Restart IIS site and app pools rights for simple user in Win10?

STF413 0 Reputation points
2021-07-12T05:14:35.91+00:00

Hi,

My company applies Least Privilege principle to all company computers, esp workstations.

In one of them, a Win 10 version 2004, a simple user (ie without local admin rights) needs to restart IIS websites and applicaiton pools. Everytime he needs to do so, an admin has to login and do so for him. I'd like to know if it's possible to configure IIS such that he could do so himself?

I've found in some forum that people said it's not possible and that's against security. Fine, but is there an official article from Microsoft stating this? If I can find such article, it could settle a lot of questions.

In the case that this is not possible, is it possible to let him run "iisreset" as a simple user?

Thanks

Internet Information Services
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Bruce Zhang-MSFT 3,751 Reputation points
    2021-07-12T09:30:14.143+00:00

    Hi @STF413 ,

    Reset or Restart IIS is a very important action. When you restart IIS, all session connected to web server are dropped. Any data held in web applications is lost. All Internet sites are unavailable until Internet services are restarted.

    So Microsoft suggest users avoid restarting, stopping, or rebooting server if at all possible.

    • If each user, even he has the least privilege, can restart IIS easily, will have a bad experience for website users.
    • Frequent restarts of IIS by multiple users may also cause the server to go down.
    • The most insecure thing is that as long as any external attack obtains any user information, it has the authority to maliciously damage the server. This is a very terrible consequence.
      -

    Microsoft emphasized the safety and reasons for restarting IIS in this document. You can refer to it.

    In order to solve the problem that needs to restart IIS, Microsoft suggests you use application pool recycling and several other features.

    In order to allow users with least privileges to perform certain operations, IIS has a feature called Delegation.


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our  documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang

    0 comments No comments

  2. STF413 0 Reputation points
    2021-07-12T09:47:47.42+00:00

    Hello BruceZhang,

    Thanks for your reply. However, you have failed to notice that I talked about a workstation edition of Windows (Windows 10). I understood that there are security issues on server editions of Windows if I let users do what I requested. But in our case, the Win10 is serving a web application demo. so the "only" user of the webapp is the user of the computer itself. So the security problem you mentioned does NOT apply in my case.

    About "delegation", I have found that article before. But I don't see those things shown in the screenshots. Are you sure the article applies to Win 10? Or does it only work for IIS 7?

    0 comments No comments

  3. Bruce Zhang-MSFT 3,751 Reputation points
    2021-07-13T07:34:18.06+00:00

    Hi @STF413 ,

    I'm sorry I didn't notice your actual situation. If your users only have the computer itself, the potential risk will be reduced. You can completely restart IIS for users with least privileges.

    About delegation, it applies to Win10. IIS doesn't remove this feature on IIS10. It is still supported now.

    You can also create a bat file to restart IIS. Then users with least privilege can use cmd to execute file.


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our  documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.