stackoom
  简体   繁体   中英

Grant IUSR Rights to Use PowerShell Stop-Process Command?

 原文  2015-11-11 17:03:27       windows/ powershell/ windows-server-2012/ windows-server

Question

I have a PHP script that runs a Powershell Stop-Process command through shell_exec() . PHP runs as IUSR. When I run the script, I receive an access denied error message. If I run the command in PowerShell using my Administrator account, it works as expected.

How do I grant IUSR the ability to execute Stop-Process in Powershell?

2 answers

solution1
 1 ACCPTED  2015-11-11 19:30:10

I wasn't able to find a solution to grant IUSR the specific privileges to execute Stop-Process , but I was able to get around this by changing the "Anonymous Authentication" user associated with the kill script from IUSR to Administrator .

In IIS 8.5, go to Sites->My Site->Folder Name . On the main panel, click on Authentication under IIS . Right click on Anonymous Authentication and then click on Edit .

You can set the "Anonymous Authentication" value at any level of your IIS app; from the site level to the sub-directory level. I recommend only changing the value from IUSR to Administrator on the directory that actually hosts your kill script. Changing it for the whole site might create problems for other parts of the application.

solution2
 0  2015-11-11 17:12:12

I've seen some information that suggests if you add a limited user to the Performance Monitor Users group and grant it debug privileges, it will be able to terminate processes.

You might consider something a bit less risky though, like running another web app as a user with those rights, that can only be accessed from the local machine. Then make your PHP app do a web request to the internal app to do it's killin'.

If you're trying to kill only a specific process this lets you further limit the impact because the internal app could be designed to only kill that one thing.

Other ways to achieve a similar separation is to have for example a scheduled task that looks for a file with specific content in a specific directory, when it sees it, it kills a process and deletes the file. IUSR can be given permission to create files in that directory as a way to trigger this. This method is very easy to implement but isn't synchronous.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot kill process with powershell (Stop-Process) Powershell get-service piped to stop-process Stop-Process doesnt take -id or input from piped value How can I run a command in PowerShell with admin rights in the current shell? Run Powershell command on Windows 10 startup with admin rights How to use this command with PowerShell? Restricting process rights How to grant a user 'log on as a service' rights programmatically Elevate rights in current directory with PowerShell Start process with full rights and environment
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM