
Powershell script to add certificate and binding to IIS - permissions problems

We are trying to programmatically add a new SSL certificate and a new binding to a site on IIS. We use PowerShell scripts to achieve this, and it works fine with a user who is a local admin on the server. The problem is, we can't have a user who is a local admin on the web servers run this application in production. It would be against company policies. I want to know the minimal permissions my user needs to be able to do this. These two commands are where I am blocked right now.

```powershell
## Does nothing but gives no error. Works fine if I use my admin user.
Import-PfxCertificate -FilePath $path cert:\localMachine\WebHosting\ -Password $mypwd -Exportable

## Gives me: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
$newbinding = Get-WebBinding -Name $site -IPAddress $ip -Port 443 -Protocol "HTTPS" -HostHeader $hostheader
$newbinding.AddSslCertificate("$thumbprint", "WebHosting")
```

I'm having difficulty finding a clear and definite answer on what permissions/configurations are needed. I had the same problem as this earlier question: Cant add bindings to IIS programatically - redirection.config permissions (with a video!). Now it still doesn't work, but not with the same error.

Thank you

If you are saying that you are running this remotely on the IIS server, then PoSH by design for many cmdlets requires that the user executing the commands be in the target host's local admin group. There is no way around that requirement.

Now, all that being said, why do you need a specific user to run this vs using a scheduled task set with the necessary privs to execute the script?

You could also consider leveraging PoSH JEA for such efforts. It does not relieve the need for admin creds, but it does only grant them temporarily.

Just Enough Administration: Windows PowerShell security controls help protect enterprise data

Just Enough Administration (JEA)—the latest update that is now included with Windows Management Framework 5.0—is a security technology that helps organizations enforce information security by restricting IT administrative rights. JEA provides a practical, role-based approach to set up and automate restrictions for IT personnel, and reduces the risks associated with providing users full administrative rights.

JEA uses the built-in capabilities of the Windows PowerShell scripting environment. Anything that you can manage with PowerShell, you can manage with JEA more securely. JEA provides standardized methods of reducing administrative access with more granularity than traditional access control models.

JEA allows specific users to perform designated administrative tasks on designated servers without giving them full administrator rights. JEA is based on Windows PowerShell-constrained run spaces, a technology used at Microsoft to help secure administrative tasks in environments like Microsoft Exchange Online.

https://msdn.microsoft.com/en-us/library/dn896648.aspx

Using JEA

This topic describes the various ways you can connect to and use a JEA endpoint.

To use JEA interactively, you will need:
• The name of the computer you are connecting to (can be the local machine)
• The name of the JEA endpoint registered on that computer
• Credentials for the computer that have access to the JEA endpoint

https://docs.microsoft.com/en-us/powershell/jea/using-jea
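As an added example (not from the question or the answer above), here is what the JEA approach looks like for exactly these two operations: the non-admin deployment account never gets Import-PfxCertificate or the binding object directly; it can only call one wrapper function, which runs under a temporary virtual account that is a local admin on the host. The module name, role name, endpoint name, AD group, drop folder and transcript folder are assumptions.

```powershell
# Added example: JEA endpoint that lets a non-admin account import a PFX and
# attach it to an HTTPS binding. All names/paths below are assumed.
$modRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\IisCertOps"
New-Item -Path "$modRoot\RoleCapabilities" -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path "$modRoot\IisCertOps.psd1"   # JEA discovers roles via modules

# Role capability: expose a single wrapper function, nothing else. Inside a
# RestrictedRemoteServer session the caller cannot invoke .AddSslCertificate()
# on an object themselves, so the method call has to live in the wrapper.
New-PSRoleCapabilityFile -Path "$modRoot\RoleCapabilities\CertDeployer.psrc" `
  -ModulesToImport 'WebAdministration', 'PKI' `
  -FunctionDefinitions @{
    Name = 'Add-SiteSslBinding'
    ScriptBlock = {
      param(
        [ValidatePattern('^[A-Za-z0-9_.-]+\.pfx$')][string]$PfxName,
        [SecureString]$PfxPassword,
        [ValidatePattern('^[A-Za-z0-9_-]+$')][string]$Site,
        [ValidatePattern('^[A-Za-z0-9.-]+$')][string]$HostHeader
      )
      # Only files from a fixed drop folder can be imported (assumed path),
      # and the imported key is deliberately not marked -Exportable.
      $path = Join-Path 'C:\CertDrop' $PfxName
      $cert = Import-PfxCertificate -FilePath $path -Password $PfxPassword `
        -CertStoreLocation 'Cert:\LocalMachine\WebHosting'
      # SslFlags 1 = SNI, required for host-header HTTPS bindings (IIS 8+).
      New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1
      $b = Get-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader
      $b.AddSslCertificate($cert.Thumbprint, 'WebHosting')
      $cert.Thumbprint   # return only the thumbprint to the caller
    }
  }

# Session configuration: NoLanguage/restricted session, runs as a virtual
# account (local admin on the host), every session transcribed, one AD group
# (assumed name) mapped to the one role above.
New-PSSessionConfigurationFile -Path "$env:TEMP\CertDeployer.pssc" `
  -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
  -TranscriptDirectory 'C:\JeaTranscripts' `
  -RoleDefinitions @{ 'CONTOSO\CertDeployers' = @{ RoleCapabilities = 'CertDeployer' } }
Register-PSSessionConfiguration -Name 'CertDeployer' -Path "$env:TEMP\CertDeployer.pssc" -Force

# The deployment account (not a local admin) can then only do this:
# Invoke-Command -ComputerName web01 -ConfigurationName CertDeployer -ScriptBlock {
#   Add-SiteSslBinding -PfxName 'site.pfx' -PfxPassword $pwd -Site 'MySite' -HostHeader 'www.example.com'
# }
```

The [ValidatePattern] attributes matter: in a JEA role the wrapper's parameters are the whole attack surface, so constrain them rather than accepting arbitrary paths or thumbprints.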
