ASP exposes the file system through the FileSystemObject (FSO) component (Scripting.FileSystemObject, implemented in scrrun.dll), which can read, write, copy, delete and rename any file that the identity running the script is allowed to touch. On a server where that identity has broad permissions this is a serious threat to school websites, and many campus hosts have already been compromised by FSO Trojans (ASP pages that wrap FSO in a web interface). Simply disabling the FSO component is not an option either: every legitimate ASP program that uses it stops working and the customers' needs are no longer met. So how can the FileSystemObject component stay enabled without endangering the server, that is, without one virtual host's user being able to read or write another user's files through it? What follows is the experience I have gathered over the years:
The first step is what distinguishes this from a Windows 2000 setup (the IIS_WPG group only exists on Windows Server 2003 with IIS 6): right-click the C: drive, choose "Sharing and Security...", open the "Security" tab and remove the Everyone and Users groups from the list. Removing those entries only affects folders that inherit from the root; system folders such as Windows and Program Files carry their own explicit permissions, but any folder that merely inherited from C:\ loses Users access. If your websites cannot even run an ASP page after the deletion, add the IIS_WPG group (the worker-process group, Figure 1) and restart the computer.
Figure 1
After this change an FSO Trojan running under the web server's anonymous account can no longer read or write anything the account is not explicitly granted. For tighter settings, apply the same root-permission change to every disk partition and give each site its own anonymous access user. The following is an example (suppose that the Abc.com site lives in the Abc folder of the E: drive on your host):
1. Open "Computer Management → Local Users and Groups → Users", create a user named Abc and give it a long random password. Clear the "User must change password at next logon" checkbox, tick "User cannot change password" and "Password never expires", and make the user a member of the Guests group only (remove it from Users if it was added there by default).
2. Right-click E:\Abc and open the "Properties → Security" tab. By default the folder shows "Everyone" with Full Control (what exactly is listed depends on the situation). Remove the Everyone entry; if it cannot be removed, click the [Advanced] button, clear "Allow inheritable permissions from the parent to propagate to this object", choose Remove, and then delete all remaining entries. Then add Administrators and the Abc user with Full Control on this website directory.
3. Open IIS Manager, right-click the Abc.com site, choose "Properties → Directory Security", and click [Edit] under "Authentication and access control"; the dialog in Figure 2 appears. The anonymous access user defaults to "IUSR_MachineName". Click [Browse], pick the Abc account created earlier in the "Select User" dialog, confirm, and then type the Abc password and confirm it. It must match the password set in step 1, otherwise every anonymous request to the site fails with 401.
Figure 2
After this setting, visitors to the site are served from E:\Abc anonymously under the Abc account. ASP impersonates the anonymous user while a page runs, so FSO calls made from Abc.com pages carry Abc's token, and since Abc holds NTFS permissions only on that folder, FSO can read and write only inside E:\Abc. Two caveats: Abc is still a member of Guests, so it keeps whatever access Everyone, Users or Guests entries grant elsewhere on the disk, which is why the root-permission change from the first step should be applied to every partition; and the boundary is enforced by NTFS rather than by ASP, so it holds only as long as nobody adds a broad permission entry back.
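Steps 1 to 3 above as one repeatable script, added here as an example and not part of the original article. It uses the ADSI WinNT provider for the account, icacls for the folder permissions and the IIS ADSI provider for the anonymous identity. Assumptions (none of them stated in the article): the script runs on the server itself from an administrator command prompt with `cscript //nologo isolate-site.vbs`; the Abc.com site has metabase identifier 1 (check the Identifier column in IIS Manager); icacls is available (it ships with Windows Server 2003 SP2 and later; on older builds use cacls and break inheritance in the GUI); and the placeholder password is replaced with a long random one. SYSTEM is granted Full Control in addition to the article's Administrators and Abc so that backup and other local services keep working.

```vbscript
Option Explicit
' Added example (not from the article): steps 1-3 as one script.
' Assumed values; adjust before running.
Const USER_NAME = "Abc"
Const USER_PASS = "ReplaceWithLongRandomPassword"   ' placeholder, change it
Const SITE_DIR  = "E:\Abc"
Const SITE_PATH = "IIS://localhost/W3SVC/1/Root"   ' assumed site identifier 1

Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim computer, user, grp, shell, site

' Step 1: local account, password cannot change / never expires, Guests only.
Set computer = GetObject("WinNT://.")
Set user = computer.Create("user", USER_NAME)   ' fails if the account exists
user.SetInfo
user.SetPassword USER_PASS
user.GetInfo
user.Put "UserFlags", user.Get("UserFlags") Or ADS_UF_PASSWD_CANT_CHANGE Or ADS_UF_DONT_EXPIRE_PASSWD
user.SetInfo

Set grp = GetObject("WinNT://./Guests,group")
If Not grp.IsMember(user.ADsPath) Then grp.Add user.ADsPath
Set grp = GetObject("WinNT://./Users,group")
If grp.IsMember(user.ADsPath) Then grp.Remove user.ADsPath

' Step 2: make every object under the site folder inherit again, then cut the
' folder off from its parent and grant only explicit entries.
Set shell = CreateObject("WScript.Shell")
RunOrDie "icacls """ & SITE_DIR & """ /reset /T /Q"
RunOrDie "icacls """ & SITE_DIR & """ /inheritance:r" & _
         " /grant Administrators:(OI)(CI)F SYSTEM:(OI)(CI)F " & USER_NAME & ":(OI)(CI)F"

' Step 3: make Abc the anonymous identity of this site only. ASP impersonates
' the anonymous user, so FSO calls from this site's pages carry Abc's token.
Set site = GetObject(SITE_PATH)
site.AnonymousUserName = USER_NAME
site.AnonymousUserPass = USER_PASS
site.AnonymousPasswordSync = False   ' IIS must not rotate a password we chose
site.SetInfo

WScript.Echo "Anonymous user for " & SITE_PATH & " is now " & site.AnonymousUserName

' Run a command line hidden, wait for it, abort the script on a non-zero exit.
Sub RunOrDie(cmd)
    Dim rc
    rc = shell.Run(cmd, 0, True)
    If rc <> 0 Then
        WScript.Echo "command failed (exit " & rc & "): " & cmd
        WScript.Quit rc
    End If
End Sub
```

Run it once per site with its own user name, folder and site identifier; the root-drive change from the first step is deliberately left to the GUI because it touches every site on the partition and should be done once, by hand, with a restart afterwards.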
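A check page to confirm that the boundary described above really holds, added here as an example and not part of the original article. Saved as fsocheck.asp inside the site folder and requested once over HTTP, it tries to create and delete a scratch file in the site root and in several folders outside it through FSO, so the attempts run under the same impersonated anonymous account that an FSO Trojan would get. The probe paths other than the site root are assumptions for illustration (E:\, C:\, C:\Windows\Temp and the default C:\Inetpub\wwwroot); replace them with another virtual host's folder to test cross-site isolation. Delete the page again after the test: it is itself a small file-system probe.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
Response.ContentType = "text/plain"

' Added check page (not from the article). Try to create and delete a scratch
' file in "path" through FSO; FSO runs under the impersonated anonymous user,
' so a "denied" result means NTFS stopped the write for that account.
Function ProbeWrite(fso, path)
    Dim target, ts
    On Error Resume Next
    target = fso.BuildPath(path, "fso_probe_" & Hex(Int(Timer)) & ".tmp")
    Set ts = fso.CreateTextFile(target, True)
    If Err.Number = 0 Then
        ts.WriteLine "probe"
        ts.Close
        fso.DeleteFile target
        ProbeWrite = "WRITABLE  (isolation FAILED here)"
    ElseIf Err.Number = 70 Then
        ProbeWrite = "denied    (error 70 Permission denied, as intended)"
    Else
        ProbeWrite = "error " & Err.Number & ": " & Err.Description
    End If
    On Error GoTo 0
End Function

Dim fso, probes, p
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Site root first (should be writable), then assumed folders outside it
' (should all be denied after the three steps above).
probes = Array(Server.MapPath("/"), "E:\", "C:\", "C:\Windows\Temp", "C:\Inetpub\wwwroot")

For Each p In probes
    Response.Write Left(p & Space(40), 40) & ProbeWrite(fso, p) & vbCrLf
Next
%>
```

Expect exactly one WRITABLE line, for the site root. Any other folder reporting WRITABLE still carries an Everyone, Users or Guests entry that the anonymous account inherits, and that folder is where the root-permission change from the first step has not yet been applied.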
FAQ:
How do I lift the 200 KB limit that makes FSO-based ASP upload scripts fail?
ASP rejects any request body larger than the AspMaxRequestEntityAllowed metabase property, and its default is 204800 bytes (200 KB), so uploads above that size never reach the script. Stop the IIS Admin Service in the Services console, open %windir%\System32\inetsrv\MetaBase.xml, find AspMaxRequestEntityAllowed and set it to the value you need, for example 51200000 (roughly 50 MB), then start the IIS Admin Service again. On IIS 6 you can instead tick "Enable Direct Metabase Edit" in the server's properties in IIS Manager and edit the file while IIS keeps running. The property is inherited: a value set on W3SVC applies to every site on the host, and a larger value lets any anonymous client POST that much data to any ASP page on that site, so set it on the site that actually needs uploads rather than on the whole server.
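The same change made through the IIS ADSI provider, scoped to one site, as an added example that is not from the article. It avoids stopping the IIS Admin Service and leaves the other virtual hosts at the 200 KB default. Assumptions: the script runs on the server, and the upload site has metabase identifier 1.

```vbscript
Option Explicit
' Added example (not from the article): raise AspMaxRequestEntityAllowed on one
' site only. Assumed: local server, upload site has metabase identifier 1.
Const UPLOAD_SITE = "IIS://localhost/W3SVC/1/Root"
Const NEW_LIMIT = 51200000   ' bytes; about 48.8 MiB (52428800 would be exactly 50 MiB)

Dim node, server
Set node = GetObject(UPLOAD_SITE)
Set server = GetObject("IIS://localhost/W3SVC")

WScript.Echo "server-wide limit : " & server.AspMaxRequestEntityAllowed & " bytes (left unchanged)"
WScript.Echo "site limit before : " & node.AspMaxRequestEntityAllowed & " bytes"

node.AspMaxRequestEntityAllowed = NEW_LIMIT   ' explicit value on this site overrides W3SVC
node.SetInfo
node.GetInfo                                   ' re-read from the metabase to confirm it stuck

WScript.Echo "site limit after  : " & node.AspMaxRequestEntityAllowed & " bytes"
```

Run with `cscript //nologo asp-upload-limit.vbs`. The equivalent one-liner with the script IIS 6 ships in Inetpub\AdminScripts is `cscript adsutil.vbs set W3SVC/1/Root/AspMaxRequestEntityAllowed 51200000`; either way the change takes effect without restarting IIS.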