Knowledge Base

Access to cmd.exe and powershell.exe: how to allow it to subscription users and deny to IIS users?

 
control panelplesk for windowsproductsecurityserver

Question

IIS users and subscription users belong to one common psacln Windows security group.

Scheduled tasks are performed on behalf of subscription users. In case of subscription user account compromising (FTP password disclosed), this can be a security problem.

How to deny use of cmd.exe and powershell.exe to IIS Users and allow Subscription user to run cmd.exe and PowerShell from scheduled tasks?

Answer

This cannot be performed by means of Plesk. A security improvement task PFSI-46000 was created. It will be implemented in future product updates.

Until it is implemented, use the following workaround to deny access to cmd.exe for the IIS users:

  1. Connect to the server via RDP.

  2. Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group:
    article1.PNG

  3. Create a new group (called secgroup further in the example):
    article2.PNG

  4. Add the Deny rule for %SYSTEMROOT%system32cmd.exe and %SYSTEMROOT%System32WindowsPowerShellv1.0powershell.exe files for members of the newly created group:

    Right-click the file > Properties > Security tab > Advanced > Add

    article3.PNG

    Note: to edit the system utilities permissions it may be needed to change the owner to Administrator: Properties > Security tab > Advanced > change Owner, and then change it back to Trusted Installer: change Owner > type NT ServiceTrustedInstaller and click Check names.

  5. Create a script that regularly adds IIS Application pool users for all subscriptions into a specific security group

    To do it, create an empty .bat file and append the following commands to it:

    net localgroup psacln | findstr "IWPD*" > C:users.txt
     FOR /F %%A in (C:users.txt) DO net localgroup secgroup %%A /add

    Note: Substitute secgroup with the actual group name.

    This script will create a file C:users.txt with the list of IIS application pool users and add these to the group created during step 2.

  6. Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks

  7. Click Add Task, select task type Run a command and specify the path to the .bat file from step 4 in the Command field. Set the necessary period to run the task (for example, daily) and click OK:
    article4.PNG

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt