
I am trying to find the configuration settings for this hardening on Windows 2019:
Block IIS sites configuration change from the IIS GUI, even for administrators.
The sites web.config change should be possible using a text editor.
I have this hardening on a previous server but can't find the relevant settings.
It doesn't seem to be from the applicationhost.config or IIS feature delegation.
When this hardening is configured and the admin tries to change a site's settings, this should be the error:
IIS Hardening error
Please don't tell me to try some other hardening.
I need to configure this exactly.

jwalker
  • Any hardening you do on your server can be undone by any administrator. So unless you have administrators who don't know what they are doing, what's the point? – Peter Hahndorf Apr 27 '21 at 18:38
  • I understand your point and logic. It makes it harder to make mistakes while using the IIS GUI. However, it is a requirement and therefore I need to know how to configure it. – jwalker Apr 28 '21 at 20:40

1 Answer


I don't know what was done to your previous server to get this behaviour.

You can remove the IIS GUI from the server.

You can restrict certain settings to not be available on a site level, but that means you can also not set them in web.config files.

You can't change NTFS permissions on web.config because you still want them to be editable via text-editor.

As far as I know there is no built-in setting that prevents administrators from changing any IIS settings in the GUI.

If you still have access to your previous server, use Process Monitor to find out what happens when you see the popup you posted.

This seems to be a popup for the IIS Rewrite module which is not part of IIS. Does the old server also prevent changes to other settings?

Peter Hahndorf
  • I need to check. I couldn't find the hardening in the applicationhost.config of the previous server. It seems to be unrelated to secpol.msc too. – jwalker Apr 30 '21 at 16:44