileSystemObject")
%>

The result is:

Server object error 'ASP 0177: 800401F3'
Server.createObject failed
/ASPIMAGE/TestFile2.asp, line 3
800401F3

(OK, this achieves what we want.)

Because this method came out later than others' steps and the result let someone else know of it first, it greatly spurred me on, and the upshot is a third method.

The third: the careful reader will wonder, since the component can be disabled by changing the ProgID value, can the CLSID also be changed? (Right, you think the same as I do.) We know that besides the CreateObject method there is a more general way to create a component: in ASP you can use an HTML tag to add a component to a web page. The way is:

Runat means it is executed on the server, and Scope represents the lifetime of the component; it can be Session, Application, or Page (the current page, which is also the default).

That way of writing it is no use to us, but there is another way to write it:

We can also disable the component by changing the CLSID value, e.g. change the value of HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID from 0D43FE01-F093-11CF-8940-00A0C9054228 to 0D43FE01-F093-11CF-8940-00A0C9054229 (only the last digit is changed); at this point it is:

At this point, it errors out too.
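An added example (not code from the original post) that audits the registry changes of methods two and three offline, on a regedit export: it parses the .reg text, checks whether the default ProgID still maps to the FSO CLSID, and also checks whether the real CLSID's InprocServer32 still points at scrrun.dll, which neither method touches, so a caller that references the CLSID directly can still create the object. The export text, the DLL path and the ...054229 value are constructed; the CLSID {0D43FE01-F093-11CF-8940-00A0C9054228} is the one the post cites.

```python
# Constructed regedit export (.reg format) showing the registry after methods two
# and three: the ProgID key renamed to Scripting.FileSystemObject8 and the last
# digit of the CLSID value under it changed. Only the FSO CLSID comes from the post.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\Scripting.FileSystemObject8]
@="FileSystem Object"

[HKEY_CLASSES_ROOT\Scripting.FileSystemObject8\CLSID]
@="{0D43FE01-F093-11CF-8940-00A0C9054229}"

[HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}]
@="FileSystem Object"

[HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrrun.dll"
"ThreadingModel"="Both"
"""

FSO_PROGID = "Scripting.FileSystemObject"
FSO_CLSID = "{0D43FE01-F093-11CF-8940-00A0C9054228}"

def parse_reg(text):
    """Parse a .reg export into {key path (lower-case): {value name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif "=" in line and current is not None:
            name, data = line.split("=", 1)
            # .reg files quote strings and double every backslash
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def fso_status(keys):
    """Report whether the FSO is still reachable by ProgID and whether its DLL is still registered."""
    progid_clsid = keys.get(("HKEY_CLASSES_ROOT\\" + FSO_PROGID + "\\CLSID").lower(), {}).get("@")
    inproc = keys.get(("HKEY_CLASSES_ROOT\\CLSID\\" + FSO_CLSID + "\\InprocServer32").lower(), {}).get("@")
    return {
        # Server.CreateObject("Scripting.FileSystemObject") only works while the
        # default ProgID still maps to the real CLSID; methods two and three break this.
        "progid_works": progid_clsid is not None and progid_clsid.lower() == FSO_CLSID.lower(),
        # Neither method touches HKCR\CLSID\{...}\InprocServer32, so the DLL stays
        # registered and a caller that uses the CLSID directly can still create the object.
        "clsid_registered": inproc is not None and inproc.lower().endswith("scrrun.dll"),
        "progid_clsid": progid_clsid,
        "inproc_server": inproc,
    }
```

Export the keys with regedit, run fso_status(parse_reg(open("export.reg").read())), and treat clsid_registered being True as the remaining gap: the component is hidden, not removed.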

Create a new user: IUSR_DOMAIN

In IIS, set IUSR_DOMAIN as the anonymous user for the corresponding site

cacls: set the directory permissions

This way FSO stays available but cannot affect others

A netizen discussed the security of FSO; I am posting it here specially for everyone. Thanks.

Most virtual hosts now disable FileSystemObject, because this component gives ASP powerful file system access: read, write, copy, delete, rename and so on (this refers, of course, to Windows NT/2000 with default settings). But once the component is prohibited, every ASP program that uses it stops running, which does not meet customers' needs.

How can we allow the FileSystemObject component without affecting the security of the server (that is, so different virtual host users cannot use the component to read and write each other's files)? Below is a method I arrived at by experiment, described using Windows 2000 Server as the example.

Open Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" from the pop-up menu and open the "Security" tab; you can see which accounts can access this partition or volume and what rights they have. After a default installation, "Everyone" has Full Control. Add "Administrators", "Backup Operators", "Power Users", "Users" and so on and give them Full Control or the appropriate permissions, taking care not to give the "Guests" group or the "IUSR_<machine name>" account any permissions at all. Then delete the "Everyone" group from the list, so that only authorized groups and users can access this partition. Since ASP accesses the hard disk as "IUSR_<machine name>", and that account is given no permissions here, ASP can no longer read or write files on the hard disk.

Next, set up a separate user account for each virtual host user, and then give each account Full Control of its own directory only.

As shown in the figure below, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right-hand pane, and a menu pops up:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/001.gif]

In the "New User" dialog that pops up, fill in "User name", "Full name", "Description", "Password" and "Confirm password" as needed, clear the checkbox "User must change password at next logon", and check "User cannot change password" and "Password never expires". In this example the account "IUSR_VHOST1" is created as the built-in account for anonymous access to Internet Information Services for the first virtual host's user, i.e. every client that visits this virtual host via http://xxx.xxx.xxxx/ accesses it under this identity. Click "Create" when done. You can create several users as needed; when finished, click "Close":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/002.gif]

The newly created user now appears in the account list; double-click it in the list for further settings:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/003.gif]

In the "IUSR_VHOST1 Properties" dialog that pops up (i.e. the account just created), go to the "Member Of" tab:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/004.gif]

By default the new account belongs to the "Users" group; select that group and click "Remove":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/005.gif]

Now, as shown in the figure below, click "Add":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/006.gif]

In the "Select Groups" dialog that pops up, find "Guests" and click "Add"; the group appears in the text box below. Then click "OK":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/007.gif]

It now looks like the figure below; click "OK" to close this dialog:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/008.gif]

Open Internet Information Services and start setting up the virtual host; this example uses the "First Virtual Host". Right-click the host name and select "Properties" from the pop-up menu:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/009.gif]

The "First Virtual Host Properties" dialog pops up, and you can see from it that this virtual host's user uses the "F:\vhost1" folder:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/010.gif]

Leave the "First Virtual Host Properties" dialog aside for the moment, switch to the "F:\vhost1" folder, right-click it and select "Properties" → "Security" tab. You can see that the folder's default security setting is "Everyone" Full Control (what is displayed depends on the situation). First clear the checkbox "Allow inheritable permissions from parent to propagate to this object":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/011.gif]

A "Security" warning pops up as shown below; click "Remove":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/012.gif]

All groups and users in the Security tab are now gone (if not, use "Remove" to clear them); then click the "Add" button:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/013.gif]

Add "Administrators" as shown in the figure, and add the newly created account "IUSR_VHOST1", giving it Full Control. Add other groups or users as needed, but on no account add the "Guests" group or the "IUSR_<machine name>" anonymous access account!

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/014.gif]

Switch back to the "First Virtual Host Properties" dialog opened earlier, open the "Directory Security" tab and click "Edit":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/015.gif]

In the "Authentication Methods" box (shown below), click "Edit":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/016.gif]

The "Anonymous User Account" dialog pops up; the default is "IUSR_<machine name>". Click "Browse":

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/017.gif]

In the "Select User" dialog, find the newly created account "IUSR_VHOST1" and double-click it:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/018.gif]

The anonymous user name has now changed; in the password box, enter the password you set for the account when creating it:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/019.gif]

Confirm the password again:

[Image: http://202.100.116.12/paddy/bbsimages/fsosafe/020.gif]

OK, finished; click OK to close these dialogs.

After this setting, the "First Virtual Host" user can use ASP's FileSystemObject component to access its own directory, F:\vhost1, but any attempt to access other content produces errors such as "permission denied", "the disk is not ready" or "500 internal server error". Also: if the user needs to read the capacity of the hard disk partition or the serial number of the hard disk, this setting does not allow reading them. If you want to allow reading these and other partition-wide items, right-click the hard disk partition (volume), select "Properties" → "Security", add this user's account to the list and give it at least "Read" permission. Since the subdirectories under this volume have been set to "do not allow inheritable permissions from the parent to propagate to this object", the permission settings of the subdirectories below are unaffected.
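An added example (not part of the netizen's post) that checks a virtual host's directory permissions against the rules above using the output of cacls, which the summary earlier mentions: the host's own IUSR account and Administrators must have Full Control, and Everyone, Guests and the machine-wide IUSR_<machine name> account must not appear at all. The cacls output lines, the machine name VHOST and the account names are constructed.

```python
import re

# Constructed `cacls F:\vhost1` output after the procedure above: cacls prints the
# path once, then one ACE per line as ACCOUNT:(inherit flags)RIGHTS, continuation
# lines indented to line up under the first ACE.
GOOD_CACLS = r"""F:\vhost1 BUILTIN\Administrators:(OI)(CI)F
          VHOST\IUSR_VHOST1:(OI)(CI)F
"""
# Constructed output for a second virtual host directory that was never locked down.
BAD_CACLS = r"""F:\vhost2 Everyone:(OI)(CI)F
          VHOST\IUSR_VHOST2:(OI)(CI)R
"""

MACHINE = "VHOST"  # constructed machine name; the post writes the account as IUSR_<machine name>
# Accounts the post says must never appear on a virtual host's directory.
FORBIDDEN = {"everyone", "builtin\\guests", (MACHINE + "\\iusr_" + MACHINE).lower()}

def parse_cacls(output, path):
    """Return {account (lower-case): rights letters} from cacls output for `path`."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line carries the path
        if not line:
            continue
        account, _, rights = line.rpartition(":")  # account names may contain spaces
        aces[account.lower()] = re.sub(r"\([A-Z]+\)", "", rights)  # drop (OI)(CI) flags
    return aces

def check_vhost_acl(aces, vhost_account):
    """Apply the post's rules: the host's own IUSR account and Administrators get Full
    Control (F); Everyone, Guests and the machine-wide IUSR account must be absent."""
    problems = []
    if aces.get(vhost_account.lower()) != "F":
        problems.append(vhost_account + " lacks Full Control")
    if aces.get("builtin\\administrators") != "F":
        problems.append("Administrators lack Full Control")
    for account in aces:
        if account in FORBIDDEN:
            problems.append(account + " must not have any permissions")
    return problems
```

Run it over the captured output of cacls for each F:\vhostN directory after the GUI steps; an empty problem list means the directory matches the post's rules.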

Please credit the original address when reposting: https://www.9cbs.com/read-99497.html
