You can configure IIS 7.0 to be remotely administered, and you can minimize the amount of authority you give. Let’s first look at how to configure IIS 7.0 to be remotely administered:
After adding the IIS Management Service role service in Server Manager, open IIS Manager and select your web server in the left pane. In the Management area (if grouped by area), double-click Management Service to open the Management Service pane (see Figure 1).
Make the following configuration changes:
- Check the box Enable Remote Connections.
- Select Windows Credentials or IIS Manager Credentials.
- Leave the default selections in the Connections section for IP address, port, SSL certificate, and logging.
- On the lower portion, if desired, restrict access by IP address.
Notice at the top of the right pane that you are told that the Management Service (WMSVC) is stopped, and that you need to start the service before remote connections can be made. Start WMSVC by clicking the Start button. By default, the service is set to Manual; you can set the service to Automatic if desired.
Now that you have successfully enabled remote connections to IIS 7.0, you need to define what the remote managers will be able to change within IIS. Follow these steps:
1. With your web server still selected in IIS Manager, double-click the Feature Delegation applet. The Feature Delegation pane appears, showing all the configurable features in IIS 7.0 and the level of delegation allowed for each.
2. Select Directory Browsing, and you see the different levels of delegation you can assign:
   - Read/Write: This unlocks the configuration portion of the feature in the applicationHost.config file.
   - Read Only: This locks the configuration portion of the feature in the applicationHost.config file.
   - Not Delegated: This locks the configuration portion of the feature in the applicationHost.config file.
   - Configuration Read/Write: This unlocks the configuration portion of the feature in the applicationHost.config file. You manage this setting outside IIS.
   - Configuration Read Only: This locks the configuration portion of the feature in the applicationHost.config file, but it allows configuration changes outside IIS.
3. While Directory Browsing is still selected, click Read Only.
4. Select your website in IIS Manager and double-click the Directory Browsing applet. A runtime error is generated, as shown in Figure 2, and you cannot configure directory browsing for the website.
5. Click OK on the error message. At the top of the right pane, a message now states, “Could not retrieve the directory browsing settings.”
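The following PowerShell script is an added example, not part of the original text: it audits the two things configured above, whether WMSVC accepts remote connections and which delegation level is in effect for Directory Browsing. It assumes a local IIS 7.x or later host, Microsoft.Web.Administration.dll under %windir%\System32\inetsrv, and the HKLM WebManagement registry key that the Management Service UI writes its settings to.

```powershell
# Added example (not from the original text). Assumptions: local IIS host,
# Microsoft.Web.Administration.dll in %windir%\System32\inetsrv, and the
# WebManagement registry key written by the Management Service pane.
$ErrorActionPreference = 'Stop'

function Get-WmsvcState {
    # "Enable Remote Connections" and the credential choice are persisted here.
    $key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $reg = Get-ItemProperty -Path $key
    $svc = Get-Service -Name WMSVC
    # Win32_Service exposes the startup type (Manual/Auto) on older PowerShell too.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WMSVC'"
    [pscustomobject]@{
        RemoteConnectionsEnabled = ($reg.EnableRemoteManagement -eq 1)
        WindowsCredentialsOnly   = ($reg.RequiresWindowsCredentials -eq 1)
        ServiceStatus            = $svc.Status
        StartupType              = $wmi.StartMode
    }
}

function Get-FeatureLockState {
    param([string]$SectionPath = 'system.webServer/directoryBrowse')
    Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
    $sm  = New-Object Microsoft.Web.Administration.ServerManager
    $cfg = $sm.GetApplicationHostConfiguration()
    $sec = $cfg.GetSection($SectionPath)
    # Feature Delegation records its choice as overrideMode on the section in
    # applicationHost.config: Read/Write -> Allow (a site's web.config may change
    # the feature), Read Only and Not Delegated -> Deny (section locked).
    $delegation = if ($sec.OverrideModeEffective -eq 'Allow') {
        'Read/Write'
    } else {
        'Read Only or Not Delegated'
    }
    [pscustomobject]@{
        Section               = $SectionPath
        OverrideMode          = $sec.OverrideMode
        OverrideModeEffective = $sec.OverrideModeEffective
        Delegation            = $delegation
    }
}

Get-WmsvcState      | Format-List
Get-FeatureLockState | Format-List
```

Run it elevated on the web server before and after step 3 to confirm that the section's effective override mode changes from Allow to Deny.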
You have seen how you can lock down specific configuration features in IIS 7.0. Keep in mind the following points when delegating rights with IIS:
- Back up the configuration files before performing modifications.
- Configure with the most restrictive settings possible.
- Do not change the system account.
When you’re delegating rights, many features need to be considered. What if you have multiple IIS servers in your organization? How can you make sure your configuration is the same on all IIS servers? In this case, you can use the Shared Configuration applet under the Management section (when grouped by area) in order to use a shared configuration file or, if you have the master file, to export your file to a shared location for other servers to use.
Note
The Shared Configuration tool is not limited to the delegation and rights configuration of IIS 7.0. This tool shares all the configuration settings for IIS.