User Access
billybob01
Member Posts: 504
in Off-Topic
I need to assign access to 3 users on one of my servers so that they can use the website ONLY and not have access to any other resource on the server. At the moment I have assigned them local Admin rights just to get around this problem for now, but the manager says that's too much for them. Would delegation of control work?
Comments
-
Sie Member Posts: 1,195
Admin rights for users IS too much if you ask me.
When you say website access am I right in assuming this is access to IIS or something else?
Foolproof systems don't take into account the ingenuity of fools
-
sprkymrk Member Posts: 4,884
If you are talking about IIS6 (or higher) management, then unfortunately they will need admin rights. In IIS5 and lower they had a special group that could manage the web server w/o admin rights. Now that is not possible. I have seen some horrible hacks that supposedly allow you to do it w/o admin rights but I don't recommend them.
I have a situation similar here, where one guy needs to administer IIS but not the whole server. Here is what I did:
1. Made his account a local admin on the server.
2. Set the "deny logon locally" and "deny logon through TS" for that account (to keep him from actually logging into the server).
3. Create a custom MMC on his desktop with event viewer for the web server.
4. Download and install "IIS6 Manager for WXP" on his workstation. Available on Microsoft's website:
Internet Information Services (IIS) 6.0 Manager for Windows XP
All things are possible, only believe.
-
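The two deny-logon settings from step 2 of the post above can be checked offline against a security policy export from the web server. This is an added example, not part of the original thread: the policy excerpt, account names and SIDs are constructed, and it assumes the accounts are listed directly rather than through a group.

```python
# Constructed excerpt of a `secedit /export /cfg policy.inf` file taken on the
# web server. Account names and SIDs are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = webadmin1,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = webadmin1
[Version]
signature="$CHICAGO$"
"""

DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "deny logon locally",
    "SeDenyRemoteInteractiveLogonRight": "deny logon through Terminal Services",
}

def parse_privilege_rights(inf_text):
    """Return {right_name: set of lower-cased principals} from the INF text."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; strip it for comparison.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def missing_denies(inf_text, identities):
    """Map each account in {name: SID} to the deny rights it still lacks."""
    rights = parse_privilege_rights(inf_text)
    gaps = {}
    for name, sid in identities.items():
        # An account is covered if either its name or its SID is listed.
        lacking = [label for right, label in DENY_RIGHTS.items()
                   if not {name.lower(), sid.lower()} & rights.get(right, set())]
        if lacking:
            gaps[name] = lacking
    return gaps

if __name__ == "__main__":
    sid_base = "S-1-5-21-1111111111-2222222222-3333333333-"
    admins = {"webadmin1": sid_base + "1104", "webadmin2": sid_base + "1105",
              "webadmin3": sid_base + "1106"}
    for account, lacking in missing_denies(SAMPLE_INF, admins).items():
        print(f"{account}: can still log on - missing {', '.join(lacking)}")
```

A real export is typically written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.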
billybob01 Member Posts: 504
Many thanks for that sprkymrk. My manager reckons Microsoft have a whitepaper on how to give a user only rights to IIS?
-
billybob01 Member Posts: 504
Oops, forgot to ask. When you say "Deny the user the rights to logon locally" and "Deny logon rights through TS", you do mean on the user's PC?
-
theseman Member Posts: 230
I believe he meant on that particular server, so the user could not actually log in with full admin rights. A good solution for this particular problem, given the obvious problems with trying to delegate IIS administration.
-
sprkymrk Member Posts: 4,884
billybob01 wrote: Many thanks for that sprkymrk. My manager reckons Microsoft have a whitepaper on how to give a user only rights to IIS?
I don't know of any whitepaper by MS. I have only seen some really bad hacks (hacking registry and system files) on third party sites. I don't recommend any of them. I have seen the server become unstable in certain situations.
theseman wrote: I believe he meant on that particular server, so the user could not actually log in with full admin rights. A good solution for this particular problem, given the obvious problems with trying to delegate IIS administration.
Correct, on the server.
All things are possible, only believe.
-
blargoe Member Posts: 4,174
This is a GLARING inadequacy with Microsoft IIS. I think I read IIS 7 fixed it.
Even sprkymrk's answer isn't all that secure since they would still have the ability to use any management console to administer that part of the system if they knew how. You could perhaps disable the remote registry service, effectively preventing anyone from remotely accessing the registry and (I think) the computer management MMC. Then you have the problem of them being able to access the C$, D$, etc. shares and take ownership of any folders on the system whether he has permissions or not.
Probably better (if the manager is OK with it) to follow sprkymrk's advice with disabling logon, and be sure you turn on security logging for the system, auditing any folders you value. Even better would be to have a development server for the web developers to use to work from, and have the production box IIS configured identically but have the server locked down and have you copy the files to it when there are changes to be published.
Is this server serving any other function other than being a web server?
IT guy since 12/00
-
sprkymrk Member Posts: 4,884
blargoe wrote: This is a GLARING inadequacy with Microsoft IIS. I think I read IIS 7 fixed it.
blargoe wrote: Even sprkymrk's answer isn't all that secure since they would still have the ability to use any management console to administer that part of the system if they knew how.
blargoe wrote: You could perhaps disable the remote registry service, effectively preventing anyone from remotely accessing the registry and (I think) the computer management MMC.
blargoe wrote: Then you have the problem of them being able to access the C$, D$, etc. shares and take ownership of any folders on the system whether he has permissions or not.
blargoe wrote: and be sure you turn on security logging for the system, auditing any folders you value.
blargoe wrote: Is this server serving any other function other than being a web server?
All things are possible, only believe.
-
billybob01 Member Posts: 504
It's not a case of not trusting these people, it's just to prevent any accidental screw ups. Many thanks for the replies guys.