Programmatically Administering the Web Operators Property Sheet

As shown in Figure 9.3, IIS lets you specify an Access Control List (ACL) for a site to prevent unauthorized administrative access. By default, only the local Administrators group on the server can change the configuration of the Web site. You could grant operator privileges simply by adding the operators to the local Administrators group, but that hands them far more rights than operating a Web site requires.

Figure 9.3. Default Web Site Properties Configuration dialog box, Operators tab.


Typically, security organizations strive to grant a user account the most restrictive set of rights that still allows the essential job functions to be performed. To attain this model in IIS, create one group for each administrator type. The split can follow sites, business units, geographic locations, or whatever mechanism your organization uses to define Web site operators.

With the groups created, use the AdminACL property of the IIsWebServer object to set a Discretionary Access Control List (DACL) on that site's subtree in the Metabase (the key at IIS://server/W3SVC/siteindex). The DACL grants or denies permission to read and modify the keys according to group membership, so operator rights follow the group rather than individual accounts.

Querying Operators Using Visual Basic

Use the following Visual Basic code to query the currently defined site operators:

 Dim Site As IADs
 Dim SecurityDescriptor As Object     ' IADsSecurityDescriptor returned by AdminACL
 Dim DiscretionaryAcl As Object       ' IADsAccessControlList
 Dim Item As Object                   ' IADsAccessControlEntry
 Dim ServerName As String
 Dim SiteIndex As Long

 ServerName = "IIS_Server_Name"       ' replace with the IIS server name
 SiteIndex = 1                        ' replace with the site's Metabase index; 1 is the Default Web Site
 Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)
 Set SecurityDescriptor = Site.AdminACL
 Set DiscretionaryAcl = SecurityDescriptor.DiscretionaryACL

 ' 11 = MD_ACR_READ (1) Or MD_ACR_WRITE (2) Or MD_ACR_ENUM_KEYS (8): the operator rights.
 ' 262315 adds MD_ACR_RESTRICTED_WRITE (&H20) and MD_ACR_WRITE_DAC (&H40000): full administrators.
 For Each Item In DiscretionaryAcl
     If Item.AccessMask = 11 Or Item.AccessMask = 262315 Then
         Debug.Print Item.Trustee
     End If
 Next

Setting a New Operator Using Visual Basic

To establish a new site operator, use the following Visual Basic code, which builds an Access Control Entry (ACE) for the new trustee, appends it to the site's DACL, and writes the descriptor back to the Metabase:

 Dim Site As IADs
 Dim SecurityDescriptor As Object     ' IADsSecurityDescriptor
 Dim DiscretionaryACL As Object       ' IADsAccessControlList
 Dim ACE As Object                    ' IADsAccessControlEntry
 Dim ServerName As String
 Dim SiteIndex As Long
 Dim NewOperator As String

 ServerName = "IIS_Server_Name"       ' replace with the IIS server name
 SiteIndex = 1                        ' replace with the site's Metabase index; 1 is the Default Web Site
 NewOperator = "New_Operator_in_Format_Domain\Username"   ' a group name works the same way
 Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)
 Set SecurityDescriptor = Site.AdminACL
 Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL

 Set ACE = CreateObject("AccessControlEntry")
 ACE.Trustee = NewOperator
 ACE.AccessMask = 11                  ' operator rights only (READ Or WRITE Or ENUM_KEYS), not the administrator mask
 DiscretionaryACL.AddAce ACE

 ' Nothing reaches the Metabase until SetInfo is called.
 SecurityDescriptor.DiscretionaryACL = DiscretionaryACL
 Site.AdminACL = SecurityDescriptor
 Site.SetInfo

Note

The trustee account named in the ACE must exist and must be resolvable by the IIS server. The account is verified when the descriptor is written back with SetInfo; if it cannot be resolved, the ACE is not added and SetInfo raises an error, so check Err after that call rather than assuming the change took effect.


Removing an Operator Using Visual Basic

Use the following Visual Basic code to remove a specific operator's Access Control Entry (ACE) from the site operators ACL. RemoveAce only removes an entry that matches the ACE you pass in, so the trustee and access mask must be exactly those of the existing entry; otherwise the call silently removes nothing:

 Dim Site As IADs
 Dim SecurityDescriptor As Object     ' IADsSecurityDescriptor
 Dim DiscretionaryACL As Object       ' IADsAccessControlList
 Dim ACE As Object                    ' IADsAccessControlEntry
 Dim ServerName As String
 Dim SiteIndex As Long
 Dim OperatorToRemove As String

 ServerName = "IIS_Server_Name"       ' replace with the IIS server name
 SiteIndex = 1                        ' replace with the site's Metabase index; 1 is the Default Web Site
 OperatorToRemove = "Domain\Username" ' must match the Trustee of the existing ACE exactly
 Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)
 Set SecurityDescriptor = Site.AdminACL
 Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL

 ' Build an ACE identical to the one being removed so that RemoveAce finds a match.
 Set ACE = CreateObject("AccessControlEntry")
 ACE.Trustee = OperatorToRemove
 ACE.AccessMask = 11                  ' the operator mask the entry was created with
 DiscretionaryACL.RemoveAce ACE

 ' Commit the modified DACL to the Metabase.
 SecurityDescriptor.DiscretionaryACL = DiscretionaryACL
 Site.AdminACL = SecurityDescriptor
 Site.SetInfo
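The three operations above, combined into one administration script that also performs the checks a practitioner wants: it refuses to add a duplicate ACE, removes the ACE object it actually found (so RemoveAce cannot silently miss), catches the SetInfo error that an unresolvable trustee produces, and re-reads the Metabase afterwards instead of trusting the in-memory objects. This is an added example written for this page, not code from the book; it is VBScript rather than Visual Basic so it can be run with cscript.exe, and it assumes the IIS ADSI provider is present, that the script runs as a local Administrator, and that the server name, site index, trustee and action are supplied on the command line (the script name SetSiteOperator.vbs is an assumption).

```vbscript
' SetSiteOperator.vbs -- added example, not the book's code.
' Grants or revokes IIS site-operator rights for a Windows group or user, then
' re-reads the Metabase DACL to confirm that the change really took effect.
' Assumed usage (run as a local Administrator):
'   cscript SetSiteOperator.vbs <server> <siteIndex> <DOMAIN\Group> add|remove
Option Explicit

' Metabase access-right bits from iiscnfg.h. Operators hold READ|WRITE|ENUM_KEYS = 11;
' the full-administrator mask 262315 additionally carries RESTRICTED_WRITE and WRITE_DAC.
Const MD_ACR_READ = &H1
Const MD_ACR_WRITE = &H2
Const MD_ACR_ENUM_KEYS = &H8
Const MD_ACR_RESTRICTED_WRITE = &H20
Const MD_ACR_UNSECURE_PROPS_READ = &H80
Const MD_ACR_WRITE_DAC = &H40000
Const OPERATOR_MASK = 11              ' MD_ACR_READ Or MD_ACR_WRITE Or MD_ACR_ENUM_KEYS

Function DescribeMask(mask)
    ' Translates an AccessMask into the names of the rights it contains, for reporting.
    Dim names : names = ""
    If mask And MD_ACR_READ Then names = names & "READ "
    If mask And MD_ACR_WRITE Then names = names & "WRITE "
    If mask And MD_ACR_ENUM_KEYS Then names = names & "ENUM_KEYS "
    If mask And MD_ACR_RESTRICTED_WRITE Then names = names & "RESTRICTED_WRITE "
    If mask And MD_ACR_UNSECURE_PROPS_READ Then names = names & "UNSECURE_PROPS_READ "
    If mask And MD_ACR_WRITE_DAC Then names = names & "WRITE_DAC "
    DescribeMask = Trim(names) & " (" & mask & ")"
End Function

Function FindAce(dacl, trustee)
    ' Returns the existing ACE for the trustee, or Nothing. Passing the ACE object found
    ' here to RemoveAce guarantees a match; a freshly built ACE only matches if every field agrees.
    Dim item
    Set FindAce = Nothing
    For Each item In dacl
        If LCase(item.Trustee) = LCase(trustee) Then
            Set FindAce = item
            Exit For
        End If
    Next
End Function

Dim args : Set args = WScript.Arguments
If args.Count <> 4 Then
    WScript.Echo "Usage: cscript SetSiteOperator.vbs <server> <siteIndex> <DOMAIN\Group> add|remove"
    WScript.Quit 1
End If
Dim serverName, siteIndex, trustee, action
serverName = args(0) : siteIndex = args(1) : trustee = args(2) : action = LCase(args(3))

Dim sitePath : sitePath = "IIS://" & serverName & "/W3SVC/" & siteIndex
Dim site, sd, dacl, ace
Set site = GetObject(sitePath)
Set sd = site.AdminACL
Set dacl = sd.DiscretionaryACL

Set ace = FindAce(dacl, trustee)
If action = "add" Then
    If Not ace Is Nothing Then
        WScript.Echo trustee & " already present with " & DescribeMask(ace.AccessMask)
        WScript.Quit 0
    End If
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = trustee
    ace.AccessMask = OPERATOR_MASK    ' exactly the operator bits, never the administrator mask
    ace.AceType = 0                   ' ADS_ACETYPE_ACCESS_ALLOWED
    dacl.AddAce ace
ElseIf action = "remove" Then
    If ace Is Nothing Then
        WScript.Echo trustee & " has no ACE on " & sitePath & "; nothing to remove."
        WScript.Quit 0
    End If
    dacl.RemoveAce ace                ' remove the entry we actually found
Else
    WScript.Echo "action must be add or remove"
    WScript.Quit 1
End If

' Write back. SetInfo is where an unresolvable trustee surfaces as an error.
On Error Resume Next
sd.DiscretionaryACL = dacl
site.AdminACL = sd
site.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "SetInfo failed (0x" & Hex(Err.Number) & "): " & Err.Description & " - is the trustee resolvable?"
    WScript.Quit 1
End If
On Error GoTo 0

' Verify by re-reading the Metabase rather than trusting the in-memory objects.
Set site = GetObject(sitePath)
Set sd = site.AdminACL
Set dacl = sd.DiscretionaryACL
Set ace = FindAce(dacl, trustee)
If action = "add" And (ace Is Nothing) Then
    WScript.Echo "VERIFY FAILED: " & trustee & " not found after SetInfo" : WScript.Quit 1
End If
If action = "remove" And Not (ace Is Nothing) Then
    WScript.Echo "VERIFY FAILED: " & trustee & " still present after SetInfo" : WScript.Quit 1
End If
WScript.Echo "Current DACL on " & sitePath & ":"
Dim item
For Each item In dacl
    WScript.Echo "  " & item.Trustee & "  " & DescribeMask(item.AccessMask)
Next
```

The final listing is worth keeping in any such script: an operator whose mask shows WRITE_DAC can rewrite the DACL itself, which is administrator-level control of the site rather than operator access, and that is exactly the kind of drift the per-group model is meant to prevent.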

   
Top


Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
