Plan security hardening for SharePoint Server

Summary: Learn about security hardening for SharePoint Server 2013 and SharePoint Server 2016 and database server roles, including specific hardening requirements for ports, protocols, and services.

Secure server snapshots

In a server farm environment, individual servers have specific roles. Security hardening recommendations for these servers depend on the role each server plays. This article contains secure snapshots for two categories of server roles: SharePoint servers and the database server role.

The snapshots are divided into common configuration categories. The characteristics defined for each category represent the optimal hardened state for SharePoint Server. This article does not include hardening guidance for other software in the environment.

In addition to hardening servers for specific roles, it is important to protect the SharePoint farm by placing a firewall between the farm servers and outside requests. The guidance in this article can be used to configure a firewall.

SharePoint servers

This section identifies hardening characteristics for SharePoint servers. Some of the guidance applies to specific service applications; in these cases, the corresponding characteristics need to be applied only on the servers that are running the services associated with the specified service applications.

Category: Services listed in the Services MMC snap-in

Enable the following services:

  • ASP.NET State service (if you are using InfoPath Forms Services or Project Server 2016)

  • View State service (if you are using InfoPath Forms Services)

  • World Wide Web Publishing Service

Ensure that these services are not disabled:

  • Claims to Windows Token Service

  • SharePoint Administration

  • SharePoint Timer Service

  • SharePoint Tracing Service

  • SharePoint VSS Writer

Ensure that these services are not disabled on the servers that host the corresponding roles:

  • AppFabric Caching Service

  • SharePoint User Code Host

  • SharePoint Search Host Controller

  • SharePoint Server Search

Category: Ports and protocols

  • TCP 80, TCP 443 (SSL)

  • Custom ports for search crawling, if configured (such as for crawling a file share or a website on a non-default port)

  • Ports used by the search index component: TCP 16500-16519 (intra-farm only)

  • Ports required for the AppFabric Caching Service: TCP 22233-22236

  • Ports required for Windows Communication Foundation communication: TCP 808

  • Ports required for communication between SharePoint servers and service applications (the default is HTTP): HTTP binding TCP 32843; HTTPS binding TCP 32844; net.tcp binding TCP 32845 (only if a third party has implemented this option for a service application)

  • If your network environment uses Windows Server 2012, Windows Server 2008, Windows Server 2008 R2, Windows 7, or Windows Vista together with versions of Windows earlier than Windows Server 2012 and Windows Vista, you must enable connectivity over both of the following port ranges: the high port range 49152 through 65535, and the low port range 1025 through 5000

  • Default ports for SQL Server communication: TCP 1433, UDP 1434. If these ports are blocked on the SQL Server computer and databases are installed on a named instance, configure a SQL Server client alias for connecting to the named instance.

  • Microsoft SharePoint Foundation User Code Service (for sandboxed solutions): TCP 32846. This port must be open for outbound connections on all Front-end and Front-end with Distributed Cache servers, and for inbound connections on the Front-end and Front-end with Distributed Cache servers where this service is turned on.

  • Ensure that ports remain open for Web applications that are accessible to users.

  • Block external access to the port that is used for the Central Administration site.

  • SMTP for e-mail integration: TCP 25, or a custom TCP port if you have configured outbound e-mail to use a non-default port.

Category: Registry

No additional guidance

Category: Auditing and logging

If log files are relocated, ensure that the log file locations are updated to match. Update directory access control lists (ACLs) as well.

Category: Web.config

Follow these recommendations for each Web.config file that is created after you run Setup:

  • Do not allow compilation or scripting of database pages via the PageParserPaths elements.

  • Ensure that <SafeMode> has CallStack="false" and AllowPageLevelTrace="false".

  • Ensure that the Web Part limits around maximum controls per zone are set low.

  • Ensure that the SafeControls list is set to the minimum set of controls needed for your sites.

  • Ensure that your Workflow SafeTypes list is set to the minimum level of SafeTypes needed.

  • Ensure that customErrors is turned on (<customErrors mode="On"/>).

  • Consider your Web proxy settings as needed (<system.net>/<defaultProxy>).

  • Set the Upload.aspx limit to the highest size you reasonably expect users to upload. Performance can be affected by uploads that exceed 100 MB.

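To check a Web.config against the snapshot recommendations above, here is an added PowerShell audit script; it is not part of the original article. The sample document is constructed for the example, and the element paths (SafeMode and SafeControls under <SharePoint>, customErrors under <system.web>) and the commented file path are assumptions.

```powershell
# Added example, not from the article: audit a SharePoint Web.config for the
# snapshot recommendations. The XML below is a constructed sample that fails
# several checks on purpose; the element paths are assumptions about the layout.
$SampleWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode CallStack="true" AllowPageLevelTrace="false">
      <PageParserPaths>
        <PageParserPath VirtualPath="/pages/*" CompilationMode="Always"
                        AllowServerSideScript="true" IncludeSubFolders="true" />
      </PageParserPaths>
    </SafeMode>
    <SafeControls>
      <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
                   Namespace="Contoso.WebParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
'@

function Test-SPWebConfigHardening {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]

    $safeMode = $Config.SelectSingleNode('/configuration/SharePoint/SafeMode')
    if (-not $safeMode) {
        $findings.Add('No <SharePoint>/<SafeMode> element found')
    } else {
        if ($safeMode.GetAttribute('CallStack') -ne 'false') {
            $findings.Add('SafeMode CallStack must be "false" (stack traces leak internals to users)')
        }
        if ($safeMode.GetAttribute('AllowPageLevelTrace') -ne 'false') {
            $findings.Add('SafeMode AllowPageLevelTrace must be "false"')
        }
        # Any PageParserPath entry permits compiling or scripting database-stored pages.
        $parserPaths = $safeMode.SelectNodes('PageParserPaths/PageParserPath')
        if ($parserPaths.Count -gt 0) {
            $findings.Add("PageParserPaths has $($parserPaths.Count) entry/entries; remove them")
        }
    }

    # A wildcard TypeName registers every type in the assembly as safe, which is
    # the opposite of keeping SafeControls to the minimum your sites need.
    $wildcards = $Config.SelectNodes('/configuration/SharePoint/SafeControls/SafeControl[@TypeName="*"]')
    foreach ($entry in $wildcards) {
        $findings.Add("SafeControl wildcard TypeName for assembly '$($entry.GetAttribute('Assembly'))'")
    }

    $customErrors = $Config.SelectSingleNode('/configuration/system.web/customErrors')
    if (-not $customErrors -or $customErrors.GetAttribute('mode') -ne 'On') {
        $findings.Add('customErrors mode must be "On"')
    }
    return ,$findings
}

# Run against the constructed sample (four findings expected), then point it at a real file.
$findings = Test-SPWebConfigHardening -Config ([xml]$SampleWebConfig)
$findings | ForEach-Object { Write-Output "FINDING: $_" }
# Placeholder path: a Web application's Web.config sits in its IIS virtual directory.
# Test-SPWebConfigHardening -Config ([xml](Get-Content -Raw 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'))
```

The Web Part zone limits, Workflow SafeTypes and Upload.aspx size are not checked here because their exact attribute names are not given in the article.
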
Database server role

Note

With the addition of the MinRole feature in SharePoint Server 2016, the concept of roles has changed. For information about roles, see Planning for a MinRole server deployment in SharePoint Server 2016.

The primary recommendation for SharePoint Server is to secure inter-farm communication by blocking the default ports used for SQL Server communication and establishing custom ports for this communication instead. For more information about how to configure ports for SQL Server communication, see Blocking the standard SQL Server ports, later in this article.

Category: Ports

  • Block UDP 1434.

  • Consider blocking TCP 1433.

This article does not describe how to secure SQL Server. For more information about how to secure SQL Server, see Securing SQL Server (http://go.microsoft.com/fwlink/p/?LinkId=186828).

Specific port, protocol, and service guidance

The rest of this article describes in greater detail the specific hardening requirements for SharePoint Server.

In this section:

  • Blocking the standard SQL Server ports

  • Service application communication

  • Connections to external servers

  • Service requirements for e-mail integration

  • Service requirements for session state

  • SharePoint Server Products services

  • Web.config file

Blocking the standard SQL Server ports

The specific ports used to connect to SQL Server depend on whether databases are installed on a default instance or a named instance of SQL Server. The default instance of SQL Server listens for client requests on TCP 1433. A named instance of SQL Server listens on a randomly assigned port number. Additionally, the port number for a named instance can be reassigned when the instance is restarted (depending on whether the previously assigned port number is available).

By default, client computers that connect to SQL Server first connect by using TCP 1433. If this communication is unsuccessful, the client computers query the SQL Server Resolution Service, which listens on UDP 1434, to determine the port on which the database instance is listening.

The default port-communication behavior of SQL Server introduces several issues that affect server hardening. First, the ports used by SQL Server are well-publicized, and the SQL Server Resolution Service has been the target of buffer overrun attacks and denial-of-service attacks, including the "Slammer" worm. Even if SQL Server is updated to mitigate security issues in the SQL Server Resolution Service, the well-publicized ports remain a target. Second, if databases are installed on a named instance of SQL Server, the corresponding communication port is randomly assigned and can change. This behavior can prevent server-to-server communication in a hardened environment. The ability to control which TCP ports are open or blocked is essential to securing your environment.

Note

We recommend using the standard SQL ports, but ensure that the firewall is configured to allow communication only with the servers that need access to SQL Server. Servers that do not need access to SQL Server should be blocked from connecting to it over TCP port 1433 and UDP port 1444.

There are several methods you can use to block ports. You can block these ports by using a firewall. However, unless you can be sure that there are no other routes into the network segment and that no malicious users have access to the network segment, the recommendation is to block these ports directly on the server that hosts SQL Server. This can be accomplished by using Windows Firewall in Control Panel.

Configuring SQL Server database instances to listen on a nonstandard port

SQL Server provides the ability to reassign the ports that are used by the default instance and any named instances. In SQL Server, you reassign ports by using SQL Server Configuration Manager.

Configuring SQL Server client aliases

In a server farm, all front-end Web servers and application servers are SQL Server client computers. If you block UDP 1434 on the SQL Server computer, or you change the default port for the default instance, you must configure a SQL Server client alias on all servers that connect to the SQL Server computer. In this scenario, the SQL Server client alias specifies the TCP port that the named instance is listening on.

To connect to an instance of SQL Server, you install SQL Server client components on the target computer and then configure the SQL Server client alias by using SQL Server Configuration Manager. To install SQL Server client components, run Setup and select only the following client components to install:

  • Connectivity Components

  • Management Tools (includes SQL Server Configuration Manager)

For specific hardening steps for blocking the standard SQL Server ports, see Configure SQL Server security for SharePoint Server.

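As an added example that is not from the article, the following PowerShell implements both sides of the SQL Server port recommendation above: Windows Firewall rules on the server that hosts SQL Server, and a client alias on each farm server. The farm addresses, the host name sql01.corp.example, the listener port 40000 and the alias name are placeholders; writing the alias through the ConnectTo registry key is an assumption about what SQL Server Configuration Manager stores for a TCP alias.

```powershell
# Added example, not from the article. Placeholders: farm server addresses, the SQL host,
# and the non-default instance port chosen in SQL Server Configuration Manager.
$FarmServers = @('10.0.1.10', '10.0.1.11', '10.0.1.12')   # front-end and application servers
$SqlHost     = 'sql01.corp.example'                       # server that hosts SQL Server
$SqlPort     = 40000                                      # non-default port the instance listens on

# --- Run on the server that hosts SQL Server (elevated session) ---------------
function Set-SqlPortHardening {
    param([string[]]$AllowedSources, [int]$ListenPort)

    # Windows Firewall applies Block rules before Allow rules, so the profile's default
    # inbound action (not an explicit block on the instance port) is what keeps hosts
    # other than the farm servers away from the port the farm is allowed to reach.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # UDP 1434: the SQL Server Resolution Service. Farm servers use a client alias
    # instead of asking it for the instance port, so nothing needs this open.
    New-NetFirewallRule -DisplayName 'SharePoint hardening - block SQL Resolution Service' `
        -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Block | Out-Null

    # TCP 1433: the well-known default port; the instance no longer listens there.
    New-NetFirewallRule -DisplayName 'SharePoint hardening - block SQL default port' `
        -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Block | Out-Null

    # The instance port is reachable only from the farm servers listed above.
    New-NetFirewallRule -DisplayName 'SharePoint hardening - allow SQL from farm servers' `
        -Direction Inbound -Protocol TCP -LocalPort $ListenPort `
        -RemoteAddress $AllowedSources -Action Allow | Out-Null
}

# --- Run on each SharePoint server (the SQL client side) ----------------------
function Set-SqlClientAlias {
    param([string]$AliasName, [string]$Server, [int]$Port)
    # Assumption: this writes the ConnectTo entry that SQL Server Configuration Manager
    # creates for a TCP alias ("DBMSSOCN,<host>,<port>") for both the 64-bit and
    # 32-bit client libraries. The article's own method is Configuration Manager.
    $keys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $AliasName -PropertyType String `
            -Value "DBMSSOCN,$Server,$Port" -Force | Out-Null
    }
}

function Test-SqlPortReachability {
    param([string]$Server, [int]$Port)
    # From a farm server: the alias port must answer and the default port must not.
    $custom  = Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet
    $default = Test-NetConnection -ComputerName $Server -Port 1433 -InformationLevel Quiet
    [pscustomobject]@{ CustomPortOpen = $custom; DefaultPortOpen = $default }
}

# Set-SqlPortHardening -AllowedSources $FarmServers -ListenPort $SqlPort   # on the SQL host
# Set-SqlClientAlias  -AliasName 'SPSQL' -Server $SqlHost -Port $SqlPort   # on each farm server
# Test-SqlPortReachability -Server $SqlHost -Port $SqlPort                 # expect True / False
```

Farm servers connect using the alias name as the database server name, so choose it before the farm is created or attached, and run the reachability check from a server that is not in the allowed list as well to confirm it is refused.
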
Service application communication

By default, communication between SharePoint servers and service applications within a farm takes place by using HTTP with a binding to TCP 32843. When you publish a service application, you can select either HTTP or HTTPS with the following bindings:

  • HTTP binding: TCP 32843

  • HTTPS binding: TCP 32844

Additionally, third parties that develop service applications can implement a third choice:

  • net.tcp binding: TCP 32845

You can change the protocol and port binding for each service application. On the Service Applications page in Central Administration, select the service application, and then click Publish.

The HTTP/HTTPS/net.tcp bindings can also be viewed and changed by using the Get-SPServiceHostConfig and Set-SPServiceHostConfig Microsoft PowerShell cmdlets.

Communication between service applications and SQL Server takes place over the standard SQL Server ports or the ports that you configure for SQL Server communication.

Connections to external servers

Several features of SharePoint Server can be configured to access data that resides on server computers outside of the server farm. If you configure access to data that is located on external server computers, ensure that you enable communication between the appropriate computers. In most cases, the ports, protocols, and services that are used depend on the external resource. For example:

  • Connections to file shares use the File and Printer Sharing service.

  • Connections to external SQL Server databases use the default or customized ports for SQL Server communication.

  • Connections to Oracle databases typically use OLE DB.

  • Connections to Web services use both HTTP and HTTPS.

The following table lists features that can be configured to access data that resides on server computers outside the server farm.

Feature: Content crawling

You can configure crawl rules to crawl data that resides on external resources, including Web sites, file shares, Exchange public folders, and business data applications. When crawling external data sources, the crawl role communicates directly with these external resources. For more information, see Manage crawling in SharePoint Server.

Feature: Business Data Connectivity connections

Web servers and application servers communicate directly with computers that are configured for Business Data Connectivity connections.

Service requirements for e-mail integration

E-mail integration requires the use of two services:

SMTP service

E-mail integration requires the use of the Simple Mail Transfer Protocol (SMTP) service on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail. For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a Microsoft Exchange Server computer.

Microsoft SharePoint Directory Management service

SharePoint Server includes an internal service, the Microsoft SharePoint Directory Management Service, for creating e-mail distribution groups. When you configure e-mail integration, you have the option to enable the Directory Management Service feature, which lets users create distribution lists. When users create a SharePoint group and select the option to create a distribution list, the Microsoft SharePoint Directory Management Service creates the corresponding distribution list in the Active Directory environment.

In security-hardened environments, the recommendation is to restrict access to the Microsoft SharePoint Directory Management Service by securing the file associated with this service, SharePointEmailws.asmx. For example, you might allow access to this file by the server farm account only.

Additionally, this service requires permissions in the Active Directory environment to create Active Directory distribution list objects. The recommendation is to set up a separate organizational unit (OU) in Active Directory for SharePoint Server objects. Only this OU should allow write access to the account that is used by the Microsoft SharePoint Directory Management Service.

Service requirements for session state

Both Project Server 2016 and InfoPath Forms Services maintain session state. If you are deploying these features or products within your server farm, do not disable the ASP.NET State service. Additionally, if you are deploying InfoPath Forms Services, do not disable the View State service.

SharePoint Server Products services

Do not disable services that are installed by SharePoint Server (listed in the snapshot earlier in this article).

If your environment disallows services that run as Local System, you can consider disabling the SharePoint Administration service only if you are aware of the consequences and can work around them. This service is a Win32 service that runs as Local System.

This service is used by the SharePoint Timer service to perform actions that require administrative permissions on the server, such as creating Internet Information Services (IIS) Web sites, deploying code, and stopping and starting services. If you disable this service, you cannot complete deployment-related tasks from the Central Administration site. You must use Microsoft PowerShell to run the Start-SPAdminJob cmdlet (or use the Stsadm.exe command-line tool to run the execadmsvcjobs operation) to complete multiple-server deployments for SharePoint Server and to run other deployment-related tasks.

Web.config file

The .NET Framework, and ASP.NET in particular, use XML-formatted configuration files to configure applications. The .NET Framework relies on configuration files to define configuration options. The configuration files are text-based XML files. Multiple configuration files can, and typically do, exist on a single system.

System-wide configuration settings for the .NET Framework are defined in the Machine.config file. The Machine.config file is located in the %SystemRoot%\Microsoft.NET\Framework%VersionNumber%\CONFIG\ folder. The default settings that are contained in the Machine.config file can be modified to affect the behavior of applications that use the .NET Framework on the whole system.

You can change the ASP.NET configuration settings for a single application by creating a Web.config file in the root folder of the application. When you do this, the settings in the Web.config file override the settings in the Machine.config file.

When you extend a Web application by using Central Administration, SharePoint Server automatically creates a Web.config file for the Web application.

The Web server and application server snapshot presented earlier in this article lists recommendations for configuring Web.config files. These recommendations are intended to be applied to each Web.config file that is created, including the Web.config file for the Central Administration site.

For more information about ASP.NET configuration files and editing a Web.config file, see ASP.NET Configuration (http://go.microsoft.com/fwlink/p/?LinkID=73257).

See also

Concepts

Security for SharePoint Server