如何在域控制器上分配 IIS 7.5 文件系统访问权限
本文关键字:文件系统 访问 权限 访问权 IIS 分配 域控 控制器 | 更新日期: 2023-09-27 18:34:31
我有一个有点不寻常的情况。
我正在处理安装在Windows Server 2008 R2域控制器机器上的IIS 7.5。
我正在尝试编写一个 C# 程序,该程序在该 IIS 上安装我的 Web 应用程序。一切正常,除了我需要将应用程序池的访问权限分配给安装 Web 应用程序的文件夹的那一刻。
经过一些研究后,我发现我需要为以下用户帐户分配访问权限:
IIS 应用程序池''[应用程序池名称]
所以我想出了这个代码:
setFolderPermissions(@"C:'inetpub'www_test1",
@"IIS AppPool'" + strAppPoolName,
System.Security.AccessControl.FileSystemRights.Read | System.Security.AccessControl.FileSystemRights.ListDirectory,
System.Security.AccessControl.AccessControlType.Allow);
public static string setFolderPermissions(string strFolderPath, string sUserName, FileSystemRights rights, AccessControlType access)
{
DirectoryInfo info = new DirectoryInfo(strFolderPath);
DirectorySecurity ds = info.GetAccessControl();
ds.AddAccessRule(new FileSystemAccessRule(sUserName,
rights,
InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
PropagationFlags.None,
access));
info.SetAccessControl(ds);
}
上述方法有效,除非在域控制器上使用。它抛出以下异常:
无法翻译部分或全部身份引用。
我分配这些所需权限的唯一方法是从命令行手动执行此操作:
C:'Users'Administrator>icacls "C:'inetpub'www_test1" /grant "IIS AppPool'MyAppsoolName":(CI)(OI)(M)
知道如何用 C# icacls做到这一点吗?
最好创建自己的应用程序池,该应用程序池使用给定凭据运行。并在 Web 应用程序安装文件夹上为给定凭据(用户名(分配权限。
您不应该按照我的Microsoft建议在域控制器上运行 IIS,因为这可能会导致安全性和权限问题。
如果确实要执行此操作,则应使用域帐户来运行应用程序池,而不是集成的 IIS 应用程序池。这不起作用,因为域控制器没有本地帐户,而 IIS APPool 帐户是本地帐户。
查看此内容以获取更多详细信息
http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx
我想
我使用非托管方法得到了它。事实证明,在 C# 中有点丑陋,但这是概念:
uint nOSErr;
if(!(nOSErr = setFolderPermissions(@"C:'inetpub'www_test1", @"IIS AppPool'" + strAppPoolName, OSFileAccess.FILE_GENERIC_READ)))
{
throw new Exception("Failed to change permissions, error code=" + nOSErr);
}
public static uint setFolderPermissions(string strFolderPath, string strUserName, OSFileAccess access)
{
//Set folder permissions
//RETURN:
// = 0 if success
// = Otherwise error code -- check GetLastError
uint dwRes = 0;
try
{
IntPtr pZero = IntPtr.Zero;
IntPtr pSecDesc = pZero;
IntPtr pDacl = pZero;
if ((dwRes = GetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out pZero, out pZero, out pDacl, out pZero, out pSecDesc)) == ERROR_SUCCESS)
{
try
{
EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS();
ea.grfAccessPermissions = access;
ea.grfAccessMode = AccessMode.GRANT_ACCESS;
ea.grfInheritance = AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE;
ea.Trustee.MultipleTrusteeOperation = UIntPtr.Zero;
ea.Trustee.pMultipleTrustee = UIntPtr.Zero;
ea.Trustee.TrusteeForm = (UIntPtr)(TrusteeForm.TRUSTEE_IS_NAME);
ea.Trustee.ptstrName = strUserName;
IntPtr pNewDacl = pZero;
if((dwRes = SetEntriesInAcl(1, ref ea, pDacl, out pNewDacl)) == ERROR_SUCCESS)
{
try
{
if ((dwRes = SetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
IntPtr.Zero, IntPtr.Zero, pNewDacl, IntPtr.Zero)) == ERROR_SUCCESS)
{
//Done
}
}
finally
{
//Free mem
if (pNewDacl != IntPtr.Zero)
{
LocalFree(pNewDacl);
pNewDacl = IntPtr.Zero;
}
}
}
}
finally
{
//Free mem
if (pSecDesc != IntPtr.Zero)
{
LocalFree(pSecDesc);
pSecDesc = IntPtr.Zero;
}
}
}
}
catch
{
dwRes = ERROR_INVALID_DATA;
}
return dwRes;
}
enum SE_OBJECT_TYPE
{
SE_UNKNOWN_OBJECT_TYPE = 0,
SE_FILE_OBJECT,
SE_SERVICE,
SE_PRINTER,
SE_REGISTRY_KEY,
SE_LMSHARE,
SE_KERNEL_OBJECT,
SE_WINDOW_OBJECT,
SE_DS_OBJECT,
SE_DS_OBJECT_ALL,
SE_PROVIDER_DEFINED_OBJECT,
SE_WMIGUID_OBJECT,
SE_REGISTRY_WOW64_32KEY
}
[Flags]
enum SECURITY_INFORMATION : uint
{
OWNER_SECURITY_INFORMATION = 0x00000001,
GROUP_SECURITY_INFORMATION = 0x00000002,
DACL_SECURITY_INFORMATION = 0x00000004,
SACL_SECURITY_INFORMATION = 0x00000008,
UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
}
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint GetNamedSecurityInfo(
string pObjectName,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
out IntPtr pSidOwner,
out IntPtr pSidGroup,
out IntPtr pDacl,
out IntPtr pSacl,
out IntPtr pSecurityDescriptor);
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr LocalFree(IntPtr hMem);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 0)] //Platform independent (32 & 64 bit) - use Pack = 0 for both platforms. IntPtr works as well.
internal struct TRUSTEE
{
internal UIntPtr pMultipleTrustee; // must be null
internal UIntPtr MultipleTrusteeOperation;
internal UIntPtr TrusteeForm;
internal UIntPtr TrusteeType;
//[MarshalAs(UnmanagedType.LPStr)]
internal string ptstrName;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
internal struct EXPLICIT_ACCESS
{
internal OSFileAccess grfAccessPermissions;
internal AccessMode grfAccessMode;
internal AceFlags grfInheritance;
internal TRUSTEE Trustee;
}
private const uint ERROR_SUCCESS = 0;
[Flags]
public enum OSFileAccess : uint
{
AccessSystemSecurity = 0x1000000, // AccessSystemAcl access type
MaximumAllowed = 0x2000000, // MaximumAllowed access type
Delete = 0x10000,
ReadControl = 0x20000,
WriteDAC = 0x40000,
WriteOwner = 0x80000,
Synchronize = 0x100000,
StandardRightsRequired = 0xF0000,
StandardRightsRead = ReadControl,
StandardRightsWrite = ReadControl,
StandardRightsExecute = ReadControl,
StandardRightsAll = 0x1F0000,
SpecificRightsAll = 0xFFFF,
FILE_READ_DATA = 0x0001, // file & pipe
FILE_LIST_DIRECTORY = 0x0001, // directory
FILE_WRITE_DATA = 0x0002, // file & pipe
FILE_ADD_FILE = 0x0002, // directory
FILE_APPEND_DATA = 0x0004, // file
FILE_ADD_SUBDIRECTORY = 0x0004, // directory
FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe
FILE_READ_EA = 0x0008, // file & directory
FILE_WRITE_EA = 0x0010, // file & directory
FILE_EXECUTE = 0x0020, // file
FILE_TRAVERSE = 0x0020, // directory
FILE_DELETE_CHILD = 0x0040, // directory
FILE_READ_ATTRIBUTES = 0x0080, // all
FILE_WRITE_ATTRIBUTES = 0x0100, // all
GENERIC_READ = 0x80000000,
GENERIC_WRITE = 0x40000000,
GENERIC_EXECUTE = 0x20000000,
GENERIC_ALL = 0x10000000,
SPECIFIC_RIGHTS_ALL = 0x00FFFF,
FILE_ALL_ACCESS = StandardRightsRequired | Synchronize | 0x1FF,
FILE_GENERIC_READ = StandardRightsRead | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | Synchronize,
FILE_GENERIC_WRITE = StandardRightsWrite | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | Synchronize,
FILE_GENERIC_EXECUTE = StandardRightsExecute | FILE_READ_ATTRIBUTES | FILE_EXECUTE | Synchronize
}
internal enum AccessMode
{
NOT_USED_ACCESS = 0,
GRANT_ACCESS,
SET_ACCESS,
DENY_ACCESS,
REVOKE_ACCESS,
SET_AUDIT_SUCCESS,
SET_AUDIT_FAILURE
}
[Flags]
internal enum AceFlags
{
OBJECT_INHERIT_ACE = 0x1,
CONTAINER_INHERIT_ACE = 0x2,
NO_PROPAGATE_INHERIT_ACE = 0x4,
INHERIT_ONLY_ACE = 0x8,
INHERITED_ACE = 0x10,
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40,
FAILED_ACCESS_ACE_FLAG = 0x80
}
enum TrusteeForm
{
TRUSTEE_IS_SID,
TRUSTEE_IS_NAME,
TRUSTEE_BAD_FORM,
TRUSTEE_IS_OBJECTS_AND_SID,
TRUSTEE_IS_OBJECTS_AND_NAME
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern uint SetEntriesInAcl(
int cCountOfExplicitEntries,
ref EXPLICIT_ACCESS pListOfExplicitEntries,
IntPtr OldAcl,
out IntPtr NewAcl);
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint SetNamedSecurityInfo(
string pObjectName,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
IntPtr psidOwner,
IntPtr psidGroup,
IntPtr pDacl,
IntPtr pSacl);