获得IIS的一些安全问题
[英]Getting some Security issues with IIS
问题描述
My Code behind 
我的代码背后
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.IO;
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
DirectoryInfo theFolder = new DirectoryInfo(@"C:\temp\Server_Attachments\6");
string Attachment = "";
foreach (FileInfo nextFile in theFolder.GetFiles())
{
Attachment += "<a href=\"C:\\temp\\Server_Attachments\\6\\blabla.xls\">" + nextFile.ToString() + "</a><br />";
div1.InnerHtml = Attachment;
}
}
protected void Attach_File(object sender, EventArgs e)
{
FileUpload1.SaveAs(@"C:\Server_Attachments\6");
}
}
and my HTML page is like this 我的HTML页面是这样的
<div id="div1" runat="server"></div>
<asp:Label ID="Label1" runat="server" Text=" Attach a file : "></asp:Label><br />
<asp:FileUpload ID="FileUpload1" runat="server" Font-Names="Tahoma" Font-Size="Small" />
<br />
<asp:Button ID="Button2" runat="server" Text=" Attach " Font-Names="Tahoma" Font- Size="Small" OnClick="Attach_File" />
Neither the hyperlinks, neither the upload is working :( 既没有超链接,也没有上传工作:(
when I am clicking on the hyperlinks nothing is happening (although "Save target as" is working).
当我点击超链接时,没有发生任何事情(虽然“目标另存为”正在运行)。 when I am trying to upload, I have got the error "Access to the path 'C:\\Server_Attachments\\6' is denied."
当我尝试上传时,我收到错误“访问路径'C:\\ Server_Attachments \\ 6'被拒绝。”
It is obviously a security issue. 这显然是一个安全问题。 I have checked which account was running the program and it is NETWORK SERVICE. 我已经检查了哪个帐户正在运行该程序,它是NETWORK SERVICE。
How do I fix this ? 我该如何解决 ? Can I give full access to NETWORK SERVICE? 我可以完全访问NETWORK SERVICE吗? Is it secure? 它安全吗?
3 个解决方案
解决方案1
2 2013-11-12 09:27:17
You should consider the permissions for the whole application and the resouces it can access. 您应该考虑整个应用程序的权限以及它可以访问的资源。
Good practice would be to create a new user on the server, remove this from the users group and add it as a member of the IIS_IUSER group. 好的做法是在服务器上创建一个新用户,从用户组中删除它并将其添加为IIS_IUSER组的成员。
The folders the application accesses can now be given access t this user, it also good to create a database login for this user and map the applications database. 现在,应用程序访问的文件夹可以访问该用户,也可以为该用户创建数据库登录并映射应用程序数据库。
This way your application is isolated from other applications by permissions. 这样,您的应用程序通过权限与其他应用程序隔离。
解决方案2
1 已采纳 2013-11-12 09:54:00
If you want to allow file upload then that's what you have to do. 如果您想允许文件上传,那么您就必须这样做。 Yes, that's potentially a security issue - you need to make sure everything else is locked down. 是的,这可能是一个安全问题 - 您需要确保其他所有内容都被锁定。
Give "Write" access to "Network Service" for the upload folder. 为上传文件夹提供“网络服务”的“写入”访问权限。 Give "Read" access to "Network Service" for the download folder. 为下载文件夹提供“网络服务”的“读取”访问权限。
no need to grant full control to Network Service. 无需授予对网络服务的完全控制权。
解决方案3
0 2013-11-12 09:14:26
为该文件夹的IIS_IUSER提供写访问权限并尝试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.