Most virtual hosts have now disabled the standard ASP component FileSystemObject, because this component gives ASP powerful file system access: it can read, write, copy, delete, rename and otherwise operate on any file on the server's hard disk (of course, this is only possible under Windows NT/2000 with default settings). However, once this component is disabled, every ASP page that uses it can no longer run, and customer needs cannot be met.
How can the FileSystemObject component be allowed without affecting the security of the server (that is, so that different virtual host users cannot use this component to read and write other people's files)? Here I introduce a method I arrived at by experiment. The following uses Windows 2000 Server as an example.
Open Windows Explorer on the server, right-click the drive letter of each hard disk partition or volume, select "Properties" in the pop-up menu and select the "Security" tab. You can then see which accounts can access this partition (volume) and what access rights they have. After a default installation, "Everyone" appears with Full Control. Click "Add", add "Administrators", "Backup Operators", "Power Users", "Users" and other groups, and give them "Full Control" or the corresponding permissions. Be careful not to give the "Guests" group or the "IUSR_machine name" account any permissions. Then delete the "Everyone" group from the list, so that only authorized groups and users can access this hard disk partition. When ASP is executed, it accesses the hard disk as "IUSR_machine name". Since this account is given no permissions here, ASP will not be able to read and write files on the hard disk.
All that needs to be done is to set up a separate user account for each virtual host user, and then assign each account a directory that allows it full control.
As shown in the figure below, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right pane, and select "New User" in the pop-up menu:
In the "New User" dialog box that pops up, enter "User Name", "Full Name", "Description", "Password" and "Confirm Password" according to actual needs, clear the check mark in front of "User must change password at next logon", and select "User cannot change password" and "Password never expires". This example creates an account "IUSR_VHOST1" for the user of the first virtual host, to be used for anonymous access to Internet Information Services. That is, when any client accesses this virtual host using http://xxx.xxx.xxxx/ , the access is made under the identity of this account. After completing the input, click "Create". You can create multiple users according to actual needs, and click "Close" after creation:
Now that the newly created user has appeared in the account list, double-click the account in the list for further settings:
In the "IUSR_VHOST1" (that is, the new account just created) properties dialog box that pops up, click the "Member Of" tab:
The newly created account belongs to the "Users" group by default. Select the group and click "Remove":
What appears now is as shown in the picture below. At this time, click "Add":
Find "Guests" in the pop-up "Select Group" dialog box, click "Add", this group will appear in the text box below, and then click "OK":
What appears is as shown in the figure below. Click "OK" to close this dialog box:
Open "Internet Information Services" and start setting up the virtual host. In this example, we take the setting of "First Virtual Host" as an example. Right-click the host name and select "Properties" in the pop-up menu:
A "First Virtual Host Properties" dialog box pops up. From the dialog box, you can see that the virtual host user uses the "F:\VHOST1" folder:
Leave the "First Virtual Host Properties" dialog box open for now, switch to Windows Explorer, find the folder "F:\VHOST1", right-click it and select "Properties" → "Security" tab. You can see that the default security setting of the folder is "Everyone" with Full Control (the content displayed varies depending on the situation). First, clear the check mark in front of "Allow inheritable permissions from parent to propagate to this object" at the bottom:
A "Security" warning as shown below pops up; click "Remove":
All groups and users in the Security tab are now cleared (if they are not, use "Remove" to clear them). Then click the "Add" button.
Add "Administrator", as shown in the picture, and the new account "IUSR_VHOST1" created earlier, and give them Full Control. You can also add other groups or users according to actual needs, but be sure not to add the "Guests" group, "IUSR_machine name" or other anonymous access accounts!
Then switch back to the "First Virtual Host Properties" dialog box that was opened earlier, open the "Directory Security" tab, and click "Edit" under "Anonymous access and authentication control":
In the "Authentication Methods" dialog box that pops up (as shown below), click "Edit":
The "Anonymous User Account" dialog box pops up; the default account is "IUSR_machine name". Click "Browse":
In the "Select User" dialog box, find the new account "IUSR_VHOST1" created earlier and double-click:
At this time, the anonymous username has been changed. In the password box, enter the password set for the account when you created it earlier:
OK, done, click OK to close these dialog boxes.
After this setting, users of the "first virtual host" who use ASP's FileSystemObject component can only access the content under their own directory, F:\VHOST1. When they try to access other content, an error message such as "No permission", "Hard disk is not ready" or "500 Server Internal Error" is displayed.
In addition: if the user needs to read the capacity of the hard disk partition or the serial number of the hard disk, this setting makes that impossible. If you want to allow reading information about the entire partition, right-click the partition (volume) of the hard disk, select "Properties" → "Security", add this user's account to the list, and give it at least "Read" permission. Since the subdirectories under this volume have all been set not to allow inheritable permissions from the parent to propagate to them, the permission settings of those subdirectories will not be affected.
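One way to check the result described above, as an added example that is not part of the original article: an ASP page, saved in the virtual host's own directory and requested anonymously, that exercises FileSystemObject inside and outside F:\VHOST1 and shows the VBScript error raised by each attempt. F:\VHOST2 is a hypothetical second virtual host, and C:\WINNT assumes the default Windows 2000 system directory.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added verification page, not from the original article. Paths other than
' F:\VHOST1 are assumptions; adjust them to the server's real layout.
Const OWN_DIR   = "F:\VHOST1"  ' directory granted to IUSR_VHOST1
Const OTHER_DIR = "F:\VHOST2"  ' hypothetical neighbouring virtual host
Const SYS_DIR   = "C:\WINNT"   ' default Windows 2000 system directory

Dim fso
Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Run one FileSystemObject operation and return "OK ..." or the VBScript
' runtime error it raised (70 = Permission denied, 71 = Disk not ready,
' 76 = Path not found).
Function Probe(action, target)
    Dim f, tmpName
    On Error Resume Next
    Select Case action
        Case "list"    ' enumerate the files in a folder
            Probe = "OK, " & fso.GetFolder(target).Files.Count & " files"
        Case "write"   ' create and remove a temporary file
            tmpName = fso.BuildPath(target, fso.GetTempName())
            Set f = fso.CreateTextFile(tmpName, True)
            If Err.Number = 0 Then
                f.Close
                fso.DeleteFile tmpName
                Probe = "OK"
            End If
        Case "drive"   ' volume capacity and serial number
            Probe = "OK, size " & fso.GetDrive(target).TotalSize & _
                    ", serial " & fso.GetDrive(target).SerialNumber
    End Select
    If Err.Number <> 0 Then Probe = "error " & Err.Number & ": " & Err.Description
    Err.Clear
End Function

Sub Report(label, expected, result)
    Response.Write Server.HTMLEncode(label & " | expected: " & expected & _
                                     " | got: " & result) & "<br>"
End Sub

Report "list "  & OWN_DIR,   "OK",    Probe("list",  OWN_DIR)
Report "write " & OWN_DIR,   "OK",    Probe("write", OWN_DIR)
Report "list "  & OTHER_DIR, "error", Probe("list",  OTHER_DIR)
Report "write " & OTHER_DIR, "error", Probe("write", OTHER_DIR)
Report "list "  & SYS_DIR,   "error", Probe("list",  SYS_DIR)
Report "drive F:", "error unless the account has Read on the volume", Probe("drive", "F:")
%>
```

Delete the page from the site once the results match the expectations.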