I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.

Now I'm trying to use the same code in the context of my web application. It fails with the error

Error: Cannot read configuration file due to insufficient permissions

for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).

I've tried creating a new app pool for this specific website, running under the IIS AppPool\[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using

ManagementAuthorization.Grant(@"IIS AppPool\MyAppPool", "Default Web Site", false);

but I still get the same error.

What else should I try?

A: 

I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.

I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.

Samuel Jack
+1  A: 

This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.

The way we approached this was to separate website creation tasks into a Windows service running with the correct rights to perform these activities. In this service is a remoting endpoint (although these days you'd probably want to use WCF).

We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the Windows service from the admin web app/service.

This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the Windows service application.

This is a technique known as sandboxing.

Kev
@Kev, Thanks: I had thought of the sandboxed approach, but I was hoping that there was a reasonably secure approach involving less work!
Samuel Jack
@Kev, Well, I've just spent the last 2 hours on the sandboxing approach and it seems to have worked! It was actually pretty straightforward using WCF and TopShelf (http://topshelf-project.com) to host the Windows Service
Samuel Jack
@samuel - nice one. :)
Kev
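
A sketch of the privileged-service side of the split described in the answer above, as an added example that is not code from either poster. It assumes the contract is hosted inside the Windows service with a WCF ServiceHost over NetNamedPipeBinding; ISiteProvisioner, SiteProvisioner and the D:\Sites root are hypothetical names.

```csharp
// Added example. Hypothetical names: ISiteProvisioner, SiteProvisioner, SitesRoot.
using System;
using System.IO;
using System.ServiceModel;
using System.Text.RegularExpressions;
using Microsoft.Web.Administration;

[ServiceContract]
public interface ISiteProvisioner
{
    // The only operation the low-privilege web app can reach.
    [OperationContract]
    long CreateSite(string siteName, string hostName);
}

public class SiteProvisioner : ISiteProvisioner
{
    const string AllowedCaller = @"IIS APPPOOL\MyAppPool"; // app pool identity from the question
    const string SitesRoot = @"D:\Sites";                  // assumed content root
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9][A-Za-z0-9-]{0,62}\z");
    static readonly Regex SafeHost =
        new Regex(@"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+\z");

    public long CreateSite(string siteName, string hostName)
    {
        // NetNamedPipeBinding authenticates the Windows caller by default.
        var caller = ServiceSecurityContext.Current?.WindowsIdentity?.Name;
        if (!string.Equals(caller, AllowedCaller, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Caller not authorised.");
        // Allowlist validation: no path separators, wildcards or ports get through.
        if (siteName == null || !SafeName.IsMatch(siteName) ||
            hostName == null || hostName.Length > 253 || !SafeHost.IsMatch(hostName))
            throw new FaultException("Invalid site or host name.");

        using (var iis = new ServerManager())
        {
            if (iis.Sites[siteName] != null || iis.ApplicationPools[siteName] != null)
                throw new FaultException("Site or app pool already exists.");
            // Path, port and pool are decided here, never by the caller.
            var path = Path.Combine(SitesRoot, siteName);
            Directory.CreateDirectory(path);
            var pool = iis.ApplicationPools.Add(siteName);
            var site = iis.Sites.Add(siteName, "http", "*:80:" + hostName, path);
            site.ApplicationDefaults.ApplicationPoolName = pool.Name;
            iis.CommitChanges();
            return site.Id;
        }
    }
}
```

With this in place the web app's identity needs no rights on %WinDir%/System32/inetsrv/config; a compromise of the site is limited to requesting new sites under the fixed root.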