Application pool identity or Impersonation

Problem description

(A question of similar vein has been asked before but both the question and the accepted answer do not provide the detail I am looking for)

With the intention of running an asmx web service under a dedicated domain account, what are the usage scenarios and/or pros and cons of using an Application Pool with the identity of the domain account versus Impersonation?

We have 3 small internal web services that run under relatively low load and we would like to switch them to running under their own domain accounts (for the purpose of integrated security with SQL Server etc). I appear to have the choice of creating dedicated app pools for each application, or having a single app pool for all the applications and using impersonation in each.

I understand app pools provide worker process isolation and there are considerations for performance when using impersonation; however, those aside, what else would dictate the correct option?

Recommended answer

Typically, you will choose a different identity for the worker process (or do ASP.NET impersonation) because there is a need to access local/network resources that need specific permissions. The obvious disadvantage is that your application code may run under more permissions than it may need, thereby increasing the vulnerability against malicious attacks.

ASP.NET impersonation would have more overhead because the user context needs to be switched for each request. I will suggest going with the separate app pool approach - the only disadvantage with the app pool approach is that you have a process for each one of them and so there will be overhead (from the OS perspective) for each process. If your applications are smaller and don't have strong memory demands then this should not be an issue,
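
A sketch of the separate-pool approach recommended above, added here as an example and not part of the original answer. It assumes IIS 7 or later with the WebAdministration module, run from an elevated PowerShell session; the pool names, application paths and CONTOSO accounts are placeholders.

```powershell
# Added example: one dedicated application pool per web service, each running
# under its own domain account. Every name below is a placeholder.
Import-Module WebAdministration

$services = @(
    @{ Pool = 'OrdersSvcPool';  App = 'IIS:\Sites\Default Web Site\OrdersSvc';  Account = 'CONTOSO\svc-orders'  },
    @{ Pool = 'BillingSvcPool'; App = 'IIS:\Sites\Default Web Site\BillingSvc'; Account = 'CONTOSO\svc-billing' },
    @{ Pool = 'ReportSvcPool';  App = 'IIS:\Sites\Default Web Site\ReportSvc';  Account = 'CONTOSO\svc-report'  }
)

foreach ($svc in $services) {
    # Prompt for the password so it is never written into the script.
    $cred = Get-Credential -UserName $svc.Account -Message "Password for $($svc.Account)"

    $poolPath = "IIS:\AppPools\$($svc.Pool)"
    if (-not (Test-Path $poolPath)) {
        New-WebAppPool -Name $svc.Pool | Out-Null
    }

    # identityType 3 = SpecificUser: the worker process itself runs as the
    # domain account, so no per-request context switch is needed.
    Set-ItemProperty -Path $poolPath -Name processModel -Value @{
        identityType = 3
        userName     = $svc.Account
        password     = $cred.GetNetworkCredential().Password
    }

    # Move the application into its own pool (its own w3wp.exe process).
    Set-ItemProperty -Path $svc.App -Name applicationPool -Value $svc.Pool
}

# Verify which identity each pool is configured to run as.
$poolNames = $services | ForEach-Object { $_.Pool }
Get-ChildItem IIS:\AppPools |
    Where-Object { $poolNames -contains $_.Name } |
    Select-Object Name,
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
        @{ n = 'UserName';     e = { $_.processModel.userName } }
```

With one account per pool, each account can be granted only the SQL Server and file-system rights its own service needs, which limits the excess-permission exposure the answer describes.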
