Thursday, May 03, 2007

Permissions needed to access the IIS metabase remotely using WMI

In my last two posts I've been talking about programmatically reading and editing the IIS metabase using WMI via System.Management. In my examples I've assumed that the code has access to an administrator account's username and password. Of course you wouldn't want to do that in real life; putting an admin password as a literal in your managed code is not a good idea. A much better idea is to have your application run under a low-privilege account and give it only the permissions it needs to access the metabase using Windows integrated security. To set this up, follow these steps:
  1. Create a new account with minimum rights that your application will run under.
  2. On the web server with the metabase you want to access, add the user to the 'Distributed COM Users' group. This is because WMI uses DCOM.
  3. Open 'Administrative Tools' -> 'Computer Management'. Expand 'Services and Applications', right click 'WMI Control' and under the Security tab, expand 'Root'. Find the 'MicrosoftIISv2' node and give the user the required permissions.
  4. Finally, you have to give the user access to the nodes you require in the metabase. Using the Metabase Explorer (from the IIS Resource Kit), find the node you want to access, right-click it and choose Permissions. If the node doesn't have any permissions set, a dialog will ask whether you want to copy the permissions of the parent node or edit the parent node's permissions. Make your choice and then set the permissions you require in the permissions dialog.
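
Once the four steps are done, a quick way to confirm they worked is to connect from the low-privilege account without supplying any credentials. The following is an added example, not code from the earlier posts; the host name `webserver01` is a hypothetical placeholder, and the query assumes the account was given read access to the web site nodes.

```csharp
using System;
using System.Management;
using System.Runtime.InteropServices;

class MetabaseAccessCheck
{
    static int Main(string[] args)
    {
        // Hypothetical default host; pass the real web server name as the first argument.
        string server = args.Length > 0 ? args[0] : "webserver01";

        // Username and Password are deliberately left unset, so the connection is made
        // as the account this process runs under (Windows integrated security).
        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        // The IIS WMI provider only accepts encrypted remote connections.
        options.Authentication = AuthenticationLevel.PacketPrivacy;

        ManagementScope scope =
            new ManagementScope(@"\\" + server + @"\root\MicrosoftIISv2", options);
        try
        {
            scope.Connect();
            ObjectQuery query =
                new ObjectQuery("SELECT Name, ServerComment FROM IIsWebServerSetting");
            using (ManagementObjectSearcher searcher =
                       new ManagementObjectSearcher(scope, query))
            {
                foreach (ManagementObject site in searcher.Get())
                    Console.WriteLine("{0}\t{1}", site["Name"], site["ServerComment"]);
            }
            return 0;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Usually means the connection itself was refused: recheck the
            // 'Distributed COM Users' membership and the WMI namespace security.
            Console.Error.WriteLine("Access denied while connecting: " + ex.Message);
            return 1;
        }
        catch (ManagementException ex)
        {
            // Connected, but the provider refused the query: recheck the metabase node ACLs.
            Console.Error.WriteLine("WMI error {0}: {1}", ex.ErrorCode, ex.Message);
            return 2;
        }
        catch (COMException ex)
        {
            // For example, the server is unreachable or DCOM is blocked by a firewall.
            Console.Error.WriteLine("DCOM error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
            return 3;
        }
    }
}
```

Run it under the new account (for example with `runas`) rather than from an administrator session, otherwise a successful result says nothing about the permissions you just granted.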
