How to grant permission to listen on a service port on Windows

On Windows, if you have a server that needs to listen for client requests on a port, you may run into an error like this:

HTTP could not register URL http://+:8000/. Your process does not have access rights to this namespace

See this article:
https://blogs.msdn.microsoft.com/drnick/2006/10/16/configuring-http-for-windows-vista/

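This happens because, starting with Vista, a process does not get permission for the port by default unless the application is started with administrator rights.
The fix is to run the following command: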

netsh http add urlacl url=http://+:8000/ user=MYMACHINE\UserName

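netsh is a powerful command, the Windows networking command line. It is divided into several sub-contexts, and http is one of them. Running netsh http lists all the commands available there.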

To revoke the permission, use:

netsh http delete urlacl url=http://+:8000/

See the Windows help for netsh http add:
https://docs.microsoft.com/en-us/windows/win32/http/add-urlacl

The syntax is as follows:

add urlacl [url=]string
           [[user=]string
           {[[listen={yes|no}] [delegate={yes|no}]] | [sddl=]string}

As you can see, the permission can be described in two ways: with the listen and delegate parameters, or with SDDL syntax. For SDDL, see:
https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language

https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
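That said, I feel that even after reading them you basically still won't understand it. Put simply, when you run netsh http show urlacl, the corresponding SDDL string is shown at the bottom of each entry: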

    Reserved URL            : http://+:3387/rdp/
        User: NT SERVICE\TermService
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104)

    Reserved URL            : http://127.0.0.1:8884/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
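
The following Python example is added here and is not part of the original post. It reads the URL and SDDL lines of netsh http show urlacl output, decodes each allow ACE (GX = listen, as the output above shows; GW = delegate and GA = both, per the HTTP Server API's URL ACL rights), and lists reservations that let a broad group listen on a wildcard host. The third sample entry and all function names are constructed for illustration.

```python
import re

# Constructed input: the two reservations shown above plus one hypothetical
# entry (http://+:8000/ granted to BUILTIN\Users with listen and delegate).
SAMPLE = r"""
    Reserved URL            : http://+:3387/rdp/
        User: NT SERVICE\TermService
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104)

    Reserved URL            : http://127.0.0.1:8884/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : http://+:8000/
        User: BUILTIN\Users
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;BU)
"""
# SDDL aliases of broad groups, and the URL ACL rights: GX=listen, GW=delegate, GA=both.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users", "IU": "Interactive"}
RIGHTS = {"GX": {"listen"}, "GW": {"delegate"}, "GA": {"listen", "delegate"}}

def parse_urlacl(text):
    """Return [(url, [(sid, rights)])]; reads only URL and SDDL lines, not the text labels."""
    entries, url = [], None
    for line in text.splitlines():
        m = re.search(r":\s*(https?://\S+)\s*$", line)
        if m:
            url = m.group(1)
        elif "SDDL:" in line and url:
            aces = []
            for typ, rights, sid in re.findall(r"\((\w+);[^;]*;(\w*);[^;]*;[^;]*;([^)]+)\)", line):
                if typ == "A":  # allow ACE; rights are two-letter codes, e.g. GX or GXGW
                    granted = set().union(*(RIGHTS.get(rights[i:i+2], set()) for i in range(0, len(rights), 2)))
                    aces.append((sid, granted))
            entries.append((url, aces))
            url = None  # an SDDL line closes the current reservation
    return entries

def broad_listeners(text):
    """Reservations where a broad group may listen on a wildcard host (+ or *)."""
    return [(url, BROAD[sid]) for url, aces in parse_urlacl(text)
            if re.match(r"https?://[+*]", url)
            for sid, granted in aces if sid in BROAD and "listen" in granted]
```

On the sample, only the constructed http://+:8000/ entry is reported: the first reservation uses a wildcard host but is granted to a single service SID, and the second is granted to Everyone but bound to 127.0.0.1.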

I found a funny analogy about ACLs and firewalls on Quora:

Consider yourself to be the guard manning the entrance to President Trump’s press conference. You have been instructed not to admit any reporter from BBC, CNN, NY Times, Guardian etc. Someone’s given you a list of names of the reporters who belong to any of these organisations. You stand at the entrance, and whenever a reporter comes in, you:
Ask for their press affiliation card.
Check the name on the card against the list you have.
If the name is present, you deny them entry.
Else, you let them enter the conference room.

Now consider yourself to be a secret service agent assigned to the security detail of President Trump. When someone comes to meet the president, you:
Check their name against the list of visitors cleared for that day.
Check their ID. Make sure the ID is genuine. Match the face.
Question the visitor as to the purpose of visit. You are trained to look for tells.
Send them through a metal detector. Do manual frisking.
If they are carrying a briefcase or mobile phone, check those too.
Make sure background checks are done, and the all-clear is in place.
Ultimately, allow them near the president.
In the first instance, you are an ACL (Access Control List). In the second instance, you are a Firewall.
Note that it is quite easy to fool an ACL. A fake press card might do it. Or a borrowed one. You could be affiliated to multiple agencies (CNN + Fox, for example). You might approach the guard with a FedEx or Pizza delivery. You could alter your name. Your agency might have taken an anti-Trump line after the block list was published. And so on.
Also, using ACLs is inefficient. Suppose a reporter steps out to grab a coffee. They have to go through the same rigmarole while returning. The president might want to invite a reporter from CNN just as a one-off; but they won’t be let through.
In the second instance you are a Firewall. You do have a pre-published list, but that is not the final word in allowing anyone through. You go through a number of secondary checks and will end up catching pretty much all the attackers. The FedEx package you will divert into a threat assessment room; where it is evaluated for letter bombs, anthrax etc. before it is delivered to the president (it was his credit card statement). The pizza might be tested for toxins. And so on. There could be pre-defined clearance levels by which frequent visitors might not have to go through the process every time (improving the speed for the others).
Not all firewalls have all these features, but even the bare minimum set of features commonly found are far superior to the most feature-rich ACLs.

Reference:
Creating a DACL in code: https://docs.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl


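Please credit the source when reposting. If you found this article useful, please give it a like.
For more tutorials, search for 黑山老雕 on NetEase Cloud Classroom, Bilibili, Youku or Tencent Video.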
