IIS Read Only Access to IIS Manager

IIS Read Only Access to IIS Manager

am 09.05.2007 19:46:01 von DaleMeredith

Is there a way to configure the server so that certain users can remote
desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
see the configuratiion settings but not make changes to any settings?

I have some web developers that I'm not keen on give admin rights to :)

-Dale

Re: IIS Read Only Access to IIS Manager

am 13.05.2007 01:46:00 von David Wang

On May 9, 10:46 am, Dale Meredith
wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
> see the configuratiion settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on give admin rights to :)
>
> -Dale


Read-only access is not possible with any built-in IIS functionality.

IIS is designed to only allow read/write access to Administrators. Non-
administrators have no rights to read nor write because that is
usually security disclosure.

If you want a custom authorization model for IIS configuration, then
you will have to craft the security model yourself. The functionality
is possible with a custom web application. Maybe the various Control
Panels for IIS have this notion, but I cannot suggest any.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS Read Only Access to IIS Manager

am 13.05.2007 01:50:20 von David Wang

On May 9, 10:46 am, Dale Meredith
wrote:
> Is there a way to configure the server so that certain users can remote
> desktop or use a custom MMC with the IIS snap in to launch the IIS Manager,
> see the configuratiion settings but not make changes to any settings?
>
> I have some web developers that I'm not keen on give admin rights to :)
>
> -Dale


Can you describe the usage scenario where you want someone to be able
to read IIS configuration but not write to it, and the security
implications of such a model? Would you want the delegated user to be
able to know where all your files are kept and any special username/
passwords (because they can read the configuration but not write). And
how do you distinguish between what is sensitive for you vs what is
sensitive for anyone else?

As you can see, a read-only admin model quickly goes down a slippery
slope. IIS7 is written to support delegated administration, where non-
admins have rights to fully administer their own websites... but read-
only admins are a different beast.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//