如何在域控制器上分配IIS 7.5文件系統訪問權限？

Question

我有一些不尋常的情況。

我正在處理安裝在Windows Server 2008 R2域控制器計算機上的IIS 7.5。

我正試圖編寫一個C＃程序，在我的IIS上安裝我的Web應用程序。除了當我需要將應用程序池的訪問權限分配給安裝Web應用程序的文件夾時，一切正常。

已經做了一些研究，我發現，我需要分配以下用戶帳戶訪問後：

IIS應用程序池\ [AppPoolName]

所以我想出了這個代碼：

setFolderPermissions(@"C:\inetpub\www_test1", 
    @"IIS AppPool\" + strAppPoolName, 
    System.Security.AccessControl.FileSystemRights.Read | System.Security.AccessControl.FileSystemRights.ListDirectory, 
    System.Security.AccessControl.AccessControlType.Allow); 

public static string setFolderPermissions(string strFolderPath, string sUserName, FileSystemRights rights, AccessControlType access) 
{ 
    DirectoryInfo info = new DirectoryInfo(strFolderPath); 

    DirectorySecurity ds = info.GetAccessControl(); 
    ds.AddAccessRule(new FileSystemAccessRule(sUserName, 
         rights, 
         InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, 
         PropagationFlags.None, 
         access)); 

    info.SetAccessControl(ds); 
} 

除了在域控制器上使用上述方法時，上述方法除外。它會拋出以下異常：

部分或全部標識引用無法翻譯。

以及我如何分配這些權限的唯一方法是通過在命令行這樣手動：

C:\Users\Administrator>icacls "C:\inetpub\www_test1" /grant "IIS AppPool\MyAppsoolName":(CI)(OI)(M) 

任何想法如何做到這一點icacls東西用C＃？

Answer 1

更好的是，創建自己的應用程序池，使用給定的憑據運行。併爲Web應用程序安裝的文件夾上的給定憑證（用戶名）分配權限。

Answer 2

您應該不會在域控制器上運行IIS，建議我的Microsoft，因爲這可能會導致安全性和權限問題。

如果您確實想要這樣做，您應該使用域帳戶來運行應用程序池，而不是集成的IIS Apppool。這不起作用，因爲域控制器沒有本地帳戶，並且IIS APPool帳戶是本地帳戶。

檢查此瞭解更多詳情

http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx

Answer 3

我想我用一個非託管的方式得到它。事實證明，在C＃有點難看，但這裏的概念：

uint nOSErr; 
if(!(nOSErr = setFolderPermissions(@"C:\inetpub\www_test1", @"IIS AppPool\" + strAppPoolName, OSFileAccess.FILE_GENERIC_READ))) 
{ 
    throw new Exception("Failed to change permissions, error code=" + nOSErr); 
} 

public static uint setFolderPermissions(string strFolderPath, string strUserName, OSFileAccess access) 
{ 
    //Set folder permissions 
    //RETURN: 
    //  = 0 if success 
    //  = Otherwise error code -- check GetLastError 
    uint dwRes = 0; 

    try 
    { 
     IntPtr pZero = IntPtr.Zero; 

     IntPtr pSecDesc = pZero; 
     IntPtr pDacl = pZero; 
     if ((dwRes = GetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, 
      out pZero, out pZero, out pDacl, out pZero, out pSecDesc)) == ERROR_SUCCESS) 
     { 
      try 
      { 
       EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS(); 

       ea.grfAccessPermissions = access; 
       ea.grfAccessMode = AccessMode.GRANT_ACCESS; 
       ea.grfInheritance = AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE; 
       ea.Trustee.MultipleTrusteeOperation = UIntPtr.Zero; 
       ea.Trustee.pMultipleTrustee = UIntPtr.Zero; 
       ea.Trustee.TrusteeForm = (UIntPtr)(TrusteeForm.TRUSTEE_IS_NAME); 
       ea.Trustee.ptstrName = strUserName; 

       IntPtr pNewDacl = pZero; 
       if((dwRes = SetEntriesInAcl(1, ref ea, pDacl, out pNewDacl)) == ERROR_SUCCESS) 
       { 
        try 
        { 
         if ((dwRes = SetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, 
          IntPtr.Zero, IntPtr.Zero, pNewDacl, IntPtr.Zero)) == ERROR_SUCCESS) 
         { 
          //Done 
         } 
        } 
        finally 
        { 
         //Free mem 
         if (pNewDacl != IntPtr.Zero) 
         { 
          LocalFree(pNewDacl); 
          pNewDacl = IntPtr.Zero; 
         } 
        } 
       } 
      } 
      finally 
      { 
       //Free mem 
       if (pSecDesc != IntPtr.Zero) 
       { 
        LocalFree(pSecDesc); 
        pSecDesc = IntPtr.Zero; 
       } 
      } 
     } 
    } 
    catch 
    { 
     dwRes = ERROR_INVALID_DATA; 
    } 

    return dwRes; 
} 


enum SE_OBJECT_TYPE 
{ 
    SE_UNKNOWN_OBJECT_TYPE = 0, 
    SE_FILE_OBJECT, 
    SE_SERVICE, 
    SE_PRINTER, 
    SE_REGISTRY_KEY, 
    SE_LMSHARE, 
    SE_KERNEL_OBJECT, 
    SE_WINDOW_OBJECT, 
    SE_DS_OBJECT, 
    SE_DS_OBJECT_ALL, 
    SE_PROVIDER_DEFINED_OBJECT, 
    SE_WMIGUID_OBJECT, 
    SE_REGISTRY_WOW64_32KEY 
} 

[Flags] 
enum SECURITY_INFORMATION : uint 
{ 
    OWNER_SECURITY_INFORMATION = 0x00000001, 
    GROUP_SECURITY_INFORMATION = 0x00000002, 
    DACL_SECURITY_INFORMATION = 0x00000004, 
    SACL_SECURITY_INFORMATION = 0x00000008, 
    UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000, 
    UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000, 
    PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000, 
    PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000 
} 

[DllImport("advapi32.dll", CharSet = CharSet.Auto)] 
static extern uint GetNamedSecurityInfo(
    string pObjectName, 
    SE_OBJECT_TYPE ObjectType, 
    SECURITY_INFORMATION SecurityInfo, 
    out IntPtr pSidOwner, 
    out IntPtr pSidGroup, 
    out IntPtr pDacl, 
    out IntPtr pSacl, 
    out IntPtr pSecurityDescriptor); 

[DllImport("kernel32.dll", SetLastError = true)] 
static extern IntPtr LocalFree(IntPtr hMem); 

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 0)] //Platform independent (32 & 64 bit) - use Pack = 0 for both platforms. IntPtr works as well. 
internal struct TRUSTEE 
{ 
    internal UIntPtr pMultipleTrustee; // must be null 
    internal UIntPtr MultipleTrusteeOperation; 
    internal UIntPtr TrusteeForm; 
    internal UIntPtr TrusteeType; 
    //[MarshalAs(UnmanagedType.LPStr)] 
    internal string ptstrName; 
} 

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 
internal struct EXPLICIT_ACCESS 
{ 
    internal OSFileAccess grfAccessPermissions; 
    internal AccessMode grfAccessMode; 
    internal AceFlags grfInheritance; 
    internal TRUSTEE Trustee; 
} 

private const uint ERROR_SUCCESS = 0; 

[Flags] 
public enum OSFileAccess : uint 
{ 
    AccessSystemSecurity = 0x1000000, // AccessSystemAcl access type 
    MaximumAllowed = 0x2000000,  // MaximumAllowed access type 

    Delete = 0x10000, 
    ReadControl = 0x20000, 
    WriteDAC = 0x40000, 
    WriteOwner = 0x80000, 
    Synchronize = 0x100000, 

    StandardRightsRequired = 0xF0000, 
    StandardRightsRead = ReadControl, 
    StandardRightsWrite = ReadControl, 
    StandardRightsExecute = ReadControl, 
    StandardRightsAll = 0x1F0000, 
    SpecificRightsAll = 0xFFFF, 

    FILE_READ_DATA = 0x0001,  // file & pipe 
    FILE_LIST_DIRECTORY = 0x0001,  // directory 
    FILE_WRITE_DATA = 0x0002,  // file & pipe 
    FILE_ADD_FILE = 0x0002,   // directory 
    FILE_APPEND_DATA = 0x0004,  // file 
    FILE_ADD_SUBDIRECTORY = 0x0004,  // directory 
    FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe 
    FILE_READ_EA = 0x0008,   // file & directory 
    FILE_WRITE_EA = 0x0010,   // file & directory 
    FILE_EXECUTE = 0x0020,   // file 
    FILE_TRAVERSE = 0x0020,   // directory 
    FILE_DELETE_CHILD = 0x0040,  // directory 
    FILE_READ_ATTRIBUTES = 0x0080,  // all 
    FILE_WRITE_ATTRIBUTES = 0x0100,  // all 

    GENERIC_READ = 0x80000000, 
    GENERIC_WRITE = 0x40000000, 
    GENERIC_EXECUTE = 0x20000000, 
    GENERIC_ALL = 0x10000000, 

    SPECIFIC_RIGHTS_ALL = 0x00FFFF, 
    FILE_ALL_ACCESS = StandardRightsRequired | Synchronize | 0x1FF, 

    FILE_GENERIC_READ = StandardRightsRead | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | Synchronize, 

    FILE_GENERIC_WRITE = StandardRightsWrite | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | Synchronize, 

    FILE_GENERIC_EXECUTE = StandardRightsExecute | FILE_READ_ATTRIBUTES | FILE_EXECUTE | Synchronize 
} 

internal enum AccessMode 
{ 
    NOT_USED_ACCESS = 0, 
    GRANT_ACCESS, 
    SET_ACCESS, 
    DENY_ACCESS, 
    REVOKE_ACCESS, 
    SET_AUDIT_SUCCESS, 
    SET_AUDIT_FAILURE 
} 

[Flags] 
internal enum AceFlags 
{ 
    OBJECT_INHERIT_ACE = 0x1, 
    CONTAINER_INHERIT_ACE = 0x2, 
    NO_PROPAGATE_INHERIT_ACE = 0x4, 
    INHERIT_ONLY_ACE = 0x8, 
    INHERITED_ACE = 0x10, 
    SUCCESSFUL_ACCESS_ACE_FLAG = 0x40, 
    FAILED_ACCESS_ACE_FLAG = 0x80 
} 

enum TrusteeForm 
{ 
    TRUSTEE_IS_SID, 
    TRUSTEE_IS_NAME, 
    TRUSTEE_BAD_FORM, 
    TRUSTEE_IS_OBJECTS_AND_SID, 
    TRUSTEE_IS_OBJECTS_AND_NAME 
} 


[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] 
static extern uint SetEntriesInAcl(
    int cCountOfExplicitEntries, 
    ref EXPLICIT_ACCESS pListOfExplicitEntries, 
    IntPtr OldAcl, 
    out IntPtr NewAcl); 

[DllImport("advapi32.dll", CharSet = CharSet.Auto)] 
static extern uint SetNamedSecurityInfo(
    string pObjectName, 
    SE_OBJECT_TYPE ObjectType, 
    SECURITY_INFORMATION SecurityInfo, 
    IntPtr psidOwner, 
    IntPtr psidGroup, 
    IntPtr pDacl, 
    IntPtr pSacl);