New users and groups introduced in IIS 6.0 and Their default permissions

Source: Internet
Author: User
Tags asp net

Q: We have been using IIS for some years and are migrating our web site to IIS 6.0 (a new server, not an upgrade). I want to control security, but not over-control it to the point where the system cannot serve files. I also found that new users and groups, such as the ASPNET user and the IIS_WPG group, have been added to Windows Server 2003 with IIS 6.0 installed. I want to know how to set the security of these users and groups so that new web sites stay secure. Please tell me how to set permissions when creating a web site, so that I can add other settings as needed. The default permissions of the wwwroot folder are listed below for reference.

Administrators (group; member: Administrator): Full Control
IIS_WPG (group; members: IWAM_<servername>, Local Service, Network Service, SYSTEM): Read & Execute
Interactive: List Folder Contents
IUSR_<servername>: List Folder Contents
Network: List Folder Contents
Network Service: List Folder Contents
Ows_123456789_admin (group; member: Administrators group): List Folder Contents
Ows_987654321_admin (group; member: Administrator): List Folder Contents
SYSTEM: Full Control
Users (group; members: ASPNET, Authenticated Users group, Interactive): Read & Execute

You can see that many permissions are set here, and some are redundant. I need to create a new master folder for other web sites and want to make sure the permission settings fully meet my needs.

A: The answer to "What permissions should I have?" is "the minimum permissions that meet the requirements." IIS itself needs only NTFS Read permission to serve static content and scripts. Every other permission depends on your business needs.

From the permissions you listed, I can see that IIS 6 and the FrontPage 2002 Server Extensions have been freshly installed on your server. It is worth noting that the permissions required on the server (and sometimes the users and groups) change each time a service or product is added. First, let's look at the permissions on the wwwroot folder when IIS 6 is installed with its defaults on Windows Server 2003, without FrontPage Server Extensions:

Administrators: Full Control
SYSTEM: Full Control
IIS_WPG: List Folder Contents, Read & Execute, Read
Users: List Folder Contents, Read & Execute, Read
Internet Guest Account: Write (Deny)

The IIS 6 defaults I listed differ from those on your server because you installed FrontPage Server Extensions (FPSE) 2002. As you can see, the permission settings differ considerably. The permissions added by FPSE are:

Network: List Folder Contents
Network Service: List Folder Contents
Interactive: List Folder Contents
Ows_<suffix>: permissions vary with the role
Internet Guest Account: List Folder Contents

You are right that some of the settings overlap. The biggest change is to the permissions of the Internet Guest account: the Deny Write entry was removed and List Folder Contents was added. As a result, anonymous web users have the same permissions as the Network and Interactive groups. Since the IUSR account is always a member of either the Network group or the Interactive group, listing its permissions separately is theoretically unnecessary. Likewise, the Network Service account is a member of IIS_WPG and therefore does not need to be listed separately.

The way FPSE uses permissions can be confusing. It mainly addresses the following problem: a user first authenticates with a user account to enter the web site, then browses other content that, by its NTFS permissions, can only be accessed anonymously. In that case the user may be denied access even though you want the user to read the content. Fortunately, on Windows Server 2003 you can have FPSE use local user groups instead of the built-in Network and Interactive groups. For more information, read http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/owsj03.asp and http://www.microsoft.com/serviceproviders/whitepapers/fpse2002.asp.

Finally, the ASPNET account is not present on an IIS 6 server by default; it is created only when ASP.NET is installed. The ASPNET account is not used unless you run ASP.NET in IIS 5.0 isolation mode for compatibility with IIS 5. By default, these applications run under the Network Service account. For more information about ASP.NET and IIS 6, see the IIS 6 Resource Guide.
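The least-privilege ACL the answer describes, applied to a new master folder and then verified, as an added PowerShell example (this is not code from the original column or from Microsoft). The folder path and the IUSR_<servername> account name are assumptions; the script stops inheriting from the drive root so that the folder starts with nothing and receives only Full Control for Administrators and SYSTEM and Read & Execute for the identities IIS actually serves with (IIS_WPG and the anonymous account), then fails if any other identity can modify content:

```powershell
# Added example, not from the original column. Applies a least-privilege NTFS ACL to a
# new master web folder on Windows Server 2003 / IIS 6 and verifies the result.
# Assumptions (change to match your server): the folder path, and that the anonymous
# account is the default IUSR_<servername> local account.
param(
    [string]$WebRoot = 'D:\Sites\NewSite'   # assumed new master folder for the site
)

$computer   = $env:COMPUTERNAME
$identities = @{
    Administrators = 'BUILTIN\Administrators'
    System         = 'NT AUTHORITY\SYSTEM'
    WorkerProcess  = "$computer\IIS_WPG"          # IIS 6 worker process group (Network Service is a member)
    Anonymous      = "$computer\IUSR_$computer"   # IIS 6 anonymous account (assumed default name)
}

# Rights to grant: Full Control for admins and the OS, Read & Execute only for the
# identities IIS uses to serve static files and scripts. Nothing web-facing gets Write.
$grants = @(
    @{ Id = $identities.Administrators; Rights = 'FullControl' },
    @{ Id = $identities.System;         Rights = 'FullControl' },
    @{ Id = $identities.WorkerProcess;  Rights = 'ReadAndExecute' },
    @{ Id = $identities.Anonymous;      Rights = 'ReadAndExecute' }
)

if (-not (Test-Path -LiteralPath $WebRoot)) {
    New-Item -ItemType Directory -Path $WebRoot | Out-Null
}

$acl = Get-Acl -LiteralPath $WebRoot
# Stop inheriting from the parent volume and drop the inherited entries, so the folder
# starts empty instead of with whatever the drive root grants (for example Users: RX).
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit entries that were already on the folder.
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $WebRoot -AclObject $acl

# Verification: show the resulting entries, then fail if any identity other than
# Administrators and SYSTEM can write, delete or change permissions; that is the
# permission a compromised script or anonymous user would need to plant content.
$final = Get-Acl -LiteralPath $WebRoot
$final.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$writeMask  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$trusted    = @($identities.Administrators, $identities.System)
$violations = $final.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeMask) -ne 0
}
if ($violations) {
    $violations | ForEach-Object { Write-Warning "Web-facing identity can modify content: $($_.IdentityReference)" }
    exit 1
}
Write-Host "ACL on $WebRoot is read-only for web identities."
```

Run it from an elevated PowerShell prompt on the web server. If a site later needs an upload or log folder, grant Write to the worker process identity on that one subfolder rather than on the master folder, and re-run the check to confirm the master folder is still read-only.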

What is Web garden?
Q: IIS 6.0 has a new feature called a web garden, with which you can configure an application pool to use multiple worker processes. When does IIS create an additional worker process, and what should we know before we implement a web garden?

A: When you create an application pool, you tell IIS 6 to create a worker process to serve the content of the Web sites, files and folders assigned to that pool. You can configure the application pool to start more than one worker process, which improves scalability. This feature is called a web garden, which is a small-scale "Web farm": instead of using multiple computers to serve the same content (a Web farm), you use multiple processes on one computer to serve the same content.

To configure an IIS 6 application as a web garden, simply set the "Maximum number of worker processes" box on the Performance tab of the application pool's Properties to a number greater than 1. When the value is greater than 1, each new request starts a new worker process instance until the maximum number of worker processes you specified is reached. Subsequent requests are sent to the worker processes in round-robin fashion.

Web gardens are useful when your application is resource-constrained. For example, if your connection to the database is slow, you can use multiple worker processes to increase user throughput and the number of connections to the database.

Although web gardens are very useful in some cases, note that each worker process has its own session information. Because requests are routed to the application pool's worker processes in round-robin fashion, a web garden may not be very useful for applications that keep session information in the worker process.

In a few cases, resource contention can occur when multiple worker processes run the same application, for example if all the worker processes try to write to the same log file, or use a resource that is not designed for multiple concurrent accessors.

If these problems do not apply to you, the web garden may be one of the features you need, and it can play a very important role.
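The web garden setting and its session-state caveat together, as an added PowerShell example (not code from the original column or from Microsoft). The pool name and worker-process count are assumptions. The script first walks the IIS 6 metabase through the ADSI provider to find each site root assigned to the pool and reads the ASP.NET sessionState mode from its web.config (the ASP.NET default, when unspecified, is InProc); if any application keeps session state in the worker process it refuses to convert the pool, otherwise it sets the MaxProcesses metabase property, which is what the "Maximum number of worker processes" box writes:

```powershell
# Added example, not from the original column. Turns an IIS 6 application pool into a
# web garden, but first checks whether any application in that pool keeps ASP.NET
# session state in-process, which round-robin routing between worker processes breaks.
# Pool name and worker-process count are assumptions; only site roots are inspected.
param(
    [string]$PoolName  = 'DefaultAppPool',   # assumed pool to convert
    [int]   $Processes = 3                   # assumed worker-process count (> 1 = web garden)
)

function Get-SessionStateMode {
    # Returns the ASP.NET sessionState mode for an application root, defaulting to
    # 'InProc' when web.config is absent or does not set it (the ASP.NET default).
    param([string]$AppRoot)
    $configPath = Join-Path $AppRoot 'web.config'
    if (-not (Test-Path -LiteralPath $configPath)) { return 'InProc' }
    $xml  = [xml](Get-Content -LiteralPath $configPath)
    $node = $xml.SelectSingleNode('/configuration/system.web/sessionState')
    if ($node -and $node.GetAttribute('mode')) { return $node.GetAttribute('mode') }
    return 'InProc'
}

# Find every site whose root application's AppPoolId points at the pool.
$inProcApps = @()
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
    $root = [ADSI]"$($site.psbase.Path)/Root"
    if ("$($root.AppPoolId)" -ne $PoolName) { continue }
    $mode = Get-SessionStateMode -AppRoot "$($root.Path)"
    Write-Host ("{0,-30} {1,-40} sessionState={2}" -f "$($site.ServerComment)", "$($root.Path)", $mode)
    if ($mode -eq 'InProc') { $inProcApps += "$($site.ServerComment)" }
}

if ($inProcApps.Count -gt 0 -and $Processes -gt 1) {
    $msg = "Not converting {0}: these applications store session state in the worker process " +
           "and would lose it as requests rotate between processes: {1}. " +
           "Move them to StateServer or SQLServer session state first."
    Write-Warning ($msg -f $PoolName, ($inProcApps -join ', '))
    exit 1
}

$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
Write-Host "Current MaxProcesses for ${PoolName}: $($pool.MaxProcesses)"
$pool.Put('MaxProcesses', $Processes)   # same metabase property the Performance tab sets
$pool.SetInfo()
Write-Host "MaxProcesses for $PoolName is now $Processes"
```

The check covers only ASP.NET web.config settings; applications nested below a site root, and classic ASP sessions (which are always held in the worker process), need to be reviewed by hand before the pool is converted.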

Basic Authentication and integrated Windows Authentication
Q: I have an internal enterprise website, and I want all authenticated users to be able to access a directory on another server. I mapped the remote server's content to a drive on the Web server and, for testing, granted the Everyone group Full Control on both the share and the NTFS permissions; our application then accesses the content by referencing the drive letter.

When we configure Integrated Windows authentication for this directory, no user can access the remote location. However, if we use Basic authentication and specify a domain, users can access the remote content. My question is: why are the user's credentials not retained for access to the remote server with Integrated Windows authentication, while Basic authentication works?

A: Although this looks as if credentials are not being retained under Integrated Windows authentication, that is not the case. To keep any site or server secure, the key is to balance functionality against security. Basic authentication uses the local logon type, also known as an "interactive" logon. Credentials of this type can be delegated to other servers, so the credentials obtained through Basic authentication can be used to successfully access the remote system. The same is true for accessing SQL Server: you can use Basic authentication to authenticate the client and forward the credentials to a SQL Server configured to use SQL authentication. However, when Integrated Windows authentication is used to authenticate to the IIS server, the "network" logon type is used. This type of logon is much more secure than Basic authentication, but the credentials cannot be forwarded to other servers unless Kerberos is used on the enterprise intranet. Once Kerberos is used (and configured correctly), user credentials can be delegated throughout the directory forest (see Microsoft Knowledge Base article 326089).

To access remote content conveniently and reliably regardless of the authentication type, configure a virtual directory that points to the remote content; you will be prompted for a user name and password that are valid on both the IIS server and the remote server. Requests to that virtual directory are then made in the security context of the specified user, so the remote content can be accessed no matter which authentication method the client used.

Unless you can use Kerberos, we recommend that you modify the application to use a standard virtual directory instead of a mapped drive; that way the remote content can be accessed reliably. Mapped drives are also not recommended because a mapped drive belongs to the profile of the user who created the mapping. When a different user logs on to the IIS server, the mapped drive does not exist, and there is no association between it and your application.
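The virtual directory the answer recommends, created through the IIS 6 ADSI provider, as an added PowerShell example (not code from the original column or from Microsoft). The site instance, directory name, share path and service account are assumptions. The vdir's Path is the UNC path itself rather than a drive letter, UNCUserName/UNCPassword give IIS a fixed identity to use on the share for every request, and the access flags allow Read only:

```powershell
# Added example, not from the original column. Creates an IIS 6 virtual directory that
# serves content from a UNC share under a fixed account, so access to the remote server
# works whether the client used Basic or Integrated Windows authentication.
# Assumptions: metabase site id, vdir name, share path and the service account name.
param(
    [string]$SiteId   = '1',                      # assumed metabase id of the intranet site
    [string]$VDirName = 'Reports',                # assumed virtual directory name
    [string]$UncPath  = '\\fileserver\reports',   # assumed remote share
    [string]$UncUser  = 'CORP\svc_iis_reports'    # assumed dedicated, low-privilege account
)

# Prompt for the password instead of embedding it in the script. IIS stores it in the
# metabase; free the temporary plain-text copy as soon as it has been handed over.
$securePassword = Read-Host -AsSecureString "Password for $UncUser"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$siteRoot = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"

# Refuse to continue if the name is taken, rather than silently reconfiguring another vdir.
$exists = $siteRoot.psbase.Children | Where-Object { $_.psbase.Name -eq $VDirName }
if ($exists) { throw "Virtual directory '$VDirName' already exists under site $SiteId." }

$vdir = $siteRoot.Create('IIsWebVirtualDir', $VDirName)
$vdir.Put('Path',         $UncPath)   # UNC target instead of a per-user mapped drive letter
$vdir.Put('UNCUserName',  $UncUser)   # fixed identity used on the share for every request
$vdir.Put('UNCPassword',  $plain)
$vdir.Put('AccessRead',   $true)      # read only: no Write, no script source access
$vdir.Put('AccessScript', $false)     # static files only; enable only if the share holds scripts to run
$vdir.SetInfo()
$plain = $null

# Read the settings back so the result can be checked against what was intended.
$check = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root/$VDirName"
Write-Host ("Created {0}: Path={1} UNCUserName={2} AccessRead={3} AccessScript={4}" -f `
    $VDirName, "$($check.Path)", "$($check.UNCUserName)", "$($check.AccessRead)", "$($check.AccessScript)")
```

Because every request to this directory runs as the fixed account, that account is the only identity that needs rights on the remote server: grant it Read on the share and on the NTFS folder, and remove the Everyone Full Control that was added for testing. The client-side authentication setting on the directory still decides who may reach the content at all; the fixed account only changes how IIS reaches the share.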

Submit your questions to the IIS Q&A column. Not every question can be answered, but the questions selected will appear together with their answers in the next issue of the IIS Question and Answer column.


On behalf of Microsoft, we sincerely hope that the information in this article helps you, but you bear the risks arising from your use of it. All information in this document is provided as is, without warranty, express or implied, as to its accuracy, completeness, fitness for purpose, title or non-infringement. Microsoft did not participate in the creation of any third-party products or information mentioned here, and does not recommend, support or warrant them to you. Microsoft assumes no liability for any loss caused by the use of this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such loss.

This article is from the CSDN blog; when reproducing it, please credit the source: http://blog.csdn.net/xushen8314/archive/2008/02/23/2115551.aspx
