What are all the user accounts for IIS/ASP.NET and how do they differ?


Problem description

Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how they differ, and which one is REALLY the one that my app runs under. Here's a list:

  • IIS_IUSRS
  • IUSR
  • DefaultAppPool
  • ASP.NET v4.0
  • NETWORK_SERVICE
  • LOCAL SERVICE.

What is what?

Solution

This is a very good question and sadly many developers don't ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes....

To cover the identities listed:

IIS_IUSRS:

This is analogous to the old IIS6 IIS_WPG group. It's a built-in group with its security configured such that any member of this group can act as an application pool identity.

IUSR:

This account is analogous to the old IUSR_<MACHINE_NAME> local account that was the default anonymous user for IIS5 and IIS6 websites (i.e. the one configured via the Directory Security tab of a site's properties).

For more information about IIS_IUSRS and IUSR see:


Understanding Built-In User and Group Accounts in IIS 7

DefaultAppPool:

If an application pool is configured to run using the Application Pool Identity feature then a "synthesised" account called IIS AppPool\<pool name> will be created on the fly to be used as the pool identity. In this case there will be a synthesised account called IIS AppPool\DefaultAppPool created for the lifetime of the pool. If you delete the pool then this account will no longer exist. When applying permissions to files and folders these must be added using IIS AppPool\<pool name>. You also won't see these pool accounts in your computer's User Manager. See the following for more information:

Application Pool Identities

ASP.NET v4.0:

This will be the Application Pool Identity for the ASP.NET v4.0 Application Pool. See DefaultAppPool above.

NETWORK SERVICE:

The NETWORK SERVICE account is a built-in identity introduced on Windows 2003. NETWORK SERVICE is a low privileged account under which you can run your application pools and websites. A website running in a Windows 2003 pool can still impersonate the site's anonymous account (IUSR_<MACHINE_NAME> or whatever you configured as the anonymous identity).

In ASP.NET prior to Windows 2008 you could have ASP.NET execute requests under the Application Pool account (usually NETWORK SERVICE). Alternatively you could configure ASP.NET to impersonate the site's anonymous account via the <identity impersonate="true" /> setting in web.config file locally (if that setting is locked then it would need to be done by an admin in the machine.config file).

Setting <identity impersonate="true"> is common in shared hosting environments where shared application pools are used (in conjunction with partial trust settings to prevent unwinding of the impersonated account).

In IIS7.x/ASP.NET impersonation control is now configured via the Authentication configuration feature of a site. So you can configure it to run as the pool identity, IUSR or a specific custom anonymous account.

LOCAL SERVICE:

The LOCAL SERVICE account is a built-in account used by the service control manager. It has a minimum set of privileges on the local computer. It has a fairly limited scope of use:

LocalService Account

LOCAL SYSTEM:

You didn't ask about this one but I'm adding for completeness. This is a local built-in account. It has fairly extensive privileges and trust. You should never configure a website or application pool to run under this identity.

LocalSystem Account

In Practice:

In practice the preferred approach to securing a website (if the site gets its own application pool - which is the default for a new site in IIS7's MMC) is to run under Application Pool Identity. This means setting the site's Identity in its Application Pool's Advanced Settings to Application Pool Identity:

In the website you should then configure the Authentication feature:

Right click and edit the Anonymous Authentication entry:

Ensure that "Application pool identity" is selected:

When you come to apply file and folder permissions you grant the Application Pool identity whatever rights are required. For example if you are granting the application pool identity for the ASP.NET v4.0 pool permissions then you can either do this via Explorer:

Click the "Check Names" button:

Or you can do this using the ICACLS.EXE utility:

icacls c:\wwwroot\mysite /grant "IIS AppPool\ASP.NET v4.0":(CI)(OI)(M)

...or... if your site's application pool is called BobsCatPicBlog then:

icacls c:\wwwroot\mysite /grant "IIS AppPool\BobsCatPicBlog":(CI)(OI)(M)

I hope this helps clear things up.

Update:

I just bumped into this excellent answer from 2009 which contains a bunch of useful information, well worth a read:

The difference between the 'Local System' account and the 'Network Service' account?
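The answer above lists the identities and shows the icacls grant by hand. As an added example (not part of the original answer or of IIS itself), the PowerShell below uses the WebAdministration module to read each pool's configured identity type, derive the exact principal name you must put in an NTFS ACL (the IIS AppPool\<pool name> form for Application Pool Identity, the NT AUTHORITY names for the built-in accounts), flag any pool still running as LocalSystem, apply the same (OI)(CI)(M) grant the answer uses and read the ACL back to confirm it landed, and set a site's anonymous authentication to use the pool identity. The site name, pool name and C:\wwwroot\mysite path are placeholders; the script assumes IIS 7.x or later and an elevated PowerShell session.

```powershell
# Added example: audit IIS app pool identities and grant NTFS rights to the
# correct principal. Assumes the WebAdministration module (IIS 7.x+), run as admin.
Import-Module WebAdministration

function Get-AppPoolPrincipal {
    # Map a pool's identityType to the account name NTFS ACLs and icacls expect.
    param([Parameter(Mandatory)][string]$PoolName)
    $pool = Get-Item "IIS:\AppPools\$PoolName"
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }          # synthesised account
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pool.processModel.userName }      # custom account
    }
}

function Test-AppPoolIdentities {
    # One row per pool; warn on LocalSystem, which the answer says never to use for a pool.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $type = $pool.processModel.identityType
        if ($type -eq 'LocalSystem') {
            Write-Warning "$($pool.name) runs as LocalSystem; switch it to ApplicationPoolIdentity"
        }
        [pscustomobject]@{
            Pool         = $pool.name
            IdentityType = $type
            Principal    = Get-AppPoolPrincipal -PoolName $pool.name
        }
    }
}

function Grant-AppPoolModify {
    # Same grant as the answer's icacls lines: Modify, inherited by subfolders (CI) and files (OI).
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$Path
    )
    $principal = Get-AppPoolPrincipal -PoolName $PoolName
    & icacls.exe $Path /grant "${principal}:(OI)(CI)(M)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $principal on $Path" }

    # Read the ACL back rather than trusting icacls' exit code alone.
    # Windows reports the synthesised account as IIS APPPOOL\<name>; -eq is case-insensitive.
    $ace = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $principal -and
                       $_.FileSystemRights.ToString() -match 'Modify' }
    if (-not $ace) { throw "No Modify ACE found for $principal on $Path" }
    $ace
}

function Set-AnonymousToAppPoolIdentity {
    # The "Application pool identity" choice in the Authentication feature is stored as an
    # empty userName on anonymousAuthentication. The section is locked at server level by
    # default, so write it into applicationHost.config's <location> for the site.
    param([Parameter(Mandatory)][string]$SiteName)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName' -Value ''
}

# Placeholder names; replace with your own site, pool and content path.
Test-AppPoolIdentities | Format-Table -AutoSize
Grant-AppPoolModify -PoolName 'BobsCatPicBlog' -Path 'C:\wwwroot\mysite'
Set-AnonymousToAppPoolIdentity -SiteName 'mysite'
```

Reading the ACL back matters because icacls silently accepts a principal string that resolves to the wrong account (for example a custom account name with a typo that happens to exist), so checking IdentityReference against the name derived from the pool configuration is the quickest way to confirm the site's worker process, and only that process, received the rights.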
