IIS Read Only Access to IIS Manager

Web Server Talk > Web Servers reviews > IIS server support > IIS Server Security > IIS Read Only Access to IIS Manager

Last Thread Next Thread Next

IIS Read Only Access to IIS Manager

Dale Meredith

05-09-07 06:21 PM

Is there a way to configure the server so that certain users can remote
desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
see the configuratiion settings but not make changes to any settings?

I have some web developers that I'm not keen on give admin rights to 

-Dale

[ Post a follow-up to this message ]

Re: IIS Read Only Access to IIS Manager

David Wang

05-13-07 12:17 AM

On May 9, 10:46 am, Dale Meredith
<DaleMered...@discussions.microsoft.com> wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager
,
> see the configuratiion settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on give admin rights to 
>
> -Dale

Read-only access is not possible with any built-in IIS functionality.

IIS is designed to only allow read/write access to Administrators. Non-
administrators have no rights to read nor write because that is
usually security disclosure.

If you want a custom authorization model for IIS configuration, then
you will have to craft the security model yourself. The functionality
is possible with a custom web application. Maybe the various Control
Panels for IIS have this notion, but I cannot suggest any.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

[ Post a follow-up to this message ]

Re: IIS Read Only Access to IIS Manager

David Wang

05-13-07 12:17 AM

On May 9, 10:46 am, Dale Meredith
<DaleMered...@discussions.microsoft.com> wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager
,
> see the configuratiion settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on give admin rights to 
>
> -Dale

Can you describe the usage scenario where you want someone to be able
to read IIS configuration but not write to it, and the security
implications of such a model? Would you want the delegated user to be
able to know where all your files are kept and any special username/
passwords (because they can read the configuration but not write). And
how do you distinguish between what is sensitive for you vs what is
sensitive for anyone else?

As you can see, a read-only admin model quickly goes down a slippery
slope. IIS7 is written to support delegated administration, where non-
admins have rights to fully administer their own websites... but read-
only admins are a different beast.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

[ Post a follow-up to this message ]