Customizing Disk Security

Custom changes to disk security metadata should not be applied to the DiskSecurity.xml file itself. The disk security metadata can be contained in multiple files. All disk security metadata do not have to be contained only in the DiskSecurity.xml file. You can create any number of additional disk security metadata files. To customize disk security, you should create an additional file with the xml extension in the %plesk_dir%\etc\DiskSecurity directory and specify additional security rules in the file. This will enable you to track changes and manipulate sets of security metadata easily.

To customize disk security rules in Plesk:

  1. Log in as administrator to a Plesk-managed server over Remote Desktop.
  2. Determine the Windows objects for which you would like to set new security rules.
  3. Open the %plesk_dir%\etc\DiskSecurity folder.
  4. In the folder, create a file with the xml extension.

    You can name this file anything you want.

  5. Open and edit the file by using your favorite XML file editor to create security rule entries.

    Disk security rule entries have the same format as hosting security rule entries. For help in completing this step, see Adding New Security Rule to Hosting Security Metadata File Template. See also an explanatory example of a security rule entry following this procedure. For entry attribute descriptions and possible values, see General Security Metadata Structure.

  6. Save and close the file.
  7. Once you have made necessary modifications to the security metadata file, run the plesk repair utility with the --directory-permissions command and the -directory <path to the directory> option to apply the security rules to Windows objects. For example, to apply the disk security rules to the C:\Temp directory run the following command:

    plesk repair --directory-permissions -directory C:\Temp

For example, you have an application (say, IIS module) installed into the folder c:\Program Files\AppName. This module is used on customers' sites, but it does not work properly because Plesk's default security rules prohibit customers from accessing arbitrary folders on the disk. To resolve this, you can create a file named AppName.xml, add your security rules as described further, and place the file into the directory %plesk_dir%\etc\DiskSecurity.


<?xml version="1.0" encoding="utf-8" ?> 
<Entry AccounType="1" Account="Psacln" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" /> 
<Entry AccounType="1" Account="Psaadm" Path="{ProgramFiles}" SubPath="AppName" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0" /> 

Because the names Psacln and Psaadm are not standard Windows system accounts, they have to be resolved in the system (hence, AccounType="1"). Path="{ProgramFiles}" and SubPath="AppName" specify that the security rules will be applied to the folder where your application is installed. AceFlags="ThisFolderSubfoldersAndFiles" specifies that, according to these rules, ACEs with permission defined by AccessMask="FullAccess" will be created for the specified folder, and all of its subfolders and files. EntryFlags="0" sets the ACE type to Allow.