How to use Web Deploy for administration of Application Pools by Non Administrators.
One of the questions I was recently asked was how to manage application pools in IIS when you are not an administrator on the server. The answer is Web Deploy. Web deploy is an IIS extension that is primarily used for web deployment between environments but it does have a couple of commands that will allow us to manage application pools. A prerequisite for all this to work is that you have already granted IIS delegation to the users/groups that require this access.
We will discuss the following:
- How to install and configure web deploy
- How to create a runCommand Rule.
- How to modify permissions on recycleApp to tighten security a little.
- How to grant extra permissions for wmsvc that are required the runCommand and how to change wmsvc from default authentication of basic to NTLM.
How to install and configure Web Deploy
Download Web deploy from the Microsoft Web Deploy Site.
Double click the downloaded Executable to start installation.
Click next on the Setup screen.
Click to accept the license and click next.
Click next on CEIP screen (do not check anything).
Click Custom then right click IIS Deployment Handler and select Entire Feature will be installed on the hard drive then click next (See screen shot below).
Create Rule for runCommand
TechNet has more detailed information on the runCommand if you would like to learn more. Note Allowing users to use runCommand through the WMSvc is a security risk and should be avoided if possible. In this case we require Local Administrator rights to manage the application pools but do not have this right, so using the runCommand is the only way to do this.
Load IIS Manager
Click on Server.
Double click on Management Service Delegation
In the pop up window,
under Providers select RunCommand from the dropdown.
Under Actions select *
For Path enter c:\windows\system32\inetsrv (This allows us to use appcmd located in this path).
For Identity Type select SpecificUser
click Set to enter the ID and password and Confirm Password
Note: The account must be in the administrators group on the server. This is the account that the runCommand will use for commands issued. Be very careful with this as you are in essence allowing the person issuing the command to act as an admin on the server. Webdpeloy by default creates a local account WdeployAdmin that is a member of this group
- To enter a local account simply enter the ID and password if you have one or use the account WDeployAdmin that is already created. You will need to change the password for this in order to enter it.
- To enter a domain account enter domain\user and password.
Click OK when done.
You will now get a pop up that asks for the Name (Group) that will be allowed to execute this provider.
Change the name to Contoso\App Admins (This is the account we previously granted IIS delegation to) verify Access Type is allow, and then click to check is Role? because we are using an AD group to grant access to issue this command. Note: Do not use * as the name because we are allowing wmsvc to use the runCommand and we want to tighten the security.
Your screen should like the information below.
Modify Rule for recycleApp
Load IIS Manager
Click on root site.
Right click on the green hexagon and click edit.
In the Name field replace * with contoso\app admins. This allows only member of that group to issue this command whereas the default allows anybody that has IIS or delegated IIS admin rights to issue this command.
Click to check Is in Role? Then click OK
For extra security you may delete the extra rules that are created out of the box that will not be used (backupManager, backupSettings, etc...)
Set Permissions required for WMSVC to use the runCommand
WMSVC by default runs with basic authentication, to change this to use NTLM we need to create the following registry key. (As always back up your registry before making changes).
From a command prompt type regedit.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server
Right click on Server and select new DWORD 32bit. For Value Name enter WindowsAuthenticationEnabled set the Value data to 1. Close regedit.
More information on this entry can be found here
To allow the WMSVC the right to use the runCommand functionality we need to grant it the right to replace a Process level token. Note: you can try granting this right through the local security policy but I could not get this to work, so I used SC Privs wmsvc command.
From a command prompt type sc privs wmsvc SeChangeNotifyPrivilege/SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege
Run sc qprivs wmsvc to make sure SeAssignPrimaryTokenPrivilege has been added to existing privileges. More information on this can be found here.
Recycle WMSVC with the following commands at a command prompt
net stop wmsvc
net start wmsvc
Let’s test our configuration! Log in with an account that is allowed to log in locally but is not an administrator and is part of contoso\app admins.
Open a command prompt and issue the following command cd “c: \Program Files\IIS\Microsoft Web Deploy V3” This will put us in the directory for msdeploy.
First let get a list of application pools using the run Command. My Web application is called SharePoint – 80 so the command looks like below:
msdeploy.exe -verb:sync -source:runcommand -dest:runcommand="C:\Windows\System32\inetsrv\appcmd.exe list apppool",wmsvc="http://sp2010:8172/msdeploy.axd?site=SharePoint - 80",AuthType=NTLM –allowUntrusted
We can see that I have an application pool called SharePoint – 80 and the status is started.
Let’s recycle it.
msdeploy.exe -verb:sync -source:recycleApp -dest:recycleApp="SharePoint - 80",wmsvc=SP2010,AuthType=NTLM,recycleMode="RecycleAppPool" –allowUntrusted
Not a lot of information coming back so maybe instead of using the appcmd.exe list apppool for the runCommand we may have better results with appcmd list wp which lists the running worker processes and PIDs. Then we could very that after a recycle a new PID shows for the apppool we recycled.