你的位置:首页 > Windows

IIS 6.0所需要的默认权限

2009-05-28 浏览:(2195) Windows 评论(0)

INTRODUCTION 

This article describes the default permissions and the user rights on a newly installed application server that has Internet Information Services (IIS) 6.0 installed. 

MORE INFORMATION 

The following tables document the NTFS file system permissions, registry permissions, and Microsoft Windows user rights. This information applies if Microsoft ASP.NET is included as part of the installation suite. This article focuses on the World Wide Web Publishing Service and does not consider other components, such as the File Transfer Protocol (FTP) service, the Simple Mail Transfer Protocol (SMTP) service, and Microsoft FrontPage Server Extensions (FPSE). 

Note For the purposes of this document, the IUSR_MachineName account is used interchangeably with a configured anonymous account. 

NTFS permissions 

Directory Users\Groups Permissions 

%windir%\help\iishelp\common Administrators Full control 

%windir%\help\iishelp\common System Full control 

%windir%\help\iishelp\common IIS_WPG Read 

%windir%\help\iishelp\common Users (See Note 1.) Read, execute 

%windir%\IIS Temporary Compressed Files Administrators Full control 

%windir%\IIS Temporary Compressed Files System Full control 

%windir%\IIS Temporary Compressed Files IIS_WPG List, read, write 

%windir%\IIS Temporary Compressed Files Creator owner Full control 

%windir%\system32\inetsrv Administrators Full control 

%windir%\system32\inetsrv System Full control 

%windir%\system32\inetsrv Users Read, execute 

%windir%\system32\inetsrv\*.vbs Administrators Full control 

%windir%\system32\inetsrv\ASP compiled templates Administrators Full control 

%windir%\system32\inetsrv\ASP compiled templates IIS_WPG Read 

%windir%\system32\inetsrv\History Administrators Full control 

%windir%\system32\inetsrv\History System Full control 

%windir%\system32\Logfiles Administrators Full control 

%windir%\system32\inetsrv\metaback Administrators Full control 

%windir%\system32\inetsrv\metaback System Full control 

Inetpub\Adminscripts Administrators Full control 

Inetpub\wwwroot (or content directories) Administrators Full control 

Inetpub\wwwroot (or content directories) System Full control 

Inetpub\wwwroot (or content directories) IIS_WPG Read, execute 

Inetpub\wwwroot (or content directories) IUSR_MachineName Read, execute 

Inetpub\wwwroot (or content directories) ASPNET (See Note 2.) Read, execute 

Note 1 You must have permissions to this directory when you use Basic authentication or Integrated authentication and when custom errors are configured. For example, when error 401.1 occurs, the logged-on user sees the expected detailed custom error only if permissions to read the 4011.htm file have been granted to that user. 

Note 2 By default, ASP.NET is used as the ASP.NET process identity in IIS 5.0 isolation mode. If ASP.NET is switched to IIS 5.0 isolation mode, ASP.NET must have access to the content areas. ASP.NET process isolation is detailed in IIS Help. For additional information, visit the following Microsoft Web site: 

ASP.NET process isolation 

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol 

/windowsserver2003/proddocs/standard/aaconruntimeprocessisolation.asp 

Registry permissions 

Location Users\Groups Permissions 

HKLM\System\CurrentControlSet\Service\ASP Administrators Full control 

HKLM\System\CurrentControlSet\Service\ASP System Full control 

HKLM\System\CurrentControlSet\Service\ASP IIS_WPG Read 

HKLM\System\CurrentControlSet\Service\HTTP Administrators Full control 

HKLM\System\CurrentControlSet\Service\HTTP System Full control 

HKLM\System\CurrentControlSet\Service\HTTP IIS_WPG Read 

HKLM\System\CurrentControlSet\Service\IISAdmin Administrators Full control 

HKLM\System\CurrentControlSet\Service\IISAdmin System Full control 

HKLM\System\CurrentControlSet\Service\IISAdmin IIS_WPG Read 

HKLM\System\CurrentControlSet\Service\w3svc Administrators Full control 

HKLM\System\CurrentControlSet\Service\w3svc System Full control 

HKLM\System\CurrentControlSet\Service\w3svc IIS_WPG Read 

Windows User Rights 

Policy Users 

Access this computer from the network Administrators 

Access this computer from the network ASPNET 

Access this computer from the network IUSR_MachineName 

Access this computer from the network IWAM_MachineName 

Access this computer from the network Users 

Adjust memory quotas for a process Administrators 

Adjust memory quotas for a process IWAM_MachineName 

Adjust memory quotas for a process Local service 

Adjust memory quotas for a process Network service 

Bypass traverse checking IIS_WPG  

Allow log on locally (see Note) Administrators 

Allow log on locally (see Note) IUSR_MachineName 

Deny logon locally ASPNET 

Impersonate a client after authentication Administrators 

Impersonate a client after authentication ASPNET 

Impersonate a client after authentication IIS_WPG 

Impersonate a client after authentication Service 

Log on as a batch job ASPNET 

Log on as a batch job IIS_WPG 

Log on as a batch job IUSR_MachineName 

Log on as a batch job IWAM_MachineName 

Log on as a batch job Local service 

Logon as a service ASPNET 

Logon as a service Network service 

Replace a process level token IWAM_MachineName 

Replace a process level token Local service 

Replace a process level token Network service 

Note In a new default installation of Microsoft Windows Server 2003 with IIS 6.0, the Users group and the Everyone group have Bypass traverse checking permissions. The worker process identity inherits Bypass traverse checking permissions through one of these groups. If both groups are removed from Bypass traverse checking permissions, and the worker process identity does not inherit Bypass traverse checking permissions through any other assignment, the worker process does not start. If the Users group and the Everyone group must be removed from the Bypass traverse checking permissions, add the IIS_WPG group to permit IIS to function as expected. 

Note In IIS 6.0, when Basic authentication is configured as one of the authentication options, the LogonMethod metabase property for Basic authentication is NETWORK_CLEARTEXT. The NETWORK_CLEARTEXT logon type does not require the Allow log on locally user right. This also applies to Anonymous authentication. For additional information, see the "Basic Authentication Default Logon Type" topic in IIS Help. You can also visit the following Microsoft Web site: 

Basic authentication 

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol 

/windowsserver2003/proddocs/standard/sec_auth_basicauth.asp?frame=true 

REFERENCES 

For additional information about how to implement and manage IIS security, visit the following Microsoft Web sites: 

Windows Server 2003 Security Guide 

http://go.microsoft.com/fwlink/?LinkId=14845 

TechNet 

http://www.microsoft.com/technet/security/prodtech/iis/default.mspx 

Security how-to resources 

http://www.microsoft.com/technet/itsolutions/howto/sechow.mspx 

Improving Web application security: threats and countermeasures 

http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

  • 发表评论
  • 查看评论
【暂无评论!】

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。