How to improve FSO security under Windows 2003


ASP's FileSystemObject (FSO) component gives server-side scripts powerful file system access: they can read, write, copy, delete and rename files on the server's hard disk, which poses a serious threat to the security of a school website. Many campus hosts are now suffering from FSO Trojans (ASP web shells built on this component). Disabling the FSO component, however, means that every ASP program that uses it stops running and the customers' needs can no longer be met. How can the FileSystemObject component be allowed without compromising the server's security, i.e. so that different virtual-host users cannot use it to read and write each other's files? Here are the experiences I have gathered over the years:

The first step differs from the Windows 2000 setup: right-click the C: drive, click "Sharing and Security", select the "Security" tab in the dialog box, and delete the Everyone and Users groups. If your website's ASP programs then no longer run, add the IIS_WPG group (Figure 1). Restart the computer.



After this setting, the FSO Trojan can no longer operate. For a more secure level, set each disk partition separately as above and assign a different anonymous-access user to each site. Here is an example (assume your host has an Abc.com site in the Abc folder on the E: drive):

1. Open "Computer Management → Local Users and Groups → Users", create an Abc user and set its password. Clear the "User must change password at next logon" checkbox, select "User cannot change password" and "Password never expires", and make the user a member of the Guests group.

2. Right-click E:\Abc and select "Properties → Security". You will see that the folder's default security setting is "Everyone" with full control (the exact entries depend on the situation). Delete Everyone's full control (if it cannot be deleted, click the [Advanced] button, clear the "Allow inheritable permissions from the parent to propagate to this object" checkbox, and delete all entries), then add Administrators and the Abc user with full permissions on this website's directory.

3. Open IIS Manager, right-click the Abc.com host, select "Properties → Directory Security" from the pop-up menu, and click [Edit] under Authentication and Access Control; the dialog box shown in Figure 2 appears. The default account for anonymous access is "IUSR_machinename". Click [Browse], find the Abc account you created in the "Select User" dialog box, confirm, and then enter its password twice.

After this setting, anyone visiting the website accesses the site in the E:\Abc folder anonymously as the Abc account. Because the Abc account only has security permissions on this folder, it can only use FSO inside this folder.
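The three steps above can also be scripted, which makes the per-site account easy to repeat for every virtual host. The following PowerShell script is an added example, not code from the original article; it assumes the site content lives in E:\Abc, the account is named Abc, the site's metabase identifier is 1, and the IIS 6 admin scripts are in their default location C:\Inetpub\AdminScripts. Run it from an administrator PowerShell prompt on the web server.

```powershell
# Added example, not from the original article: scripts steps 1-3 on
# Windows Server 2003 / IIS 6. Assumptions: site content in E:\Abc,
# account name Abc, metabase site id 1 (list sites with:
# cscript C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3SVC).

$SiteRoot = 'E:\Abc'
$User     = 'Abc'
$SiteId   = 1
$Secure   = Read-Host -AsSecureString "Password for the $User account"
$Plain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# Step 1: local account in the Guests group. Not setting the "password
# expired" flag leaves "must change password at next logon" cleared.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$acct = $computer.Create('User', $User)
$acct.SetPassword($Plain)
$acct.SetInfo()
# UserFlags bits: 0x40 = user cannot change password, 0x10000 = password never expires
$acct.UserFlags.Value = $acct.UserFlags.Value -bor 0x40 -bor 0x10000
$acct.SetInfo()
([ADSI]"WinNT://$env:COMPUTERNAME/Guests,group").Add($acct.Path)
# New local accounts land in Users by default; dropping that membership so the
# account is only a Guest is this example's choice, not a step in the article.
([ADSI]"WinNT://$env:COMPUTERNAME/Users,group").Remove($acct.Path)

# Step 2: stop inheriting from E:\, drop every existing entry, then grant
# full control to Administrators and Abc only.
$acl = Get-Acl -Path $SiteRoot
$acl.SetAccessRuleProtection($true, $false)     # protect the ACL, discard inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($id in 'BUILTIN\Administrators', "$env:COMPUTERNAME\$User") {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $SiteRoot -AclObject $acl

# Step 3: tell IIS to run anonymous requests for this site as Abc
# (same setting as the Directory Security dialog in Figure 2).
$site = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
$site.Put('AnonymousUserName', "$env:COMPUTERNAME\$User")
$site.Put('AnonymousUserPass', $Plain)
$site.SetInfo()

# Check: the folder should now list only Administrators and Abc, none inherited.
(Get-Acl -Path $SiteRoot).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The password is read with Read-Host -AsSecureString so it does not end up in the command history, and the IIS settings are written through the IIS Admin Service (the IIS:// ADSI provider) rather than by hand-editing MetaBase.xml. The final Get-Acl listing is the check worth keeping: if any entry still shows IsInherited as True, or an identity other than Administrators and Abc, the folder is still reachable from another site's account.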



Frequently Asked Questions:

How do I lift the 200 KB limit on FSO-based uploaders?

First stop the IIS Admin Service in Services, then find MetaBase.xml in the Windows\System32\Inetsrv directory and open it. Find ASPMaxRequestEntityAllowed and change it to the required value: the default is 204800 (200 KB); change it to 51200000 (50 MB) and then restart the IIS Admin Service.
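Editing the value in MetaBase.xml changes the limit for every site on the host. The following added example (not from the original article) sets the same property on one site only, so other virtual hosts keep the 200 KB cap, and it does so through adsutil.vbs so the IIS Admin Service does not have to be stopped. It assumes the IIS 6 admin scripts are in the default C:\Inetpub\AdminScripts folder and that the upload site's metabase identifier is 1.

```powershell
# Added example, not from the original article: raise the ASP request-body
# limit for one site instead of globally. Assumptions: adsutil.vbs in its
# default location and the upload site's metabase id is 1.
$AdsUtil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$SiteId  = 1
$Limit   = 51200000   # bytes; the default is 204800 (200 KB)

# Current global value (set under W3SVC and inherited by every site).
cscript //nologo $AdsUtil GET W3SVC/AspMaxRequestEntityAllowed

# Set it on this site's root only; everything else keeps the inherited default.
cscript //nologo $AdsUtil SET "W3SVC/$SiteId/ROOT/AspMaxRequestEntityAllowed" $Limit

# Verify the site-level value took effect.
cscript //nologo $AdsUtil GET "W3SVC/$SiteId/ROOT/AspMaxRequestEntityAllowed"
```

Keeping the limit per site matters because a larger request body is also more memory and disk the server will accept from any anonymous visitor; granting it only to the site that actually runs an uploader keeps the exposure of the other hosts unchanged.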

