What are all the user accounts for IIS/ASP.NET and how do they differ?
Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how they differ, and which one is REALLY the one that my app runs under. Here's a list:
- IIS_IUSRS
- IUSR
- DefaultAppPool
- ASP.NET v4.0
- NETWORK_SERVICE
- LOCAL SERVICE
What is what?
This is a very good question and sadly many developers don't ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes....

To cover the identities listed:

- IIS_IUSRS: This is analogous to the old IIS6 IIS_WPG group. It's a built-in group with its security configured such that any member of this group can act as an application pool identity.
- IUSR: This account is analogous to the old IUSR_<MACHINE_NAME> local account that was the default anonymous user for IIS5 and IIS6 websites (i.e. the one configured via the Directory Security tab of a site's properties). For more information about IIS_IUSRS and IUSR see:
- DefaultAppPool: If an application pool is configured to run using the Application Pool Identity feature then a "synthesised" account called IIS AppPool\<pool name> will be created on the fly to be used as the pool identity. In this case there will be a synthesised account called IIS AppPool\DefaultAppPool created for the lifetime of the pool. If you delete the pool then this account will no longer exist. When applying permissions to files and folders these must be added using IIS AppPool\<pool name>. You also won't see these pool accounts in your computer's User Manager. See the following for more information:
- ASP.NET v4.0: This will be the Application Pool Identity for the ASP.NET v4.0 Application Pool. See DefaultAppPool above.
- NETWORK SERVICE: The NETWORK SERVICE account is a built-in identity introduced on Windows 2003. NETWORK SERVICE is a low privileged account under which you can run your application pools and websites. A website running in a Windows 2003 pool can still impersonate the site's anonymous account (IUSR_<MACHINE_NAME> or whatever you configured as the anonymous identity). In ASP.NET prior to Windows 2008 you could have ASP.NET execute requests under the Application Pool account (usually NETWORK SERVICE). Alternatively you could configure ASP.NET to impersonate the site's anonymous account via the <identity impersonate="true" /> setting in the web.config file locally (if that setting is locked then it would need to be done by an admin in the machine.config file). Setting <identity impersonate="true"> is common in shared hosting environments where shared application pools are used (in conjunction with partial trust settings to prevent unwinding of the impersonated account). In IIS7.x/ASP.NET impersonation control is now configured via the Authentication configuration feature of a site. So you can configure to run as the pool identity, IUSR or a specific custom anonymous account.
- LOCAL SERVICE: The LOCAL SERVICE account is a built-in account used by the service control manager. It has a minimum set of privileges on the local computer. It has a fairly limited scope of use:
- LOCAL SYSTEM: You didn't ask about this one but I'm adding it for completeness. This is a local built-in account. It has fairly extensive privileges and trust. You should never configure a website or application pool to run under this identity.

In Practice:

In practice the preferred approach to securing a website (if the site gets its own application pool - which is the default for a new site in IIS7's MMC) is to run under Application Pool Identity. This means setting the site's Identity in its Application Pool's Advanced Settings to Application Pool Identity:

In the website you should then configure the Authentication feature:

Right click and edit the Anonymous Authentication entry:

[screenshot: https://i.sstatic.net/K3MEK.png]

Ensure that "Application pool identity" is selected:

When you come to apply file and folder permissions you grant the Application Pool identity whatever rights are required. For example if you are granting the application pool identity for the ASP.NET v4.0 pool permissions then you can either do this via Explorer:

Click the "Check Names" button:

Or you can do this using the ICACLS.EXE utility:

...or...

if your site's application pool is called BobsCatPicBlog then:

Update:

I just bumped into this excellent answer from 2009 which contains a bunch of useful information, well worth a read: https://stackoverflow.com/questions/510170/the-difference-between-the-local-system-account-and-the-network-service-acco/510225#510225
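The "In Practice" steps above, scripted end to end, as an added example that is not part of the original answer: it creates an application pool running as Application Pool Identity, binds a site to it, sets anonymous authentication to use the pool identity rather than IUSR, grants the synthesised IIS AppPool\<pool name> account only the file rights it needs with ICACLS, and then shows which account the worker process really runs under. The pool name BobsCatPicBlog is the one the answer uses; the site name, content path, writable folder and port are assumptions. It is meant to be run from an elevated PowerShell session on a server with IIS and the WebAdministration module installed.

```powershell
# Added example, not code from the original answer. Pool/site name, paths and port are assumed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$poolName = 'BobsCatPicBlog'                          # pool name from the answer
$siteName = 'BobsCatPicBlog'                          # assumed site name
$sitePath = 'C:\inetpub\BobsCatPicBlog'               # assumed content folder
$uploads  = Join-Path $sitePath 'App_Data\uploads'    # assumed folder the app must write to
$port     = 8081                                      # assumed port (avoids the Default Web Site on 80)

# 1. Application pool whose identity is ApplicationPoolIdentity.
#    IIS synthesises the account "IIS AppPool\$poolName" for as long as the pool exists;
#    it never shows up in Local Users and Groups.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'

# 2. Site bound to that pool (one site per pool, so one identity per site).
New-Item -ItemType Directory -Force -Path $sitePath, $uploads | Out-Null
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName -Port $port | Out-Null
}

# 3. Anonymous authentication: an empty userName is the "Application pool identity"
#    radio button from the answer. Any other value (e.g. IUSR) makes anonymous
#    requests run under that account instead of the pool identity.
$authFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $authFilter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $authFilter -Name userName -Value ''

# 4. NTFS permissions for the pool identity only: read/execute on the content tree,
#    modify on the single folder that must be writable. Grant to IIS_IUSRS instead and
#    every pool on the box gets the same access, because each pool identity is a
#    member of that group.
$identity = "IIS AppPool\$poolName"
icacls $sitePath /grant "${identity}:(OI)(CI)RX"
icacls $uploads  /grant "${identity}:(OI)(CI)M"

# Something for the worker process to serve (written after the ACLs so it inherits them).
Set-Content -Path (Join-Path $sitePath 'index.htm') -Value '<html><body>ok</body></html>'

# 5. Verify which account the app REALLY runs under: start the pool, send one request
#    so w3wp.exe is spawned, then read the owner of every w3wp.exe process.
#    The command line carries -ap "<pool name>", which maps the PID back to its pool.
Start-WebAppPool -Name $poolName
(New-Object System.Net.WebClient).DownloadString("http://localhost:$port/") | Out-Null

Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    New-Object PSObject -Property @{
        Pid         = $_.ProcessId
        RunsAs      = "$($owner.Domain)\$($owner.User)"   # expect IIS APPPOOL\BobsCatPicBlog
        CommandLine = $_.CommandLine
    }
} | Format-Table Pid, RunsAs, CommandLine -AutoSize

# Effective ACL on the writable folder, to confirm only the pool identity was added.
icacls $uploads
```

The check in step 5 is the answer to "which one is REALLY the one that my app runs under": the token owner of the w3wp.exe whose command line names your pool. If it reports NT AUTHORITY\NETWORK SERVICE, the pool's identityType was not changed; if requests still fail against files only the pool identity can read, look at the anonymousAuthentication userName, because a non-empty value there means IUSR (or a custom account) is being impersonated rather than the pool identity.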