How to configure secure publishing for IIS

Source: Internet
Author: User

This article describes a way to configure IIS so that it publishes securely.

IIS publishes web services, web pages, upload and download programs, and so on. Secure publishing means, for example, preventing other programs from accessing or downloading your published resources, and preventing unauthorized users from uploading files.

I. Secure publishing

The WebService, WebRequest and WebClient classes all share a common property, Credentials, which holds the authentication credentials required to access an Internet resource.

Open IIS, select the publishing directory, right-click it and choose "Properties" from the shortcut menu. The Home Directory tab has four options: Script source access, Read, Write and Directory browsing. If the resources only need to be read from the Internet, select "Read"; if writing must be allowed, select "Write". Do not select "Directory browsing": as a rule, do not let Internet users browse directories. For Application protection, select "Medium (Pooled)".

If the server is IIS 6.0, you must also set the access permissions of the application pool. Open Computer Management, add a user named SNT and make it a member of the Users group.

Go to the Directory Security tab, then Anonymous access and authentication control, then Edit. Clear "Anonymous access" and select "Integrated Windows authentication".

Convert the disk that holds the publishing directory to NTFS format. Right-click the website directory, choose Properties and go to the Security tab (for example, the default website points to C:\Inetpub\wwwroot, so select wwwroot). Add the SNT user and the Users group and give them the "Read & Execute", "List Folder Contents" and "Read" permissions. If resources must be uploaded to this directory, also select the "Write" permission.

Note: the system directory (Winnt or Windows) must also grant the Users group the "Read & Execute", "List Folder Contents" and "Read" permissions, because IIS needs to access the Microsoft.NET directory and the Temp directory. Under Documents and Settings, add the SNT user with the "Read & Execute", "List Folder Contents", "Read" and "Write" permissions.

If you configure a publishing directory that accepts uploads, also set the WebDAV web service extension to "Allowed" in IIS.
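The dialog steps above can also be applied from an elevated PowerShell prompt. The script below is an added example and is not part of the original article. It assumes IIS 7 or later with the WebAdministration module and the Windows Authentication feature installed (the article targets IIS 5/6, where the same settings live in the MMC dialogs), a site named 'Default Web Site' rooted at C:\Inetpub\wwwroot, and an existing local account named SNT that is a member of Users, as in the article. The site name, root, account and the upload switch are variables to adjust for your host.

```powershell
# Added example (not from the original article): apply the article's directory settings
# from PowerShell instead of the IIS dialogs.
# Assumptions: IIS 7+ with the WebAdministration module and Windows Authentication installed;
# site 'Default Web Site' rooted at C:\Inetpub\wwwroot; local account 'SNT' already exists.

$SiteName   = 'Default Web Site'
$SiteRoot   = 'C:\Inetpub\wwwroot'
$AppAccount = 'SNT'        # hypothetical local account used by the article
$AllowWrite = $false       # $true only for a directory that must accept uploads

# 1. NTFS permissions for the Users group and the dedicated account.
#    RX = "Read & Execute", which implies "List Folder Contents" and "Read".
#    (OI)(CI) make the entry inherit to files and subfolders.
#    Write (W) is granted separately and only when uploads are required.
foreach ($principal in @('BUILTIN\Users', $AppAccount)) {
    icacls $SiteRoot /grant "${principal}:(OI)(CI)RX" | Out-Null
    if ($AllowWrite) {
        icacls $SiteRoot /grant "${principal}:(OI)(CI)W" | Out-Null
    }
}

# 2. Authentication: anonymous access off, Integrated Windows authentication on.
Import-Module WebAdministration
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 3. Directory browsing stays off, as the article recommends.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# 4. Read the settings back so the change can be verified before going live.
foreach ($section in @('anonymousAuthentication', 'windowsAuthentication')) {
    $value = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
                -Filter "$authBase/$section" -Name enabled).Value
    Write-Host ("{0,-24} enabled = {1}" -f $section, $value)
}
Write-Host "NTFS ACL on ${SiteRoot}:"
icacls $SiteRoot
```

Run it once per publishing directory; for an upload directory set `$AllowWrite` to `$true` and point `$SiteRoot` at that directory only, so the write grant does not spread to the whole site root.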

In the client program code, add the following:

NetworkCredential networkCredential = new NetworkCredential(username, password);

(WebService, WebRequest or WebClient instance).Credentials = networkCredential;

You can then use the relevant class to access the published resources.

Example:

[Visual Basic, C#, C++] The following example collects a user name and password from the user and creates a NetworkCredential. This NetworkCredential is used to set the Credentials property. When a request is made, the credentials stored in this property are used to authenticate the requester.

[Visual Basic]

Imports System
Imports System.Net

' 'url' holds the address of the published resource.
' Create a new WebRequest to the mentioned URL.
Dim myWebRequest As WebRequest = WebRequest.Create(url)

' Set the 'PreAuthenticate' property to True.
myWebRequest.PreAuthenticate = True

Console.WriteLine(ControlChars.Cr + "Please enter your credentials for the requested URL")
Console.WriteLine("Username")
Dim username As String = Console.ReadLine()
Console.WriteLine("Password")
Dim password As String = Console.ReadLine()

' Create a new 'NetworkCredential' object.
Dim networkCredential As New NetworkCredential(username, password)

' Associate the 'NetworkCredential' object with the 'WebRequest' object.
myWebRequest.Credentials = networkCredential

' Assign the response object of 'WebRequest' to a 'WebResponse' variable.
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

[C#]

using System;
using System.Net;

// 'url' holds the address of the published resource.
// Create a new WebRequest to the mentioned URL.
WebRequest myWebRequest = WebRequest.Create(url);

// Set the 'PreAuthenticate' property to true; credentials will be sent with the request.
myWebRequest.PreAuthenticate = true;

Console.WriteLine("\nPlease enter your credentials for the requested URL");
Console.WriteLine("Username");
string username = Console.ReadLine();
Console.WriteLine("Password");
string password = Console.ReadLine();

// Create a new 'NetworkCredential' object.
NetworkCredential networkCredential = new NetworkCredential(username, password);

// Associate the 'NetworkCredential' object with the 'WebRequest' object.
myWebRequest.Credentials = networkCredential;

// Assign the response object of 'WebRequest' to a 'WebResponse' variable.
WebResponse myWebResponse = myWebRequest.GetResponse();


II. Anonymous: no client authentication

IIS 5.0 offers three application protection levels: Low (IIS process), Medium (Pooled) and High (Isolated). IIS has an anonymous Internet user account. Its default name is IUSR_machine; this is a local account created when IIS is installed (as is IWAM_machine). If the Anonymous option is enabled for a given resource, IIS checks the DACL of the requested resource (HTML file, ASP file, script, GIF file and so on). If the DACL on the file allows the anonymous Internet user account, IIS executes the client request under that account instead of trying a more expensive authentication option. In other words, IIS impersonates the anonymous Internet user account and opens the file while impersonating. If the DACL denies access to the anonymous Internet user, IIS moves on to the next authentication option in the list; if no other option is enabled for this resource, access is denied. Note that I have deliberately referred to this account in abstract terms, because it is not always IUSR_machine. Each web resource in the IIS metabase (web site, virtual directory, file system directory or file) has the following (inherited) attributes:

AnonymousUserName: a valid user account name. When an Internet user requests a particular resource, IIS uses this account to create a logon session for them.

AnonymousUserPass: the password of the account just described.

AnonymousPasswordSync: a magical Boolean attribute that I will describe next.

By default, the W3SVC node at the root of the metabase (above all web nodes) sets AnonymousUserName to IUSR_machine and AnonymousPasswordSync to True. This attribute is remarkable: it lets inetinfo.exe call a special sub-authentication DLL through the LSA and obtain a logon session without supplying a password. In effect it gives you a logon without checking the password at all. This is a convenient feature, but note that only local accounts are supported. If this feature makes you uneasy, consider that inetinfo.exe runs in the System logon session, so it is already part of the TCB (trusted computing base) of the local machine.

From my own experience with IIS 5.0, if the password synchronization option is used, the logon session generated for anonymous users is a network logon session without network credentials, which makes sense because IIS obtained the logon session without providing a password. If this feature is not used and a password is explicitly specified, the logon session is an interactive logon session with network credentials. Of course, if you use a local account, these network credentials are not very useful unless you create a matching user name and password on another machine.

Note that when two or more resources share the same anonymous account (the typical case), IIS tries to cache a single logon session and impersonate it for all of these resources, even across isolated application boundaries.
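The DACL check described in this section can be audited from the file system side. The script below is an added example and not from the original article: it walks a web root and reports files whose DACL names the anonymous account explicitly, flagging any that grant it write access, which is where an "upload" directory that was meant to require authentication would show up. It assumes the IIS 5/6 naming convention IUSR_<machine> and the web root C:\Inetpub\wwwroot; both are script parameters. It only inspects ACEs that name the account directly, so rights inherited through a group such as Everyone or Users are not counted and must be reviewed separately.

```powershell
# Added example (not from the original article): report files under a web root whose DACL
# names the anonymous IIS account, i.e. the files that IIS would serve (or let be written)
# without moving on to the next authentication method.
# Assumptions: anonymous account named IUSR_<machine> (IIS 5/6 convention from the article),
# web root C:\Inetpub\wwwroot; both are parameters. Group-granted rights are not evaluated.

param(
    [string] $WebRoot  = 'C:\Inetpub\wwwroot',
    [string] $AnonUser = "IUSR_$env:COMPUTERNAME"
)

# Rights that let the account read, and rights that let it change, a file.
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)

# Match "IUSR_HOST" or "HOST\IUSR_HOST" as the ACE identity.
$anonPattern = "(^|\\)$([regex]::Escape($AnonUser))$"

$report = Get-ChildItem -Path $WebRoot -Recurse -File | ForEach-Object {
    $acl  = Get-Acl -Path $_.FullName
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -match $anonPattern }
    if (-not $aces) { return }   # no explicit entry for the anonymous account

    $allowRead = $false; $allowWrite = $false; $denied = $false
    foreach ($ace in $aces) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') { $denied = $true; continue }
        if ($rights -band $ReadMask)  { $allowRead  = $true }
        if ($rights -band $WriteMask) { $allowWrite = $true }
    }
    [pscustomobject]@{
        Path         = $_.FullName
        AnonRead     = $allowRead  -and -not $denied
        AnonWrite    = $allowWrite -and -not $denied   # writable by anonymous: review this
        ExplicitDeny = $denied                         # IIS falls through to the next method
    }
}

# Show the interesting rows first: anything anonymous can write, or that is explicitly denied.
$report | Sort-Object -Property @{Expression = 'AnonWrite'; Descending = $true}, Path |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it as a user who can read the ACLs under the web root; an empty report means no file names the anonymous account directly, so its effective access, if any, comes from group entries, which the article's Users-group grant is one source of.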
