昨天把程序IIS6迁移到IIS7,出现异常

解决办法:文件夹选项权限增加IIS_IUSER

资料来源:

http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

Introduction

In earlier versions of IIS, a local account called IUSR_MachineName is created during installation. IIS used the IUSR_MachineName account by default whenever anonymous authentication was enabled. This was used by both the FTP and HTTP services.

There was also a group called IIS_WPG, which was used as a container for all the application pool identities. During IIS setup, all the appropriate resources on the system were granted the correct user rights for the IIS_WPG group so that an administrator only needed to add their identity to that group when they created a new application pool account.

This model worked well, but had its drawbacks: the IUSR_MachineName account and the IIS_WPG group were both local to the system that they were created on. Every account and group within Windows is given a unique number called a security identifier (SID) that distinguishes it from other accounts. When an ACL is created only the SID is used. As part of the design in earlier versions of IIS, IUSR_MachineName was included in the metabase.xml file so that if you tried to copy the metabase.xml from one computer to another, it would not work. The account on the other computer would have a different name.

In addition, you could not 'xcopy /o' ACLs from one computer to another since the SIDs were different from computer to computer. One workaround was to use domain accounts, but that required adding an active directory to the infrastructure. The IIS_WPG group had similar issues with user rights. If you set ACLs on one computer's file system for IIS_WPG and tried to 'xcopy /o' those over to another computer, it would fail. This experience has been improved in IIS 7 and above by using a built-in account and group.

A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7 and above have taken this further and ensured that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of Windows that you install, the IIS account name will always be IUSR and the group name will be IIS_IUSRS.

In summary, IIS 7 and above offer the following:

  • The IUSR built-in account replaces the IUSR_MachineName account.
  • The IIS_IUSRS built-in group replaces the IIS_WPG group.

The IUSR account no longer needs a password because it is a built-in account. Logically, you can think of it as being the same as the NETWORKSERVICE or LOCALSERVICE accounts. Both the new IUSR account and the IIS_IUSRS group are discussed in greater depth in the sections below.

Understanding the New IUSR Account

The IUSR account replaces the IUSR_MachineName account in IIS 7 and above. The IUSR_MachineName account will still be created and used if you install the FTP 6 compatible server that is included in Windows Server 2008. If you do not install the FTP server that is included with Windows Server 2008, then this account will not be created.

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled. If you look in the applicationHost.config file you will see the following definition:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />

This tells IIS to use the new built-in account for all anonymous authentication requests. The biggest advantages are that you can:

  • Set file system permissions for the IUSR account by using Windows Explorer or any of the many command line tools.
  • No longer need to worry about passwords expiring for this account.
  • Use xcopy /o to copy files along with their ownership and ACL information to different computers seamlessly.

Note: The IUSR account is similar to LOCALSERVICE in the manner in which it acts anonymously on the network. The NETWORKSERVICE and LOCALSYSTEM accounts can act as the machine identity, but the IUSR account cannot because it would require an elevation of user rights. If you need the anonymous account to have rights on the network, you must create a new user account and set the user name and password manually, as you did in the past for anonymous authentication.

To grant an anonymous account rights on the network by using IIS Manager:

  1. Click Start, type INetMgr.exe, and then click Enter. If prompted, click Continue to elevate your permissions.
  2. In the Connections section, click the + button next to the name of your computer.
  3. In IIS Manager, double-click the site that you want to administer.
  4. In the Features View, double-click Authentication.
  5. Select Anonymous Authentication, and then click Edit in the Actions pane.
  6. In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.
  7. In the Set Credentials dialog box, input the user name and password desired, and then click OK.

Understanding the New IIS_IUSRS Group

The IIS_IUSRS group replaces the IIS_WPG group. This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

As with the built-in account, this built-in group solves several xcopy deployment obstacles. If you set permissions on your files for the IIS_WPG group (that was available on IIS 6.0 systems) and tried to copy those files to another Windows computer, the group's SID would be different across the computers and your site's configurations would be broken.

Since the group SID in IIS 7 and above is the same on all systems that are running Windows Server 2008, you can use 'xcopy /o' to preserve the ACL's and ownership information as you move files from computer to computer. This makes xcopy deployments easy.

IIS 7 and above also makes the process of configuring an application pool identity and making all necessary changes easier. When IIS starts a worker process, it needs to create a token that the process will use. When this token is created, IIS automatically adds the IIS_IUSRS membership to the worker processes token at runtime. The accounts that run as 'application pool identities' no longer need to be an explicit part of the IIS_IUSRS group. This change helps you to set up your systems with fewer obstacles and makes your overall experience more favorable.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting themanualGroupMembership value to 'true'. The following example shows how this can be done to the defaultAppPool:

<applicationPools>
    <add name="DefaultAppPool">
        <processModel manualGroupMembership="true" />
    </add>
</applicationPools >

[Asp.Net]Understanding Built-In User and Group Accounts in IIS的更多相关文章

  1. Understanding Built-In User and Group Accounts in IIS 7

    Understanding Built-In User and Group Accounts in IIS 7 By lzb October 19, 2018 Introduction In earl ...

  2. IIS安全工具UrlScan介绍 ASP.NET 两种超强SQL 注入免费解决方案( 基于IIS,使用免费工具) 批改或隐藏IIS7.5的Server头信息 移除X-Powered-By,MVC,ASP.NET_SessionId 的 HTTP头或者cookie名称

    微软给了我们一个很好的工具用来使IIS安全的运行-------UrlScan,下面是它的配置文件介绍 [options]UseAllowVerbs=1                ; 若为1,则使用 ...

  3. asp.net core 系列 9 三种运行环境和IIS发布

    一.在asp.net core中使用多个环境 ASP.NET Core 配置是基于运行时环境, 使用环境变量.ASP.NET Core 在应用启动时读取环境变量ASPNETCORE_ENVIRONME ...

  4. ASP.NET全局错误处理和异常日志记录以及IIS配置自定义错误页面

    应用场景和使用目的 很多时候,我们在访问页面的时候,由于程序异常.系统崩溃会导致出现黄页.在通常的情况下,黄页对于我们来说,帮助是极大的,因为它可以帮助我们知道问题根源,甚至是哪一行代码出现了错误.但 ...

  5. 当你的IIS需要运行ASP网站时,需要这样配置下你的IIS

    1.进入Windows 7的 控制面板->程序和功能->选择左上角的 打开或关闭Windows功能 2.现在出现了安装Windows功能的选项菜单,注意选择的项目,红色箭头所示的地方都要选 ...

  6. asp.net使用SpeechSynthesizer类生成语音文件部署到iis遇到的几个坑

    首先需要引入命名空间System.Speech.Synthesis,代码如下: using (var speechSyn = new SpeechSynthesizer()) { speechSyn. ...

  7. ASP.NET Core Web 应用程序开发期间部署到IIS自定义主机域名并附加到进程调试

    想必大家之前在进行ASP.NET Web 应用程序开发期间都有用到过将我们的网站部署到IIS自定义主机域名并附加到进程进行调试. 那我们的ASP.NET Core Web 应用程序又是如何部署到我们的 ...

  8. ASP.NET MVC - 发布web应用程序、部署到IIS

    发布项目 右击项目 - 发布 选择IIS - 点击发布 发布方法 - 文件系统,目标位置 - 选择与项目所在目录不同的目录(也即,指定一个发布生成文件的目录),文件发布选项 - 不选 - 点击发布 安 ...

  9. Asp.Net mvc4 项目 在vs中调试正常 在IIS发布后连接oracle数据库时提示数据库连接关闭

    解决办法: 1.打开iis,找到发布的程序 2.右键单击“TAKANAPP” 从右键菜单选择“管理应用程序”--“高级设置....” 在打开的高级设置  面板 查看对应的应用程序池 名称 3.设置应用 ...

随机推荐

  1. centos6.8下weblogic12c静默安装

    环境: centos6.8 无桌面环境 jdk1.7.0_25 关闭iptables.selinux 安装前准备: 1.新建weblogic用户,设置weblogic密码 useradd weblog ...

  2. Docker的名字空间

    名字空间是 Linux 内核一个强大的特性.每个容器都有自己单独的名字空间,运行在其中的应用都像是在独立的操作系统中运行一样.名字空间保证了容器之间彼此互不影响. pid 名字空间 不同用户的进程就是 ...

  3. 使用Java可以做得一些事

    安卓 Web JSP使用Echarts的最简单的例子 微信 wechat4j weixin-java-tools weixin4j 网络服务器

  4. Bootstrap3 排版-缩略语

    当鼠标悬停在缩写和缩写词上时就会显示完整内容,Bootstrap 实现了对 HTML 的 <abbr> 元素的增强样式.缩略语元素带有 title 属性,外观表现为带有较浅的虚线框,鼠标移 ...

  5. ToolBar控件详解

    ToolBar控件详解 在Activity中添加ToolBar 1.添加库 dependencies { ... compile "com.android.support:appcompat ...

  6. SublimeText3解决中文乱码

    1)安装Sublime Package Control.     在Sublime Text 3上用Ctrl+-打开控制台并在里面输入以下代码,Sublime Text 2就会自动安装Package ...

  7. BASH如何获得某个目录下的某类文件的文件名

    假设某个目录下有一堆以jpeg为后缀的文件名,我们需要在另一个目录中获得他们的文件名,并输出. 可以联合使用ls,awk,sed等命令来完成. 方法一: 使用ls列出目录下以.jpeg为结尾的文件,然 ...

  8. shape图形的使用

    shape图形的使用 在项目中如果用到有规律的常规的图形,在能够掌握的前提下建议使用shape图形,shape图形相对与图片来说,占用资源更小,并且使用起来不会失真. 效果图 shape图形1 < ...

  9. 深入浅出seesion和cookie

    session在计算机中,尤其是在网络应用中,称为"会话控制".session 对象存储特定用户会话所需的属性及配置信息.session跟踪是Web程序中常用的技术,用来跟踪用户的 ...

  10. cenos安装jdk

    安装方式:手动安装 软件:jdk-7u79-linux-x64.tar.gz 官网下载地址:进行下载. 下载完成之后上传到我们的服务器,我使用的是cenos6.5阿里云系统.securecrt工具上传 ...