- Plesk for Windows
IIS users and subscription users belong to one common `psacln` Windows security group.
Scheduled tasks are performed on behalf of subscription users. In case of subscription user account compromising (FTP password disclosed), this can be a security problem.
How to deny use of cmd.exe and powershell.exe to IIS Users and allow Subscription user to run cmd.exe and PowerShell from scheduled tasks?
This cannot be performed by means of Plesk. A security improvement task PFSI-46000 was created. It will be implemented in future product updates.
As a workaround:
1. create a script that regularly adds IIS Application pool users for all subscriptions into a specific security group
2. add a deny rule for such group on powershell.exe and cmd.exe