Administrators mostly use a local or domain account that has local admin rights to manage IIS. How about non-administrator accounts? Can a non-administrator account use IIS Manager?
The answer is Y...
Updated Sep 04, 2020
Version 2.0
Blog Post
Hi rvmishra ,
I have recently updated this post as there have been changes in this topic. There is currently no convenient way for non-admins to manage application pools. This is on purpose. We think it’s a security risk to allow non-admins to stop websites.
Using manage.iis.net was a workaround but this website has been recently retired (Even when it was active, it required admin intervention for setup and every time browser cache is cleared).
We have a tool called Windows Admin Center. This tool is developed to help admins manage servers remotely (Not just IIS but it can manage other components as well). If you set up this tool with admin credentials, non-admin users can later continue using it to manage sites. However, I don’t recommend this tool for this scenario because of the following reasons.
- Admin credentials should be used to set it up for every user/machine (We are simply using browser to save password)
- Every time the machine is restarted, the credentials should be entered again
- The non-admin user will have more permissions than just managing IIS. They can manage users/groups, storage, etc.
In summary; it’s not recommended to use non-admin accounts to manage application pools.
Sorry to drag this up from the dead, but this is the whole point of delegation and least privilege.
In our use case, we have some developers who need to be able to operate some aspects of IIS administration (e.g. managing application pools) but where we don't want to give them full access to IIS or the web server because we don't trust them not to make unauthorised changes.
Your argument for not using full admin accounts for specific tasks which could be delegated is nonsense and also contrary to Microsoft's drive towards more granular management and control.
I realise that I'm shouting into the void on this one but this really is worthy of a fresh look...
