如何在域控制器上分配 IIS 7.5 文件系统访问权限?
Posted
技术标签:
【中文标题】如何在域控制器上分配 IIS 7.5 文件系统访问权限?【英文标题】:How to assign IIS 7.5 file system access permissions on a Domain Controller? 【发布时间】:2013-10-14 22:56:31 【问题描述】:我的情况有点不寻常。
我正在处理安装在 Windows Server 2008 R2 域控制器机器上的 IIS 7.5。
我正在尝试编写一个在该 IIS 上安装我的 Web 应用程序的 C# 程序。一切正常,除了我需要将应用程序池的访问权限分配给安装 Web 应用程序的文件夹的那一刻。
在做了一些研究后,我发现我需要为以下用户帐户分配访问权限:
IIS 应用程序池\[应用程序池名称]
所以我想出了这个代码:
setFolderPermissions(@"C:\inetpub\www_test1",
@"IIS AppPool\" + strAppPoolName,
System.Security.AccessControl.FileSystemRights.Read | System.Security.AccessControl.FileSystemRights.ListDirectory,
System.Security.AccessControl.AccessControlType.Allow);
public static string setFolderPermissions(string strFolderPath, string sUserName, FileSystemRights rights, AccessControlType access)
DirectoryInfo info = new DirectoryInfo(strFolderPath);
DirectorySecurity ds = info.GetAccessControl();
ds.AddAccessRule(new FileSystemAccessRule(sUserName,
rights,
InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
PropagationFlags.None,
access));
info.SetAccessControl(ds);
上述方法有效,但在域控制器上使用时除外。它抛出这个异常:
部分或全部身份参考无法翻译。
我分配这些所需权限的唯一方法是从命令行手动执行此操作:
C:\Users\Administrator>icacls "C:\inetpub\www_test1" /grant "IIS AppPool\MyAppsoolName":(CI)(OI)(M)
知道如何用 C# 来处理 icacls 的事情吗?
【问题讨论】:
【参考方案1】:更好的是,创建您自己的应用程序池,使用给定的凭据运行。并为 Web 应用程序安装文件夹上的给定凭据(用户名)分配权限。
【讨论】:
我试过了,但是我需要为它在内部使用的 ASP.NET 文件夹设置权限。这似乎更复杂,你不觉得吗? 为什么需要为 ASP.NET 文件夹设置权限,因为根文件夹分配了应用程序池用户权限? 不,我说的是临时文件夹等文件夹以及工作进程可能正在访问的任何其他文件夹...【参考方案2】:您不应该按照我的 Microsoft 的建议在域控制器上运行 IIS,因为这可能会导致安全和权限问题。
如果你真的想这样做,你应该使用域帐户来运行应用程序池,而不是集成的 IIS Apppool。这不起作用,因为域控制器没有本地帐户,而 IIS APPool 帐户是本地的。
查看更多详情
http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx
【讨论】:
【参考方案3】:我想我是使用非托管方法获得的。结果在 C# 中有点难看,但概念如下:
uint nOSErr;
if(!(nOSErr = setFolderPermissions(@"C:\inetpub\www_test1", @"IIS AppPool\" + strAppPoolName, OSFileAccess.FILE_GENERIC_READ)))
throw new Exception("Failed to change permissions, error code=" + nOSErr);
public static uint setFolderPermissions(string strFolderPath, string strUserName, OSFileAccess access)
//Set folder permissions
//RETURN:
// = 0 if success
// = Otherwise error code -- check GetLastError
uint dwRes = 0;
try
IntPtr pZero = IntPtr.Zero;
IntPtr pSecDesc = pZero;
IntPtr pDacl = pZero;
if ((dwRes = GetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out pZero, out pZero, out pDacl, out pZero, out pSecDesc)) == ERROR_SUCCESS)
try
EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS();
ea.grfAccessPermissions = access;
ea.grfAccessMode = AccessMode.GRANT_ACCESS;
ea.grfInheritance = AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE;
ea.Trustee.MultipleTrusteeOperation = UIntPtr.Zero;
ea.Trustee.pMultipleTrustee = UIntPtr.Zero;
ea.Trustee.TrusteeForm = (UIntPtr)(TrusteeForm.TRUSTEE_IS_NAME);
ea.Trustee.ptstrName = strUserName;
IntPtr pNewDacl = pZero;
if((dwRes = SetEntriesInAcl(1, ref ea, pDacl, out pNewDacl)) == ERROR_SUCCESS)
try
if ((dwRes = SetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
IntPtr.Zero, IntPtr.Zero, pNewDacl, IntPtr.Zero)) == ERROR_SUCCESS)
//Done
finally
//Free mem
if (pNewDacl != IntPtr.Zero)
LocalFree(pNewDacl);
pNewDacl = IntPtr.Zero;
finally
//Free mem
if (pSecDesc != IntPtr.Zero)
LocalFree(pSecDesc);
pSecDesc = IntPtr.Zero;
catch
dwRes = ERROR_INVALID_DATA;
return dwRes;
enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE = 0,
SE_FILE_OBJECT,
SE_SERVICE,
SE_PRINTER,
SE_REGISTRY_KEY,
SE_LMSHARE,
SE_KERNEL_OBJECT,
SE_WINDOW_OBJECT,
SE_DS_OBJECT,
SE_DS_OBJECT_ALL,
SE_PROVIDER_DEFINED_OBJECT,
SE_WMIGUID_OBJECT,
SE_REGISTRY_WOW64_32KEY
[Flags]
enum SECURITY_INFORMATION : uint
OWNER_SECURITY_INFORMATION = 0x00000001,
GROUP_SECURITY_INFORMATION = 0x00000002,
DACL_SECURITY_INFORMATION = 0x00000004,
SACL_SECURITY_INFORMATION = 0x00000008,
UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint GetNamedSecurityInfo(
string pObjectName,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
out IntPtr pSidOwner,
out IntPtr pSidGroup,
out IntPtr pDacl,
out IntPtr pSacl,
out IntPtr pSecurityDescriptor);
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr LocalFree(IntPtr hMem);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 0)] //Platform independent (32 & 64 bit) - use Pack = 0 for both platforms. IntPtr works as well.
internal struct TRUSTEE
internal UIntPtr pMultipleTrustee; // must be null
internal UIntPtr MultipleTrusteeOperation;
internal UIntPtr TrusteeForm;
internal UIntPtr TrusteeType;
//[MarshalAs(UnmanagedType.LPStr)]
internal string ptstrName;
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
internal struct EXPLICIT_ACCESS
internal OSFileAccess grfAccessPermissions;
internal AccessMode grfAccessMode;
internal AceFlags grfInheritance;
internal TRUSTEE Trustee;
private const uint ERROR_SUCCESS = 0;
[Flags]
public enum OSFileAccess : uint
AccessSystemSecurity = 0x1000000, // AccessSystemAcl access type
MaximumAllowed = 0x2000000, // MaximumAllowed access type
Delete = 0x10000,
ReadControl = 0x20000,
WriteDAC = 0x40000,
WriteOwner = 0x80000,
Synchronize = 0x100000,
StandardRightsRequired = 0xF0000,
StandardRightsRead = ReadControl,
StandardRightsWrite = ReadControl,
StandardRightsExecute = ReadControl,
StandardRightsAll = 0x1F0000,
SpecificRightsAll = 0xFFFF,
FILE_READ_DATA = 0x0001, // file & pipe
FILE_LIST_DIRECTORY = 0x0001, // directory
FILE_WRITE_DATA = 0x0002, // file & pipe
FILE_ADD_FILE = 0x0002, // directory
FILE_APPEND_DATA = 0x0004, // file
FILE_ADD_SUBDIRECTORY = 0x0004, // directory
FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe
FILE_READ_EA = 0x0008, // file & directory
FILE_WRITE_EA = 0x0010, // file & directory
FILE_EXECUTE = 0x0020, // file
FILE_TRAVERSE = 0x0020, // directory
FILE_DELETE_CHILD = 0x0040, // directory
FILE_READ_ATTRIBUTES = 0x0080, // all
FILE_WRITE_ATTRIBUTES = 0x0100, // all
GENERIC_READ = 0x80000000,
GENERIC_WRITE = 0x40000000,
GENERIC_EXECUTE = 0x20000000,
GENERIC_ALL = 0x10000000,
SPECIFIC_RIGHTS_ALL = 0x00FFFF,
FILE_ALL_ACCESS = StandardRightsRequired | Synchronize | 0x1FF,
FILE_GENERIC_READ = StandardRightsRead | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | Synchronize,
FILE_GENERIC_WRITE = StandardRightsWrite | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | Synchronize,
FILE_GENERIC_EXECUTE = StandardRightsExecute | FILE_READ_ATTRIBUTES | FILE_EXECUTE | Synchronize
internal enum AccessMode
NOT_USED_ACCESS = 0,
GRANT_ACCESS,
SET_ACCESS,
DENY_ACCESS,
REVOKE_ACCESS,
SET_AUDIT_SUCCESS,
SET_AUDIT_FAILURE
[Flags]
internal enum AceFlags
OBJECT_INHERIT_ACE = 0x1,
CONTAINER_INHERIT_ACE = 0x2,
NO_PROPAGATE_INHERIT_ACE = 0x4,
INHERIT_ONLY_ACE = 0x8,
INHERITED_ACE = 0x10,
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40,
FAILED_ACCESS_ACE_FLAG = 0x80
enum TrusteeForm
TRUSTEE_IS_SID,
TRUSTEE_IS_NAME,
TRUSTEE_BAD_FORM,
TRUSTEE_IS_OBJECTS_AND_SID,
TRUSTEE_IS_OBJECTS_AND_NAME
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern uint SetEntriesInAcl(
int cCountOfExplicitEntries,
ref EXPLICIT_ACCESS pListOfExplicitEntries,
IntPtr OldAcl,
out IntPtr NewAcl);
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint SetNamedSecurityInfo(
string pObjectName,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
IntPtr psidOwner,
IntPtr psidGroup,
IntPtr pDacl,
IntPtr pSacl);
【讨论】:
以上是关于如何在域控制器上分配 IIS 7.5 文件系统访问权限?的主要内容,如果未能解决你的问题,请参考以下文章