IIS7 permission overview

Source: Internet
Author: User
Article directory
    • Worker process
    • Application pool
    • Virtual account ApplicationPoolIdentity
    • What is impersonation?
    • User group and user
    • Conclusion

IIS7 is a revolutionary change from its predecessors. It is no longer the old garment patched at the seams: all of the code has been rewritten, which brings better performance and scalability. Instead of being only a web server, it has become an application server capable of hosting any communication-based application. The changes also bring new things to learn, and among them IIS7 permissions are the most basic part and the first thing to understand. This article gives a preliminary introduction to how IIS7 applies permissions, so that you are not caught off guard when an application suddenly hits an unexplained permission problem. Although the following content uses web services as the example, the principle applies equally to other applications hosted by IIS7, such as FTP.

Worker process

The worker process is the host of an IIS application. In Task Manager you can see each worker process as an instance of w3wp.exe.

Worker process identity (WPI)

This is the identity the worker process runs under:

    • In IIS6, and in IIS7 on Windows Server 2008, the default identity is NetworkService.
    • In IIS7.5 on Windows Server 2008 R2, the default identity is ApplicationPoolIdentity.

There is no direct way to set the identity the worker process runs under; it is controlled through the identity setting of the application pool.

Application pool

An application pool contains one or more worker processes (more than one in web garden mode). The application pool identity is injected into the worker process at runtime and the worker process runs as that identity, so the application pool can be regarded as sharing the running identity of its worker processes.

Application pool identity

This is the identity the application pool runs under:

    • In IIS6, and in IIS7 on Windows Server 2008, the default identity is NetworkService.
    • In IIS7 on Windows Server 2008 SP2, in addition to LocalService, NetworkService and LocalSystem, the ApplicationPoolIdentity option is added: a virtual account to which you can assign permissions.
    • In IIS7.5 on Windows Server 2008 R2, the default identity is ApplicationPoolIdentity.

Virtual account ApplicationPoolIdentity

You can select ApplicationPoolIdentity from the identity options above, but that is only a generic label; the actual account name depends on the name of your application pool. For example, if the application pool is named simonwapppool, the full name of the virtual account is IIS AppPool\simonwapppool, and in Task Manager the w3wp.exe of that pool is shown running as the user simonwapppool. You can assign file-system permissions to this account. The advantage is that permissions can be separated per pool for finer-grained configuration, unlike NetworkService, which is shared by many applications, so that a single permission change affects a large surface.

However, this account sometimes cannot be found through the UI object picker (a known quirk of the virtual accounts). In that case you can use the icacls command line to set the permissions instead.
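The following PowerShell session ties the last two sections together: it sets a pool's identity (the only way to change the WPI), grants the resulting virtual account access with icacls, and then checks which identity each w3wp.exe really runs under. It is an added example, not code from the original article; the pool name simonwapppool, the content path C:\inetpub\simonw and the IIS7/7.5 server with an elevated PowerShell 4.0 or later prompt are assumptions.

```powershell
# Added example, not code from the original article. Assumes an IIS7/7.5 server,
# an elevated PowerShell 4.0+ prompt, a hypothetical pool 'simonwapppool' and a
# hypothetical content directory C:\inetpub\simonw.
$poolName   = 'simonwapppool'
$contentDir = 'C:\inetpub\simonw'
$appcmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. The worker process identity is set indirectly, through the pool's identity.
& $appcmd set apppool "/apppool.name:$poolName" /processModel.identityType:ApplicationPoolIdentity

# 2. The pool now runs as the virtual account IIS AppPool\<poolname>. Give that
#    account, and only that account, read/execute on its own content tree.
#    (OI)(CI) = inherited by child files and folders; RX = read and execute.
$account = "IIS AppPool\$poolName"
icacls $contentDir /grant "${account}:(OI)(CI)RX"

# 3. Verify the ACE landed, even if the Explorer object picker cannot find the name.
icacls $contentDir | Select-String -SimpleMatch $account

# 4. Confirm which identity each w3wp.exe actually runs under (-IncludeUserName
#    needs an elevated prompt). A pool that has not received a request yet has
#    no worker process, so browse the site first if the list comes back empty.
Get-Process -Name w3wp -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, UserName
```

Granting RX rather than Modify is deliberate: a pool that can only read its own content cannot rewrite its web.config or drop files into the web root if the application it hosts is compromised, and because the grant names one pool's account, no other pool on the server gains anything from it.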

What is impersonation?

This may be a confusing word: to impersonate means to play a role or dress up as someone else. Here it means running the application under a different identity, instead of the existing one, at a specific point in time. When a request first enters the IIS processing pipeline, the authenticated user's context is not yet known, so at that point your application runs with the WPI permissions. After authentication the authenticated user's context is created, but it is still not adopted. Once the request has been mapped to a handler (handler mapping), the application begins to "play the role": the default WPI is replaced by the authenticated user's identity, and the application executes under that identity.

For example, when PHP runs under FastCGI we recommend setting fastcgi.impersonate = 1 in php.ini. The value decides which identity a request for a PHP file executes under:
fastcgi.impersonate = 0 (false): always use the WPI; by default NetworkService.
fastcgi.impersonate = 1 (true): use the authenticated user; for an anonymous request this is IUSR by default, which means the permissions set at the site level take effect.
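To see the difference rather than take it on faith, the script below drops a one-line PHP page that reports its own token, flips fastcgi.impersonate in php.ini, recycles the pool and requests the page under each setting. It is an added example, not code from the original article; the php.ini path C:\PHP\php.ini, the site root C:\inetpub\simonw served at http://localhost/, the pool name simonwapppool, and an existing PHP FastCGI handler mapping are all assumptions.

```powershell
# Added example, not code from the original article. Assumes (hypothetical) PHP at
# C:\PHP\php.ini, a site rooted at C:\inetpub\simonw served at http://localhost/,
# a pool named 'simonwapppool', PHP already registered as a FastCGI handler, and
# an elevated PowerShell 3.0+ prompt. shell_exec must not be disabled in php.ini.
$phpIni   = 'C:\PHP\php.ini'
$webRoot  = 'C:\inetpub\simonw'
$poolName = 'simonwapppool'
$url      = 'http://localhost/whoami.php'
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Test page: 'whoami' prints the account whose token the PHP process is using.
@'
<?php
header('Content-Type: text/plain');
echo trim(shell_exec('whoami'));
'@ | Set-Content -Path (Join-Path $webRoot 'whoami.php') -Encoding Ascii

function Set-FastCgiImpersonate([string]$IniPath, [int]$Value) {
    # Replace an existing directive (commented out or not) or append a new one.
    $ini     = Get-Content -Path $IniPath -Raw
    $pattern = '(?m)^\s*;?\s*fastcgi\.impersonate\s*=[^\r\n]*'
    if ($ini -match $pattern) {
        $ini = $ini -replace $pattern, "fastcgi.impersonate = $Value"
    } else {
        $ini += "`r`nfastcgi.impersonate = $Value`r`n"
    }
    Set-Content -Path $IniPath -Value $ini -Encoding Ascii
    # The FastCGI php-cgi processes keep php.ini in memory; recycle the pool so
    # fresh processes read the new value.
    & $appcmd recycle apppool "/apppool.name:$poolName" | Out-Null
}

foreach ($v in 0, 1) {
    Set-FastCgiImpersonate -IniPath $phpIni -Value $v
    $who = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    "fastcgi.impersonate = $v  ->  PHP request executed as: $who"
}

# Do not leave a page that runs whoami on a production site.
Remove-Item (Join-Path $webRoot 'whoami.php')
```

With impersonation off, the page reports the pool's own identity (the WPI); with it on, an anonymous request reports IUSR and an authenticated request reports the logged-on user, which is exactly the hand-over from WPI to authenticated user described above. Because that hand-over happens only at handler mapping, anything PHP or the handler does before that point still runs as the WPI.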

User Group and user

Two special users and user groups should be noted in iis7, and there is a similar relationship in IIS6
IIS6: iis_wpg-iis7: iis_iusrs
IIS6: IUSR_machinename-iis7: IUSR

The biggest change is that both have become built-in accounts with a well-known SID that is the same on every machine. The advantage is that content can be copied between different machines or systems together with its permissions and they still apply. In the past, because the SID differed from machine to machine, permissions had to be set manually one by one; it is much more convenient now.

IIS_IUSRS group

By default this group holds the permissions needed to run a worker process. Every account used as a WPI is implicitly and automatically added to this group at runtime, so that it obtains the minimum permissions needed to run. For example, if you set the identity of the application pool simonwapppool to ApplicationPoolIdentity, the user IIS AppPool\simonwapppool automatically receives all the permissions of IIS_IUSRS. Therefore, be very careful when assigning permissions to this group: a change here silently affects every application pool on the server.

IUSR default anonymous account

Note that IUSR is an anonymous account and has no password, but it belongs to Authenticated Users, and Authenticated Users belongs to the Users group, so IUSR has the permissions of the Users group by default.
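The practical payoff of the fixed SIDs discussed in this section is that an ACL can be exported on one server and applied on another without editing. The script below first resolves the three principals this article keeps returning to (IUSR, IIS_IUSRS and a pool's virtual account) to their SIDs, then uses icacls /save and /restore to carry a directory's DACLs across machines. It is an added example, not code from the original article; the pool name simonwapppool and the paths C:\inetpub\simonw and C:\temp\simonw-acl.txt are assumptions.

```powershell
# Added example, not code from the original article. Assumes IIS is installed, the
# hypothetical pool 'simonwapppool' exists, and the hypothetical paths
# C:\inetpub\simonw and C:\temp\simonw-acl.txt.
$principals = 'IUSR', 'IIS_IUSRS', 'IIS AppPool\simonwapppool'
foreach ($name in $principals) {
    # NTAccount -> SecurityIdentifier is the same lookup icacls performs.
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    '{0,-28} {1}' -f $name, $sid.Value
}

# Export the DACLs of the content tree (/T = recurse, /C = continue on errors).
# The file stores SDDL strings, i.e. SIDs rather than names, which is why it can
# be applied unchanged on a second server where the same well-known SIDs exist.
icacls 'C:\inetpub\simonw' /save 'C:\temp\simonw-acl.txt' /T /C

# Inspect the result: every IIS_IUSRS entry appears as S-1-5-32-568, every IUSR
# entry as S-1-5-17, and the pool's virtual account as an S-1-5-82-... SID.
Get-Content 'C:\temp\simonw-acl.txt' | Select-String -SimpleMatch 'S-1-5-32-568', 'S-1-5-17', 'S-1-5-82'

# On the target machine, after copying the file: /restore takes the PARENT
# directory, because the saved entries are relative paths such as 'simonw\...'.
# icacls 'C:\inetpub' /restore 'C:\temp\simonw-acl.txt'

# For a machine-specific principal (the old IUSR_<machine> local account), map the
# old SID to the new one while restoring instead of fixing entries by hand:
# icacls 'C:\inetpub' /substitute <oldSid> <newSid> /restore 'C:\temp\simonw-acl.txt'
```

The pool's virtual account also has a stable SID (IIS derives it from the pool name, in the S-1-5-82 range), so as long as the target server has a pool of the same name, its ACEs transfer as well; it is the old machine-local accounts of IIS6 that need the /substitute step. Before restoring, review the saved file for entries you did not intend to carry over, since icacls applies every DACL in it.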

Conclusion

It has been a year since I last wrote an article, and I only found the chance at the end of the year. Most of this content was summarized more than half a year ago; today I have fixed some mistakes and omissions. Please point out any remaining errors promptly. I hope this provides an effective reference for your IIS7 configuration.
