IIS users and subscription users belong to one common
psacln Windows security group.
Scheduled tasks are performed on behalf of subscription users. In case of subscription user account compromising (FTP password disclosed), this can be a security problem.
How to deny use of
powershell.exe to IIS Users and allow Subscription user to run
cmd.exe and PowerShell from scheduled tasks?
This cannot be performed by means of Plesk. A security improvement task PFSI-46000 was created. It will be implemented in future product updates.
Until it is implemented, use the following workaround to deny access to
cmd.exe for the IIS users:
Connect to the server via RDP.
Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group:
- Create a new group (called
secgroupfurther in the example):
Add the Deny rule for
%SYSTEMROOT%System32WindowsPowerShellv1.0powershell.exefiles for members of the newly created group:
Right-click the file > Properties > Security tab > Advanced > Add
Note: to edit the system utilities permissions it may be needed to change the owner to Administrator: Properties > Security tab > Advanced > change Owner, and then change it back to Trusted Installer: change Owner > type NT ServiceTrustedInstaller and click Check names.
Create a script that regularly adds IIS Application pool users for all subscriptions into a specific security group
To do it, create an empty .bat file and append the following commands to it:
net localgroup psacln | findstr "IWPD*" > C:users.txt
FOR /F %%A in (C:users.txt) DO net localgroup secgroup %%A /add
secgroupwith the actual group name.
This script will create a file
C:users.txtwith the list of IIS application pool users and add these to the group created during step 2.
Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks
Click Add Task, select task type Run a command and specify the path to the
.batfile from step 4 in the Command field. Set the necessary period to run the task (for example, daily) and click OK: