
Web Service Confusion - IIS - How to get web site's current directory and permissions issues

I have a few newbie web service/Windows rights questions since I've typically been a LINUX/embedded dev in the past.

What directories does a web service executing on a server have access to by default?

I ask because I tried to write to C:\\ and got an access violation. I kind of assumed I would in this case, but I assume there are some areas of the file system the web service can write to and read from by default, right? Or is it just the current working directory?

How can I give a web service permissions to look at a new directory it didn't have default access to?

This is C# - ASMX - .NET 3.5 - IIS

The WebService doesn't really have any associated access controls associated with it (in a sense). It is however tied to the access control of the user account which is being used to run the application. By default this is usually some built-in user account with limited permissions.

IIS uses a number of built-in Windows accounts, as well as accounts that are specific to IIS. For security reasons, you should be aware of the different accounts and their default user privileges. It can be a security risk to change the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem user account.

See a list of possible user accounts here: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?mfr=true

If you have Anonymous Authentication enabled you can usually check the settings on that to see which account is being used to run the web service. (Depending on which version of IIS you are using, clicking Edit should let you view the default user account.)

After finding the account, usually you will have to explicitly grant it the permissions on the folders (read and write) that you want to give it access to. The default user account usually has pretty limited access (and for good reason). You can grant permissions on the Security tab of the properties of any of the folders on a Windows file system (Properties->Security).

If you're using Windows Authentication, then you should have the same access rights as the authenticated user using the application as long as the resources are local to the IIS server.
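
The grant described in the answer above can also be scripted. This is an added example, not part of the original answer: it gives one account read and write access to one folder and then lists what that account holds there. The folder path and the account name are assumptions; substitute the identity you found in the IIS settings.

```powershell
# Added example: grant a single account Read/Write on a single data folder,
# then list the access rules that account holds on it.
param(
    [string]$Folder  = 'D:\AppData\MyService',         # hypothetical data folder
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'  # assumed worker identity
)

function Resolve-Sid {
    param([string]$Identity)
    # Translate the name to a SID so a mistyped account fails here.
    $nt = New-Object System.Security.Principal.NTAccount($Identity)
    $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    $sid = Resolve-Sid $Identity
    # Apply to the folder, its subfolders and its files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)   # merges with any existing Allow entry for this SID
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AccountAccess {
    param([string]$Path, [string]$Identity)
    $sid = Resolve-Sid $Identity
    # Explicit and inherited rules, with identities returned as SIDs.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}

Grant-FolderAccess -Path $Folder -Identity $Account -Rights 'Read, Write'
Get-AccountAccess -Path $Folder -Identity $Account | Format-Table -AutoSize
```

Run it from an elevated prompt, and scope the grant to a dedicated data folder rather than a drive root or the application's own code directory.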
