Access to cmd.exe and powershell.exe: how to allow it to subscription users and deny to IIS users?

Question

IIS users and subscription users belong to one common psacln Windows security group.

Scheduled tasks are performed on behalf of subscription users. In case of subscription user account compromising (FTP password disclosed), this can be a security problem.

How to deny use of cmd.exe and powershell.exe to IIS Users and allow Subscription user to run cmd.exe and PowerShell from scheduled tasks?

Answer

This cannot be performed by means of Plesk. A security improvement task PFSI-46000 was created. It will be implemented in future product updates.

Until it is implemented, use the following workaround to deny access to cmd.exe for the IIS users:

1. Connect to the server via RDP.

2. Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group:
   
   

3. Create a new group (called secgroup further in the example):
   

4. Add the Deny rule for %SYSTEMROOT%system32cmd.exe and %SYSTEMROOT%System32WindowsPowerShellv1.0powershell.exe files for members of the newly created group:

   Right-click the file > Properties > Security tab > Advanced > Add

   

   Note: to edit the system utilities permissions it may be needed to change the owner to Administrator: Properties > Security tab > Advanced > change Owner, and then change it back to Trusted Installer: change Owner > type NT ServiceTrustedInstaller and click Check names.

5. Create a script that regularly adds IIS Application pool users for all subscriptions into a specific security group

   To do it, create an empty .bat file and append the following commands to it:

   net localgroup psacln | findstr "IWPD*" > C:users.txt
    FOR /F %%A in (C:users.txt) DO net localgroup secgroup %%A /add

   Note: Substitute secgroup with the actual group name.

   This script will create a file C:users.txt with the list of IIS application pool users and add these to the group created during step 2.

6. Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks

7. Click Add Task, select task type Run a command and specify the path to the .bat file from step 4 in the Command field. Set the necessary period to run the task (for example, daily) and click OK: