Script to start/stop specific websites without full admin rights on t...
Last post Oct 22, 2009 09:44 AM by Rovastar
Oct 21, 2009 03:20 PM | idor_brad
Cross post from the "security" forum as I'm not sure which place this best fits.
I am trying to write a script that will stop my production website and start a second "maintenance" website in its place that will let my users know that the main site is unavailable for updates. I would like this script to be run by someone who does not have FULL administrator-level access to the box. This is in IIS 6.0 on Windows Server 2003 by the way.
Examples of things that appear to require full admin rights:
cscript.exe c:\inetpub\adminscripts\adsutil.vbs stop_server w3svc/1 -s:RemoteServerName
cscript.exe c:\inetpub\adminscripts\adsutil.vbs start_server w3svc/2 -s:RemoteServerName
cscript.exe c:\windows\system32\iisweb.vbs /stop w3svc/1 /s RemoteServerName /u UserName /p Password
cscript.exe c:\windows\system32\iisweb.vbs /start w3svc/2 /s RemoteServerName /u UserName /p Password
Is there any way to grant permissions to a network account such that they can execute the above commands or something similar, without giving them the rights to do other admin level tasks on the box such as installing random software or adding additional
I would also like for this network account to be able to run a simple iisreset, but I found a loophole around it that allows me to stop and start the World Wide Web Publishing Service using the sc command, which essentially accomplishes the same goals as an iisreset, but isn't as elegant.
Any help would be appreciated, even if it is to tell me that this definitely isn't possible.
Oct 21, 2009 08:42 PM | Rovastar
I am not sure if this is possible. Also, why would you want this? It would give a non-admin the power to stop the site; is that what you really want? Surely you only want the admin to have the power to stop a site, not a random dev, etc.
Also don't cross post.
Oct 22, 2009 09:22 AM | idor_brad
Let's just chalk the reason for this up to "pointless government bureaucracy". The agency that is responsible for maintaining and updating the web application is different from the agency that is responsible for maintaining and updating the servers themselves, and the latter agency's policy is that they are the only ones who have admin privileges on all servers.
They are OK with the project lead being able to start and stop websites, but they are not OK with giving him the authorization to install random unauthorized software on the server or perform other tasks which could compromise "their" servers. Whether he would actually do something like that or not doesn't matter; that's the policy.
Anyway, thanks for responding. Sorry for cross posting - I'm new around here.
Oct 22, 2009 09:44 AM | Rovastar
It may be worth looking at IIS7/Windows 2008 for delegation of the roles for the stop and start of websites and limited administration for the app admins.