IIS AppPoolIdentity and file system write access permissions

前端 未结 4 907
温柔的废话
温柔的废话 2020-11-22 15:51

Here\'s an issue with IIS 7.5 and ASP.NET that I\'ve been researching and getting nowhere with. Any help would be greatly appreciated.

My question is: using ASP.NET

相关标签:
4条回答
  • 2020-11-22 16:05

    I tried this to fix access issues to an IIS website, which manifested as something like the following in the Event Logs → Windows → Application:

    Log Name:      Application
    Source:        ASP.NET 4.0.30319.0
    Date:          1/5/2012 4:12:33 PM
    Event ID:      1314
    Task Category: Web Event
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      SALTIIS01
    
    Description:
    Event code: 4008 
    Event message: File authorization failed for the request. 
    Event time: 1/5/2012 4:12:33 PM 
    Event time (UTC): 1/6/2012 12:12:33 AM 
    Event ID: 349fcb2ec3c24b16a862f6eb9b23dd6c 
    Event sequence: 7 
    Event occurrence: 3 
    Event detail code: 0 
    
    Application information: 
        Application domain: /LM/W3SVC/2/ROOT/Application/SNCDW-19-129702818025409890 
        Trust level: Full 
        Application Virtual Path: /Application/SNCDW 
        Application Path: D:\Sites\WCF\Application\SNCDW\ 
        Machine name: SALTIIS01 
    
    Process information: 
        Process ID: 1896 
        Process name: w3wp.exe 
        Account name: iisservice 
    
    Request information: 
        Request URL: http://webservicestest/Application/SNCDW/PC.svc 
        Request path: /Application/SNCDW/PC.svc 
        User host address: 10.60.16.79 
        User: js3228 
        Is authenticated: True 
        Authentication Type: Negotiate 
        Thread account name: iisservice 
    

    In the end I had to give the Windows Everyone group read access to that folder to get it to work properly.

    0 讨论(0)
  • 2020-11-22 16:11

    The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

    For example, if you try and create a folder in the C:\Windows folder then you'll find that you can't. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLL's).

    With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you'll see the following:

    enter image description here

    See that Special permission being inherited from c:\:

    enter image description here

    That's the reason your site's ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

    In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

    You would then individually assign the requisite permissions each IIS AppPool\[name] requires on it's site root folder.

    You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don't store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

    So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than it's group membership dictates.

    An ApplicationPoolIdentity's group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the User Name column to the list of columns to display:

    enter image description here

    For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right clicking on properties for the process and selecting the Security tab we see:

    enter image description here

    As we can see IIS APPPOOL\900300 is a member of the Users group.

    0 讨论(0)
  • 2020-11-22 16:12
    1. Right click on folder.

    2. Click Properties

    3. Click Security Tab. You will see something like this:

    1. Click "Edit..." button in above screen. You will see something like this:

    1. Click "Add..." button in above screen. You will see something like this:

    1. Click "Locations..." button in above screen. You will see something like this. Now, go to the very of top of this tree structure and select your computer name, then click OK.

    1. Now type "iis apppool\your_apppool_name" and click "Check Names" button. If the apppool exists, you will see your apppool name in the textbox with underline in it. Click OK button.

    1. Check/uncheck whatever access you need to grant to the account

    2. Click Apply button and then OK.

    0 讨论(0)
  • 2020-11-22 16:24

    Each application pool in IIs creates its own secure user folder with FULL read/write permission by default under c:\users. Open up your Users folder and see what application pool folders are there, right click, and check their rights for the application pool virtual account assigned. You should see your application pool account added already with read/write access assigned to its root and subfolders.

    So that type of file storage access is automatically done and you should be able to write whatever you like there in the app pools user account folders without changing anything. That's why virtual user accounts for each application pool were created.

    0 讨论(0)
提交回复
热议问题