private void SetupWebDeployPublishingOnServer(List<string> messages) { if (IsWebDeployInstalled() == false || String.IsNullOrEmpty(ProviderSettings[WDeployEnabled])) return; // var enableFeature = Convert.ToBoolean(ProviderSettings[WDeployEnabled]); var repairFeature = Convert.ToBoolean(ProviderSettings[WDeployRepair]); // var appHostConfigWriter = "WDeployConfigWriter"; var appHostConfigWriterPassword = Guid.NewGuid().ToString(); // var appPoolConfigEditor = "WDeployAdmin"; var appPoolConfigEditorPassword = Guid.NewGuid().ToString(); // var appHostConfigFilePath = FileUtils.EvaluateSystemVariables(@"%WINDIR%\system32\inetsrv\config\applicationHost.config"); // #region Repair feature if (repairFeature == true && enableFeature == true) { // Cleanup NTFS permissions SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU); // Remove applicationHost.config writer account SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU); // Remove local admin user to recycle app pools SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU); // Remove delegation rules if any var moduleService = new DelegationRulesModuleService(); // moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}"); moduleService.RemoveDelegationRule("dbFullSql", "Data Source="); moduleService.RemoveDelegationRule("dbMySql", "Server="); moduleService.RemoveDelegationRule("createApp", "{userScope}"); moduleService.RemoveDelegationRule("setAcl", "{userScope}"); moduleService.RemoveDelegationRule("recycleApp", "{userScope}"); moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}"); } #endregion // Create applicationHost.config writer account #region appHostConfigWriter account provisioning if (enableFeature == true) { // if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == false) { // try { SecurityUtils.CreateUser(new SystemUser { Name = appHostConfigWriter, FullName = appHostConfigWriter, Password = appHostConfigWriterPassword, PasswordCantChange = true, PasswordNeverExpires = true, MemberOf = new string[] { }, Description = "Web Deploy applicationHost.config writer account", }, ServerSettings, UsersOU, GroupsOU); // Grant appropriate NTFS permissions SecurityUtils.GrantNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, NTFSPermission.Modify, true, true, ServerSettings, UsersOU, GroupsOU); } catch (Exception ex) { var errorMessage = "Could not create applicationHost.config writer account"; // Log.WriteError(errorMessage, ex); // messages.Add(errorMessage); } } } else { if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == true) { // try { // Remove NTFS permissions SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU); // Remove writer account SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU); } catch (Exception ex) { var errorMessage = "Could not remove applicationHost.config writer user account"; // Log.WriteError(errorMessage, ex); // messages.Add(errorMessage); } } } #endregion // Create local admin user to recycle app pools #region appPoolConfigEditor account provisioning if (enableFeature) { // if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == false) { // try { SecurityUtils.CreateUser(new SystemUser { Name = appPoolConfigEditor, FullName = appPoolConfigEditor, Password = appPoolConfigEditorPassword, PasswordCantChange = true, PasswordNeverExpires = true, MemberOf = new string[] { "Administrators" }, Description = "Web Deploy AppPool configuration editor account", }, ServerSettings, UsersOU, GroupsOU); } catch (Exception ex) { var errorMessage = "Could not create application pool configuration editor account"; // Log.WriteError(errorMessage, ex); // messages.Add(errorMessage); } } } else { if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == true) { // try { // Remove appPool config editor account SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU); } catch (Exception ex) { var errorMessage = "Could not remove applicationHost.config writer user account"; // Log.WriteError(errorMessage, ex); // messages.Add(errorMessage); } } } #endregion // Add delegation rules #region Delegation rules provisioning if (enableFeature) { var moduleService = new DelegationRulesModuleService(); // if (moduleService.DelegationRuleExists("contentPath,iisApp", "{userScope}") == false) { moduleService.AddDelegationRule("contentPath,iisApp", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty); } // if (moduleService.DelegationRuleExists("dbFullSql", "Data Source=") == false) { moduleService.AddDelegationRule("dbFullSql", "Data Source=", "ConnectionString", "CurrentUser", String.Empty, String.Empty); } // if (moduleService.DelegationRuleExists("dbMySql", "Server=") == false) { moduleService.AddDelegationRule("dbMySql", "Server=", "ConnectionString", "CurrentUser", String.Empty, String.Empty); } // if (moduleService.DelegationRuleExists("createApp", "{userScope}") == false) { moduleService.AddDelegationRule("createApp", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword); } // if (moduleService.DelegationRuleExists("setAcl", "{userScope}") == false) { moduleService.AddDelegationRule("setAcl", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty); } // if (moduleService.DelegationRuleExists("recycleApp", "{userScope}") == false) { moduleService.AddDelegationRule("recycleApp", "{userScope}", "PathPrefix", "SpecificUser", appPoolConfigEditor, appPoolConfigEditorPassword); } // if (moduleService.DelegationRuleExists("appPoolPipeline,appPoolNetFx", "{userScope}") == false) { moduleService.AddDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword); } } else { var moduleService = new DelegationRulesModuleService(); // moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}"); moduleService.RemoveDelegationRule("dbFullSql", "Data Source="); moduleService.RemoveDelegationRule("dbMySql", "Server="); moduleService.RemoveDelegationRule("createApp", "{userScope}"); moduleService.RemoveDelegationRule("setAcl", "{userScope}"); moduleService.RemoveDelegationRule("recycleApp", "{userScope}"); moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}"); } #endregion }
public void EnforceDelegationRulesRestrictions(string siteName, string accountName) { var moduleService = new DelegationRulesModuleService(); // Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools var webSite = webObjectsSvc.GetWebSiteFromIIS(siteName); // var fqUsername = GetFullQualifiedAccountName(accountName); // Instantiate application pool helper to retrieve the app pool mode web site is running in WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings); // Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool if (aphl.is_shared_pool(webSite.ApplicationPool) == true) { // moduleService.RestrictRuleToUser("recycleApp", "{userScope}", fqUsername); moduleService.RestrictRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername); } // Dedicated app pool is not a subject for any restrictions else { // moduleService.AllowRuleToUser("recycleApp", "{userScope}", fqUsername); moduleService.AllowRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername); } }
private void RemoveDelegationRulesRestrictions(string siteName, string accountName) { WebSite webSite = null; using (ServerManager srvman = webObjectsSvc.GetServerManager()) { webSite = webObjectsSvc.GetWebSiteFromIIS(srvman, siteName); } var moduleService = new DelegationRulesModuleService(); // Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools var fqUsername = GetFullQualifiedAccountName(accountName); // Instantiate application pool helper to retrieve the app pool mode web site is running in WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings); // // Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool, // so we need to remove these restrictions if (aphl.is_shared_pool(webSite.ApplicationPool) == true) { // moduleService.RemoveUserFromRule("recycleApp", "{userScope}", fqUsername); moduleService.RemoveUserFromRule("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername); } }