"Brian Anderson" <brian@advancedcomputernetworking.com> wrote in message
news:%23FX75CRIGHA.3728@tk2msftngp13.phx.gbl...
> Anyone know if it is possible to lock down the IIS 6 Manager interface? I
> need to have underprivileged users have the ability to manage IIS and
> nothing else on several servers in a web farm. Also any possibility of
> locking it down to read only access?
>
> Thanks,
>
> Brian
>

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OJHagHbIGHA.2628@TK2MSFTNGP15.phx.gbl...
> IIS 6 Manager interface is already locked down to only Administrators.
> There
> are unsupported ways to re-ACL the metabase to allow non-administrators
> ability to manage it.
>
> I'm not certain what "locking it down to read only access" means. Are you
> wanting to prevent anything from making changes to configuration after you
> set it, or only giving read-only access to unprivileged users.
>
> But the bottom line is that what you are asking for (ability to delegate
> control of IIS configuration) is not really natively supported in IIS6, so
> you may not have a via solution that is feasible to implement. People have
> implemented control panels and such for IIS to fill this gap.
>
> This is something we address in IIS7, where the IIS Manager UI (as well as
> the text-based distributed configuration system) natively supports
> delegation so you can easily allow underprivileged users (who don't even
> need to be real NT user accounts) to manage their own virtual web
> app/server
> while the system administrator retains control of the real web server.
> Also,
> any configuration setting can be set to "read-only" to prevent
> modification
> by delegated users.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Brian Anderson" <brian@advancedcomputernetworking.com> wrote in message
> news:%23FX75CRIGHA.3728@tk2msftngp13.phx.gbl...
>> Anyone know if it is possible to lock down the IIS 6 Manager interface?
>> I
>> need to have underprivileged users have the ability to manage IIS and
>> nothing else on several servers in a web farm. Also any possibility of
>> locking it down to read only access?
>>
>> Thanks,
>>
>> Brian
>>
>
>
>

"Brian Anderson" <brian@advancedcomputernetworking.com> wrote in message
news:uAkyireIGHA.2696@TK2MSFTNGP14.phx.gbl...
> Thanks for your reply.
>
> I am happy to hear this will be addressed in IIS7.
>
> It would be useful to be able to lock the IIS configuration so nothing can
> change the config.
> It would also be useful if I could give read only permissions to
> underprivileged users.
>
> Is it possible to do either in IIS6?
>
> How about using the metabase explorer to provide read only permissions?
>
> Thanks,
>
> Brian
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OJHagHbIGHA.2628@TK2MSFTNGP15.phx.gbl...
>> IIS 6 Manager interface is already locked down to only Administrators.
>> There
>> are unsupported ways to re-ACL the metabase to allow non-administrators
>> ability to manage it.
>>
>> I'm not certain what "locking it down to read only access" means. Are you
>> wanting to prevent anything from making changes to configuration after
>> you
>> set it, or only giving read-only access to unprivileged users.
>>
>> But the bottom line is that what you are asking for (ability to delegate
>> control of IIS configuration) is not really natively supported in IIS6,
>> so
>> you may not have a via solution that is feasible to implement. People
>> have
>> implemented control panels and such for IIS to fill this gap.
>>
>> This is something we address in IIS7, where the IIS Manager UI (as well
>> as
>> the text-based distributed configuration system) natively supports
>> delegation so you can easily allow underprivileged users (who don't even
>> need to be real NT user accounts) to manage their own virtual web
>> app/server
>> while the system administrator retains control of the real web server.
>> Also,
>> any configuration setting can be set to "read-only" to prevent
>> modification
>> by delegated users.
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>>
>> "Brian Anderson" <brian@advancedcomputernetworking.com> wrote in message
>> news:%23FX75CRIGHA.3728@tk2msftngp13.phx.gbl...
>>> Anyone know if it is possible to lock down the IIS 6 Manager interface?
>>> I
>>> need to have underprivileged users have the ability to manage IIS and
>>> nothing else on several servers in a web farm. Also any possibility of
>>> locking it down to read only access?
>>>
>>> Thanks,
>>>
>>> Brian
>>>
>>
>>
>>
>
>