IIS AppPoolIdentity and file system write access permissions

Views: 729

Problem description


Here's an issue with IIS 7.5 and ASP.NET that I've been researching and getting nowhere with. Any help would be greatly appreciated.


My question is: using ASP.NET in IIS 7.5, how does IIS and/or the operating system allow the web application to write to a folder like C:\dump when running under full trust? How is it that I don't have to explicitly add write access for the application pool user (in this case ApplicationPoolIdentity)?

This is what I know:

  • In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity.
  • ApplicationPoolIdentity represents a Windows user account called "IIS APPPOOL\AppPoolName", which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool.
  • The "IIS APPPOOL\AppPoolName" user is by default a member of the IIS_IUSRS group.
  • If you are running under Full Trust, your web application can write to many areas of the file system (excluding folders like C:\Users, C:\Windows, etc). For example, your application will have access to write to some folders, like, C:\dump.
  • By default, the IIS_IUSRS group is not given read or write access to C:\dump (at least not access that is visible through the "Security" tab in Windows Explorer).
  • If you deny write access to IIS_IUSRS, you will get a SecurityException when trying to write to the folder (as expected).


So, taking all of that into account, how is write access granted to the "IIS APPPOOL\AppPoolName" user? The w3wp.exe process runs as this user, so what allows this user to write to a folder it doesn't seem to have explicit access to?


Please note that I understand this was probably done for the sake of convenience, since it would be a pain to grant a user access to every folder it needs to write to if you are running under Full Trust. If you want to limit this access, you can always run the application under Medium Trust. I am interested in finding out about the way the operating system and/or IIS allows these writes to take place, even though there appears to be no explicit file system access granted.

Recommended answer


The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try and create a folder in the C:\Windows folder then you'll find that you can't. The ApplicationPoolIdentity still needs to be able to read files from the Windows system folders (otherwise how else would the worker process be able to dynamically load essential DLLs).


With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you'll see the following:

See the special permissions inherited from C:\


That's the reason your site's ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.


In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on its site root folder.


You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don't store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than its group membership dictates.

An ApplicationPoolIdentity's group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the User Name column to the list of columns to display):

For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right-clicking on properties for the process and selecting the Security tab we see:

We can see that the IIS APPPOOL\900300 user is a member of the Users group.
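The answer's three points, as an added PowerShell example that is not code from the question, the answer or Microsoft: it reports which ACEs on a folder apply to BUILTIN\Users and BUILTIN\IIS_IUSRS and whether each is inherited from a parent such as C:\ (the reason the write to C:\dump succeeds), lists the account each w3wp.exe worker runs as (the command-line equivalent of the User Name column in Process Explorer), and applies the hardening the answer recommends to a site root by breaking inheritance, keeping only Administrators and SYSTEM, and granting the pool's own identity just the rights it needs. It assumes an IIS host, an elevated PowerShell 5.1 or later session, and that `C:\dump`, the pool name and the site root path are illustrative values to replace.

```powershell
# Added example, not code from the question or answer. Assumes an IIS host,
# PowerShell 5.1 or later and an elevated session; the folder, pool name and
# site root used below are illustrative assumptions.

# --- 1. Where does the write right on C:\dump come from? ----------------------
# Lists the ACEs on a folder that apply to BUILTIN\Users and BUILTIN\IIS_IUSRS
# and flags whether each one is inherited (from C:\, in the answer's case).
function Get-FolderAceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -in 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS') {
            [pscustomobject]@{
                Path        = $Path
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Type        = $ace.AccessControlType
                IsInherited = $ace.IsInherited   # $true => comes from a parent folder
            }
        }
    }
}

# --- 2. Which account does each worker process run as? ------------------------
# Same information as the "User Name" column in Process Explorer; -IncludeUserName
# needs an elevated session.
function Get-WorkerProcessIdentity {
    Get-Process -Name w3wp -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object Id, UserName, StartTime
}

# --- 3. Harden a site root the way the answer recommends ----------------------
# Remove inherited ACEs so the Users ACE from the volume root no longer applies,
# keep Administrators and SYSTEM with full control, then grant only the pool's
# own identity: read/execute on the root, modify on the one folder it writes to.
function Protect-SiteRoot {
    param(
        [Parameter(Mandatory)][string]$SiteRoot,
        [Parameter(Mandatory)][string]$PoolName,
        [string]$WritableSubfolder = 'App_Data'   # assumed writable folder name
    )

    $poolAccount = "IIS AppPool\$PoolName"
    $dataDir     = Join-Path $SiteRoot $WritableSubfolder
    New-Item -ItemType Directory -Path $dataDir -Force | Out-Null

    # /inheritance:r drops every inherited ACE (including BUILTIN\Users from C:\);
    # /grant:r replaces any existing explicit ACE for the named principals.
    icacls $SiteRoot /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    icacls $SiteRoot /grant:r "${poolAccount}:(OI)(CI)RX" | Out-Null
    # Write access only where the application actually needs it.
    icacls $dataDir  /grant:r "${poolAccount}:(OI)(CI)M" | Out-Null

    # Show the result: Users/IIS_IUSRS should be gone, the pool identity explicit.
    Get-FolderAceReport -Path $SiteRoot
    (Get-Acl -Path $SiteRoot).Access |
        Where-Object { $_.IdentityReference.Value -eq $poolAccount } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage with the assumed values:
Get-FolderAceReport -Path 'C:\dump' | Format-Table -AutoSize
Get-WorkerProcessIdentity | Format-Table -AutoSize
# Protect-SiteRoot -SiteRoot 'D:\Sites\example' -PoolName 'example'
```

On a default install the first call typically shows a BUILTIN\Users entry on C:\dump with IsInherited set to True, which is the inherited right the answer describes; after Protect-SiteRoot runs on a site root, that entry no longer appears and the only non-administrative principal with rights is the pool's own virtual account.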
