As a follow-up to our previous IIS infrastructure articles, this is the first of a three-part series on scripting a solution. In this entry, we are going to tackle many of the IIS configuration basics using PowerShell, ranging from firewall rules, time zone, Windows features, user management, installers and certificates. If you have not been following our previous articles, please go back and check them out!

Administrative Access

The top of any PowerShell script which requires elevated permissions should include #Requires -RunAsAdministrator. This statement, written as a comment, will prevent a script from executing under an unprivileged context. If it were not included and the script was run with a normal account, then the script would partially succeed and leave the system in an inconsistent state.

Firewall rules

Security is the basis of any successful infrastructure and should always be a first-class citizen during and after the architecture phase. I am a firm believer that a perfect application is a complete failure if the host system is compromised.

$fwRule = New-NetFirewallRule -DisplayName 'IIS (HealthCheck) Inbound' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('8090') 

Time Zone

Applications typically localize time when displayed to the user, but Windows event logs are inserted using the system time. I prefer to set the time zone on my web servers to a consistent value so that there is less math in my head. For one reason or another your web applications may not localize time and use the system time directly, so be sure to understand the consequences of changing a web server's time zone.

Set-TimeZone "Central Standard Time" 

Windows Role and Features

If you already have a system that has been manually configured with roles and features, you can export that configuration to an XML file and import it into a new server. This saves time and removes the possibility of human error. Once you have a valid XML template, you will use that to provision IIS servers in your web tier.

#Requires -RunAsAdministrator
Import-Module ServerManager

function Export-WindowsFeature {
    Param(
        [Parameter(Mandatory=$true)]
        [string] $path
    )

    # Export only installed leaf features (those with no sub-features) to XML
    Get-WindowsFeature | Where-Object { $_.Installed -and $_.SubFeatures.Count -eq 0 } | Export-Clixml $path
}

function Import-WindowsFeature {
    Param(
        [Parameter(Mandatory=$true)]
        [string] $path
    )

    if (Test-Path $path) {
        Write-Output "Importing server features"
        # Install every feature listed in the export, using the side-by-side store as the source
        $imported = Import-Clixml $path | Add-WindowsFeature -Source "c:\path\to\WinSxS"
    } else {
        # Report the missing file in red
        Write-Host "Unable to import features, the supplied file path does not exist" -ForegroundColor Red
    }
}

Export: Export-WindowsFeature -path "c:\path\to\features.xml"
Import: Import-WindowsFeature -path "c:\path\to\features.xml"

features.xml is a preconfigured features export which you can use to get started. You can import it, add or remove any features to fit your needs, and then perform a new export.

Local Account Management

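Depending on your environment, you may need to add a domain user to the local administrators group. Add-DomainUserToLocalGroup is not a built-in cmdlet; it is a helper function that must be defined or loaded before this line runs.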

Add-DomainUserToLocalGroup "some.domain/deployadmin" "Administrators" 

Installers

Many times you also need to install third-party software dependencies.

IIS Rewrite Module

Start-Process msiexec.exe -Wait -ArgumentList '/I "c:\path\installers\rewrite_amd64_en-US.msi" /quiet ACCEPT=YES' 

Notepad++

Start-Process -FilePath "c:\path\installers\npp.installer.exe" -ArgumentList "/S /v/qn" -Wait -PassThru 
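
Both installers above run silently from an elevated script, so it is worth confirming that each file is the one that was vetted before it is launched, and that the install actually succeeded. The following is an added example, not code from the original article: Install-VerifiedPackage is a hypothetical helper name, and the expected SHA-256 value is a placeholder for the hash you record when you vet the installer.

```powershell
#Requires -RunAsAdministrator

# Hypothetical helper (not from the original article): verify, then install.
function Install-VerifiedPackage {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)] [string]   $Path,           # installer to run
        [Parameter(Mandatory=$true)] [string]   $ExpectedSha256, # hash recorded when the file was vetted
        [Parameter(Mandatory=$true)] [string[]] $ArgumentList    # silent-install switches
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # 1. The file must be byte-for-byte the one that was vetted.
    #    (-ne on strings is case-insensitive, so hex case does not matter.)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA-256 mismatch for $Path (got $actual)"
    }

    # 2. The Authenticode signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status)"
    }
    Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

    # 3. Run the installer and surface its exit code instead of ignoring it.
    if ([IO.Path]::GetExtension($Path) -eq '.msi') {
        $msiArgs = @('/i', "`"$Path`"") + $ArgumentList
        $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    } else {
        $proc = Start-Process -FilePath $Path -ArgumentList $ArgumentList -Wait -PassThru
    }
    # Windows Installer codes: 0 = success, 3010 = success, reboot required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "Installer exited with code $($proc.ExitCode): $Path"
    }
}

# Usage with the article's MSI path; the hash is a placeholder, not a real value.
Install-VerifiedPackage -Path 'c:\path\installers\rewrite_amd64_en-US.msi' `
    -ExpectedSha256 '<SHA-256 recorded when the MSI was vetted>' `
    -ArgumentList '/quiet', 'ACCEPT=YES'
```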

Import Certificates

Without the correct certificates, the HTTPS bindings on websites will fail and the site will not work properly. Always ensure that all IIS servers share the same set of SSL certificates.

Import-PfxCertificate -FilePath "c:\path\certificates\2018-some.domain.pfx" -CertStoreLocation "Cert:\LocalMachine\My"