tags:

views:

24

answers:

2
Q: 

How to give Website permission to create further Websites in IIS 7.5?

I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.

Now I'm trying to use the same code in the context of my web application. It fails with the error

Error: Cannot read configuration file due to insufficient permissions

for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).

I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using

ManagementAuthorization.Grant(@"IIS AppPool\MyAppPool", "Default Web Site", false);

but I still get the same error.

What else should I try?

A: 

I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.

I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.

Samuel Jack  2010-07-08 16:53:01
+1  A: 

This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.

The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).

We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.

This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.

This is a technique known as sandboxing.

Kev  2010-07-08 22:19:34
@Kev, Thanks: I had thought of the sandboxed approach, but I was hoping that there was a reasonably secure approach involving less work!
Samuel Jack  2010-07-09 09:23:56
Kev  2010-07-09 10:17:56
@Kev, Well, I've just spent the last 2 hours on the sandboxing approach and it seems to have worked! It was actually pretty straightforward using WCF and TopShelf (http://topshelf-project.com) to host the Windows Service
Samuel Jack  2010-07-09 12:07:28
@samuel - nice one. :)
Kev  2010-07-09 13:30:15

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?