Remote Administration of IIS 7: Isolate and Delegate
My last article discussed setting up IIS 7 for remote administration so you can save yourself that 20-foot walk to the datacenter. While that alone should make me your friend for life, it gets better!
Remember all those department website owners who are always hounding you to set up redirects or tweak a few settings for their web applications? Wouldn’t it be great if they could do it themselves without you having to give them Administrator rights to the server? Well, have I got news for you.
With IIS 7 and the remote administration tool you can set up an IIS Manager User (or use Windows credentials) and delegate control of the sites set up in IIS to their individual owners. They will then be able to log in to the server via the remote administration MMC and see only the sites that have been delegated to them.
I have covered creating an IIS Manager User before in my article on How to Setup User Authentication in FTP 7 on IIS 7.0, but let’s do a quick review.
Please note I am going to do all of the examples for this article through the IIS Remote Administration console.
Remember that an IIS Manager User is independent of any Windows accounts that are set up on the server or in the domain. We are going to create a new user named "WebAdmin".
1. Start your remote administration console and you will see there are at least 3 possible ways to connect to the server you want to work on. I am going to choose the "Recent Connections" route and proceed.
2. The next window will prompt you for credentials. Since we haven’t set up our delegated user yet, I am going to use the server administrator account.
3. Since I am using the self-issued certificate for WMSVC, I am getting a warning about the server name not matching.
If you see a message like this, you can set the WMSVC to use a different certificate that you generate or already own. In our case I am going to click on Connect.
4. As you can see I am connected remotely to my server using the "Administrator" account. Now I am going to double click on IIS Manager Users.
5. Now I am going to click Add User in the right pane.
6. The Add User dialog will prompt you to enter a User Name, Password, and then Confirm password.
Note: While the user is not a Windows user account, if you use a weak password you will be warned, but still allowed to proceed.
We now have a user named "WebAdmin" ready and willing to be used as the delegated administrator.
The next step we are going to walk through is delegating the features for an individual site. You can set default values for all the sites by configuring Feature Delegation at the server level.
1. Select the server you are administrating and in the center pane double click on Feature Delegation.
2. When you first click through you can see all the settings you can delegate and set defaults for.
We are going to leave the defaults for now and click on Custom Site Delegation, in the right pane.
3. In the Custom Site Delegation panel, let’s go to the Sites drop down and select the site you want to work with.
In our case we are going to set this to Default Web Site.
4. I want "WebAdmin" to have full rights to the site so I am going to give full Read/Write delegation rights on this site.
I am going to select all in the center pane, and then click Read/Write in the right pane.
That’s it for setting the delegation rights; now let’s discuss the 3 basic settings:
- Read/Write – The user is able to both see the feature and modify it
- Read – The user is able to see the feature but not modify it
- Not Delegated – The user will be unable to see this feature or modify it in any way
How to Assign a User to the Site
Now we are going to associate the user "WebAdmin" with the Default Web Site so that he can be delegated control of it.
1. Select the site you are managing in the left pane and click on IIS Manager Permissions in the center pane.
2. In the right pane click on Allow User.
3. Select the radio button next to IIS Manager, and while we could type the name, click on the Select button to choose a user.
4. Choose the user you want to assign, in our case "WebAdmin", then click Ok.
5. Now click OK to add the user.
You will now see the user added to the list, along with the level at which they were added.
Another thing that has to be done is granting file system permissions on the directories and files this user is delegated. If you are using a Windows account, you must grant permissions to that user or to a group they belong to. If you are using an IIS Manager User, you will have to grant rights to the NT Service\WMSVC account, because the Web Management Service is what writes the delegated changes on that user’s behalf.
Note that if the site’s content is on a path that is not on the local server, the WMSVC service will have to be configured to run as a user with appropriate permissions on that path.
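The steps above (creating the IIS Manager User, allowing it on the site, and granting the WMSVC account rights on the content) can also be scripted. The following is an added example, not code from the article, using the Microsoft.Web.Management API that IIS Manager itself calls; it assumes an elevated PowerShell session on the IIS 7 server, and the content path is a placeholder for the site’s physical folder.

```powershell
# Added example, not code from the article. Scripts the three steps above with the
# Microsoft.Web.Management API that IIS Manager calls. Run in an elevated PowerShell
# session on the IIS 7 server (the DLL ships with the Management Service role service).
# Assumed values: $ContentPath is a placeholder for the site's physical folder.
$UserName    = "WebAdmin"
$SiteName    = "Default Web Site"
$ContentPath = "C:\inetpub\wwwroot"

Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
$auth  = [Microsoft.Web.Management.Server.ManagementAuthentication]
$authz = [Microsoft.Web.Management.Server.ManagementAuthorization]

# Step 1: create the IIS Manager User. It lives in administration.config and is
# independent of any Windows or domain account.
$existing = $null
try { $existing = $auth::GetUser($UserName) } catch { }
if ($null -eq $existing) {
    $secure = Read-Host "Password for $UserName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $auth::CreateUser($UserName, $plain) | Out-Null
    } finally {
        # do not leave the clear-text password sitting in memory
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    Write-Host "Created IIS Manager User '$UserName'"
} else {
    Write-Host "IIS Manager User '$UserName' already exists"
}

# Step 2: the equivalent of Site > IIS Manager Permissions > Allow User.
# The third argument is $false because this is a user, not a role.
$authz::Grant($UserName, $SiteName, $false)

# Step 3: WMSVC writes the delegated changes, so its service account needs rights
# on the content. (OI)(CI) propagate to files and subfolders; M (Modify) is enough
# to edit web.config without handing out Full Control.
icacls $ContentPath /grant "NT Service\WMSVC:(OI)(CI)M"

# Verify the ACL entry actually landed.
(Get-Acl $ContentPath).Access |
    Where-Object { $_.IdentityReference.Value -like "NT SERVICE\WMSVC" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Modify rather than Full Control on the content folder is a deliberate choice: it is enough for the delegated owner to save configuration changes through IIS Manager, but the WMSVC account cannot change the folder’s own permissions.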
How to Connect to Delegated Site
Ok, let’s go ahead and see if we can connect to the site.
1. On your client machine go into IIS Manager and in the left pane click the globe icon at the top and choose Connect to a Site.
2. Next fill in the server name or IP, and then the name of the site you are connecting to and click Next.
3. Now fill in the credentials for the user we created, WebAdmin, and the password, and click Next.
4. If you successfully connect then you will be asked to give this connection a name, and then click Finish.
5. You should now be in IIS Manager and connected to the site. The login you are using is shown after the site name.
If for some reason you are having problems connecting you can check the following:
- Firewall Settings – Make sure that the port you set up for WMSVC is open for both inbound and outbound connections on both the client and the server.
- WMSVC Service – Double check that the WMSVC is running.
- User Credentials – Double check that you are connecting to what you should be connecting to with the right user. Connecting to a site is different than connecting to the server.
- FTP 7 – As of this writing you cannot delegate out the management of FTP 7 sites.
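The first three checks in that list can be run from a script. The following is an added example, not code from the article; the server name is a placeholder, and the registry values and firewall rule name are assumed to be those the Management Service role service creates on Windows Server 2008 / IIS 7.

```powershell
# Added example, not code from the article: runs the connection checks listed above.
# Assumptions: $Server is a placeholder for the IIS server's name; the registry
# values and the firewall rule name are those registered by the Management Service
# role service on Windows Server 2008 / IIS 7.
$Server   = "iis-server.example.local"
$OnServer = $env:COMPUTERNAME -eq ($Server -split '\.')[0]

if ($OnServer) {
    # WMSVC Service: is the Web Management Service installed and running?
    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "WMSVC is not installed; add the Management Service role service."
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "WMSVC is $($svc.Status); start it with: Start-Service WMSVC"
    } else {
        "WMSVC is running"
    }

    # Remote connections must be enabled, and we need the port the service listens on.
    $reg = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" -ErrorAction SilentlyContinue
    if ($reg.EnableRemoteManagement -ne 1) {
        Write-Warning "Remote management is disabled (EnableRemoteManagement = $($reg.EnableRemoteManagement))"
    }
    $port = if ($reg.Port) { [int]$reg.Port } else { 8172 }   # 8172 is the WMSVC default
    "WMSVC port: $port"

    # Firewall Settings: show the inbound rule for the WMSVC port (assumed rule name).
    netsh advfirewall firewall show rule name="Web Management Service (HTTP Traffic-In)"
} else {
    # On the client: can we reach the WMSVC port at all? A plain TCP connect is
    # enough to tell a firewall problem from a credential problem.
    $port = 8172   # use the value read on the server if it was changed there
    $tcp  = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $port)
        "TCP connection to ${Server}:$port succeeded; WMSVC is reachable"
    } catch {
        Write-Warning "Cannot reach ${Server}:$port - check the firewall on both client and server: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}
# User Credentials: a delegated IIS Manager User connects with Connect to a Site,
# not Connect to a Server; the server connection is a different thing entirely.
```

If the TCP connect succeeds but the login still fails, the firewall is not the problem and the remaining suspects are the credentials and whether you chose Connect to a Site rather than connecting to the server.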
Remote administration of IIS and delegation of sites to their respective owners will help cut down on your administrative overhead for those sites and free up the time spent on these tasks for other things.
In addition, you preserve the security of your server because you will not have to give those users administrator rights, and you can control what they have access to at a very granular level.