IIS_IUSRS and IUSR permissions in IIS8


Problem description


I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.

Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:

Access to the path 'D:\WebSites\myapp.co.uk\companydata\filename.pdf' is denied.

When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool.

Instead, to stop screaming customers I granted the following permissions on the folder:

IUSR

• Read & Execute
• List Folder Contents
• Read
• Write

IIS_IUSRS

• Modify
• Read & Execute
• List Folder Contents
• Read
• Write

This seems to have worked, but I am concerned that too many privileges have been set. I've read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?

Update & Solution

Please see my answer below. I've had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).

Solution

I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.

In short - you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.

Applying Modify/Write Permissions to the Correct User Account

1. Right-click the domain when it appears under the Sites list, and choose Edit Permissions

   Under the Security tab, you will see MACHINE_NAME\IIS_IUSRS is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry.

2. Click the Edit button, then Add...

3. In the text box, type IIS AppPool\MyApplicationPoolName, substituting MyApplicationPoolName with your domain name or whatever application pool is accessing your site, e.g. IIS AppPool\mydomain.com

4. Press the Check Names button. The text you typed will transform (notice the underline):

5. Press OK to add the user

6. With the new user (your domain) selected, now you can safely provide any Modify or Write permissions
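
The grant that the steps above make through IIS Manager can also be scripted and checked from PowerShell. This is an added example, not part of the original answer; the folder path and pool name are placeholders, and it first lists any existing entries that give IUSR or IIS_IUSRS write-level rights, which is the over-permissioning the question asks about.

```powershell
# Added example: the folder and pool name are placeholders, not values from the post.
param(
    [string]$Folder  = 'D:\WebSites\example.test\companydata',  # hypothetical data folder
    [string]$AppPool = 'MyApplicationPoolName'                  # pool name as shown in IIS Manager
)

$identity = "IIS AppPool\$AppPool"   # the application pool's virtual account
$acl = Get-Acl -Path $Folder

# Report Allow entries that already give the broad IIS principals write-level access.
# Modify and FullControl both contain these bits; Read & Execute does not.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match '(^|\\)(IUSR|IIS_IUSRS)$' -and
    ($_.FileSystemRights -band $writeBits)
}
if ($broad) {
    Write-Warning "Write-level rights are granted to IUSR / IIS_IUSRS on $Folder"
    $broad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

# Grant Modify to the application pool identity only, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm the resulting entry for the pool identity.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Run it from an elevated prompt on the web server; the script only reports the IUSR / IIS_IUSRS entries and leaves removing them to the administrator.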
