I'm going to reset IIS through a batch file. Using iisreset utility, as the batch file will be used by others who may log in the domain without the administrator account of the target server. How can I make the batch script running with proper permission? Thanks in advance!
And I also don't want to prompt the user to type in username/password as the batch file will be called by other programs.
Problem 1: Resetting remotely from batch. I prefer sc.exe
Example
sc \\webserver stop w3svc
sc \\webserver start w3svc
SC is not as heavy as IISRESET. Actually, I prefer to use WMI to recycle application pools, but that is tricky to do through batch
Problem 2: Allow users who are not Administrators on the target server to reset IIS.
You are either going to have to grant these users (or their group) permissions to control the services or store credentials somewhere. To grant the minimum permissions, see this KB -- a lot of work.
If you don't grant those executing the batch permission to restart services, see Rusell's answer -- create a WCF service.
You could create a windows service (using .net WCF for example) that executes this command. Then the service can run using credentials with administrator access.
Your other programs can call this service remotely.
"iisreset computername" will reset the IIS server if they have admin rights on computername. While I'm not sure how to change the user account in a batch file, this could be a security issue as batch files (as I'm sure you are aware) are stored in plain text.
PS. This would probably be better on ServerFault
Related
How can we force an IIS app pool to go into Unknown state? Is there a way to do this through the inetmgr GUI or through power shell ? I want to test a script that I'm writing, based off the Unknown state of my IIS app pool
As far as I know, if you log into the IIS server machine with non-admin account, then go to inetsrv folder and run "appcmd.exe list apppool" in command prompt ,you will get unkown state like below:
And before that you may need to add this non-admin user access permission to the config folder.
By the way, are you trying to test Powershell session? using "Get-IISapppool" in powershell with non-admin account will also get an empty state showing.
Azure allows partners to manage customer's resources.
But as startups serving enterprise customers, we might be asked to install our software on customer's Azure Linux server resource and manage it, but we dont want them to access the Linux box via shell or clone it entirely thereby making a copy without our knowledge. How do you solve this?
For the install, I'd write a bash script to install your application by wget'ing the binaries and setting some environment settings. If you want to take it a step further, your client can create an ARM template that spins up the VM and installs your app via custom script extension. When it comes to managing the application, you should be able to view log files in Azure using Application Insights and perform administrative functions using the app. If an issue arises that cannot be diagnosed from the log files and the built-in app diagnostics (e.g. the install failed, app cannot write to log files in local dir), I'd do a screen share with the client and troubleshoot.
You could create a web application that would talk to the OS and perform the administrative tasks you wish. This way, you only need to open one port (possiblity 443 - HTTPS) and share login credentials w/ your partner. This way your OS is protected -- administrative tasks can only be performed through a web UI.
By doing a quick Google search, you can find some open-source options:
http://ajenti.org/
http://www.webmin.com/
https://cockpit-project.org/
You need to ensure you create users for your customer with limited access. Get Webdmin as an example: https://doxfer.webmin.com/Webmin/Webmin_Users
A standard, out-of-the-box Webmin installation has only one user
(called root or admin) who can use every feature of every module. On a
home or office system used by just one person, that is all you need.
Even if your system has multiple users, there may be only one who
needed to perform system administration tasks.
However, there are many situations in which the administrator may want
to give some people access to a subset of Webmin's features. For
example, you may have a person in your organization whose job it is to
create and edit DNS zones and records. On a normal Unix system, this
person would have to be given root access so that he can edit the zone
files and re-start the DNS server when necessary. Unfortunately, once
someone is able to login as root he has full control of the system and
can do whatever he wants.
Webmin solves this kind of problem by allowing you to create
additional users who can login, but only access a few modules. You can
further restrict what the user can do within each module, so that he
cannot abuse its features to perform actions that he is not supposed
to. Because Webmin still runs with full root privileges even when used
by a restricted user, it still has access to all the configuration
files and commands that it needs.
We have customer project files on a network drive. Most users do not have write access privileges within some of the directories. I have been tasked with finding a way to allow them to create directories and files programmatically through a user front end we have developed without allowing them to manually make changes by going to the directory in windows explorer. Most of these users do not have local admin rights, nor would that change their network admin privileges.
This is in a .net programming environment.
I see numerous examples for elevating local rights, but none for elevating network rights.
Some options:
-elevate the privileges within the application.
-run an application on the/a server where the server has the necessary rights and performs the necessary task(s).
-create a windows service application that will run on the server with a listener that will receive requests and perform the necessary task(s).
The second two options would require significant hoops to jump through as my company has a very strict IM security policy. The first option would be ideal, but I am not sure it is possible. I'm not sure the second option is possible either for that matter.
Any thoughts or input would be very much appreciated.
Use Impersonation.
RE: How do you do Impersonation in .NET?
Just make sure the credentials you are using for Impersonation have rights to the folders as necessary. You can use domain or local on the file server credentials as necessary.
I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.
Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:
Access to the path 'D:\WebSites\myapp.co.uk\companydata\filename.pdf' is denied.
When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool
Instead, to stop screaming customers I granted the following permissions on the folder:
IUSR
Read & Execute
List Folder Contents
Read
Write
IIS_IUSRS
Modify
Read & Execute
List Folder Contents
Read
Write
This seems to have worked, but I am concerned that too many privileges have been set. I've read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?
Update & Solution
Please see my answer below. I've had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).
I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.
In short - you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.
Applying Modify/Write Permissions to the Correct User Account
Right-click the domain when it appears under the Sites list, and choose Edit Permissions
Under the Security tab, you will see MACHINE_NAME\IIS_IUSRS is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry.
Click the Edit button, then Add...
In the text box, type IIS AppPool\MyApplicationPoolName, substituting MyApplicationPoolName with your domain name or whatever application pool is accessing your site, e.g. IIS AppPool\mydomain.com
Press the Check Names button. The text you typed will transform (notice the underline):
Press OK to add the user
With the new user (your domain) selected, now you can safely provide any Modify or Write permissions
IUSR is part of the IIS_IUSER group, so I guess you can remove the permissions for IUSR without worrying. Further reading
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.
The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. DefaultAppPool is the default pool that is assigned to all Application Pools you create.
To make it more secure you can change the IIS DefaultAppPool Identity to ApplicationPoolIdentity.
Regarding permissions, Create and Delete summarize all the rights that can be given. So whatever you have assigned to the IIS_USERS group is all that they will require.
When I added permissions for IIS_IUSRS to the site folder, resources like JavaScript and CSS were still inaccessible (error 401, forbidden). However, when I added IUSR, it started working. So for sure you cannot remove the permissions for IUSR.
#EvilDr
You can create an IUSR_[identifier] account within your AD environment and let the particular application pool run under that IUSR_[identifier] account:
"Application pool" > "Advanced Settings" > "Identity" > "Custom account"
Set your website to "Applicaton user (pass-through authentication)" and not "Specific user", in the Advanced Settings.
Now give that IUSR_[identifier] the appropriate NTFS permissions on files and folders, for example: modify on companydata.
IIS_IUSRS group has prominence only if you are using ApplicationPool Identity. Even though you have this group looks empty at run time IIS adds to this group to run a worker process according to microsoft literature.
I would use specific user (and NOT Application user). Then I will enable impersonation in the application. Once you do that whatever account is set as the specific user, those credentials would used to access local resources on that server (Not for external resources).
Specific User setting is specifically meant for accessing local resources.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.