WMI Rights required to read root\MicrosoftIISv2 in IIS7 with IIS6 compatibility mode
I need to manage my IIS7 (Windows Server 2008) remotely with a WMI IIS6 API. So I added the IIS6 WMI Compatibility and IIS6 Metabase Compatibility roles to access the root\MicrosoftIIsv2 namespace.
I have a domain account which is not administrator on the remote machine ; with this right, everything is ok.
I configured these rights for my domain account to access the root\MicrosoftIIsv2
WMI namespace remotely ; note that these rights work perfectly on a IIS6 and Windows Server 2003 :
DCOM :
- Account in Distributed COM Users > Remote & local access to DCOM
WMI :
- Root\CIMV2 (I need access here too) > Execute methods, Enable Account, Remote Enable
- Root\Default (I need access here too) > Execute methods, Enable Account, Remote Enable
- Root\MicrosoftIISv2 > Execute methods, Enable Account, Provider Write, Remote Enable
IIS Metabase (Metabase Explorer) :
- LM > Full Control (W3SVC inherits these permissions)
I tried to give some access on C:\Windows\System32\inetsrv too ; don't know if needed.
My issue is :
I can't list the IIS WebSites (\root\MicrosoftIISv2:IIsWebServerSetting.Name="W3SVC/*"). I don't get an 'access denied' but nothing is returned.
- My API and powershell tests can connect and execute queries in the root\MicrosoftIISv2 namespace
- I can read the IIsComputer class
- ex:
Get-WmiObject IIsComputer -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT *
- ex:
-
I can't read the IIsWebServerSetting, IIsWebServer ... to list the WebSites : the query returns an empty collection
- ex:
Get-WmiObject IIsWebServerSetting -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT ServerComment
- ex:
- All queries work perfectly if the account is administrator as already said
- I am using PacketPrivacy authentication
FI: I got a Warning Event 5605 with the Administrator right or not, that does not seem to have an impact :
The root\MicrosoftIISv2 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again
Ok, I have some more informations, when I use IIS 6 Metabase Explorer with my administrator account I can see the rights are correctly inherited for my non-administrator account.
But when I try to connect using my non-administrator account, I can list the LM
node, but get an "access denied, failed to get a key's data" when I try to browse the child nodes.
I'll check further.
I tried to Trace the WMI Activity, and everything seems OK ; this tends to confirm that the problem lies in IIS Rights.
Resolved.
The WMI and IIS Metabase rights have to be set as you would do on an IIS 6. So they were correct for me.
The specifity is on the IIS Metabase. First of all, in IIS 7 the W3SVC
rights are completely inherited from the root while you have to set the W3SVC/AppPools
rights on IIS 6 if you want to handle the application pools.
Since there's a 'compatiblity', the main difference resides in IIS 7 metabase file system. On IIS 6, the read rights on the inetsrv folder (which is the default for Users
) and the Metabase ACLs are sufficient.
On IIS 7, the rights have to be set on the IIS Metabase AND the IIS 7 configuration folder : %SYSTEMROOT%/system32/inetsrv/config
(and .config files then). By default, only Administrators
(thats why it is perfectly working with the Administrator right) and some other reserved groups can access this folder.
Another point, if you need to execute methods like a Stop
on an application pool, this feature require the Write rights on the configuration folder.