Windows Unprivileged - IIS
Turns out an unprivileged user can be given permissions to configure IIS and IIS web sites.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even minor crimes or good taste. Read and act on it at your own peril!
Create a Just-Enough-Admin configuration named IIS.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile IIS.pssc
And create a group JEA_IIS.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_IIS
Make three changes to the IIS.pssc file created:
- Set SessionType to ‘RestrictedRemoteServer’.
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
- Set RunAsVirtualAccount to $true.
# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true
- Configure RoleDefinitions to use IIS.psrc.
RoleDefinitions = @{'JEA_IIS' = @{RoleCapabilities='IIS'}}
Then create a role capability file for this thing.
PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile IIS.psrc
Add the following entries to the file, at the appropriate places per the hints given in the template file.
ModulesToImport = 'IISAdministration','WebAdministration'
VisibleCmdlets = '*-IIS*','*-Web*'
VisibleExternalCommands = 'C:\Windows\System32\iisreset.exe'
VisibleProviders = 'Variable'
While you can add iisreset.exe as a visible external command, I would recommend against doing the same for appcmd.exe, a much more general tool to control IIS that can output passwords as well as configure application pools to use the LocalSystem account.
Register the hell out of this JEA:
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration IIS -Path .\IIS.pssc
Now add a user to the JEA_IIS group and let him enjoy his powers.
PS C:\> Add-LocalGroupMember -Group JEA_IIS -Member benoit
PS C:\> Get-LocalGroupMember JEA_IIS
ObjectClass Name PrincipalSource
----------- ---- ---------------
User CHAMPIGNAC\benoit Local
PS C:\>
Benoit:
PS C:\> Get-ChildItem 'C:\Program Files\WindowsPowerShell\Modules\JEA\' -Filter *.pssc|ForEach-Object{Import-PSSession (New-PSSession -ConfigurationName $_.BaseName) -AllowClobber}
This will load and include all JEA configurations and give an error for each for which user benoit is not permissioned.
User benoit can now create web sites and, luckily, all application pools created automatically will run as AppPoolIdentity and not LocalSystem, allowing us to grant users full access to the cmdlets.
PS C:\BriseferSite> New-Website -Name Brisefer -PhysicalPath C:\BriseferSite\
Name ID State Physical Path Bindings
---- -- ----- ------------- --------
Brisefer 1 C:\BriseferSite\
PS C:\BriseferSite> New-WebAppPool -Name BriseferPool
Name State Applications
---- ----- ------------
BriseferPool
PS C:\>
Assume that C:\BriseferSite is a folder to which user benoit has access.
Note that running iisreset.exe in that session is a bit more complicated as it does not clobber the real (non-virtualised) iisreset.exe. Hence benoit has explicitly to call iisreset.exe from the JEA session:
PS C:\> Invoke-Command (Get-PSSession|Where-Object{$_.ConfigurationName -eq "IIS"}) {iisreset}
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
PS C:\>
It is advisable for the system administrator to give the group JEA_IIS (or other groups or even users) access to the sites in IIS Manager to allow access via IIS Manager.
For completeness’ sake you can also add the JEA group to the ACL of the web server service.
PS C:\> Get-Service *w3*
Status Name DisplayName
------ ---- -----------
Stopped W32Time Windows Time
Stopped w3logsvc W3C Logging Service
Running W3SVC World Wide Web Publishing Service
PS C:\> sc.exe sdshow W3SVC
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
PS C:\> Get-LocalGroup JEA_IIS|Format-List
Description :
Name : JEA_IIS
SID : S-1-5-21-344341352-2539047333-2300305637-1003
PrincipalSource : Local
ObjectClass : Group
PS C:\> sc.exe sdset W3SVC "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-344341352-2539047333-2300305637-1003)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[SC] SetServiceObjectSecurity SUCCESS
PS C:\> sc.exe sdshow W3SVC
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-344341352-2539047333-2300305637-1003)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
PS C:\>
Next: File shares JEA