IIS users and subscription users belong to one common
psacln Windows security group.
Scheduled tasks are performed on behalf of subscription users. In case a subscription user account is compromised (FTP password disclosed), this can become a security problem.
How to deny the use of
powershell.exe to IIS Users and allow Subscription users to run
cmd.exe and PowerShell from scheduled tasks on a Plesk server?
This task cannot be performed by means of Plesk.
The following workaround may be applied on the server to deny access to
cmd.exe for the IIS users:
Connect to the server via RDP.
Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group:
- Create a new group (for example,
%SYSTEMROOT%System32WindowsPowerShellv1.0powershell.exefiles for members of the newly created group. For this right-click the file > Properties > Security tab > Advanced > Add:
Note: To edit the system utilities permissions it may be required to change the owner to Administrator in Properties > Security tab > Advanced > Owner: Change. After the Deny rule s added, do not forget to switch the Owner back to Trusted Installer: change Owner > type NT ServiceTrustedInstaller and click Check names.
Create a script that regularly adds IIS Application pool users for all subscriptions to a specific security group. For this, create an empty
.batfile (for example,
C:script.bat) and append the following commands to it:
net localgroup psacln | findstr "IWPD*" > C:users.txt
FOR /F %%A in (C:users.txt) DO net localgroup secgroup %%A /add
secgroupwith the actual group name from step 3.
This script will create a file
C:users.txtwith the list of IIS application pool users and add these users to the group created in step 2.
Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks.
Click Add Task. Select task type as Run a command and specify the path to the
.batfile from step 5 in the Command field. Set the necessary period to run the task (for example, daily) and click OK: