Question
IIS users and subscription users belong to one common Windows security group, psacln.
Scheduled tasks are performed on behalf of subscription users. If a subscription user account is compromised (for example, the FTP password is disclosed), this can be a security problem.
How can the use of cmd.exe and powershell.exe be denied to IIS users while subscription users are still allowed to run cmd.exe and PowerShell from scheduled tasks?
Answer
This cannot be performed by means of Plesk. A security improvement task PFSI-46000 was created. It will be implemented in future product updates.
Until it is implemented, use the following workaround to deny access to cmd.exe and powershell.exe for the IIS users:

1. Connect to the server via RDP.

2. Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group and create a new group (called secgroup further in this example).

3. Add a Deny rule for the files %SYSTEMROOT%\system32\cmd.exe and %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe for members of the newly created group: right-click the file > Properties > Security tab > Advanced > Add.

   Note: to edit the permissions of system utilities it may be necessary to change the owner to Administrator (Properties > Security tab > Advanced > Change owner) and then change it back to TrustedInstaller afterwards: Change owner > type NT Service\TrustedInstaller and click Check Names.

4. Create a script that regularly adds the IIS application pool users of all subscriptions into the new security group. To do it, create an empty .bat file and add the following commands to it:

       REM List the members of psacln and keep only the IIS application pool users (IWPD_*)
       net localgroup psacln | findstr "IWPD*" > C:\users.txt
       REM Add each listed user to the deny group (already-present members are reported and skipped)
       FOR /F %%A in (C:\users.txt) DO net localgroup secgroup %%A /add

   Note: substitute secgroup with the actual group name.

   This script creates the file C:\users.txt with the list of IIS application pool users and adds them to the group created in step 2.

5. Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks.

6. Click Add Task, select the task type Run a command and specify the path to the .bat file from step 4 in the Command field. Set the required period for the task (for example, daily) and click OK.
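The same synchronisation can be done in PowerShell, which also lets the scheduled task verify that the Deny entries from step 3 are still present on both binaries instead of only adding group members. The following script is an added example, not part of the Plesk article or product; it assumes the group names psacln and secgroup from the steps above and relies on the IWPD_ naming prefix of Plesk IIS application pool users that the article's findstr filter also depends on. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember, Add-LocalGroupMember) available in Windows PowerShell 5.1 and must run with administrative rights.

```powershell
# Added example (not from the Plesk article). Keeps the deny group in sync with
# the IIS application pool users found in psacln, then checks that each
# protected binary still carries a Deny ACE for that group.
param(
    [string]$SourceGroup = 'psacln',    # group the article says all IIS and subscription users share
    [string]$DenyGroup   = 'secgroup',  # group created in step 2 (substitute the real name)
    [string]$UserPrefix  = 'IWPD'       # Plesk IIS application pool user prefix (assumption)
)

# Files that received the Deny rule in step 3.
$targets = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
)

# --- 1. Synchronise group membership (idempotent, unlike a blind 'net localgroup /add') ---
$current = @(Get-LocalGroupMember -Group $DenyGroup -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name })

# Only user accounts whose SAM name starts with the pool-user prefix; subscription
# users stay out of the deny group so their scheduled tasks keep working.
$poolUsers = Get-LocalGroupMember -Group $SourceGroup |
    Where-Object {
        $_.ObjectClass -eq 'User' -and
        (($_.Name -split '\\')[-1]) -like "$UserPrefix*"
    }

foreach ($u in $poolUsers) {
    if ($current -notcontains $u.Name) {
        Add-LocalGroupMember -Group $DenyGroup -Member $u.Name
        Write-Output "Added $($u.Name) to $DenyGroup"
    }
}

# --- 2. Verify the Deny ACEs are still in place on both binaries ---
$allOk = $true
foreach ($file in $targets) {
    $acl  = Get-Acl -Path $file
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$DenyGroup"
    }
    if ($deny) {
        Write-Output "OK: Deny ACE for $DenyGroup present on $file"
    } else {
        Write-Warning "MISSING: no Deny ACE for $DenyGroup on $file"
        $allOk = $false
    }
}

# Non-zero exit code so the Plesk scheduled task report shows a failed run
# when the restriction has been removed or reset.
if (-not $allOk) { exit 1 }
```

Schedule it the same way as the .bat file in step 6 (Run a command with powershell.exe -ExecutionPolicy Bypass -File &lt;path to the .ps1&gt;); the warning and exit code make a missing Deny entry visible in the task's run history rather than silently leaving the IIS users with access to the shells.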