Delegated Administration

by Walter Oliver

The IIS 7 and above administrative user interface, called the IIS Manager, offers a more efficient tool for managing the Web server. It provides support for IIS and ASP.NET configuration settings. It also lets those who host or administer Web sites delegate administrative control to developers or content owners, thus reducing cost of ownership and administrative burden for the server administrator. It supports remote connections over HTTP, and you can use it through a firewall.

For more information about the administration features in IIS, see Delegating Administration.

Before enabling remote delegation, you should consider what features and properties you want to delegate to site owners.

The following table lists a sample set of features, their delegated settings, and reasons to delegate or not on the Web server. Based on the shared hosting environment that you use, you should develop your own set of delegated features that meet your needs.

Note
  1. Some of these features may not appear in the list of features to manage if you have not installed them. For example, if you chose not to install Digest authentication, it will not appear in the list on your Web server.
  2. There will be cases when you want to delegate a particular setting in applicationhost.config without delegating an entire section, here are two key examples:

    1. Delegating errorMode in httpErrors
    2. Delegating scriptErrorSentToBrowser in ASP
Feature Delegated Setting Reason
.NET Compilation Read Only (changed from Read/Write) Specifies settings for ASP.NET compilation processing directives such as the temporary compilation directory. Prevents users from setting the temporary compilation directory manually.
.NET Globalization Read/Write Specifies settings for the default culture and globalization properties for Web requests.
.NET Profile Read/Write Specifies the settings for user selected options in ASP.NET applications.
.NET Roles Configuration Read/Write Specifies the settings for groups for use with .NET users and forms authentication.
.NET Trust Levels Read Only (changed from Read/Write) Specifies the trust level. By locking down the trust level when you follow the ASP.NET guidance in this document, you will set this to Read Only and locking it for the server. Prevents Web site owners from setting the trust level to a higher level than that set by the server administrator. For example, if the administrator sets a custom trust level, make this setting Read Only so it cannot be overridden.
.NET Users Configuration Read/Write Specifies the settings for management of users who belong to roles and that use forms authentication.
Application Settings Read/Write Specifies the settings for storing data (name and value pairs) that managed code applications use at runtime.
ASP Read Only Specifies classic ASP settings.
ASP.NET Impersonation Read/Write Specifies impersonation settings. Site owners can use this to run their site under a different security context.
Authentication - Anonymous Read Only Specifies anonymous authentication settings.
Authentication - Basic Read Only Specifies basic authentication settings.
Authentication - Digest Read Only Specifies digest authentication settings.
Authentication - Forms Read/Write Specifies forms authentication settings.
Authentication - Windows Read Only Specifies Windows authentication settings.
Authorization Rules Read/Write Specifies the list of Allow or Deny rules that control access to content.
CGI Read Only Specifies the properties for CGI applications. You should leave this setting as Read Only to prevent users from changing settings.
Compression Read/Write Specifies the settings to configure compression.
Connection Strings Read/Write Specifies the connection strings that applications use.
Default Document Read/Write Specifies the default document(s) for the Web site. By making this setting Read/Write, users can specify a custom default document for their site without contacting the server administrator.
Directory Browsing Read/Write Specifies directory browsing settings.
Error Pages Read Only Specifies what HTTP error responses are returned.
Failed Request Tracing Rules Read/Write Specifies settings for failed request tracing rules. Enables users to create rules for tracing requests based on parameters like time taken or status code, and diagnose problems with their site.
Feature Delegation Not Delegated (changed from Read/Write) Specifies settings for delegating features to applications. It can be turned off unless server administrators want to enable this feature for site owners.
Handler Mappings Read/Write Specifies the handlers that process requests for certain file types (includes script maps, managed handlers, etc.)
HTTP Redirect Read/Write Specifies the HTTP redirection settings.
HTTP Response Headers Read/Write Specifies HTTP headers that are added to responses from the Web server.
IPv4 Address and Domain Restrictions Read Only Specifies the IP and domain restriction list.
ISAPI Filters Read Only Specifies ISAPI filters that process requests made to the site or server, such as ASP.NET.
Logging Not Delegated Specifies the logging settings for the Web server.
Machine Key Read/Write Specifies hashing and encryption settings for applications services, such as view state, forms authentication and membership and roles.
MIME Types Read Only (changed from Read/Write) Specifies what file types can be served as static files.
Modules Read/Write Specifies native and managed code modules that process requests made to the site or server.
Output Caching Read/Write Specifies rules for caching output.
Pages and Controls Read/Write Specifies page and control settings for applications.
Redirect Rules Read/Write Specifies settings for redirecting requests to another file or URL.
Session State Read/Write Specifies session state and forms authentication cookie settings.
SMTP E-mail Read/Write Specifies email address and delivery options for email sent from the site.
SSL Settings Read Only Specifies settings for SSL.

To enable the Remote Delegation Service using IIS Manager

  1. Navigate to Administrative Tools and click Internet Information Services (IIS) Manager.
  2. Click the server name node.
  3. Double-click the Feature Delegation icon.
  4. On the Feature Delegation page, change any properties that should or should not be delegated.
  5. Click the Back button or select the server name node to return to the server feature list.
  6. Double-click the Management Service icon.
  7. On the Management Service page, in the Actions pane, start the service to enable configuration.
  8. Stop the service to make changes.
  9. Click Enable remote connections.
  10. Select whether you wish to allow only Windows users or both Windows and membership users.
  11. Change the port or certificate if desired.
  12. In the Actions pane, click Start to enable the Remote Delegation service.