昨天把程序IIS6迁移到IIS7,出现异常

解决办法:文件夹选项权限增加IIS_IUSER

资料来源:

http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

Introduction

In earlier versions of IIS, a local account called IUSR_MachineName is created during installation. IIS used the IUSR_MachineName account by default whenever anonymous authentication was enabled. This was used by both the FTP and HTTP services.

There was also a group called IIS_WPG, which was used as a container for all the application pool identities. During IIS setup, all the appropriate resources on the system were granted the correct user rights for the IIS_WPG group so that an administrator only needed to add their identity to that group when they created a new application pool account.

This model worked well, but had its drawbacks: the IUSR_MachineName account and the IIS_WPG group were both local to the system that they were created on. Every account and group within Windows is given a unique number called a security identifier (SID) that distinguishes it from other accounts. When an ACL is created only the SID is used. As part of the design in earlier versions of IIS, IUSR_MachineName was included in the metabase.xml file so that if you tried to copy the metabase.xml from one computer to another, it would not work. The account on the other computer would have a different name.

In addition, you could not 'xcopy /o' ACLs from one computer to another since the SIDs were different from computer to computer. One workaround was to use domain accounts, but that required adding an active directory to the infrastructure. The IIS_WPG group had similar issues with user rights. If you set ACLs on one computer's file system for IIS_WPG and tried to 'xcopy /o' those over to another computer, it would fail. This experience has been improved in IIS 7 and above by using a built-in account and group.

A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7 and above have taken this further and ensured that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of Windows that you install, the IIS account name will always be IUSR and the group name will be IIS_IUSRS.

In summary, IIS 7 and above offer the following:

  • The IUSR built-in account replaces the IUSR_MachineName account.
  • The IIS_IUSRS built-in group replaces the IIS_WPG group.

The IUSR account no longer needs a password because it is a built-in account. Logically, you can think of it as being the same as the NETWORKSERVICE or LOCALSERVICE accounts. Both the new IUSR account and the IIS_IUSRS group are discussed in greater depth in the sections below.

Understanding the New IUSR Account

The IUSR account replaces the IUSR_MachineName account in IIS 7 and above. The IUSR_MachineName account will still be created and used if you install the FTP 6 compatible server that is included in Windows Server 2008. If you do not install the FTP server that is included with Windows Server 2008, then this account will not be created.

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled. If you look in the applicationHost.config file you will see the following definition:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />

This tells IIS to use the new built-in account for all anonymous authentication requests. The biggest advantages are that you can:

  • Set file system permissions for the IUSR account by using Windows Explorer or any of the many command line tools.
  • No longer need to worry about passwords expiring for this account.
  • Use xcopy /o to copy files along with their ownership and ACL information to different computers seamlessly.

Note: The IUSR account is similar to LOCALSERVICE in the manner in which it acts anonymously on the network. The NETWORKSERVICE and LOCALSYSTEM accounts can act as the machine identity, but the IUSR account cannot because it would require an elevation of user rights. If you need the anonymous account to have rights on the network, you must create a new user account and set the user name and password manually, as you did in the past for anonymous authentication.

To grant an anonymous account rights on the network by using IIS Manager:

  1. Click Start, type INetMgr.exe, and then click Enter. If prompted, click Continue to elevate your permissions.
  2. In the Connections section, click the + button next to the name of your computer.
  3. In IIS Manager, double-click the site that you want to administer.
  4. In the Features View, double-click Authentication.
  5. Select Anonymous Authentication, and then click Edit in the Actions pane.
  6. In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.
  7. In the Set Credentials dialog box, input the user name and password desired, and then click OK.

Understanding the New IIS_IUSRS Group

The IIS_IUSRS group replaces the IIS_WPG group. This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

As with the built-in account, this built-in group solves several xcopy deployment obstacles. If you set permissions on your files for the IIS_WPG group (that was available on IIS 6.0 systems) and tried to copy those files to another Windows computer, the group's SID would be different across the computers and your site's configurations would be broken.

Since the group SID in IIS 7 and above is the same on all systems that are running Windows Server 2008, you can use 'xcopy /o' to preserve the ACL's and ownership information as you move files from computer to computer. This makes xcopy deployments easy.

IIS 7 and above also makes the process of configuring an application pool identity and making all necessary changes easier. When IIS starts a worker process, it needs to create a token that the process will use. When this token is created, IIS automatically adds the IIS_IUSRS membership to the worker processes token at runtime. The accounts that run as 'application pool identities' no longer need to be an explicit part of the IIS_IUSRS group. This change helps you to set up your systems with fewer obstacles and makes your overall experience more favorable.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting themanualGroupMembership value to 'true'. The following example shows how this can be done to the defaultAppPool:

<applicationPools>
    <add name="DefaultAppPool">
        <processModel manualGroupMembership="true" />
    </add>
</applicationPools >

[Asp.Net]Understanding Built-In User and Group Accounts in IIS的更多相关文章

  1. Understanding Built-In User and Group Accounts in IIS 7

    Understanding Built-In User and Group Accounts in IIS 7 By lzb October 19, 2018 Introduction In earl ...

  2. IIS安全工具UrlScan介绍 ASP.NET 两种超强SQL 注入免费解决方案( 基于IIS,使用免费工具) 批改或隐藏IIS7.5的Server头信息 移除X-Powered-By,MVC,ASP.NET_SessionId 的 HTTP头或者cookie名称

    微软给了我们一个很好的工具用来使IIS安全的运行-------UrlScan,下面是它的配置文件介绍 [options]UseAllowVerbs=1                ; 若为1,则使用 ...

  3. asp.net core 系列 9 三种运行环境和IIS发布

    一.在asp.net core中使用多个环境 ASP.NET Core 配置是基于运行时环境, 使用环境变量.ASP.NET Core 在应用启动时读取环境变量ASPNETCORE_ENVIRONME ...

  4. ASP.NET全局错误处理和异常日志记录以及IIS配置自定义错误页面

    应用场景和使用目的 很多时候,我们在访问页面的时候,由于程序异常.系统崩溃会导致出现黄页.在通常的情况下,黄页对于我们来说,帮助是极大的,因为它可以帮助我们知道问题根源,甚至是哪一行代码出现了错误.但 ...

  5. 当你的IIS需要运行ASP网站时,需要这样配置下你的IIS

    1.进入Windows 7的 控制面板->程序和功能->选择左上角的 打开或关闭Windows功能 2.现在出现了安装Windows功能的选项菜单,注意选择的项目,红色箭头所示的地方都要选 ...

  6. asp.net使用SpeechSynthesizer类生成语音文件部署到iis遇到的几个坑

    首先需要引入命名空间System.Speech.Synthesis,代码如下: using (var speechSyn = new SpeechSynthesizer()) { speechSyn. ...

  7. ASP.NET Core Web 应用程序开发期间部署到IIS自定义主机域名并附加到进程调试

    想必大家之前在进行ASP.NET Web 应用程序开发期间都有用到过将我们的网站部署到IIS自定义主机域名并附加到进程进行调试. 那我们的ASP.NET Core Web 应用程序又是如何部署到我们的 ...

  8. ASP.NET MVC - 发布web应用程序、部署到IIS

    发布项目 右击项目 - 发布 选择IIS - 点击发布 发布方法 - 文件系统,目标位置 - 选择与项目所在目录不同的目录(也即,指定一个发布生成文件的目录),文件发布选项 - 不选 - 点击发布 安 ...

  9. Asp.Net mvc4 项目 在vs中调试正常 在IIS发布后连接oracle数据库时提示数据库连接关闭

    解决办法: 1.打开iis,找到发布的程序 2.右键单击“TAKANAPP” 从右键菜单选择“管理应用程序”--“高级设置....” 在打开的高级设置  面板 查看对应的应用程序池 名称 3.设置应用 ...

随机推荐

  1. scan函数用法详解

    scan函数: scan(s,n,"char")表示从字串string中以char为分隔符提取第n个字串 功能(function):从字符表达式s中搜取给定的n个单词语法(synt ...

  2. 用CSS让DIV上下左右居中的方法

    转载自喜欢JS的无名小站 例如 一个父div(w:100%;h:400px)中有一个子div(w:100px;100px;).让其上下左右居中. 方法一(varticle-align) 理念 利用表格 ...

  3. 解决使用BottomSheetDialog时状态栏变黑的问题

    问题描述 当使用support里的design 库里的BottomSheetDialog时,在6.0的机器上当对话框弹出时系统状态栏会变黑,如下图所示: 一开始以为是我用的姿势不对,试过对style配 ...

  4. 一个未排序整数数组,有正负数,重新排列使负数排在正数前面,并且要求不改变原来的正负数之间相对顺序,比如: input: 1,7,-5,9,-12,15 ans: -5,-12,1,7,9,15 要求时

    #include <iostream> using namespace std; void txsort(int* arr, int len) { if (!arr || len == 1 ...

  5. 20160215.CCPP体系详解(0025天)

    程序片段(01):01.Malloc.c 内容概要:Malloc拓展 #include <stdio.h> #include <stdlib.h> //01.内存伸缩函数: / ...

  6. 传Lua对象到Cpp

    传Lua对象到Cpp (金庆的专栏) 摘自:http://raycast.net/lua-intf 以下代码演示了Lua函数和表传入Cpp进行处理: std::string acceptStuff(L ...

  7. 转:LINUX/UNIX下的回车换行与WINDOWS下的区别

      今天,我总算搞清楚“回车”(carriage return)和“换行”(line feed)这两个概念的来历和区别了.在计算机还没有出现之前,有一种叫做电传打字机(Teletype Model 3 ...

  8. 漏洞挖局利器-Fuzz技术介绍

    模糊测试的定义 模糊测试定义为"通过向应用提供非预期的输入并监控输出中的异常来发现软件中的故障(faults)的方法". 典型而言,模糊测试利用自动化或是半自动化的方法重复地向应用 ...

  9. Gazebo機器人仿真學習探索筆記(一)安裝與使用

    Gazebo提供了多平臺的安裝和使用支持,大部分主流的linux,Mac以及Windows,這裏結合ROS以Ubuntu爲例進行介紹. 首先是參考資料:http://gazebosim.org/tut ...

  10. Android系统剪切板

    Android系统剪贴板 复制字符串到系统剪切板 /** * 复制文本到剪切板 * * @param text * @return */ @SuppressWarnings("depreca ...