Securing Administration

You perform Windows Server AppFabric administrative duties by using the AppFabric tooling capabilities found in IIS Manager within AppFabric. Almost all of the IIS Manager functionality is found in the standard cmdlets that ship with AppFabric. The AppFabric tool set is very powerful. You can create a functional AppFabric installation by selecting a box, clicking a mouse, or running cmdlets. However, a AppFabric installation can quickly become unusable if an unauthorized user gains access to all or part of the AppFabric system and its supporting components. This topic focuses on how to secure administrative functionality for AppFabric.

AppFabric Administrative Privileges

When using any of the AppFabric tools from an administrative standpoint you always operate under your own security context. This makes it easier to administer AppFabric and its’ supporting technologies such as Windows Server, IIS, and SQL Server. To administer AppFabric you must be a member of either the conceptual Application Server Administrators (AS_Administrators Windows security group) or the conceptual Application Server Operators (AS_Observers Windows security group).

For remote administration of AppFabric, AS_Administrators and AS_Observers groups have corresponding administrative privileges. AppFabric may be installed on a server to which users can connect remotely by using IIS security mode with IIS Manager. As administrator, to allow users to query the monitoring and persistence stores you must add the IIS Manager account (typically the built-in Network Service account) to either AS_Administrators or AS_Observers on the remote server. You select the security group based upon what permissions you want remote users to have. When users authenticate into IIS only for administrative tools, they run as members of either the AS_Administrators or AS_Observers group with the appropriate restrictions and permissions. This is a Windows security rule and can’t be changed. To administer AppFabric remotely by using IIS Manager you need to be a domain administrator. For remote administrative duties you access resources as yourself. There is no impersonation or proxy that gives you an alternative remote identity.

An AppFabric administrator can use the Feature Delegation option in IIS to delegate various security permissions for all Web sites on a computer. For example, you can set read-only permissions for directory browsing, or disable logging. The Feature Delegation option is displayed in the Management section of Features View at the computer level.

IIS also permits granular locking and unlocking of certain configuration settings at different scope levels by using configuration locking. You perform configuration locking by directly editing XML elements in configuration files. A locked configuration setting can only be unlocked at the level at which it was locked, and cannot be modified at lower levels. You can use this option when you don’t want to use the same configuration for different sites and need to override a few select properties. You can perform lock management at the section level or for individual attributes, elements, and collection elements and directives. There is no direct tooling support for this feature, so you must manually edit the configuration file at the appropriate level of parental scope where you want the changes to cascade through the child folders.

For the typical administrative tasks surrounding installation, configuration, and execution duties for AppFabric, assign users to the local LOCALHOST\Administrators group. This allows members to edit server, site, or application configuration, to deploy and undeploy applications, and to run supporting programs like IIS Manager, MSDeploy, or SvcConfigEditor.

securitySecurity Note
Be aware that if you grant permissions for a service account to query the monitoring and persistence stores, you are giving the same permissions to all applications that run under that account.

Remote Administration

When administering AppFabric locally, you run under the account under which you are logged in. To administer AppFabric remotely, the IIS Management Service allows local and domain administrators to use IIS Manager to remotely manage a Web server. Only a local administrator can configure the IIS Management Service to enable remote connections. After that is done, you can use either of the following modes to manage security when accessing a remote AppFabric computer:

  • Windows Credentials Only. In this mode, the IIS Web Management Service runs under your credentials. This means that you can perform all of the actions that you could perform if you were locally connected to the remote computer. For example, if locally you have permissions to modify an application’s Web.config file, you can also modify that file remotely. Access to AppFabric resources is guarded by your membership in the AS_Observers and AS_Administrators groups.

  • Windows Credentials or IIS Manager Authentication Security. In this mode you log on and run as LOCALSERVICE on the remote computer. In this case you may see different information with IIS Manager than if you are using Windows Credentials Only. Because LOCALSERVICE by default has permissions to administer all applications on the computer (modify Web.config files and query and modify persistence and monitoring data), the effective permissions on the connection are determined by the scope at which you connect. For example, if your credentials allow you to connect to a specific application, AppFabric makes sure that you can access information only about that application without allowing you to see sensitive persistence data.

You will use the following conceptual groups and their corresponding Windows security groups to administer AppFabric both locally and remotely:

  • Application Server Administrators. Members of the Application Server Administrators conceptual group (total access permissions) map to the AS_Administrators Windows security group. Members of the AS_Administrators group can suspend, resume, terminate, or delete persisted instances, create and remove event sources and event collectors, and view, purge, and archive monitoring data. AppFabric setup creates the AS_Administrators group at installation time and adds the NT AUTHORITY\LOCAL SERVICE account to this group. LOCAL SERVICE is the account under which the Event Collection service and the Workflow Management service operate. You can manually add members to the AS_Administrators group for whom you want to grant full access to administer AppFabric.

  • Application Server Observers. Members of the Application Server Observers conceptual group (partial access permissions) map to the AS_Observers Windows security group. Members of the AS_Observers group have partial visibility into application persistence and monitoring data and can enumerate applications and services, view application and service configuration, view monitoring data, and examine persisted instances. AppFabric setup creates the AS_Observers group at installation time but does not insert any accounts into this group. You can manually add members to the AS_Observers group for whom you want to grant partial access to administer AppFabric.

For more information about securing configuration, delegation, and remote administration by using IIS, see Securing Configuration (, and Configuring Remote Administration and Feature Delegation in IIS 7.0 (