ASP provides powerful file system access through the FileSystemObject (FSO) component: an ASP script can read, write, copy, delete and rename any file on the server's hard disk, which is a serious threat to the security of a school website. Many campus hosts have already been infected by FSO Trojans. Simply disabling the FSO component, however, means that every ASP program that uses it stops working, which does not meet customers' needs. How can the FileSystemObject component be allowed without compromising the security of the server, so that users of different virtual hosts cannot use it to read and write each other's files? The following is the author's experience gained over the years:
The first step is the key, and it is what differs from Windows 2000: right-click the C: drive, click "Sharing and Security", select the "Security" tab in the dialog box that appears, and delete the Everyone and Users groups. If afterwards your website can no longer run ASP pages at all, add the IIS_WPG group (Figure 1) and restart the computer.
After this change the FSO Trojan can no longer run. For a higher level of security, apply the above settings to each disk partition separately and set up a different anonymous access user for each site. The following example illustrates this (assume that the Abc.com site lives in the Abc folder on the E: drive of your host):
1. Open "Computer Management → Local Users and Groups → Users", create the user Abc, set a password, clear the check box "User must change password at next logon", tick "User cannot change password" and "Password never expires", and make the user a member of the Guests group.
2. Right-click E:\Abc and select "Properties → Security". You will see that the folder's default security setting grants "Everyone" Full Control (what is displayed may differ depending on your situation). Remove Everyone's Full Control (if it cannot be removed, click the [Advanced] button, clear the check box "Allow inheritable permissions from the parent to propagate to this object", and then delete all entries), then grant the Administrators group and the Abc user full security permissions on this website directory.
3. Open IIS Manager, right-click the Abc.com host name, select "Properties → Directory Security" from the pop-up menu, and click [Edit] under "Authentication and access control"; the dialog box shown in Figure 2 appears. The default anonymous access user is "IUSR_<machine name>". Click [Browse], locate the Abc account created earlier in the "Select User" dialog box, confirm, and enter the account's password again.
After this setting, anonymous visitors to the site in the E:\Abc folder run as the Abc account. Because the Abc account has security permissions only on this folder, it can use FSO only within this folder.
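The three steps above can be scripted so that every new virtual host gets the same isolation. The following PowerShell script is an added example, not code from the original article: it creates the per-site account, rewrites the site folder's ACL and points the IIS 6 anonymous identity at that account. It assumes the folder E:\Abc, the account name Abc, a site whose description in IIS Manager is "Abc.com", adsutil.vbs in C:\Inetpub\AdminScripts, icacls.exe on the system and the IIS WMI provider (namespace root\MicrosoftIISv2) installed. One deliberate tightening compared with step 2: the account is granted Modify rather than Full Control, which is enough to read and write files and keeps the site account from editing its own folder's permissions.

```powershell
# Added example (not from the original article): scripts steps 1 to 3 for one site.
# Assumed values: E:\Abc, account Abc, IIS site description "Abc.com",
# adsutil.vbs under C:\Inetpub\AdminScripts, icacls.exe present, IIS WMI provider installed.
param(
    [string]$SiteFolder  = 'E:\Abc',
    [string]$AccountName = 'Abc',
    [string]$SiteComment = 'Abc.com',
    [string]$AdsUtil     = 'C:\Inetpub\AdminScripts\adsutil.vbs'
)

# Read the password interactively so it never sits in the script file.
$secure = Read-Host "Password for local account $AccountName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# --- Step 1: a dedicated low-privilege local account that is a member of Guests only ---
net user $AccountName $plain /add /passwordchg:no /expires:never
net localgroup Guests $AccountName /add
# "net user /add" also puts the new account into Users; remove that membership so the
# account holds only the rights of Guests plus the explicit ACL on its own folder.
net localgroup Users $AccountName /delete
# "Password never expires" is not a net.exe switch; set the flag through WMI instead.
$acct = Get-WmiObject Win32_UserAccount -Filter "Name='$AccountName' AND LocalAccount=True"
$acct.PasswordExpires = $false
$acct.Put() | Out-Null

# --- Step 2: break inheritance on the site folder, then grant only Administrators and Abc ---
icacls $SiteFolder /inheritance:r            # drop inherited ACEs (e.g. Everyone from the drive root)
icacls $SiteFolder /remove:g Everyone Users  # drop any explicit grants to the broad groups
# Administrators keep Full Control; the site account gets Modify (tighter than the article's Full Control).
icacls $SiteFolder /grant "Administrators:(OI)(CI)F" "${AccountName}:(OI)(CI)M"

# --- Step 3: make Abc the anonymous identity of the Abc.com site (IIS 6 metabase) ---
$site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting `
            -Filter "ServerComment='$SiteComment'"
if (-not $site) { throw "No IIS site with description '$SiteComment'" }
$root = "$($site.Name)/Root"                 # metabase path such as W3SVC/1/Root
cscript //nologo $AdsUtil set "$root/AnonymousUserName" $AccountName
cscript //nologo $AdsUtil set "$root/AnonymousUserPass" $plain

function Test-SiteFolderAcl {
    # Returns $true when the folder ACL names the site account and Administrators
    # but neither Everyone nor Users, i.e. the state steps 1 and 2 are meant to produce.
    param([string]$Path, [string]$Account)
    $ids = (Get-Acl -Path $Path).Access | ForEach-Object { $_.IdentityReference.Value }
    $hasAccount = $ids -match "\\$Account$"
    $hasAdmins  = $ids -contains 'BUILTIN\Administrators'
    $hasBroad   = ($ids -contains 'Everyone') -or ($ids -contains 'BUILTIN\Users')
    return [bool]($hasAccount -and $hasAdmins -and -not $hasBroad)
}

"Folder ACL isolated: $(Test-SiteFolderAcl -Path $SiteFolder -Account $AccountName)"
```

Run it once per virtual host with a different account name and folder each time; the final line should print True for every site. Because the script removes the Users membership, any ASP page that relied on Users-level rights outside the site folder will start failing, which is exactly the signal that it was reaching beyond its own directory.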
FAQ:
How to lift the 200 KB limit on FSO-based upload programs?
First, stop the IIS Admin Service in the Services console, then open Metabase.xml in the Windows\System32\inetsrv directory, find AspMaxRequestEntityAllowed and change it to the required value. The default is 204800, i.e. 200 KB; change it to 51200000 (50 MB), then restart the IIS Admin Service.
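The edit described in the answer, done as a script that stops the service, keeps a backup and reads the value back afterwards. This PowerShell script is an added example, not part of the original article; it assumes the IIS 6 metabase file lives at %SystemRoot%\System32\inetsrv\Metabase.xml and that the file is UTF-8 encoded.

```powershell
# Added example (not from the original article): raises AspMaxRequestEntityAllowed
# in the IIS 6 metabase file with a backup and a read-back check.
# Assumed path: %SystemRoot%\System32\inetsrv\Metabase.xml (UTF-8).
param([int64]$NewLimitBytes = 51200000)   # 50 MB, the value used in the FAQ answer

$metabase = Join-Path $env:SystemRoot 'System32\inetsrv\Metabase.xml'
$pattern  = 'AspMaxRequestEntityAllowed="(\d+)"'

function Get-AspMaxRequestEntityAllowed {
    # Returns every value of the attribute found in the file; it can be set at the
    # W3SVC level and again on individual sites or virtual directories.
    param([string]$Path)
    $text = [IO.File]::ReadAllText($Path)
    [regex]::Matches($text, $pattern) | ForEach-Object { [int64]$_.Groups[1].Value }
}

function Set-AspMaxRequestEntityAllowed {
    # Rewrites every occurrence of the attribute; returns the number of occurrences changed.
    param([string]$Path, [int64]$Bytes)
    $text  = [IO.File]::ReadAllText($Path)
    $count = [regex]::Matches($text, $pattern).Count
    $new   = [regex]::Replace($text, $pattern, "AspMaxRequestEntityAllowed=`"$Bytes`"")
    [IO.File]::WriteAllText($Path, $new, [Text.Encoding]::UTF8)
    return $count
}

# IIS Admin Service keeps the metabase open and writes it back on shutdown, so stop it
# before editing (-Force also stops the dependent World Wide Web Publishing Service).
Stop-Service -Name IISADMIN -Force
$backup = "$metabase.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -Path $metabase -Destination $backup

"Before: $(Get-AspMaxRequestEntityAllowed -Path $metabase)"
$changed = Set-AspMaxRequestEntityAllowed -Path $metabase -Bytes $NewLimitBytes
"After:  $(Get-AspMaxRequestEntityAllowed -Path $metabase)  ($changed occurrence(s) changed, backup at $backup)"

Start-Service -Name IISADMIN
Start-Service -Name W3SVC
```

The limit exists to cap the size of request bodies ASP will accept, so it is better raised only on the site that hosts the upload program than globally. The supported way to do that without stopping the service is adsutil.vbs, for example cscript adsutil.vbs set W3SVC/1/Root/AspMaxRequestEntityAllowed 51200000 for the site with metabase ID 1 (an assumed ID); the script above mirrors the file edit the answer describes and replaces every occurrence it finds, so check the "Before" list if some sites should keep the 200 KB default.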