[英]IIS Server: Restrict users to access files of server
I have one server, which allows users to host their web app free of cost.我有一台服务器,它允许用户免费托管他们的 web 应用程序。
In server I have 4 different pools.在服务器中,我有 4 个不同的池。
2 pools are for.Net Framework, 1 pool is for.Net MVC, 1 pool is for.Net Core 3.1 2个池用于.Net Framework,1个池用于.Net MVC,1个池用于.Net Core 3.1
Each pools has 50+ appliations.每个池有 50 多个应用程序。
For security testing I have created one program, Which takes fullpath/location of file and read that file form IIS server.对于安全测试,我创建了一个程序,它采用文件的完整路径/位置并从 IIS 服务器读取该文件。 If any user upload that type of code in my server then they can assess any files.如果任何用户在我的服务器中上传该类型的代码,那么他们可以评估任何文件。
Now, that is the issue with my server.现在,这是我的服务器的问题。
Now, I want to do, My users can access only their application resources not other's too.现在,我想做的是,我的用户只能访问他们的应用程序资源,而不能访问其他人的。
But, I don't know how to do this.但是,我不知道该怎么做。
In order to restrict users to access files in IIS, we could refer to the below configuration in root web.config file.为了限制用户访问 IIS 中的文件,我们可以参考根 web.config 文件中的以下配置。
<location path="myfolder">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<!--for authentication, we should enable either windows authentication or form authentication in IIS authentication module.-->
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
It will restrict everything under Myfolder
.它将限制Myfolder
下的所有内容。 In particular, rule out a specific file.特别是,排除特定文件。
<location path="my.jpg">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
Feel free to let me know if there is anything I can help with.如果有什么我可以帮忙的,请随时告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.