One of the questions I was recently asked was how to manage application pools in IIS when you are not an administrator on the server.  The answer is Web Deploy.  Web deploy is an IIS extension that is primarily used for web deployment between environments but it does have a couple of commands that will allow us to manage application pools.  A prerequisite for all this to work is that you have already granted IIS delegation to the users/groups that require this access.

We will discuss the following:

  • How to install and configure web deploy
  • How to create a runCommand Rule.
  • How to modify permissions on recycleApp to tighten security a little.
  • How to grant extra permissions for wmsvc that are required the runCommand and how to change wmsvc from default authentication of basic to NTLM.

How to install and configure Web Deploy

Download Web deploy from the Microsoft Web Deploy Site

Double click the downloaded Executable to start installation.

Click next on the Setup screen.

Click to accept the license and click next.

Click next on CEIP screen (do not check anything).

Click Custom then right click IIS Deployment Handler and select Entire Feature will be installed on the hard drive then click next (See screen shot below).

 

Click Install

Click finish



Create Rule for runCommand

TechNet has more detailed information on the runCommand if you would like to learn more.  Note Allowing users to use runCommand through the WMSvc is a security risk and should be avoided if possible.  In this case we  require Local Administrator rights to manage the application pools but do not have this right, so using the runCommand is the only way to do this.


Load IIS Manager

Click on root site.

Double click on Management Service Delegation

  

Within Management Service Delegation click Add Rule on right. Note: Webdeploy by default creates several out of the box rules but does not create one for runCommand.

 
Click Blank Rule then click OK

  


In the pop up window,

under Providers select RunCommand from the dropdown.

Under Actions select *

For Path enter c:\windows\system32\inetsrv  (This allows us to use appcmd located in this path).

For Identity Type select SpecificUser

click Set to enter the ID and password and Confirm Password

Note: The account must be in the administrators group on the server.  This is the account that the runCommand will use for commands issued.  Be very careful with this as you are in essence allowing the person issuing the command to act as an admin on the server. Webdpeloy by default creates a  local account WdeployAdmin that is a member of this group

  • To enter a local account simply enter the ID and password if you have one or use the account  WDeployAdmin that is already created. You will need to change the password for this in order to enter it.
  • To enter a domain account enter domain\user and password.

Click OK when done.

You will now get a pop up that asks for the Name (Group) that will be allowed to execute this provider.
Change the name to Contoso\App Admins  (This is the account we previously granted IIS delegation to)  verify Access Type  is allow, and then click to check is Role? because we are using an AD group to grant access to issue this command. Note: Do not use * as the name because we are allowing wmsvc to use the runCommand and we want to tighten the security.
 
Your screen should like the information below.

Modify Rule for recycleApp

Load IIS Manager

Click on root site.

Double click on Management Service Delegation
  
In the Management Service Delegation   screen click to expand recycleApp.


 
Right click on the green hexagon and click edit.
In the Name field replace * with contoso\app admins. This allows only member of that group to issue this command whereas the default allows anybody that has IIS or delegated IIS admin rights to issue this command.
Click to check Is in Role? Then click OK
For extra security you may delete the extra rules that are created out of the box that will not be used (backupManager, backupSettings, etc...)


Set Permissions required for WMSVC to use the runCommand


WMSVC by default runs with basic authentication, to change this to use NTLM we need to create the following registry key. (As always back up your registry before making changes).
From a command prompt type regedit.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server
Right click on Server and select new DWORD 32bit. For Value Name enter WindowsAuthenticationEnabled set the Value data to 1. Close regedit.

More information on this entry can be found here 

To allow the WMSVC the right to use the runCommand functionality we need to grant it the right to  replace a Process level token. Note: you can try granting this right through the local security policy but I could not get this to work, so I used SC Privs wmsvc  command.
From a command prompt type sc privs wmsvc SeChangeNotifyPrivilege/SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege
Run  sc qprivs wmsvc to make sure SeAssignPrimaryTokenPrivilege has been added to existing privileges. More information on this can be found here.

Recycle WMSVC with the following commands at a command prompt

net stop wmsvc
net start wmsvc

Let’s test our configuration!  Log in with an account that is allowed to log in locally but is not an administrator and is part of contoso\app admins.


Open a command prompt and issue the following command cd “c: \Program Files\IIS\Microsoft Web Deploy V3” This will put us in the directory for msdeploy.

First let get a list of application pools using the run Command. My Web application is called SharePoint – 80 so the command looks like below:


msdeploy.exe -verb:sync -source:runcommand -dest:runcommand="C:\Windows\System32\inetsrv\appcmd.exe list apppool",wmsvc="http://sp2010:8172/msdeploy.axd?site=SharePoint - 80",AuthType=NTLM –allowUntrusted

  

We can see that I have an application pool called SharePoint – 80 and the status is started.

Let’s recycle it.

msdeploy.exe -verb:sync -source:recycleApp -dest:recycleApp="SharePoint - 80",wmsvc=SP2010,AuthType=NTLM,recycleMode="RecycleAppPool" –allowUntrusted

 
Not a lot of information coming back so maybe instead of using the appcmd.exe list apppool  for the runCommand we may have better results with appcmd list wp which lists the running worker processes and PIDs.  Then we could very that after a recycle a new PID shows for the apppool we recycled.

msdeploy.exe -verb:sync -source:runcommand -dest:runcommand="C:\Windows\System32\inetsrv\appcmd.exe list WP",wmsvc="http://sp2010:8172/msdeploy.axd?site=SharePoint - 80",AuthType=NTLM –allowUntrusted