Access to cmd.exe and powershell.exe: how to allow it to subscription users and deny to IIS users on a Plesk server?

Applicable to:

  • Plesk for Windows

Question

IIS users and subscription users belong to one common psacln Windows security group.

Scheduled tasks run on behalf of subscription users, so they need cmd.exe and powershell.exe. IIS application pool users do not. If a subscription user account is compromised (for example, its FTP password is disclosed), an attacker can upload a script to the site, and that script runs under the IIS application pool user; being able to start cmd.exe or powershell.exe from there is a security problem.

How to deny the use of cmd.exe and powershell.exe to IIS users while still allowing subscription users to run cmd.exe and PowerShell from scheduled tasks on a Plesk server?

Answer

This task cannot be performed by means of Plesk.

The following workaround may be applied on the server to deny access to cmd.exe and powershell.exe for the IIS application pool users only:

  1. Connect to the server via RDP.

  2. Go to Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups > More Actions > New Group.

  3. Create a new group (for example, secgroup).
  4. Add a Deny rule (Read & execute is enough) on the files %SYSTEMROOT%\System32\cmd.exe and %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe for members of the newly created group. For this, right-click the file > Properties > Security tab > Advanced > Add, select the group, choose Deny and tick Read & execute. On 64-bit Windows, if any application pool runs in 32-bit mode, apply the same Deny rule to the 32-bit copies %SYSTEMROOT%\SysWOW64\cmd.exe and %SYSTEMROOT%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, because 32-bit processes are redirected to that directory.

    Note: These system utilities are owned by TrustedInstaller and Administrators only have Read & execute on them, so to edit their permissions it may be required to first change the owner to Administrators in Properties > Security tab > Advanced > Owner: Change. After the Deny rule is added, do not forget to switch the owner back: change Owner > type NT SERVICE\TrustedInstaller and click Check Names.

  5. Create a script that regularly adds the IIS application pool users of all subscriptions to the group from step 3. For this, create an empty .bat file (for example, C:\script.bat) and put the following commands into it:

    @echo off
    rem Collect the Plesk IIS application pool users (named IWPD_<n>(<login>)) from psacln.
    rem /B anchors the match at the start of the line, so only real IWPD_ accounts are listed.
    net localgroup psacln | findstr /B "IWPD_" > C:\users.txt
    rem Add each of them to the group from step 3. Adding an existing member only prints an error.
    FOR /F "usebackq delims=" %%A in ("C:\users.txt") DO net localgroup secgroup "%%A" /add

    Note: Substitute secgroup with the actual group name from step 3.

    This script creates the file C:\users.txt with the list of IIS application pool users and adds these users to the group created in step 3. Subscription users are not named IWPD_, so they stay outside the group and their scheduled tasks keep working.

  6. Log in to Plesk and navigate to Tools & Settings > Scheduled Tasks.

  7. Click Add Task. Select task type as Run a command and specify the path to the .bat file from step 5 in the Command field. Set the necessary period to run the task (for example, daily) and click OK:
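Steps 3 to 5 can also be done in one idempotent PowerShell script, which is easier to keep under version control and to run both once by hand and then from the scheduled task of step 7. The script below is an added example, not code from the Plesk article or from Plesk itself; the group name secgroup, the script path and the list of binaries (including the SysWOW64 copies) are assumptions to adjust for your server. It must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Plesk article. Performs steps 3 to 5 of the
# workaround and is safe to run repeatedly: the Deny entries are only added
# once, and only missing application pool users are added to the group.
# Assumptions: the group is called 'secgroup'; the binaries listed below are
# the ones to block.

$Group = 'secgroup'
$Binaries = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    # 32-bit copies: a 32-bit application pool on 64-bit Windows reaches these
    # through file system redirection, so they need the same Deny rule.
    "$env:SystemRoot\SysWOW64\cmd.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

# Step 3: create the local group if it does not exist yet.
net localgroup $Group *> $null
if ($LASTEXITCODE -ne 0) {
    net localgroup $Group /add | Out-Null
}

# Returns the Deny entries for $Group on a file (empty array when there are none).
function Get-GroupDenyAce([string]$Path) {
    @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$Group"
    })
}

# Step 4: deny Read & Execute for the group. System binaries are owned by
# TrustedInstaller and Administrators only have Read & Execute on them, so
# take ownership first, add the Deny entry, then hand ownership back.
foreach ($file in $Binaries) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    if ((Get-GroupDenyAce $file).Count -gt 0) { continue }   # already done
    takeown /F $file /A | Out-Null
    icacls $file /deny "${Group}:(RX)" | Out-Null
    icacls $file /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

# Step 5: add every Plesk application pool user (IWPD_<n>(<login>)) from
# psacln to the group. Parsed from 'net localgroup' output, as the article's
# batch file does; member names are printed one per line.
function Get-PoolUsersMissingFrom([string]$TargetGroup) {
    $pool    = @(net localgroup psacln       | Where-Object { $_ -match '^IWPD_' })
    $present = @(net localgroup $TargetGroup | Where-Object { $_ -match '^IWPD_' })
    $pool | Where-Object { $present -notcontains $_ }
}

foreach ($user in Get-PoolUsersMissingFrom $Group) {
    net localgroup $Group $user /add | Out-Null
}

# Verification: show the Deny entry now present on each binary.
foreach ($file in $Binaries) {
    if (Test-Path -LiteralPath $file) {
        foreach ($ace in Get-GroupDenyAce $file) {
            '{0}: DENY {1} for {2}' -f $file, $ace.FileSystemRights, $ace.IdentityReference
        }
    }
}
```

To schedule it in step 7, use a command such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\secgroup.ps1` (the path is an assumption). The script only restricts these specific files: a copy of cmd.exe placed elsewhere, or other interpreters such as cscript.exe and wscript.exe, are not covered by it, so treat it as one hardening layer rather than a full sandbox for application pool users.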

Comments

  • On 64-bit Windows, if any web processes are running 32-bit, you must also block access to

    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    "C:\Windows\SysWOW64\cmd.exe"
