IIS Server Security - IIS Read Only Access to IIS Manager


Author IIS Read Only Access to IIS Manager
Dale Meredith

2007-05-09, 1:21 pm

Is there a way to configure the server so that certain users can remote
desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
see the configuration settings but not make changes to any settings?

I have some web developers that I'm not keen on giving admin rights to

-Dale
David Wang

2007-05-12, 7:17 pm

On May 9, 10:46 am, Dale Meredith
<DaleMered...@discussions.microsoft.com> wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
> see the configuration settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on giving admin rights to
>
> -Dale



Read-only access is not possible with any built-in IIS functionality.

IIS is designed to only allow read/write access to Administrators.
Non-administrators have no rights to read or write because that is
usually a security disclosure.

If you want a custom authorization model for IIS configuration, then
you will have to craft the security model yourself. The functionality
is possible with a custom web application. Maybe the various Control
Panels for IIS have this notion, but I cannot suggest any.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

David Wang

2007-05-12, 7:17 pm

On May 9, 10:46 am, Dale Meredith
<DaleMered...@discussions.microsoft.com> wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
> see the configuration settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on giving admin rights to
>
> -Dale



Can you describe the usage scenario where you want someone to be able
to read IIS configuration but not write to it, and the security
implications of such a model? Would you want the delegated user to be
able to know where all your files are kept and any special
username/passwords (because they can read the configuration but not
write)? And how do you distinguish between what is sensitive for you
vs what is sensitive for anyone else?

As you can see, a read-only admin model quickly goes down a slippery
slope. IIS7 is written to support delegated administration, where non-
admins have rights to fully administer their own websites... but read-
only admins are a different beast.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
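
The two replies above point toward a custom, administrator-run layer that decides what each viewer may see. The following is an added example, not code from the thread or from IIS: a default-deny filter that turns a configuration export into a per-role read-only view. The XML sample is constructed (loosely modelled on an IIS 6 metabase export), and the role names and `POLICY` contents are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, loosely modelled on an IIS 6 metabase export.
SAMPLE = r"""<configuration>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Intranet"
                ServerBindings=":80:intranet.example.test" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="D:\sites\intranet"
                    AnonymousUserName="IUSR_WEB01"
                    AnonymousUserPass="constructed-secret"
                    AccessFlags="AccessRead | AccessScript"
                    DefaultDoc="default.aspx" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/files" Path="\\fs01\share"
                    UNCUserName="EXAMPLE\svc_web"
                    UNCPassword="constructed-secret" />
</configuration>"""

# Hypothetical policy: attribute names each viewer role may read.
# Anything not listed is withheld, so new settings are hidden by default.
BASIC = {"Location", "ServerComment", "ServerBindings", "AccessFlags", "DefaultDoc"}
POLICY = {
    "developer": BASIC,
    "auditor": BASIC | {"Path", "AnonymousUserName", "UNCUserName"},
}

# Withheld from every role, even if a policy entry lists them by mistake.
ALWAYS_SECRET = {"AnonymousUserPass", "UNCPassword", "WAMUserPass"}


def redacted_view(xml_text, role):
    """Return a list of nodes with only the attributes `role` may read."""
    allowed = POLICY.get(role, set()) - ALWAYS_SECRET  # unknown role: nothing
    view = []
    for node in ET.fromstring(xml_text).iter():
        if "Location" not in node.attrib:
            continue  # skip wrapper elements that carry no settings
        shown = {k: v for k, v in node.attrib.items() if k in allowed}
        view.append({
            "type": node.tag,
            "settings": shown,
            "hidden": len(node.attrib) - len(shown),  # count only, no names
        })
    return view


if __name__ == "__main__":
    for entry in redacted_view(SAMPLE, "developer"):
        print(entry)
```

The filter would run under an administrator-controlled account and publish only its output, so the viewers never need rights on the server itself.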


Copyright 2003 - 2008 webservertalk.com