I have a special web site that can create new sites using IIS7 ServerManager:
using (ServerManager serverManager = new ServerManager())
{
开发者_如何转开发 // create new site logic here
}
This special site has to be running under system account to be able to manage IIS7. Is there any way to create a special windows user to be set as site's application pool identity and give this user special rights only to access IIS7 but not a full system access?
The reason why I want to do this is to give site's process identity as less permissions as possible.
Please let me know if the question is not clear enought :)
If you create a new account to be the app pool identity you need to use this code to give it the right priviliges then after than add the required rights to create sites:
navigate to:
C:\Windows\Microsoft.NET\Framework\v2.0.50727
then do:
aspnet_regiis -ga DomainOrMachineName\AccountName
See here http://msdn.microsoft.com/en-us/library/ff649309.aspx#paght000009_step2
It really depends on exactly what that application should be able to do, if all you want to do is the ability to create a new site, you can create an account and grant read and write access to %windir%\system32\inetsrv\config\applicationHost.config. Having said that be very careful of doing that, since once they can write to that file they could do powerfull things, for example, add a new Application pool running as System and at that point be able to run their code using an identity as powerfull as it gets.
If you want to allow them to recycle, start & stop, etc, for runtime objects like sites, application pools, app domains, etc, then you will need additional steps, but I would not recommend doing that.
Also, if you are actually setting encrypted properties (such as a password in the Application Pools, or Virtual Directories) then you will also need to grant permissions for the encryption keys, but I would also recommend against that, since that would give them the ability to decrypt the passwords.
精彩评论