Windows 2008 user group permissions and using the virtual accounts built into IIS to prevent cross-site access

 

1. Windows 2008 R2 user group relationships

I have been using Windows 2008 R2 with IIS 7.5 for a long time, but I still haven't figured out the relationships between the Windows user groups.

What I recently pieced together from searching is as follows.

Open the Windows user group manager (Server Manager -> Configuration -> Local Users and Groups -> Groups).

 

Focus on the following groups:

Group            Group members                         Remark
Administrators   Administrator                         Super administrator
Guests                                                 Anonymous accounts; generally disabled
Power Users                                            The group with the highest permissions except Administrators
IIS_IUSRS                                              All IIS virtual accounts belong to this group
Users            NT AUTHORITY\INTERACTIVE (S-1-5-4)
                 NT AUTHORITY\Authenticated Users
Pay special attention to the members of each group. Basically all users (except Guests) belong to Users, so be especially careful when assigning permissions to Users.

2. Right-click any file -> Security -> Edit -> Add -> Advanced -> Find Now

More user groups can be seen here (these are the built-in groups):

* Everyone   Any user belongs to this group, including members of the Guests group, so if you enable Guests you must be especially careful when granting permissions to Everyone.
* Authenticated Users   Any user who logs in to this computer with a valid user account belongs to this group. The difference from Everyone is that Guests are not included.
* INTERACTIVE   Any user logged in locally (Remote Desktop, terminal) belongs to this group.
NT AUTHORITY\INTERACTIVE (S-1-5-4)   Should be similar to INTERACTIVE.
NT AUTHORITY\Authenticated Users   Should be similar to Authenticated Users.
ANONYMOUS LOGON   The lowest-privilege group, used when a user opens FTP, Network Neighborhood, etc. without logging in.
CREATOR GROUP   The creator's group.
CREATOR OWNER   The creator (excluding the group).
* IUSR   Anonymous authentication in IIS 7 runs as this user.
The difference from IIS_IUSRS is that you can set a real user here instead (the virtual accounts described below sit under IIS_IUSRS). This is not recommended; using the IIS_IUSRS virtual accounts directly is more convenient. To set a real user for anonymous authentication:
1. Open IIS Manager and double-click the site you want to configure.
2. In the Features view, double-click Authentication.
3. Select Anonymous Authentication and click Edit.
4. Click "Specific user" and then Set.
5. Enter the username and password of the user and confirm.
http://blog.chinaunix.net/uid-20344928-id-3306130.html
LOCAL SERVICE   The local service account.
NETWORK   Any user who logs in to this computer over the network belongs to this group.
NETWORK SERVICE   The network service account.
OWNER RIGHTS   The object's owner.
REMOTE INTERACTIVE LOGON   Remote interactive logon (Remote Desktop, console).
* SYSTEM   This group has the same or even higher permissions than Administrators.

Pay special attention to the groups marked with "*".

2. Windows virtual accounts

In the Windows 2003 era, if you needed separate permissions for each website, you had to create a separate user for each website.

Windows 2008 with IIS 7.5 adds virtual accounts, which remove the need to create a separate user for each website.

1. Enabling the virtual account

In Website -> Basic Settings -> Connect As, choose Application User.

The virtual account is now enabled.

Check Task Manager:

You can see that the user running php-cgi.exe and w3wp.exe is the application pool name.

This is the virtual account.

Search Baidu for "ApplicationPoolIdentity" or "IIS 7.5 virtual account" for more background.
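The same switch and the same Task Manager check can be done from PowerShell. The following is an added example, not code from the original post: it sets each application pool to ApplicationPoolIdentity and then lists which account the worker and CGI processes run under. It assumes the WebAdministration module that ships with IIS 7.5, the pool names www.a.com and www.b.com from the example later in the post, and an elevated PowerShell session.

```powershell
# Added example (not part of the original post). Assumes the WebAdministration
# module (IIS 7.5) and the pool names from the post's example; run elevated.
Import-Module WebAdministration

foreach ($pool in @('www.a.com', 'www.b.com')) {
    $path = "IIS:\AppPools\$pool"
    if (-not (Test-Path $path)) { New-Item $path | Out-Null }   # create the pool if it does not exist yet
    # ApplicationPoolIdentity = run the pool as the virtual account "IIS AppPool\<pool name>"
    Set-ItemProperty $path -Name processModel.identityType -Value ApplicationPoolIdentity
}

# Audit: show the identity type of every pool, so any pool still running as
# NetworkService/LocalSystem/a specific user stands out.
Get-ChildItem IIS:\AppPools |
    Select-Object Name, @{ Name = 'IdentityType'; Expression = { $_.processModel.identityType } }

# Owner of each running worker (w3wp.exe) and PHP FastCGI (php-cgi.exe) process,
# i.e. what Task Manager shows in its "User name" column. Win32_Process.GetOwner()
# works on the PowerShell 2.0 that ships with Windows 2008 R2.
Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe' OR Name = 'php-cgi.exe'" |
    ForEach-Object {
        $owner = $_.GetOwner()
        New-Object PSObject -Property @{
            Process = $_.Name
            PID     = $_.ProcessId
            User    = "$($owner.Domain)\$($owner.User)"
        }
    } | Format-Table Process, PID, User -AutoSize
```

Worker processes only appear after the first request to each site; with the virtual account enabled the User column reads "IIS APPPOOL\www.a.com" rather than NT AUTHORITY\NETWORK SERVICE.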

3. Setting website permissions (assuming the server is mainly used to serve websites and the stack is IIS + PHP)

According to the group relationships above, when a website runs under a virtual account, the group that IIS and PHP belong to is IIS_IUSRS.

1. By default the C: drive gives "Users" read-only permission (assuming the website directory is not on the C: drive).

2. On drives other than C:, remove the permissions of every principal other than SYSTEM, Administrators and Users (keep those original entries; in theory they could be removed too). At most give Users read-only permission; never give Users read-write permission.

3. On drives other than C:, deny the IIS_IUSRS group all permissions (deny permissions take precedence over allow permissions).

4. Pay special attention to the PHP directory, the PHP upload directory and the PHP session directory, which need read and write permissions (if you have not changed them and PHP is on the C: drive, these directories are under the default Windows temporary directory, which already has read and write permissions).

5. Set open_basedir in php.ini to restrict the directories PHP can read and write to the website directory (multiple directories can be set).

6. Set up the website directory: give the account "IIS AppPool\<application pool name>" read permission, and grant read and write permissions on specific directories as the website program requires.

   The account "IIS AppPool\<application pool name>" is not found by the object picker's search and has to be typed in manually.

7. For other PHP security settings, refer to online guides; PHP must not be allowed to run exec.

4. Example

Assumptions: PHP is installed on the C: drive; the session directory and the upload directory have not been changed.

The websites are under "d:\www":

Website 1: d:\www\www.a.com, application pool name www.a.com

Website 2: d:\www\www.b.com, application pool name www.b.com

1. On the D: drive, IIS_IUSRS has no read or write permission.

2. php.ini: open_basedir = d:\www\

3. d:\www\www.a.com: grant the account "IIS AppPool\www.a.com" read permission.

4. d:\www\www.b.com: grant the account "IIS AppPool\www.b.com" read permission.

(1) The IIS/PHP worker of www.a.com runs as "IIS AppPool\www.a.com" and can only read the data under d:\www\www.a.com.

(2) In addition, the "IIS AppPool\www.a.com" account belongs to Authenticated Users and "Users", and so has read permission on some directories of the C: drive.

    Because IIS needs to read configuration files on the C: drive, and for other reasons (such as running PHP), "IIS AppPool\www.a.com" must keep that read permission (the default C: drive permissions should not be changed; if you really do prohibit reading, IIS will raise errors).

(3) But we also restricted PHP's file read and write directory to d:\www\, so the PHP program of www.a.com can only read the directory data of d:\www\www.a.com

and cannot access d:\www\www.b.com or other non-website directories (which prevents cross-site access).


Summary of the basic permissions:

php.ini restricts PHP access to d:\www\

IIS_IUSRS is denied access to "d:\"

"IIS AppPool\www.a.com" is allowed access to d:\www\www.a.com

In this way each website can only access its own directory, and the setup is relatively simple.
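The permission layout above can be applied with icacls instead of clicking through the Security tab. The script below is an added example written for this page, not code from the original post; it uses the post's example paths and pool names (D:\www, www.a.com, www.b.com), assumes an "upload" subfolder per site as the one directory the website program needs to write, and assumes php.ini at C:\php\php.ini. Run it from an elevated PowerShell session and adjust the values first.

```powershell
# Added example (not part of the original post). Assumptions: D:\www layout and
# pool names from the post's example; "upload" subfolder per site is a constructed
# placeholder for the directories the website program must write; php.ini path is assumed.
$phpIni   = 'C:\php\php.ini'
$siteRoot = 'D:\www'
$sites    = @{ 'www.a.com' = 'www.a.com'; 'www.b.com' = 'www.b.com' }   # folder name -> application pool name

# Step 2: on D:\ keep only SYSTEM, Administrators and a read-only Users entry.
# /grant:r replaces whatever was granted to that principal before; /remove drops Everyone.
icacls 'D:\' /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX'
icacls 'D:\' /remove 'Everyone'

# Step 3: deny IIS_IUSRS everything on D:\, inherited into all subfolders and files.
# Every "IIS AppPool\<name>" virtual account is a member of IIS_IUSRS, so this alone
# locks every site out of the whole drive.
icacls 'D:\' /deny 'IIS_IUSRS:(OI)(CI)F'

# Step 6: per-site allow for the pool's own virtual account, set explicitly on the
# site folder. Explicit ACEs are evaluated before inherited ones, so this explicit
# allow wins over the inherited IIS_IUSRS deny, while the other site's account still
# hits the deny. (An explicit deny on the same folder would win over the allow.)
foreach ($folder in $sites.Keys) {
    $pool = $sites[$folder]
    $dir  = Join-Path $siteRoot $folder
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory $dir | Out-Null }
    icacls $dir /grant "IIS AppPool\$pool:(OI)(CI)RX"              # read + execute only

    $upload = Join-Path $dir 'upload'                                # constructed writable directory
    if (-not (Test-Path $upload)) { New-Item -ItemType Directory $upload | Out-Null }
    icacls $upload /grant "IIS AppPool\$pool:(OI)(CI)M"             # modify, only where the app needs to write
}

# Step 5: open_basedir in php.ini. Replace an existing (possibly commented) line, or append one.
$basedir = 'open_basedir = "D:\www\"'
$lines   = Get-Content $phpIni
if ($lines -match '^\s*;?\s*open_basedir\s*=') {
    $lines = $lines -replace '^\s*;?\s*open_basedir\s*=.*$', $basedir
} else {
    $lines += $basedir
}
Set-Content -Path $phpIni -Value $lines

# Verify: print the resulting ACLs so the deny on D:\ and the per-site allows can be reviewed.
icacls 'D:\'
foreach ($folder in $sites.Keys) { icacls (Join-Path $siteRoot $folder) }
```

Note the order of the steps matters for the ACE precedence described in the comments: the IIS_IUSRS deny must be inherited from the drive, and the per-pool allow must be explicit on the site folder, otherwise the deny blocks the site's own account as well. After changing php.ini, recycle the application pools (or restart IIS) for the new open_basedir to take effect.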


5. References

https://www.cnblogs.com/yjmyzz/archive/2009/10/26/1590033.html    IIS virtual accounts

https://blog.csdn.net/kexiuyi/article/details/51704688     Windows 2008 user groups

Other Baidu searches and personal experience


Origin blog.csdn.net/tangshangkui/article/details/86720545