As shown in Figure 9.3, IIS allows you to specify an Access Control List (ACL) for the site to prevent unauthorized administrative access. By default, only the local administrators' group on a server has access to the configuration of the Web site. Although you can certainly add all users to the local administrators' group to grant operator privileges, this option grants the user far more rights than site administration requires.
Typically, security organizations strive to grant a user account the most restrictive set of rights that still allows the essential job functions to be performed (the principle of least privilege). To attain this model in IIS, you must create one group for each administrator type. This could be divided by site, business unit, geographic location, or any other mechanism employed in your organization to define Web site operators.
With the groups created, you can use the AdminACL property of the IIsWebServer object to set a Discretionary Access Control List (DACL) on the specific site tree in the Metabase. This will grant or deny permission to access/modify the keys according to group membership.
Use the following Visual Basic code to query the currently defined site operators:
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim SecurityDescriptor As Variant
    Dim DiscretionaryAcl As Variant
    Dim Item As Variant

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    ' Bind to the IIsWebServer object for this site in the Metabase
    Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)

    ' AdminACL is the security descriptor protecting the site's Metabase key
    Set SecurityDescriptor = Site.AdminACL
    Set DiscretionaryAcl = SecurityDescriptor.DiscretionaryAcl

    ' Access masks 11 and 262315 identify site operator entries
    For Each Item In DiscretionaryAcl
        If Item.AccessMask = 11 Or Item.AccessMask = 262315 Then
            Debug.Print Item.Trustee
        End If
    Next
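The query above inspects a single site. The following VBScript is an added example, not code from the book, that generalizes it: it walks every IIsWebServer under W3SVC, lists the operator entries using the same two access masks, and checks each trustee against the one-group-per-administrator-type policy described earlier by resolving the trustee through the WinNT ADSI provider. It assumes it is run with cscript.exe on the IIS server itself (hence "localhost"), that trustees are stored as DOMAIN\Name, and that only allow entries (AceType 0) should count as operator grants; those three points are assumptions, not statements from the page.

```vbscript
' Added audit example (VBScript, run with cscript.exe on the IIS server).
' Not from the book: generalizes the single-site query to every site and
' flags operator entries granted to individual users instead of groups.
Option Explicit

' Access masks the book treats as "site operator" entries
Const OPERATOR_MASK_BASIC = 11
Const OPERATOR_MASK_FULL = 262315
' ADS_ACETYPE_ACCESS_ALLOWED; deny entries are not operator grants
Const ACE_ALLOWED = 0

Dim TargetServer
TargetServer = "localhost"   ' assumption: audit the local server

' Resolve DOMAIN\Name through the WinNT provider and return its ADSI class
' ("User" or "Group"), or "Unresolved" when the account cannot be looked up
' (for example a raw SID left behind by a deleted account).
Function TrusteeClass(Trustee)
    Dim Obj
    On Error Resume Next
    Set Obj = GetObject("WinNT://" & Replace(Trustee, "\", "/"))
    If Err.Number <> 0 Then
        Err.Clear
        TrusteeClass = "Unresolved"
    Else
        TrusteeClass = Obj.Class
    End If
    On Error GoTo 0
End Function

' Enumerate every IIsWebServer under W3SVC and report its operator ACEs
Sub AuditSiteOperators(ServerName)
    Dim Service, Site, SD, DACL, ACE, Kind
    Set Service = GetObject("IIS://" & ServerName & "/W3SVC")
    For Each Site In Service
        If Site.Class = "IIsWebServer" Then
            WScript.Echo "Site " & Site.Name & " (" & Site.ServerComment & ")"
            Set SD = Site.AdminACL
            Set DACL = SD.DiscretionaryAcl
            For Each ACE In DACL
                If ACE.AceType = ACE_ALLOWED Then
                    If ACE.AccessMask = OPERATOR_MASK_BASIC Or ACE.AccessMask = OPERATOR_MASK_FULL Then
                        Kind = TrusteeClass(ACE.Trustee)
                        If Kind = "Group" Then
                            WScript.Echo "    OK      " & ACE.Trustee
                        ElseIf Kind = "User" Then
                            ' A direct user grant bypasses group-based administration
                            WScript.Echo "    REVIEW  " & ACE.Trustee & " (user granted directly)"
                        Else
                            ' Stale SIDs or accounts from unreachable domains land here
                            WScript.Echo "    CHECK   " & ACE.Trustee & " (trustee could not be resolved)"
                        End If
                    End If
                End If
            Next
        End If
    Next
End Sub

AuditSiteOperators TargetServer
```

Entries marked REVIEW are candidates for replacement with the appropriate operator group; entries marked CHECK usually indicate a deleted account whose SID still holds operator rights and should be removed with the removal code later in this section.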
To establish a new site operator, use the following Visual Basic code, which adds a new Access Control Entry (ACE) for the operator to the site's DACL:
    Dim Site As IADs
    Dim ACE As Variant
    Dim SecurityDescriptor As Variant
    Dim DiscretionaryACL As Variant
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim NewOperator As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    NewOperator = "New_Operator_in_Format_Domain\Username"

    ' Bind to the site and retrieve its current security descriptor and DACL
    Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)
    Set SecurityDescriptor = Site.AdminACL
    Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL

    ' Build an operator ACE (access mask 11) for the new trustee
    Set ACE = CreateObject("AccessControlEntry")
    ACE.Trustee = NewOperator
    ACE.AccessMask = 11

    ' Add the ACE, put the DACL back into the descriptor and commit to the Metabase
    DiscretionaryACL.AddAce ACE
    SecurityDescriptor.DiscretionaryACL = DiscretionaryACL
    Site.AdminACL = SecurityDescriptor
    Site.SetInfo
Note
The trustee account used in the ACE must exist and be accessible. The ACE will only be added after the account has been verified.
Use the following Visual Basic code to remove a specific operator Access Control Entry (ACE) from the site operators ACL:
    Dim Site As IADs
    Dim ACE As Variant
    Dim SecurityDescriptor As Variant
    Dim DiscretionaryACL As Variant
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim OperatorToRemove As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    OperatorToRemove = "User_Name_to_Remove"

    ' Bind to the site and retrieve its current security descriptor and DACL
    Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex)
    Set SecurityDescriptor = Site.AdminACL
    Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL

    ' Build an ACE matching the operator entry to be removed (same trustee and mask)
    Set ACE = CreateObject("AccessControlEntry")
    ACE.Trustee = OperatorToRemove
    ACE.AccessMask = 11

    ' Remove the matching ACE, put the DACL back and commit to the Metabase
    DiscretionaryACL.RemoveAce ACE
    SecurityDescriptor.DiscretionaryACL = DiscretionaryACL
    Site.AdminACL = SecurityDescriptor
    Site.SetInfo