IIS 7.0 : Managing IIS Manager Extensions

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
7/7/2012 6:23:44 PM
In addition to the programmatic and command line options, the IIS 7.0 administration stack also provides a GUI management tool. IIS Manager, which replaces the legacy MMC snap-in from previous IIS versions, has been completely redesigned to provide end users with an intuitive task-based GUI experience for managing the server. The tool, shown in Figure 1, also serves as a foundation for remote IIS 7.0 management, providing secure HTTPS-based remote connectivity and delegated site management. 

In the spirit of IIS 7.0, IIS Manager provides its own extensibility platform, which enables you to add new UI management features and extensively customize the appearance and functionality of the interface. This completes the extensibility picture of the IIS 7.0 administration stack, enabling new configuration sections and administration extensions added at the configuration system layer to also have corresponding UI management experiences for the end user. These UI extensions also benefit from the remote management and delegation capacities that the tool provides. The tool handles all of the network connectivity, authentication against Windows or non-Windows credential stores, and delegated management, enabling your UI extension to focus on the actual management task without taking into account whether it’s being used for local or remote management.

IIS Manager.

Figure 1. IIS Manager.

How IIS Manager Extensions Work

A UI extension’s primary job is to provide the UI experience for managing the particular configuration section or performing any management task. Each UI extension typically consists of the following:

  • The client-side UI module. This is the client-side component that provides the UI experience, including new UI pages and other customizations of the tool’s interface. It invokes the corresponding module service to carry out the required management tasks.

  • The server-side module service. This is the server-side component that provides the underlying management functionality, typically invoking Microsoft.Web.Administration APIs to access the IIS 7.0 administration stack.

The separation between the client UI functionality and the server management functionality is necessary to enable support for remote management. The client-side component is always instantiated on the client, which may be running on the same physical machine as the server being managed or on a remote machine that is connecting to the server through IIS Manager’s management service. The module service is the server-side component, which carries out the underlying management tasks and is always instantiated on the server. This way, the management functionality in the UI extension does not need to concern itself with remote management, because it is always local to the server.

Both the client-side and server-side components are implemented as strongly named .NET assemblies, both of which must be installed into the server’s Global Assembly Cache (GAC) and registered in the server’s configuration. Because of this, both assemblies must be signed by the developer before they can be installed.

IIS Manager uses its own server-level configuration file, Administration.config, which is different from the server-level configuration file used by the Web server (ApplicationHost.config). It is also located in the %windows%\System32\Inetsrv\Config directory. IIS Manager substitutes this file for the root Framework Web.config file when reading its own configuration. This configuration contains the registration information for all of the IIS Manager extensions.

    <!-- Server Modules-->
    <add name="Modules"
Microsoft.Web.Management.Iis, Version=, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
    <add name="Handlers"
Microsoft.Web.Management.Iis, Version=, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<!-- For all Sites -->
<location path=".">
        <add name="Modules" />
        <add name="Handlers" />

In the excerpt shown here, two UI features that manage IIS 7.0 Web server modules (the "Modules" feature) and Web server handler mappings ("Handlers") are registered and are enabled by default for delegated management of all Web sites.

The <moduleProviders> section defines all of the IIS Manager extensions that are registered on the system and specifies the associated fully qualified type names of the corresponding module provider. Each module provider is responsible for providing the type information for the client-side UI modules and the corresponding server-side module service components at run time. This information is then used by IIS Manager and the management service to initialize the right components.

The <modules> section provides a mechanism to selectively enable the UI modules for a particular site. By default, all of the UI modules are enabled for all sites by being added at the "." level.


In remote management scenarios, the client machine does not need to have the UI extension registered on the server. When IIS Manager makes a remote connection to the server, it can automatically download the client components of the UI extensions registered on the server and display their UI features on the client.

Installing IIS Manager Extensions

Installing IIS Manager extensions is fairly simple. To do so, follow these steps:

  1. Install the client and server .NET assemblies in the server’s GAC.

  2. Register the module provider type in the Administration.config configuration file and optionally enable it for delegated site management.

Remember that the client and server assemblies that comprise the IIS Manager extension must be strongly named, that is, signed by the developer.

To register the module provider type, you have to add its fully qualified type to the <moduleProviders> collection and list the selected name of the module in the <modules> collection inside the Administration.config configuration file. To do this, you need to know the fully qualified type name of the module provider class, which is typically provided by the extension’s developer.


You must trust the source of the code before installing the extensions on your server because the extensions may execute with administrative privileges when you launch IIS Manager on your computer.

Securing IIS Manager Extensions

Just like administration extensions to the configuration system, IIS Manager extensions pose a relatively high risk because they contain code that may run with administrative privileges on the server. As such, if they are malicious or are compromised, they are not restricted in the damage that they can do.

Table 1 lists the programs that load IIS Manager extensions and the privilege under which they are executed.

Table 1. Programs That Load IIS Manager Extensions


Execution Privilege

IIS Manager GUI (Inetmgr.exe)

Caller (typically Administrator for local server administration)

Web Management Service (Wmsvc.exe)

Local Service (NT Service\wmsvc)

Authenticated user (if using Windows Authentication)

When you use IIS Manager locally to manage the server, it runs with the identity of the user that launched the tool. Because local administrators typically do this—it is required for much of the server-level administration such as creating sites and changing server-level configuration—the extensions in the tool run with administrative privileges.

When you use the Web Management Service to administer the server remotely, it runs with the Local Service account (mapped to NT Service\wmsvc by service isolation) or under the impersonated identity of the authenticated user if Windows Authentication was used for the remote connection. As such, administration extensions run with administrative privileges only if the remote user is an Administrator on the machine and Windows Authentication was used to authenticate. When non-Windows authentication is used, the extension will still have access to a number of server resources that the NT Service\wmsvc SID has access to. This affords more protection in case the administration extension is somehow compromised by a remote attack. Of course, the remote management service is locked down and requires authentication to access its functionality, so only users that are specifically granted the right to administer the server remotely and are allowed to use the specific extensions can execute them.

Because IIS Manager supports delegated management of Web sites, users that do not have administrative privileges on the server can be allowed to remotely (or locally) manage their Web site configuration. This management is controlled to a large extent by the configuration delegation, but IIS Manager provides an additional mechanism for controlling what UI features are available to site administrators. This is important when you consider that new administration extensions can expose UI features that go beyond configuration and in some cases do not implement their own delegation control.

In these scenarios, the server administrator needs to prevent site administrators from having access to those UI features. This can be done from the Feature Delegation feature available when connected to the server as a server administrator, as shown in Figure 2. You can completely hide the feature from nonadministrative users by setting its delegation state to "Not Delegated". Or, configure it so that its contents can be viewed but no changes to the underlying state can be made by setting the state to "Read Only". However, keep in mind that the administration extension has the responsibility of properly implementing delegation support. So if in doubt, use the "Not Delegated" option.

Feature Delegation.

Figure 2. Feature Delegation.

When a remote client uses IIS Manager to connect to the server, IIS Manager compares the module providers available on the server with what is available on the client. If a new extension is available on the server, IIS Manager prompts the client to download and install that extension. If the client accepts, IIS Manager installs the extension in the user’s profile (it is not installed to the GAC) and loaded inside IIS Manager, which may be running as an Administrator on the client machine (even though the client may be using nonadministrative credentials to connect remotely to the server). Because of this, it is critical for the server administrator to trust the source of the extension and for the client to trust the server. Otherwise, a malicious extension can be used to compromise the security of the client machines that are using IIS Manager to connect to the server.

You can take advantage of the publisher certificate–based trust model provided by IIS Manager to insure that all extensions you install on your server are signed by a publisher that you trust. You can also configure the clients to trust this specific publisher, thereby ensuring that the code downloaded to their machines is safe. In other words, do not install extensions coming from unknown or untrusted publishers or from unknown or untrusted Web servers!


Do not install administration extensions that come from untrusted publishers, especially when you are connected to a server you do not trust.

Even if you do not accept the download of the extension, your remote administration session will continue working properly, and you will be able to use all of the existing management functionality except for the extension you choose not to download. Next time you connect, you will have an opportunity to download it again.


If for whatever reason the extensions you downloaded have become corrupted or are no longer wanted on your client, you can purge the extension download cache by using the Inetmgr.exe /reset command.

Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us