Author:stevechowles
http://sqlblogcasts.com/blogs/stevechowles/archive/2007/06/08/reporting-services-2005-for-the-dba-iis-security.aspx
This is the second part of my IIS article, and today it covers IIS security. This is an important area to understand, especially when we get to double-hop authentication in a future article. Before you read this article, make sure you have read my previous article in the series, since this one leads directly on from it.
Getting to the web pages can be quite tricky, since there are many hoops you need to jump through in order to get there. What I will do is start from the client and progress through the security pipeline until you have reached the web resources you need.
IP Address Restrictions
IIS has the ability to deny access to clients that have a specific IP address. For a typical installation the chances are that there will not be any restrictions; however, it is worth knowing about in the event you get an HTTP Error 403.6 - Forbidden message.
IP Address restrictions are added in IIS Manager. When you view the Properties of the Virtual Directory, click on the Directory Security tab and click the Edit button on IP Address and Domain Name Restrictions.
Browser Authentication
When a browser issues an HTTP request, the web server will request authentication information from the browser. How your browser is configured determines whether it will prompt you for a username and password or just forward your current credentials automatically. After the user's credentials have been sent to the server, a check is done to ensure the user has a valid Windows account. If they do not, the user will get an HTTP Error 401.2 - Unauthorized message.
For Internet Explorer, the simplest way of determining what your setting is set to is to first navigate to the web page. At this point you will either be prompted for a username and password or not. Also, if you look at the bottom right of your browser you will see the Zone for the web site. Double-click on the Zone to open the Internet Security properties at the correct zone. Some companies disable the Custom Level button in Group Policy so you cannot change it. If you can click the button, go ahead and then scroll right to the bottom. The last entry is the User Authentication option, which lets you select the logon behaviour that suits you.
One thing I want to stress is that I am only talking about intranet sites within a company network here. Accessing Reporting Services from the Internet is a completely different ball game and requires extending Reporting Services functionality to support it.
Virtual Directory Security
Virtual Directory Security is made up of three areas of interest for us:
What Authentication does the Virtual Directory allow
What Authorization does the Virtual Directory allow
What Authorization does the NTFS folder Allow
For Reporting Services the only authentication allowed by default is Integrated Windows Authentication. Unless you have a valid Windows account you cannot access the web sites. You can view the authentication options from IIS Manager. When you view the Properties of the Virtual Directory, click on the Directory Security tab and click the Edit button on Anonymous Access and Authentication Control.
There are five different types of authentication allowed; however, Reporting Services does not support Digest Authentication or .NET Passport Authentication. My advice would be to stick with Integrated Windows Authentication only. You may be tempted to allow Anonymous Access for the virtual directories, as you would for some web sites; however, this gives everyone the same level of access in Reporting Services and in effect switches off all Reporting Services security. So this is not advised.
Authorization is made up of Web Permissions and NTFS folder and file permissions.
On the Directory tab in IIS Manager, the Web Permissions shown are the permissions allowed for every user's access to the Virtual Directory. These permissions dictate the level of access allowed to the website; however, there is not a one-to-one relationship to the underlying NTFS folder or files. If there is a failure at the Web Permissions level, the user will receive an HTTP Error 403.2 - Forbidden message. You should not need to change these permissions for Reporting Services.
The Virtual Directory points to a physical folder. A user accessing the website will need NTFS folder and file permissions in order to access the web pages. If the Web Permissions have Write access, then there must also be Write access on the NTFS permissions in order for the user to be able to write; otherwise the user will receive an HTTP Error 401.3 - Unauthorized message.
By default the NTFS file permissions allow all Authenticated users access to Reporting Services by way of the local Users group.
Application Pool Security
The Application Pool runs under the context of a user as configured in IIS Manager. The user can be verified by searching for w3wp.exe in Task Manager and looking across to the User Name column. The default user is NT Authority/NETWORK SERVICE.
This user is used for compiling the application and loading any configuration information. The user used for running the application depends on the impersonation value in the web.config file for the website. If there is an entry as follows, <identity impersonate="false"/>, the application will run under the context of the Application Pool user. If the entry is set to true, the application will run under the context of the user making the request.
Reporting Services has the value set to true, which means that when you access Report Manager you are accessing the website as yourself, which is required in order to use the security built in to Reporting Services. One point to bear in mind is that Report Server still uses the Application Pool account for accessing the Reporting Services catalog databases regardless of the value set for impersonation.
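The two checks above (which authentication methods a virtual directory allows, and whether web.config impersonation makes requests run as the caller or as the Application Pool account) can be scripted. The following is an added example, not code from the original article or from Reporting Services: it decodes an IIS 6 metabase AuthFlags bitmask using the MD_AUTH_* bit values, reads the identity element from a web.config fragment, and reports the findings the article warns about. The helper names, the sample web.config and the AuthFlags values fed in are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# IIS 6 metabase AuthFlags bit values (MD_AUTH_ANONYMOUS, MD_AUTH_BASIC, MD_AUTH_NT,
# MD_AUTH_MD5, MD_AUTH_PASSPORT) as exposed by the metabase and its WMI provider.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM, AUTH_MD5, AUTH_PASSPORT = 1, 2, 4, 16, 64
AUTH_NAMES = {AUTH_ANONYMOUS: "Anonymous", AUTH_BASIC: "Basic",
              AUTH_NTLM: "Integrated Windows", AUTH_MD5: "Digest",
              AUTH_PASSPORT: ".NET Passport"}


def decode_auth_flags(flags):
    """Names of the authentication methods enabled in an AuthFlags bitmask."""
    return [name for bit, name in AUTH_NAMES.items() if flags & bit]


def effective_identity(web_config_xml, app_pool_account):
    """Who the request runs as, following the <identity impersonate=...> rule above."""
    root = ET.fromstring(web_config_xml)
    ident = root.find("./system.web/identity")
    if ident is None or ident.get("impersonate", "false").lower() != "true":
        return app_pool_account  # impersonation off: Application Pool account
    # impersonation on: a fixed userName if given, otherwise the authenticated caller
    return ident.get("userName") or "<authenticated caller>"


def audit_vdir(name, auth_flags, web_config_xml,
               app_pool_account="NT Authority/NETWORK SERVICE"):
    """Hypothetical audit helper: flag settings that weaken Reporting Services security."""
    enabled = decode_auth_flags(auth_flags)
    findings = []
    if "Anonymous" in enabled:
        findings.append("Anonymous access enabled: every caller gets the same rights, "
                        "so Reporting Services security is bypassed")
    for unsupported in ("Digest", ".NET Passport"):
        if unsupported in enabled:
            findings.append(f"{unsupported} authentication enabled but not supported "
                            "by Reporting Services")
    if "Integrated Windows" not in enabled:
        findings.append("Integrated Windows Authentication is disabled")
    return {"vdir": name, "enabled": enabled,
            "runs_as": effective_identity(web_config_xml, app_pool_account),
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample: ReportServer vdir with Anonymous + Integrated enabled, impersonation on
    SAMPLE_CONFIG = ('<configuration><system.web><identity impersonate="true"/>'
                     '</system.web></configuration>')
    print(audit_vdir("ReportServer", AUTH_ANONYMOUS | AUTH_NTLM, SAMPLE_CONFIG))
```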
So what user should you run the Application Pools as? Well, when running as NT Authority/NETWORK SERVICE, the Report Server Application Pool account will connect to the SQL Server repository as <domain>/<machine name>$, where <machine name> is the name of the machine where Reporting Services is installed. This appears rather generic, and your company standard may dictate that you change it to something more meaningful. I will discuss changing the account in a future article.
INTERNALS ALERT
So how does IIS process a request from a browser?
A user issues an HTTP request, something like http://<server>/Reports
The request is sent to the machine identified by <server>, and since no port number was specified, there needs to be a process on the machine listening on port 80.
Port 80 is the standard HTTP port number and on Microsoft platforms is listened on by a kernel-mode component called http.sys
When http.sys is first initialised it reads the routing table, which links each URL to a specific Application Pool
http.sys routes requests for Report Server to the Report Server Application Pool
http.sys routes requests for Report Manager to the Report Manager Application Pool
A worker process called w3wp.exe is started for each Application Pool
The worker process loads the ASP.NET ISAPI DLL, which is required for Reporting Services
The worker process then delegates the request to the HTTP runtime environment, which is part of the ISAPI module.
The worker process for an Application Pool reads the HTTP requests out of its Application Queue
Once the HTTP request has been processed, the worker process sends the HTTP response back to http.sys
http.sys sends the HTTP response out on to the network for the client to receive.