The Web Management Service is a service from IIS 7.0 that runs on the IIS server, that is, the server that is going to be managed remotely. It provides two important features:
- It handles remote administration for IIS Manager by listening for incoming HTTPS requests from remote users running IIS Manager and executing the requested operations locally.
- It provides access for Windows users without administrative privileges and for non-Windows users, whether they use IIS Manager from a local or a remote machine.
Note
This service is not functional in Windows Vista. This means that IIS running under Windows Vista cannot be managed remotely using IIS Manager.
Windows Server 2008 Server Core does not include managed code support, which means the Web Management Service cannot be installed on that configuration.
Because it is not part of the default IIS 7.0 install, the Web Management Service is an optional role service that needs to be installed and its startup type configured. To install it, you can use Server Manager or the ServerManagerCMD command line tool. To install using Server Manager, follow this procedure:
- Start Server Manager.
- In Server Manager, select Roles.
- In the Web Server (IIS) role group, click Add Role Services.
- Under Management Tools, select Management Service and then click Next.
- Click Install.
Figure 1 shows the Select Role Services window.
To install the Web Management Service by using ServerManagerCMD, run the following command line.
ServerManagerCMD -install Web-Mgmt-Service
After the Web Management Service is installed, you need to make some configuration changes to adapt the service to your environment. The important tasks include:
- Configuring the service to start automatically
- Enabling remote connections, the SSL certificate, and IP configuration
- IPv4 address restrictions
- Connection authentication options
Configuring the Service Startup Type to Automatic
When installed, the Web Management Service is configured to start manually, which means that it does not start on its own once it has been stopped, for example when the machine is restarted. Until someone starts the Web Management Service by hand, remote management is unavailable. For this reason, it is important to set the service to start automatically, which ensures that remote management is enabled at all times. To do this, you can use the Services console or the Sc.exe command line tool.
To configure the service to start automatically using the Services console, perform the following steps:
- From the Administrative Tools program group, launch Services.
- Double-click Web Management Service.
- In the Startup Type drop-down list, select Automatic and then click OK.
Figure 2 shows the Web Management Service Properties dialog box.
To configure the service to run automatically
using the Services Configuration (Sc.exe) command line tool, run the
following command from an elevated command prompt.
sc config WMSvc start= auto
Note
WMSvc is the name of the service in the services configuration database. Make sure there is a space after the = sign in the preceding command line; otherwise, Sc.exe will not parse the command correctly.
Enable Remote Connections, SSL Certificate, and IP Configuration
By default, the Web Management Service accepts only local connections for administration tasks. This lets delegated users (non-administrators) connect to and manage their sites and applications on the local machine, but not from a remote machine. To allow remote connections, you need to enable them by using the Management Service feature in IIS Manager.
Also, during setup, a self-signed certificate is created and used for the SSL registration of port 8172 with HTTP.sys. This certificate provides a simple way to set up a test configuration. However, it is strongly recommended that you obtain a valid certificate issued by a trusted certificate authority (CA) for use by the users who will connect to this machine. With the built-in self-signed certificate, every remote machine that connects to the server gets a warning asking whether the certificate is trusted and whether the connection should go ahead, with the option to view the certificate details. Because the user has no way to distinguish the server's own self-signed certificate from one presented by a host interposed on the path, a warning that users learn to click through provides no real protection, and the management credentials sent over that connection are exposed. Figure 3 shows the Server Certificate Alert that users see when they use a self-signed certificate.
To avoid this warning, you need to acquire and
configure a valid certificate for server authentication from your own
trusted certificate authority or from a known certificate authority.
Such a certificate can be installed on the server by using different
tools, including the Certificates console and the IIS Manager Server
Certificates feature. After the certificate is installed on the machine,
you can configure the Web Management Service to use the certificate via
the IIS Manager Management Service feature. To do this, follow these
steps:
- From the Administrative Tools program group, launch the Internet Information Services (IIS) Manager.
- In the Connections pane, select the IIS computer node and then double-click Management Service in the Features View pane. To make changes, you first need to stop the Web Management Service.
- At the top of the page, enable remote connections by checking the Enable Remote Connections check box.
- In the Connections section, set the IP address and the port that you want the service to bind to. Set the SSL certificate by using the SSL Certificate drop-down list, which lists all the available certificates for server authentication.
- After making any necessary changes, click Apply to start the service.
Figure 4 shows the Management Service configuration settings.
Note
If the Web Management Service is running, the Management Service options are disabled. To change the configuration, you first need to click Stop in the Actions pane.
Note
If you change the port the service uses and want to allow remote connections, you need to create a firewall exception rule for the new port; otherwise, remote clients will not be able to connect. By default, during setup, a firewall exception rule called Web Management Service (HTTP) is added and enabled for port 8172. Also, when remote users enter the server name in the Connect To Server dialog box, they need to include the port in the Server Name text box (for example, MyServerMachine:8173).
All the settings configured by the Management Service feature are stored in the registry under the following key.
HKLM\SOFTWARE\Microsoft\WebManagement\Server
Table 1 shows the Web Management Service registry entries.
Table 1. Web Management Service Registry Entries

| Value | Description |
|---|---|
| EnableLogging | Specifies whether logging is enabled. The default value is 1 (enabled). |
| EnableRemoteManagement | Specifies whether the service accepts remote connections or only local delegated connections. The default value is 0 (remote connections not allowed). Set this to 1 to allow remote connections. |
| IPAddress | Specifies the IP address that the service is bound to. The default is All Unassigned. Note: changing this value in the registry has no effect, because IIS Manager performs the SSL configuration and the URL reservation with HTTP.sys. |
| LoggingDirectory | Specifies the directory where the log files are written. The default value is %SystemDrive%\Inetpub\logs\Wmsvc. |
| Port | Specifies the port that the service uses. The default is 8172. Note: changing this value in the registry has no effect, because IIS Manager performs the SSL configuration and the URL reservation with HTTP.sys. |
| RemoteRestrictions | Holds a serialized copy of the configured IP address restriction list. Do not edit this value directly. |
| RequiresWindowsCredentials | Specifies whether only Windows credentials are accepted for remote connections or IIS Manager credentials are accepted as well. The default value is 1 (Windows credentials only). Set this to 0 to accept both. |
| SelfSignedSslCertificateHash | Contains the hash of the self-signed certificate generated during setup. |
| SslCertificateHash | Specifies the hash of the certificate to use for SSL. Note: changing this value in the registry has no effect, because IIS Manager performs the SSL configuration and the URL reservation with HTTP.sys. |
As mentioned previously, changing some of the values such as IPAddress, Port, or SslCertificateHash directly in the registry does not cause the service to use them automatically, because the UI also applies them to the HTTP.sys URL reservation and SSL configuration. Therefore, if you want to configure those settings from a script, you need to update the registry and also perform the registration with HTTP.sys yourself using the network configuration command line tool Netsh.exe, then restart the Web Management Service.
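The scripted form of that procedure (registry values from Table 1, then the HTTP.sys binding with Netsh.exe, then a service restart), written here as an added PowerShell example; it is not part of the original text and not a tool that ships with IIS. It assumes SslCertificateHash is stored as REG_BINARY, Port as REG_DWORD and IPAddress as REG_SZ, reads the HTTP.sys application ID and the URL reservation owner from the existing binding instead of hard-coding them, and parses English netsh output. The function name and its parameters are the example's own.

```powershell
# Added example, not from the original text: rebinds the Web Management
# Service to a CA-issued certificate (and optionally another address/port)
# the way the Management Service UI does it: registry, HTTP.sys, restart.
# Assumptions: value types in HKLM\SOFTWARE\Microsoft\WebManagement\Server
# as noted in the lead-in; English netsh messages. Run elevated.
function Set-WmsvcBinding {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,  # cert in Cert:\LocalMachine\My
        [string]$IPAddress = '0.0.0.0',                     # 0.0.0.0 = all unassigned
        [int]$Port = 8172
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # The certificate must be in the machine store and carry the Server
    # Authentication EKU (1.3.6.1.5.5.7.3.1), or IIS Manager clients reject it.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw 'Certificate does not carry the Server Authentication EKU'
    }

    # Binding the UI registered last time; non-IP values mean "all unassigned".
    $cur   = Get-ItemProperty -Path $key
    $oldIp = [string]$cur.IPAddress
    $tmp   = $null
    if (-not [System.Net.IPAddress]::TryParse($oldIp, [ref]$tmp)) { $oldIp = '0.0.0.0' }
    $oldIpPort = "${oldIp}:$($cur.Port)"
    $newIpPort = "${IPAddress}:$Port"

    Stop-Service WMSvc -ErrorAction SilentlyContinue

    # Keep the application ID HTTP.sys already associates with WMSvc. The
    # fallback GUID is the one this example assumes for WMSvc; HTTP.sys
    # accepts any GUID here, it only tags the owner of the binding.
    $show = netsh http show sslcert "ipport=$oldIpPort" | Out-String
    if ($show -match '\{[0-9a-fA-F-]{36}\}') { $appId = $Matches[0] }
    else { $appId = '{d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}' }

    netsh http delete sslcert "ipport=$oldIpPort" | Out-Null
    netsh http add sslcert "ipport=$newIpPort" "certhash=$($cert.Thumbprint)" "appid=$appId" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $newIpPort" }

    # Move the URL reservation to the new port, keeping the same owner (the
    # service account, which is not an administrator and needs the reservation).
    $acl = netsh http show urlacl | Out-String
    if ($acl -match "Reserved URL\s*:\s*(https://\S+:$($cur.Port)/)\s*\r?\n\s*User:\s*([^\r\n]+)") {
        $oldUrl = $Matches[1]; $owner = $Matches[2].Trim()
        $newUrl = $oldUrl -replace ":$($cur.Port)/$", ":$Port/"
        if ($newUrl -ne $oldUrl) {
            netsh http delete urlacl "url=$oldUrl" | Out-Null
            netsh http add urlacl "url=$newUrl" "user=$owner" | Out-Null
        }
    }

    # Registry values, so IIS Manager shows the same configuration.
    $hex  = $cert.Thumbprint
    $hash = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    New-ItemProperty -Path $key -Name SslCertificateHash -Value $hash -PropertyType Binary -Force | Out-Null
    New-ItemProperty -Path $key -Name Port -Value $Port -PropertyType DWord -Force | Out-Null
    if ($IPAddress -ne '0.0.0.0') {
        # Left untouched for "all unassigned": the exact string the UI stores
        # for that case is not documented in the text, so it is not guessed.
        New-ItemProperty -Path $key -Name IPAddress -Value $IPAddress -PropertyType String -Force | Out-Null
    }

    if ($Port -ne 8172) {
        # Setup only opened 8172; a custom port needs its own inbound rule.
        netsh advfirewall firewall add rule "name=Web Management Service (TCP $Port)" dir=in action=allow protocol=TCP "localport=$Port" | Out-Null
    }

    Start-Service WMSvc
    netsh http show sslcert "ipport=$newIpPort"   # verify the new binding
}

# Usage (placeholder thumbprint):
# Set-WmsvcBinding -Thumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
```

After the function returns, connect with IIS Manager from a remote machine; the certificate alert should no longer appear if the issuing CA is trusted on the client, and `netsh http show sslcert` should list the new thumbprint for the WMSvc port.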
IPv4 Address Restrictions
When the Web Management Service is running and remote connections are enabled, any IP address can connect. The Management Service feature lets you tighten this by configuring specific IP addresses or ranges of IP addresses that are either allowed or denied access, and by specifying the access granted to any client that is not in the list. The configuration is best understood through examples:
- Allow a specific set of clients. To configure this, set the Access For Unspecified Clients drop-down list to Deny so that only the clients in the restriction list are allowed. Then add each of the clients or IP ranges by using the Allow button. Figure 5 shows an example of this configuration.
- Deny access to a specific set of clients. To configure this, choose Allow from the Access For Unspecified Clients drop-down list. With Allow selected, everyone is allowed, and only the clients in the restriction list are denied access. Then use the Deny button to add each of the clients or IP ranges you want to deny. Figure 6 shows an example of this configuration.
Note
These settings apply only to IPv4 addresses; a client connecting over IPv6 is not filtered by this list, so restrict the port at the firewall as well if the server is reachable over IPv6. To change the settings, remote connections must be enabled.
Note
The IPv4 restriction list that the Web Management Service uses is separate from the IPv4 Address and Domain Restrictions configured in IIS for the Web Server. Each of them applies only to its own service.
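Because the restriction list only covers IPv4, the same allow-listed or deny-listed policy is worth enforcing one layer down, in the Windows Firewall rule that setup creates for the service. The following is an added PowerShell example, not part of the original text; it goes beyond the page's own mechanism by applying the policy to the firewall rule (where IPv6 clients are covered too) and assumes the rule name "Web Management Service (HTTP)" and port 8172 from the text, English netsh output, and an elevated prompt on the IIS server. The function name and the name of the block rule it creates are the example's own.

```powershell
# Added example, not from the original text: mirrors the Management Service
# allow/deny policy in the firewall rule for TCP 8172 so it also applies to
# IPv6 and to clients that reach the port before WMSvc answers.
# Assumptions: rule name from the text, English netsh messages, elevated.
function Set-WmsvcFirewallScope {
    param(
        # AllowListed = "Access For Unspecified Clients: Deny", only the listed
        # addresses may connect. DenyListed = "Access For Unspecified Clients:
        # Allow", everyone except the listed addresses may connect.
        [Parameter(Mandatory = $true)][ValidateSet('AllowListed', 'DenyListed')]
        [string]$Mode,
        # Single addresses, ranges (10.0.0.10-10.0.0.20) or subnets
        # (10.0.0.0/24, fd00:1::/64), in the syntax netsh advfirewall accepts.
        [Parameter(Mandatory = $true)][string[]]$Addresses,
        [string]$RuleName = 'Web Management Service (HTTP)',
        [int]$Port = 8172
    )
    $list      = $Addresses -join ','
    $blockRule = "WMSvc deny list (TCP $Port)"   # name chosen by this example

    if (-not (netsh advfirewall firewall show rule "name=$RuleName" | Select-String 'Rule Name')) {
        throw "Firewall rule '$RuleName' not found; list rules with: netsh advfirewall firewall show rule name=all"
    }

    switch ($Mode) {
        'AllowListed' {
            # Only the listed remote addresses match the allow rule; any other
            # inbound packet to the port falls through to the default block.
            netsh advfirewall firewall delete rule "name=$blockRule" | Out-Null
            netsh advfirewall firewall set rule "name=$RuleName" new "remoteip=$list" | Out-Null
        }
        'DenyListed' {
            # Open the allow rule to any address and add an explicit block rule
            # for the listed ones. Block rules take precedence over allow rules.
            netsh advfirewall firewall set rule "name=$RuleName" new remoteip=any | Out-Null
            netsh advfirewall firewall delete rule "name=$blockRule" | Out-Null
            netsh advfirewall firewall add rule "name=$blockRule" dir=in action=block `
                protocol=TCP "localport=$Port" "remoteip=$list" | Out-Null
        }
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed while applying the $Mode policy" }

    # Show the resulting scope so it can be compared with the restriction
    # list configured in the Management Service feature.
    netsh advfirewall firewall show rule "name=$RuleName"
    if ($Mode -eq 'DenyListed') { netsh advfirewall firewall show rule "name=$blockRule" }
}

# Examples with placeholder addresses:
# Set-WmsvcFirewallScope -Mode AllowListed -Addresses '10.10.0.0/24','fd00:10::/64'
# Set-WmsvcFirewallScope -Mode DenyListed  -Addresses '203.0.113.7'
```

Keep the Management Service list and the firewall scope in step: the firewall decides whether a packet reaches the service at all, the restriction list decides what the service answers, and a client has to pass both.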
Connection Authentication Options
One of the most powerful features of the delegated configuration support in IIS 7.0 is that it enables users without administrative privileges to configure their site and application settings in their own Web.config files. The Web Management Service takes this further by not only providing them the UI for doing that, but also enabling users to change settings in their own Web.config files without even having a Windows user account. These users are called IIS Manager users and can be configured using IIS Manager. A clear understanding of the differences between these authentication models helps you choose the best strategy for your environment.
Using Windows credentials is the recommended setting for enabling remote management, because Windows provides a robust solution for managing users and groups and for establishing policies such as account and password policies, along with several tools that simplify managing those users and groups. When Windows credentials are used, every action the remote user performs runs under their own identity on the server. This means you can use the security mechanisms in Windows, such as access control lists (ACLs), to protect the resources on the server and gain more granular control over them. It also means that you need to specifically grant the user access to every resource they will manage; in particular, you need to grant write access to at least the Web.config files that the user manages.
Windows administrators are the
only users that can connect to a server and manage it entirely, and they
are always allowed to connect to the server in addition to any site or
application. Windows users that do not have administrative privileges
will be allowed to connect only to their own sites and applications, and
only when the administrator has granted them access.
IIS Manager credentials provide an
alternative for scenarios in which creating Windows accounts for all the
remote users is not an option, or when the users that are allowed to
connect are already stored in a different authentication system, such as
a customer
database, and you want to keep them in a single store. IIS Manager
users use a combination of user name and password only, and they do not
have any correspondence with Windows principals. As such, their requests
always run as the process identity, which is configured in the Log On
setting of the Web Management Service. By default, the Web Management
Service is configured to use Local Service, but thanks to the Service
Isolation feature in Windows Server 2008, you can use the
service-specific SID NT Service\WMSvc to protect access to content and
resources.
One drawback of using IIS Manager
credentials is that, for every resource that needs to be used, you need
to grant access to it by using the same identity (NT Service\WMSvc),
independent of the site, application, or user that will be connecting.
This provides no isolation at the operating system level. The IIS
Manager built-in features are designed to carefully protect against
enabling users to perform actions outside their scope, which means this
shouldn’t be a concern. However, IIS Manager functionality is
extensible, and it is important that you install IIS Manager
administration features only from trusted sources because they run
inside WMSvc.
One interesting characteristic of using IIS
Manager users is that this functionality is built using an extensible
architecture that you can replace. This gives you the ability to
authenticate and authorize against your own Users store, whether it is
an existing database, an LDAP provider, or anything else.
The built-in implementation of the authentication provider uses the IIS configuration APIs to store the users in a file called Administration.config, located in the %SystemRoot%\System32\Inetsrv\Config directory. For each user the file holds the user name and a SHA256 hash of the password, not the password itself. This proves to be really useful when enabling the IIS Shared Configuration feature, because it provides a simple, convenient way to have a centralized list of users for a set of machines.
Another consideration when using IIS Manager credentials is whether the content of your sites or applications is stored on a universal naming convention (UNC) path on a remote machine. Given that the operations performed by IIS Manager users are executed as the process identity, and that by default the Web Management Service runs as Local Service, IIS Manager users will not be able to manage any resources outside the local machine unless you change the service logon identity of the Web Management Service.
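Putting the two authentication models side by side in a script shows where the access decisions actually land: IIS Manager Permissions for both kinds of user, a file system ACE for the Windows user herself, and a file system ACE for NT Service\WMSvc on behalf of the IIS Manager user. The following is an added PowerShell example, not part of the original text; it uses the Microsoft.Web.Management.Server API that ships with IIS 7.0 and the RequiresWindowsCredentials value from Table 1. The site name, physical path and account names are placeholders; run it elevated on the IIS server.

```powershell
# Added example, not from the original text: delegates one site to a Windows
# user and to an IIS Manager user (who has no Windows account) and sets the
# file system rights each execution identity from Table 2 needs.
# Assumptions: placeholder site, path and account names below; the API in
# %windir%\System32\inetsrv\Microsoft.Web.Management.dll; elevated prompt.
[System.Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Management.dll") | Out-Null

$site     = 'Default Web Site'   # placeholder site name as shown in IIS Manager
$sitePath = 'C:\inetpub\wwwroot' # placeholder physical path of that site
$iisUser  = 'webadmin-ext'       # IIS Manager user, kept in Administration.config
$winUser  = 'CONTOSO\alice'      # placeholder non-administrator Windows user
$key      = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'

# 1. Accept IIS Manager credentials in addition to Windows credentials.
#    The default, 1, keeps the service Windows-only (Table 1).
Set-ItemProperty -Path $key -Name RequiresWindowsCredentials -Value 0

# 2. Create the IIS Manager user. The password is read as a SecureString so it
#    does not land in the command history; the API persists only a hash.
$secure = Read-Host "Password for IIS Manager user $iisUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$auth = [Microsoft.Web.Management.Server.ManagementAuthentication]
if (-not $auth::GetUser($iisUser)) {
    $auth::CreateUser($iisUser, $plain) | Out-Null
}
$plain = $null

# 3. Grant both accounts IIS Manager Permissions on the site only, never on
#    the server. The third argument is $true for a role, $false for a user.
$authz = [Microsoft.Web.Management.Server.ManagementAuthorization]
$authz::Grant($iisUser, $site, $false) | Out-Null
$authz::Grant($winUser,  $site, $false) | Out-Null

# 4. File system rights follow the execution identity:
#    - the Windows user acts as herself, so she gets her own ACE;
#    - the IIS Manager user acts as the service identity, so NT SERVICE\WMSvc
#      gets the ACE, and every site delegated this way shares that one ACE.
#    Modify with inheritance on the site root lets web.config be created or
#    rewritten; narrow it to web.config alone if users must not touch content.
icacls $sitePath /grant "${winUser}:(OI)(CI)(M)" | Out-Null
icacls $sitePath /grant "NT SERVICE\WMSvc:(OI)(CI)(M)" | Out-Null

# 5. WMSvc reads the credential setting when it starts.
Restart-Service WMSvc

# 6. Confirm the user record exists (the file holds a hash, not the password).
Select-String -Path "$env:windir\System32\inetsrv\config\Administration.config" -Pattern $iisUser
```

The asymmetry in step 4 is the point of the section: with Windows credentials the ACL can name the individual user, while with IIS Manager credentials every delegated site has to be writable by the same service identity, so the only thing keeping one IIS Manager user out of another user's site is the IIS Manager authorization check in step 3.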
Table 2 summarizes the types of users and their characteristics.
Table 2. User Types and Their Characteristics

| Type of User | Connection Scope | Execution Identity |
|---|---|---|
| Windows Administrators | Windows administrators are always allowed to connect to the server and to any site or application on the machine. | Every action on the server is performed as the calling Windows administrator's identity. |
| Windows Users | Windows users are allowed to connect only to the sites or applications they have been granted access to via IIS Manager Permissions. In other words, regular Windows users are never allowed to connect to manage the entire server, only sites or applications. | Every action on the server is performed as the calling Windows user's identity. |
| IIS Manager Users | IIS Manager users are allowed to connect to sites or applications only if IIS Manager credentials are enabled in the Management Service feature and only if they have been granted access via the IIS Manager Permissions feature. They are never allowed to connect to manage the entire server, only sites or applications. | Every action on the server is performed as the process identity configured as the service logon identity. For simplicity, you can assume NT Service\WMSvc. |