ASP provides powerful file system access: it can read, write, copy, delete, and rename any file on the server's hard disk, which poses a huge threat to the security of the school website. Many campus hosts are now suffering from FSO Trojans. But disabling the FSO component means that every ASP program that uses it stops running, so customers' needs cannot be met. How can the FileSystemObject component be allowed without affecting the security of the server (i.e., so that users of different virtual hosts cannot use this component to read and write each other's files)? The following is the experience I have gathered over the years:
The first step, setting up Windows 2000, is the key: right-click the C drive, click "Sharing and Security", select the "Security" tab in the dialog box that appears, and delete the Everyone and Users groups. If ASP programs on your website cannot run after the deletion, add the IIS_WPG group (Figure 1) and restart the computer.
After this configuration, FSO Trojans can no longer run. For a higher level of security, set up each disk partition separately as above, and set a different anonymous access user for each site. The following is an example (assuming that your host has an Abc.com site under the Abc folder on the E drive):
1. Open Computer Management → Local Users and Groups → Users and create an Abc user. Set the password, clear the "User must change password at next logon" checkbox, select "User cannot change password" and "Password never expires", and make the user a member of the Guests group.
2. Right-click E:\Abc and select the "Properties → Security" tab. You can see that the default security setting for this folder is full control for "Everyone" (what is displayed may differ depending on the situation). Remove Everyone's full control (if it cannot be removed, click the [Advanced] button, clear the "Allow inheritable permissions from parent to propagate to this object" checkbox, and remove all entries), then add Administrators and the Abc user with all security permissions on this site directory.
3. Open IIS Manager, right-click the Abc.com host name, select the "Properties → Directory Security" tab from the pop-up menu, and click [Edit] under access control. The dialog box shown in Figure 2 appears; the default access user is "IUSR_machine name". Click [Browse], find the Abc account you created in the "Select User" dialog box, and then enter its password again.
After this setting, visitors to the website access the site in the E:\Abc folder anonymously as the Abc account. Because the Abc account only has security permissions on this folder, FSO can only be used within this folder.
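As an added example (not part of the original article), the following PowerShell script audits the NTFS permissions that the steps above configure. It assumes English group names and the article's example layout (E:\Abc served as the Abc account); the `$Sites` and `$DriveRoots` values and the function names are illustrative.

```powershell
# Added example: audit the NTFS permissions the steps above configure.
# Constructed sample layout taken from the article's example; edit to match your host.
$Sites      = @{ 'E:\Abc' = 'Abc' }          # site folder -> its anonymous account
$DriveRoots = @('C:\', 'E:\')
$BroadNames = @('Everyone', 'BUILTIN\Users') # English names; localized systems differ

function Get-BroadAce {
    param([string]$Path)
    # Allow entries still granted to the groups the first step deletes
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadNames -contains $_.IdentityReference.Value
    }
}

function Test-SiteFolder {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'permissions are still inherited from the parent'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id   = $ace.IdentityReference.Value
        $name = ($id -split '\\')[-1]        # drop the MACHINE\ or BUILTIN\ prefix
        # Step 2 leaves only Administrators and the site's own account
        if ($name -eq 'Administrators' -or $name -eq $Account) { continue }
        $findings += "unexpected Allow entry: $id ($($ace.FileSystemRights))"
    }
    $findings
}

foreach ($root in $DriveRoots) {
    foreach ($ace in @(Get-BroadAce -Path $root)) {
        "{0} : {1} still has {2}" -f $root, $ace.IdentityReference, $ace.FileSystemRights
    }
}
foreach ($path in $Sites.Keys) {
    $findings = @(Test-SiteFolder -Path $path -Account $Sites[$path])
    if ($findings.Count -eq 0) {
        "$path : only Administrators and $($Sites[$path]) are allowed"
    } else {
        $findings | ForEach-Object { "$path : $_" }
    }
}
```

With one entry per hosted site in `$Sites`, any account that can reach another site's folder shows up as an unexpected Allow entry on that folder.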
Frequently Asked Questions:
How do I remove the 200K limit on FSO uploads?
First stop the IIS Admin service in Services, then find MetaBase.xml in the Windows\System32\Inetsrv directory and open it. Find AspMaxRequestEntityAllowed and change it to the required value. The default is 204800, which is 200K; change it to 51200000 (50M), and then restart the IIS Admin service.