Remote management is a greatly revamped feature in IIS 7.0. The ability to manage the web server remotely from a variety of client (and server) operating systems combines with feature delegation to allow for a truly distributed and locked-down administration infrastructure. I won't go into much detail about the inner clockwork, only what is necessary to understand why certain policies may break the remote management feature.

Inner workings of remote management

The remote management service is a standalone web server (a hostable web core, HWC). When a remote user successfully authenticates, this web core service (using the NT Service\WMSVC identity) creates a web site infrastructure in %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\WMSvc, into which it deploys the appropriate web services on demand. The remote IIS Manager connects to these web services to accomplish the management tasks.

The web services are as follows:

  • Login requests to login.axd
  • Code download requests to download.axd
  • Management service requests to service.axd
  • Ping requests to ping.axd

These web services are deployed on demand, using the user that NT Service\WMSVC is impersonating.

The role of security policies

Here, even with all the configuration options set up following http://learn.iis.net/page.aspx/113/getting-started-with-iis-manager/ and http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-7/, the creation of the service web site and the deployment of the web services may fail for several reasons related to user privileges and rights.

Troubleshooting these issues

  • NT Service\WMSVC must have the proper impersonation rights and privileges.

  • The users that will be remote managers of the web server must have the proper logon rights and privileges.

  • Most importantly, the remote managers must be able to traverse the directory hierarchy in order to deploy and access the web services. The user right involved is SeChangeNotifyPrivilege, which is a cryptic name for "Bypass traverse checking". From Technet: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories."

As we can see, this remote management structure can be broken by strict policies. In fact, excluding Everyone (strict) and Users (stricter) from holding SeChangeNotifyPrivilege gives this error:

Error 401

The impersonated user cannot access the directory containing the web service he or she needs to perform management tasks. The previous behaviour is recognized when a remote management user who is a local Administrator of the web server connects through remote management to the web server. From then on, any user can connect to the remote management service, although he or she still gets an error (an access denied exception) when accessing any remote management task. That's because the Administrator's connection has created the whole management web site directory infrastructure, so the following users don't need to create it on connection. The exception is returned when access to the web service files is checked.

The management site folder infrastructure remains created as long as the management service is running.
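
A check for the policy condition described above, as an added PowerShell example that is not part of the original post: it exports the user-rights assignments with secedit and reports whether Everyone, Users, or the listed accounts still hold SeChangeNotifyPrivilege. The account name in $Managers is a hypothetical placeholder, and rights inherited through group membership are not expanded.

```powershell
# Added example, not from the original post. Run elevated on the web server.
$Right    = 'SeChangeNotifyPrivilege'     # "Bypass traverse checking"
$Managers = @('CONTOSO\webadmin1')        # hypothetical placeholder account

function ConvertTo-Sid([string]$Principal) {
    # secedit writes SIDs as "*S-1-..." and some accounts as plain names
    if ($Principal.StartsWith('*')) { return $Principal.Substring(1) }
    $acct = New-Object System.Security.Principal.NTAccount($Principal)
    try { return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }                # name could not be resolved
}

function Get-RightHolderSids([string[]]$InfLines, [string]$Name) {
    $pattern   = '^' + [regex]::Escape($Name) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $t -match $pattern) {
            return @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } |
                     Where-Object { $_ } | ForEach-Object { ConvertTo-Sid $_ })
        }
    }
    return @()                            # right not assigned to anyone
}

# Export only the user-rights area of the system security database
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$holders = Get-RightHolderSids (Get-Content $cfg) $Right
Remove-Item $cfg

# Well-known SIDs: Everyone = S-1-1-0, BUILTIN\Users = S-1-5-32-545
foreach ($sid in 'S-1-1-0', 'S-1-5-32-545') {
    $state = if ($holders -contains $sid) { 'holds the right' } else { 'REMOVED' }
    '{0,-14} {1}' -f $sid, $state
}
# Direct assignments only: rights inherited through other groups are not expanded
foreach ($m in $Managers) {
    $sid   = ConvertTo-Sid $m
    $state = if ($sid -and $holders -contains $sid) { 'listed directly' } else { 'not listed directly' }
    '{0,-24} {1}' -f $m, $state
}
```

If both well-known SIDs are reported as REMOVED and the remote managers do not receive the right some other way, the Error 401 described above is the expected result.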

That's all for now and be careful with policies!