Hosted Objects Security: HostingSecurity.exe

To host different objects, particularly, domains, subdomains and web users, which we call hosted objects, Parallels Plesk Panel performs in Windows the following two operations for every object:

creates the object's root directory with the hosted content organized into files and folders; all located in %plesk_vhosts%
E.g., for a domain with physical hosting, the root directory is %plesk_vhosts%\<domain name> containing folders and files defined by a virtual host template (default are /anon-ftp, /error-docs, /httpdocs, etc.)
creates Windows user accounts mapped to Parallels Plesk Panel object-specific users
E.g., for a domain with physical hosting three Windows users are created: Parallels Plesk Panel Domain User (<COMPUTER-NAME>/<FTP/Microsoft FrontPage Login>), Parallels Plesk Panel IIS User (<COMPUTER-NAME>/<IUSR_FTP/Microsoft FrontPage Login>) and ftp_subaccounts (<COMPUTER-NAME>\ftp_subaccounts)

For proper functioning of the Parallels Plesk Panel hosted objects, such Windows users must have particular permissions on accessing objects' folders and files. This is provided using security metadata files based on security templates the following way: Each hosted object in Parallels Plesk Panel is accompanied with a specific security metadata describing what users should have which access to which file or folder of this hosted object. Parallels Plesk Panel creates a particular object security metadata basing on a security template file which contains pattern entries describing access rights.

Parallels Plesk Panel provides the following default security templates, all located in %plesk_dir%\etc\:

hosting_template.xml - pattern security entries for domains with physical hosting
frame_forwarding_template.xml - domains with frame forwarding
subdomain_template.xml - subdomains
webuser_template.xml - web users
hosting_write_template.xml, subdomain_write_template.xml, webuser_write_template.xml - additional set of pattern entries used when the Additional write/modify permissions option is enabled on domains with physical hosting, subdomains, or web users, correspondingly

The number of security templates can be extended as desired, what is important is that they must be of a proper format.

When a hosted object is created in Parallels Plesk Panel, Parallels Plesk Panel creates in Windows folders, files and users of the hosted object, then calls the HostingSecurity.exe utility which a) creates the object's security file - an XML file .Security in the object's root folder, b) writes to this file the object's security metadata - security rules from the required default template (listed above) using this object's users, c) applies these rules to Windows security settings of the object's folders and files.

The HostingSecurity.exe utility serves to manage Parallels Plesk Panel hosted objects security templates and security metadata together with Windows security settings. The utility allows performing the following operations:

Generating (restoring) default Parallels Plesk Panel security templates for hosted objects
Creating (restoring) security metadata for hosted objects
Updating security metadata by adding or removing rules from a particular template, and applying the updated security rules to Windows security settings

Location

%plesk_bin%

Usage

HostingSecurity.exe <command> [

<option1>=<param1>[

<option2>=<param2>[

<option3>=<param3>]]

Example

The following command removes access entries specified in the custom template ftp-subaccounts.xml located at %plesk_dir%\etc\ from security metadata and settings of photo.example.com:

>HostingSecurity.exe --update-subdomain-security --vhost-name=example.com --subdomain=photo --remove-template=%plesk_dir%\ftp-subaccounts.xml

Commands

Command	Description	Example
`--create-domain-template`	Creates a default domain security template. Unless file location and name are specified with the `--file-name` option, it is created in the current directory (`%plesk_bin%`) under the name `hosting_template.xml`.	To restore missing default domain security template `hosting_template.xml` at `%plesk_dir%\etc\` directory: >HostingSecurity.exe --create-domain-template --file-name="%plesk_dir%\etc\hosting_template.xml"
`--create-frame-forwarding-template`	Creates a default frame forwarding domain security template. Unless file location and name are specified with the `--file-name` option, it is created in the current directory (`%plesk_bin%`) under the name `frame_forwarding_template.xml`.	To create a default frame forwarding domain security template with default name in the current location: >HostingSecurity.exe --create-frame-forwarding-template
`--create-subdomain-template`	Creates a default subdomain security template. Unless file location and name are specified with the `--file-name` option, it is created in the current directory (`%plesk_bin%`) under the name `subdomain_template.xml`.	To restore missing default subdomain security template `subdomain_template.xml` at `%plesk_dir%\etc\` directory: >HostingSecurity.exe --create-subdomain-template --file-name="%plesk_dir%\etc\subdomain_template.xml"
`--create-webuser-template`	Creates a default web user's security template. Unless file location and name are specified with the `--file-name` option, it is created in the current directory (`%plesk_bin%`) under the name `webuser_template.xml`.	To create a default web user security template under the name `web-user-template.xml` in the `D:\temp\` directory: >HostingSecurity.exe --create-webuser-template --file-name=D:\temp\web-user-template.xml
`--create-domain-security`	Creates domain security metadata from a template. Requires `--vhost-name` option. If the `--file-name` option is not specified, a default template `%plesk_dir%\etc\hosting_template.xml` is used.	To create a security metadata file for the domain example.com basing it on the template `hosting_template3.xml` located at the `D:\security-templates\` folder: >HostingSecurity.exe --create-domain-security --vhost-name=example.com --file-name=D:\security-templates\hosting_template3.xml
`--create-frame-forwarding-security`	Creates frame forwarding domain's security metadata from a template. Requires `--vhost-name` option. If the `--file-name` option is not specified, a default template `%plesk_dir%etc\frame_forwarding_template.xml` is used.	To create a security metadata file for the frame forwarding domain sample.net basing it on the default template `frame_forwarding_template.xml` located in the `%plesk_dir%\etc\` directory: >HostingSecurity.exe --create-frame-forwarding-security --vhost-name=sample.net
`--create-subdomain-security`	Creates subdomain security metadata from a template. Requires `--vhost-name` and `--subdomain-name` options. If the `--file-name` option is not specified, a default template `%plesk_dir%etc\subdomain_template.xml` is used.	To create security metadata file for the subdomain blog.example.com basing it on a security template `blog-sub-templ.xml` located at the `D:\security-templates\` folder: >HostingSecurity.exe --create-subdomain-security --vhost-name=example.com --subdomain-name=blog --file-name=D:\security-templates\blog-sub-templ.xml
`--create-webuser-security`	Creates web user's security metadata from a template. Requires `--vhost-name` and `--web-user` options. If the `--file-name` option is not specified, a default template `%plesk_dir%etc\webuser_template.xml` is used.	To restore a missing security metadata file for the web user example.com/~Terry basing it on a Parallels Plesk Panel default template `webuser-template.xml` currently located in the `%plesk_bin%` directory: >HostingSecurity.exe --create-webuser-security --vhost-name=example.com --web-user=Terry --file-name="%plesk_bin%\webuser-template.xml"
`--update-domain-security`	Updates domain security metadata by applying or removing templates, and updates Windows security settings of the domain's files and folders. Requires `--vhost-name` option. If no template is specified with an option `--add-template` or `--remove-template`, a default template `%plesk_dir%\etc\hosting_template.xml` is used.	To add access entries from the Parallels Plesk Panel template `hosting_write_template.xml` to the security metadata, and apply the security rules to Windows security settings of the domain example.com: >HostingSecurity.exe --update-domain-security --vhost-name=example.com --add-template="%plesk_dir%\etc\hosting_write_template.xml"
`--update-subdomain-security`	Updates subdomain security metadata by applying or removing templates, and updates Windows security settings of the subdomain's files and folders. Requires the `--vhost-name` and `--subdomain` options. If no template is specified with an option `--add-template` or `--remove-template`, a default template `%plesk_dir%\etc\subdomain_template.xml` is used.	To remove access entries specified by the custom template `ftp-subaccounts.xml` located at `%plesk_dir%\etc\` from security metadata and settings of photo.example.com: >HostingSecurity.exe --update-subdomain-security --vhost-name=example.com --subdomain=photo --remove-template=%plesk_dir%\ftp-subaccounts.xml
`--update-webuser-security`	Updates web user's security metadata by applying or removing templates, and updates Windows security settings of the web user's files and folders. Requires `--vhost-name` and `--web-user` options. If no template is specified with an option `--add-template` or `--remove-template`, a default template `%plesk_dir%\etc\webuser_template.xml` is used.	To apply Parallels Plesk Panel default security template to security metadata and Windows settings of web user example.com/~MaryJane: >HostingSecurity.exe --update-webuser-security --vhost-name=example.com --web-user=MaryJane

Options

Option	Parameter	Description	Example
`--file-name`	`<fully_qualified_file_name>`	Specifies the fully qualified name of a security template (absolute path to the file starting from disk name + file name).	To create a default web user security template under the name `web-user-template.xml` in the `D:\Security Templates\` directory: >HostingSecurity.exe --create-webuser-template --file-name="D:\Security Templates\web-user-template.xml"
`--vhost-name`	`<domain name>`	Specifies name of a domain to be affected. Required with all commands except the `--create-...-template`.	To create a security metadata file for the frame forwarding domain sample.net basing it on the default template `frame_forwarding_template.xml` located in the `%plesk_dir%\etc\` directory: >HostingSecurity.exe --create-frame-forwarding-security --vhost-name=sample.net
`--subdomain`	`<subdomain name>`	Specifies name of a subdomain to be affected. Required with all the `--...-subdomain-security` commands.	To update security metadata and Windows settings of the subdomain blogs.sample.net using Parallels Plesk Panel default subdomain security template: >HostingSecurity.exe --update-subdomain-security --vhost-name=sample.net --subdomain=blogs
`--web-user`	`<web_user_name>`	Specifies name of a web user to be affected. Required with all the `--...-webuser-security` commands.	To restore a missing security metadata file for the web user example.com/~Terry basing it on a Plesk default template : >HostingSecurity.exe --create-webuser-security --vhost-name=example.com --web-user=Terry
`--add-template`	`<fully_qualified_file_name>`	Specifies a security template containing security rules that should be added to an object's security metadata and applied to Windows security settings of the object's files and folders. Used only with the `--update-...-security` commands.	To add additional access entries specified by the custom template `extended-ftp-subaccounts.xml` located at `%plesk_dir%\Security Templates\` to the security metadata and settings of the example.com domain: >HostingSecurity.exe --update-domain-security --vhost-name=example.com --add-template="%plesk_dir%\Security Templates\extended-ftp-subaccounts.xml"
`--remove-template`	`<fully_qualified_file_name>`	Specifies a security template containing security rules that should be removed from an object's security metadata and from Windows security settings of the object's files and folders. Used only with the `--update-...-security` commands.	To remove access entries specified in the template `hosting_write_template.xml` located in `%plesk_dir%\etc\` from security metadata and settings of example.com domain: >HostingSecurity.exe --update-domain-security --vhost-name=example.com --remove-template="%plesk_dir%\etc\hosting_write_template.xml"