如何隔离在 FullTrust 中运行的 .Net 网站
在 IIS 服务器运行多个网站的情况下,当前保护每个网站免受彼此攻击的最佳实践是什么?
目标是网站 A 不应访问网站 B 的任何资源
In a scenario where an IIS server is running multiple websites, what is the current best practices to protect each website from each other?
The objective is that website A should not have access to any resources from website B
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
通常,这是通过使用一个能够运行页面的通用计算机帐户和每个站点一个只能读取关联站点资源的用户帐户来完成的。
因此,每个站点都有一个可以运行它的通用计算机帐户,并且它连接到池,是计算机管理和运行的帐户。
每个站点都有一个不同的个人帐户。当用户连接到站点时,iis 会分配此隔离帐户,但当计算机运行时,它会使用普通计算机帐户。
Usually this is done by using one common computer account that is the one that be able to run the pages, and one user account per site that be able to read the resource only for the associate site.
So each site have the common computer account that can be able to run it and its connected to the pool, is the one that computer manage and runs.
And one personal account different for each site. When a user connected to the site, the iis is assign this isolate account, but when the computer runs it is use the common computer account.
在我的脑海中,我会使用不同的进程帐户运行它们,并使用 acl 来限制对彼此文件的访问,包括系统文件等。这将被认为是相当标准的做法。
显然这需要单独的应用程序池。
Off the top of my head, I would run them with different process accounts and use acls to restrict access to each other files, including system files etc. this would be considered fairly standard practice.
Obviously this requires separate application pools.