IIS7 - Things to remember when using Web Management Service

IIS7 introduces the "Web Management Service", which lets computer and domain administrators manage a web server remotely by using IIS Manager. It is also used when users have been delegated to manage certain sites or applications on the server. You can also connect to an IIS7 server from your Windows XP machine or Vista desktop; for that, you need to download the IIS manager from here.

Read more about the "Web Management Service" here.

Now, the administrator's responsibilities can be delegated to website administrators very easily. This was also possible in IIS6 through Metabase ACLs, but now it is very simple to understand and very simple to configure.

So, what is the main thing you have to remember before you start using this service? See below:

image

There are two things to note. The first is that the service start-up type is set to "Manual". Why would this be a problem? If the server is rebooted for some reason, this service won't start automatically, so your website administrators won't be able to connect to their websites to administer them. So, make sure to start this service whenever you reboot the server, or simply change the service start-up type to "Automatic".

Second thing to be noted is the account in which this service runs. It runs under "Local Service" with a reduced permission set.

If you are using IIS Manager users (non-Windows users), then the "NT Service\WMSVC" account should have full control on the website content directory, or at least on the web.config, so that it is able to read and write the configuration. Also make sure this account has READ permission on the applicationHost.config file.

For Windows users, make sure that the specific user account has full control on the content folder, or at least on the web.config.

Here is an article on iis.net that explains remote administration for IIS Manager. Communication between the client and the management service running on the server is over HTTPS, and the service listens on port 8172.

image

As you see in the configuration, you can choose the certificate (a new certificate is automatically created for you when you install this feature). You can also add IP restrictions and configure the service to use Windows users and non-Windows users. The service has its own separate logging. By default it logs to %SystemDrive%\Inetpub\logs\WMSvc.

To wrap up the main idea of this post, below are the 2 things you need to remember:

  1. The service start-up type is Manual, so change it to Automatic or start the service after you reboot the machine.
  2. You have to give "NT Service\WMSVC" full permission on the web.config of any website that will be administered by non-Windows users (IIS Manager users). In the case of Windows users, that specific user should be given permission.
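
The two reminders above, written as a Windows PowerShell script to run elevated on the server. This is an added example, not part of the original post: the site path is a placeholder, and the service name `WMSVC` and the applicationHost.config location under `%windir%\System32\inetsrv\config` are assumed defaults. Without `-Fix` it only reports, and it grants rights on web.config only, the narrower of the two options mentioned above.

```powershell
# Added example: report (and with -Fix, apply) the WMSVC settings from this post.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\ExampleSite',  # placeholder content directory
    [switch]$Fix                                           # report only unless -Fix is given
)

$account   = 'NT Service\WMSVC'
$webConfig = Join-Path $SitePath 'web.config'
$appHost   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# True if an Allow ACE that names $Account directly covers all of $Rights.
# Access obtained only through group membership is not detected by this check.
function Test-Access([string]$Path, [string]$Account,
                     [System.Security.AccessControl.FileSystemRights]$Rights) {
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band [int]$Rights) -eq [int]$Rights) {
            return $true
        }
    }
    return $false
}

# Adds an Allow ACE for $Account on a single file and leaves existing ACEs in place.
function Grant-Access([string]$Path, [string]$Account,
                      [System.Security.AccessControl.FileSystemRights]$Rights) {
    $acl = Get-Acl -Path $Path
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

# Reminder 1: start-up type (StartMode is Auto, Manual or Disabled).
$svc = Get-WmiObject Win32_Service -Filter "Name='WMSVC'"
if (-not $svc) { throw 'Web Management Service (WMSVC) is not installed.' }
"WMSVC start-up type: $($svc.StartMode), state: $($svc.State)"
if ($Fix) {
    Set-Service -Name WMSVC -StartupType Automatic
    if ($svc.State -ne 'Running') { Start-Service -Name WMSVC }
}

# Reminder 2: full control on web.config, read on applicationHost.config.
foreach ($c in @(@{ Path = $webConfig; Rights = 'FullControl' },
                 @{ Path = $appHost;   Rights = 'Read' })) {
    $ok = Test-Access $c.Path $account $c.Rights
    '{0}: {1} for {2} -> {3}' -f $c.Path, $c.Rights, $account, $ok
    if (-not $ok -and $Fix) { Grant-Access $c.Path $account $c.Rights }
}
```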

Hope this helps! Happy Learning!