Reporting Services 2005 for the DBA – IIS Security

Author:stevechowles
http://sqlblogcasts.com/blogs/stevechowles/archive/2007/06/08/reporting-services-2005-for-the-dba-iis-security.aspx

This is the second part of my IIS article, which today covers IIS Security. This is an important area to understand, especially when we get to double-hop authentication in a future article. Before you read this article make sure you have read my previous article in the series, since this one leads straight on from it.
 
Getting to the web pages can be quite tricky, since there are many hoops you need to jump through in order to get there. What I will do is start from the client and progress through the security pipeline until you have reached the web resources you need.
 
IP Address Restrictions
IIS has the ability to deny access to clients that have a specific IP address. For a typical installation the chances are that there will not be any restrictions; however, it is worth knowing about in the event you get an HTTP Error 403.6 - Forbidden message.
 
IP Address restrictions are added in IIS Manager. When you view the Properties of the Virtual Directory, click on the Directory Security tab and click the Edit button on IP Address and Domain Name Restrictions.
 
Browser Authentication
When a browser issues an HTTP request the web server will request authentication information from the browser. How your browser is configured determines whether it will prompt you for a username and password or just forward your current credentials automatically. After the user's credentials have been sent to the server, a check is done to ensure the user has a valid Windows account. If they do not, the user will get an HTTP Error 401.2 - Unauthorized message.
 
For Internet Explorer the simplest way of determining what your setting is set to is to first navigate to the web page. At this point you will either be prompted for a username and password or not. Also, if you look at the bottom right of your browser you will see the Zone for the web site. Double click on the Zone to open the Internet Security properties at the correct zone. Some companies disable the Custom Level button in Group Policy so you cannot change it. If you can click the button, go ahead and then scroll right to the bottom. The last entry will be the User Authentication option, allowing you to select which option is suitable for you.
 
One thing I want to stress is that I am only talking about intranet sites here, within a company network. Accessing Reporting Services from the Internet is a completely different ball game and requires extending Reporting Services functionality to support this.
 
Virtual Directory Security
Virtual Directory Security is made up of three areas of interest for us:
         What Authentication the Virtual Directory allows
         What Authorization the Virtual Directory allows
         What Authorization the NTFS folder allows
 
For Reporting Services the only authentication allowed by default is Integrated Windows Authentication. Unless you have a valid Windows account you cannot access the web sites. You can view the authentication options from IIS Manager. When you view the Properties of the Virtual Directory, click on the Directory Security tab and click the Edit button on Anonymous Access and Authentication Control.
 
There are five different types of authentication available; however, Reporting Services does not support Digest Authentication or .NET Passport Authentication. My advice would be to stick with Integrated Windows Authentication only. You may be tempted to allow Anonymous Access for the virtual directories like you would for some web sites; however, this gives everyone the same level of access in Reporting Services and in effect switches off all Reporting Services security. So this is not advised.
 
Authorization is made up of Web Permissions and NTFS folder and file permissions.
 
On the Directory tab in IIS Manager the Web Permissions shown are the permissions allowed for every user's access to the Virtual Directory. These permissions dictate the level of access allowed to the website; however, there is not a one-to-one relationship to the underlying NTFS folder or files. If there is a failure at the Web Permissions level the user will receive an HTTP Error 403.2 - Forbidden message. You should not need to change these permissions for Reporting Services.
 
The Virtual Directory points to a physical folder. A user accessing the website will need NTFS folder and file permissions in order to access the web pages. If the Web Permissions include Write access then there must also be Write access in the NTFS permissions in order for the user to be able to write; otherwise the user will receive an HTTP Error 401.3 - Unauthorized message.
 
By default the NTFS file permissions allow all Authenticated users access to Reporting Services by way of the local Users group.
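The four HTTP status codes above each identify the layer of the pipeline that rejected a request (403.6 for IP restrictions, 401.2 for browser authentication, 403.2 for Web Permissions, 401.3 for NTFS permissions). As an added example that is not from the original article, this Python script reads IIS W3C log lines (a constructed sample is embedded) and attributes each rejection to its layer. It assumes the log includes the sc-status and sc-substatus fields, and it treats a 401.2 that is followed by a successful request from the same client for the same URI as the normal Integrated Windows challenge rather than a failure.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Security layer behind each status/substatus pair named in the article.
SECURITY_LAYER = {
    (403, 6): "IP address restriction",
    (401, 2): "browser authentication (no valid Windows account)",
    (403, 2): "virtual directory web permissions",
    (401, 3): "NTFS folder/file permissions",
}

@dataclass
class LogEntry:
    client_ip: str
    user: str
    uri: str
    status: int
    substatus: int

def parse_w3c(text: str) -> List[LogEntry]:
    """Parse W3C extended log text, using the #Fields header to locate columns."""
    fields: List[str] = []
    entries: List[LogEntry] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows instead of mis-attributing columns
        row = dict(zip(fields, values))
        entries.append(LogEntry(row["c-ip"], row["cs-username"], row["cs-uri-stem"],
                                int(row["sc-status"]), int(row["sc-substatus"])))
    return entries

def rejections(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, layer) for each request rejected by a security layer."""
    entries = parse_w3c(text)
    out = []
    for i, e in enumerate(entries):
        layer: Optional[str] = SECURITY_LAYER.get((e.status, e.substatus))
        if layer is None:
            continue
        # A 401.2 answered later by a 2xx from the same client for the same URI is
        # the normal Integrated Windows challenge/response, not a rejection.
        if (e.status, e.substatus) == (401, 2) and any(
                later.client_ip == e.client_ip and later.uri == e.uri
                and 200 <= later.status < 300 for later in entries[i + 1:]):
            continue
        out.append((e.client_ip, e.uri, layer))
    return out

# Constructed sample log (not real data): a normal challenge/response, then two rejections.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2007-06-08 09:00:01 10.0.0.5 GET /Reports/Pages/Folder.aspx - 80 - 10.0.0.77 401 2
2007-06-08 09:00:02 10.0.0.5 GET /Reports/Pages/Folder.aspx - 80 CORP\\alice 10.0.0.77 200 0
2007-06-08 09:00:03 10.0.0.5 GET /ReportServer/ - 80 - 10.0.0.99 403 6
2007-06-08 09:00:04 10.0.0.5 GET /ReportServer/Reports/x.rdl - 80 CORP\\bob 10.0.0.77 401 3
"""

if __name__ == "__main__":
    for ip, uri, layer in rejections(SAMPLE_LOG):
        print(f"{ip} {uri}: rejected by {layer}")
```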
 
Application Pool Security
The Application Pool runs under the context of a user as configured in IIS Manager. The user can be verified by searching for w3wp.exe in Task Manager and looking across to the User Name column. The default user is NT AUTHORITY\NETWORK SERVICE.
 
This user will be used for compiling the application and loading any configuration information. The user used for running the application depends on the impersonation value in the web.config file for the website. If there is an entry as follows, <identity impersonate="false"/>, the application will run under the context of the Application Pool user. If the entry is set to true, the application will run under the context of the authenticated user who made the request.
 
Reporting Services has the value set to true, which means that when you access Report Manager you are accessing the website as yourself, which is required in order to use the security built in to Reporting Services. One point to bear in mind is that Report Server still uses the Application Pool account for accessing the Reporting Services catalog databases regardless of the value set for impersonation.
 
So what user should you run the Application Pools as? When running as NT AUTHORITY\NETWORK SERVICE, the Report Server Application Pool account will connect to the SQL Server repository as <domain>\<machine name>$, where <machine name> is the machine on which Reporting Services is installed. This appears rather generic, and your company standard may dictate that you change it to something more meaningful. I will discuss changing the account in a future article.
 
INTERNALS ALERT
 
So how does IIS process a request from a browser?
         A user will issue an HTTP request, something like http://<server>/Reports
         The request will be sent to the machine identified by <server>, and since no port number was specified there needs to be a process on the machine listening on port 80.
         Port 80 is the standard HTTP port number and on Microsoft platforms is listened on by a kernel-mode component called http.sys
         When http.sys is first initialised it reads the routing table, which links each URL to a specific Application Pool
         http.sys will route requests for Report Server to the Report Server Application Pool
         http.sys will route requests for Report Manager to the Report Manager Application Pool
         A worker process called w3wp.exe is started for each Application Pool
         The worker process will load the ASP.NET ISAPI DLL, which is required for Reporting Services
         The worker process will then delegate the request to the HTTP runtime environment, which is part of the ISAPI module.
         The worker process for an Application Pool will read the HTTP requests out of its application queue
         Once the request has been processed, the worker process will send the HTTP response back to http.sys
         http.sys will send the HTTP response out on to the network for the client to receive.