I am running IIS 6.0 on Windows 2003 Server. our web developers needed to create or edit websites, for security reasons I cannot simply give them admin rights or the password to the admin account.
I have created an account for them to logon remotely to the webserver, however, they do not have the proper rights to use the IIS management console. Is there a way to provide users without admin rights the ability to use IIS to create, edit and manage websites from a remote desktop connection?
Any help would be appreciated.
You must be a member of the Local administrators group to administer IIS 6 and below.
IIS 7 (when released) will remove such restrictions.
IIS6 does not come with such delegated administration capabilities, but various Control Panel Applets supplement that market.
Also... IIS7 does not exactly remove such restrictions. ;-)
The security model of IIS7 configuration derives from NTFS ACLs on the distributed .config configuration files as well as Allow/Deny/Inherit logic of the configuration properties within the distributed .config hierarchy. I know I know, it sounds more complicated than it actually works. Without getting hung up on the details, here is how I rationalize it:
All the pieces have to align for distributed administration to work properly. For example, you may have NTFS ACLs to write configuration values into a web.config file, but if the web.config file is not considered part of the .config hierarchy or whose property configuration was not delegated to that part of the hierarchy, the IIS configuration subsystem simply ignores your changes and IIS server core never sees nor acts on it (well, right now it just fails fast, so IIS7 is finicky about broken configuration, but you get the idea). Likewise, if you have no NTFS ACLs to change web.config files, you have no way to configure IIS even if the configuration properties are all delegated.
Thus, IIS7 restricts non-administrators from performing the following tasks via NTFS ACLs on the applicationHost.config file. This list merely illustrates our logical design and not necessarily exhaustive nor complete.
Non-administrators can change any other IIS configuration as long as it is delegated to their portion of the .config hierarchy, and they have NTFS ACLs to modify web.config files.
Security is the reason why non-administrators cannot perform those tasks by default. Why? Well... non-administrators can easily elevate privileges via those tasks, which sorta destroys the purpose of delegating privileges...
You control all of this by controlling who can associate websites, applications and global modules, and application pools... which means that you simply cannot maintain security AND give non-administrators the ability to Create and Edit websites AND publish code into it. And no, we are not going to build hierarchies of inheritance simply to support the ability to only change Application Pool identity at one level but not another. Just too complicated a feature - you need to re-think your developer sandbox.
I understand that your desires are logical and reasonable, but logical/reasonable != secure. I hope I have explained why your requirements are actually contrary to your security desires.
Prior to IIS7, IIS did not have a configuration subsystem which allowed rich definition and delegation, so IIS control panel applets all run with Administrator/LocalSystem privileges and provide a proprietary/individual delegation view.
IIS7 comes with a rich and delegation friendly configuration subsystem that should be customizable to fit many requirements without needing control panel applets. Of course, IIS7 is totally extensible, from the server core to its configuration and administration via the UI, Commandline, and Scripting, so you can always implement your own logic on top of our primitives. You have the choice.