What are all the user accounts for IIS/ASP.NET and how do they differ?

Published 2024-11-02 05:02:51 | 256 words | 4 views | 0 comments


Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how they differ, and which one is REALLY the one that my app runs under. Here's a list:

  • IIS_IUSRS
  • IUSR
  • DefaultAppPool
  • ASP.NET v4.0
  • NETWORK_SERVICE
  • LOCAL SERVICE.

What is what?


Comments (1)

找个人就嫁了吧 2024-11-09 05:02:51


This is a very good question and sadly many developers don't ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes....

To cover the identities listed:

IIS_IUSRS:

This is analogous to the old IIS6 IIS_WPG group. It's a built-in group with its security configured such that any member of this group can act as an application pool identity.

IUSR:

This account is analogous to the old IUSR_<MACHINE_NAME> local account that was the default anonymous user for IIS5 and IIS6 websites (i.e. the one configured via the Directory Security tab of a site's properties).

For more information about IIS_IUSRS and IUSR see:

Understanding Built-In User and Group Accounts in IIS 7

DefaultAppPool:

If an application pool is configured to run using the Application Pool Identity feature then a "synthesised" account called IIS AppPool\<pool name> will be created on the fly to be used as the pool identity. In this case there will be a synthesised account called IIS AppPool\DefaultAppPool created for the lifetime of the pool. If you delete the pool then this account will no longer exist. When applying permissions to files and folders these must be added using IIS AppPool\<pool name>. You also won't see these pool accounts in your computer's User Manager. See the following for more information:

Application Pool Identities

ASP.NET v4.0:

This will be the Application Pool Identity for the ASP.NET v4.0 Application Pool. See DefaultAppPool above.

NETWORK SERVICE:

The NETWORK SERVICE account is a built-in identity introduced in Windows 2003. NETWORK SERVICE is a low privileged account under which you can run your application pools and websites. A website running in a Windows 2003 pool can still impersonate the site's anonymous account (IUSR_<MACHINE_NAME> or whatever you configured as the anonymous identity).

In ASP.NET prior to Windows 2008 you could have ASP.NET execute requests under the Application Pool account (usually NETWORK SERVICE). Alternatively you could configure ASP.NET to impersonate the site's anonymous account via the <identity impersonate="true" /> setting in the web.config file locally (if that setting is locked then it would need to be done by an admin in the machine.config file).

Setting <identity impersonate="true"> is common in shared hosting environments where shared application pools are used (in conjunction with partial trust settings to prevent unwinding of the impersonated account).

In IIS7.x/ASP.NET impersonation control is now configured via the Authentication configuration feature of a site. So you can configure it to run as the pool identity, IUSR or a specific custom anonymous account.

LOCAL SERVICE:

The LOCAL SERVICE account is a built-in account used by the service control manager. It has a minimum set of privileges on the local computer. It has a fairly limited scope of use:

LocalService Account

LOCAL SYSTEM:

You didn't ask about this one but I'm adding for completeness. This is a local built-in account. It has fairly extensive privileges and trust. You should never configure a website or application pool to run under this identity.

LocalSystem Account

In Practice:

In practice the preferred approach to securing a website (if the site gets its own application pool - which is the default for a new site in IIS7's MMC) is to run under Application Pool Identity. This means setting the site's Identity in its Application Pool's Advanced Settings to Application Pool Identity:


In the website you should then configure the Authentication feature:


Right click and edit the Anonymous Authentication entry:

[Screenshot: https://i.sstatic.net/K3MEK.png]

Ensure that "Application pool identity" is selected:


When you come to apply file and folder permissions you grant the Application Pool identity whatever rights are required. For example if you are granting the application pool identity for the ASP.NET v4.0 pool permissions then you can either do this via Explorer:


Click the "Check Names" button:


Or you can do this using the ICACLS.EXE utility:

icacls c:\wwwroot\mysite /grant "IIS AppPool\ASP.NET v4.0":(CI)(OI)(M)

...or...if your site's application pool is called BobsCatPicBlog then:

icacls c:\wwwroot\mysite /grant "IIS AppPool\BobsCatPicBlog":(CI)(OI)(M)

Update:

I just bumped into this excellent answer from 2009 (https://stackoverflow.com/questions/510170/the-difference-between-the-local-system-account-and-the-network-service-acco/510225#510225) which contains a bunch of useful information, well worth a read.
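The procedure in the answer above (pool identity set to Application Pool Identity, anonymous authentication pointed at the pool identity, NTFS rights granted to IIS AppPool\<pool name>) can be scripted and, more importantly, verified. The following PowerShell is an added example and is not part of the original answer; it assumes a hypothetical site named MySite whose pool is BobsCatPicBlog and a single writable folder App_Data, and it needs the WebAdministration module (Windows Server 2008 R2 / IIS 7.5 or later) run from an elevated prompt. One deliberate departure from the icacls lines in the answer: the script grants read/execute on the content root and Modify only on the writable folder, since a pool identity that can modify every file under the web root can also rewrite web.config and the application's own binaries if the app is compromised.

```powershell
# Added example, not from the original answer. Hypothetical names: site "MySite",
# pool "BobsCatPicBlog", writable folder "App_Data". Run elevated; needs WebAdministration.
param(
    [string]$SiteName       = "MySite",
    [string]$WritableSubdir = "App_Data"
)
Import-Module WebAdministration -ErrorAction Stop

$site = Get-Website -Name $SiteName
if (-not $site) { throw "Site '$SiteName' not found" }
$poolName = $site.applicationPool                                   # e.g. BobsCatPicBlog
$root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$poolPath = "IIS:\AppPools\$poolName"

# 1. Pool identity. ApplicationPoolIdentity makes the worker run as IIS AppPool\<pool>.
#    Warn loudly if someone had set LocalSystem, which the answer says should never be used.
$current = (Get-ItemProperty $poolPath -Name processModel).identityType
if ($current -eq "LocalSystem") {
    Write-Warning "$poolName currently runs as LocalSystem; switching to ApplicationPoolIdentity"
}
Set-ItemProperty $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. Anonymous authentication. An empty userName means "Application pool identity"
#    (the radio button in the answer's screenshot). Writing with -Location puts the
#    setting in applicationHost.config's <location> for the site, which works even
#    when the authentication section is locked against web.config.
$filter = "/system.webServer/security/authentication/anonymousAuthentication"
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $SiteName -Filter $filter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $SiteName -Filter $filter -Name userName -Value ""

# 3. NTFS rights for the synthesised pool account. Read/execute on the content tree,
#    Modify only where the application genuinely has to write.
#    ${principal} is braced on purpose: "$principal:" would be parsed by PowerShell
#    as a drive-qualified variable and the icacls argument would come out empty.
$principal = "IIS AppPool\$poolName"
& icacls.exe $root /grant "${principal}:(OI)(CI)(RX)" | Out-Null
$writable = Join-Path $root $WritableSubdir
if (Test-Path $writable) {
    & icacls.exe $writable /grant "${principal}:(OI)(CI)(M)" | Out-Null
}

# 4. Verify by reading back what IIS and NTFS actually hold, not what we think we set.
$identityType = (Get-ItemProperty $poolPath -Name processModel).identityType
$anonUser     = (Get-WebConfigurationProperty -PSPath "IIS:\" -Location $SiteName -Filter $filter -Name userName).Value
# Windows displays the synthesised account as "IIS APPPOOL\<pool>"; -like is case-insensitive.
$aces = (Get-Acl $root).Access | Where-Object { $_.IdentityReference -like "IIS APPPOOL\$poolName" }

"Pool $poolName identity : $identityType"
"Anonymous user          : " + $(if ($anonUser) { $anonUser } else { "<application pool identity>" })
"ACEs for $principal on ${root}:"
$aces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# 5. Which account is the worker process REALLY running as? Inspect live w3wp.exe
#    owners via WMI (works on PowerShell 2.0; Get-Process -IncludeUserName needs 4.0+).
#    Nothing is listed until the pool has started and served a request.
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    "PID $($_.ProcessId) runs as $($owner.Domain)\$($owner.User)"
}
```

Step 5 is the direct answer to the question's "which one is REALLY the one that my app runs under": after the change, the w3wp.exe owner should be reported as IIS APPPOOL\<pool name> rather than NT AUTHORITY\NETWORK SERVICE. If step 4 shows the ACE on the root with FullControl or Modify for the pool account, something else (an earlier icacls run, inherited rights from the parent folder) widened it and is worth tracking down.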
