Hello all,

Our systems group doesn't give out local admin privs on servers to anyone external
to our group, as I'm sure is the case with others. We'd like to be able
to delegate almost all of the IIS administration on a server to people
external to our group, with a few exceptions. However, it appears that
the level of delegation to IIS related administration tasks is severely
lacking. http://support.microsoft.com/default.aspx?scid=kb;EN-US;q298969
describes the limitations of a "Web Site Operator", which are so limited
that it isn't useful at all, and the article suggests that the only
alternative is to give local admin privs.

I realize that IIS runs under the system context, and that should I find a way to delegate administration of IIS it would still amount to handing the equivalent of local admin of the server to an external group, but I feel this is more acceptable, especially when MS fixes this inherent security flaw in IIS 6.

Have others run into this IIS delegation problem? What alternatives did you find?

Via MS, I've heard about a solution some folks used which amounted to setting ACLs on the IIS metabase, but MS doesn't have details nor contact info so I can get the details myself.

I appreciate any info others have, or ideas you can share. :)

Regards,

Brian Arkills
Windows Systems Group
& Windows 2000 Infrastructure Project
Computing Systems and Service/ITSS
Stanford University
brianhansolo.stanford.edu
-----------------------
"Integrity has the power to build trust. Trust is what fuels a relationship."
                                                        John Maxwell
"The intelligent man is open to new ideas. In fact, he looks for them."
                                                        Proverbs

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]