我该如何处理Web角色.aspx页面中运行受限用户下？ [英] How do I deal with web role .aspx page running under a restricted user?

问题描述

原来 Web角色.aspx页和Web角色code运行在两个独立的进程与默认完整的IIS模式。对于我对端口的应用程序的问题是，处理的.aspx需要访问本地文件系统，并因为它现在正在计算机名\\\\ NETWORK SERVICE运行占它有没有这样的访问。

据我所知我可以做到以下几点之一。

首先，我可以给予获得必要的子文件夹的用户计算机名\\\\ NETWORK SERVICE ，而在启动任务。这将工作，但看起来不安全 - 任何运行在计算机名\\\\ NETWORK SERVICE 将获得相同的访问，这可以introdude漏洞

。

第二，我可以以某种方式强制IIS在专用用户下运行的专用池中运行中的作用网站，并授予访问权限给该用户。这听起来不错，但我（特别是强制IIS创建一个特定的用户下运行的专用池）自动不知道我能做到这一点 - 无论是角色配置文件中或启动任务中

第三，我可以将所有处理的文件系统到code属于角色和内部 WaIISHost.exe 正在运行。这将需要一些重新设计。

哪个选项的上面是最方便，最密切关注的最佳实践？还有什么其他的选择有哪些？我如何处理这种情况？

解决方案

  

第二，我可以以某种方式强制IIS在专用用户下运行的专用池中运行中的作用网站，并授予访问权限给该用户。这听起来不错，但我（特别是强制IIS创建一个特定的用户下运行的专用池）自动不知道我能做到这一点 - 无论是角色配置文件中或启动任务中

韦德温格的博客是辉煌的这种类型的问题

下面是如何设置一个特定的用户在Web角色：

<一个href=\"http://www.wadewegner.com/2011/01/programmatically-changing-the-apppool-identity-in-a-windows-azure-web-role/\" rel=\"nofollow\">http://www.wadewegner.com/2011/01/programmatically-changing-the-apppool-identity-in-a-windows-azure-web-role/

Turns out the web role .aspx page and web role code run in two separate processes with the default "Full IIS" mode. The problem for the application I'm to port is that .aspx handler needs access to the local filesystem and since it now runs under MachineName\\NETWORK SERVICE account it has no such access.

AFAIK I could do one of the following.

First, I could grant access to necessary subfolders to user MachineName\\NETWORK SERVICE while in an startup task. That will work, but looks insecure - anything running under MachineName\\NETWORK SERVICE will get the same access and this can introdude a vulnerability.

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Third, I could move all dealing with the filesystem onto the code that belongs to the role and is running inside WaIISHost.exe. That will require some redesign.

Which option of the above is most convenient and follows best practices most closely? What other options are there? How do I address the situation?

解决方案

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Wade Wenger's blog is brilliant for this type of question

Here's how to setup the web role under a specific user:

http://www.wadewegner.com/2011/01/programmatically-changing-the-apppool-identity-in-a-windows-azure-web-role/

这篇关于我该如何处理Web角色.aspx页面中运行受限用户下？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！