IIS Manager and Script generation

There are always questions on the forums related to scripting settings related to IIS configuration files. In IIS7 and above, there is a nifty feature called the Configuration Editor.  For reference, this blog post is written and pertains to IIS 8.5. This is important because some settings mentioned in this post are not available on any versions prior to IIS 8.5.

This feature allows you to ‘look’ at your configuration files and even update them via the GUI interface. This can be very handy since you are not manually updating one of the configuration files for either the entire IIS Server or one of your websites or applications. Since the format of the file requires specific items, using a tested script or GUI interface can aid in ensuring that you do not accidentally forget a “ or  < in the file which renders it unusable by IIS.

You access this feature by opening Internet Information Services (IIS) Manager. There is a Configuration Editor feature at the server level, the web site level, and for any folder, virtual directory or application within a website.

image.png

The location of the feature determines what configuration file will be modified by any changes made. Changes made at the server level will impact the primary configuration documents for the IIS installation. For example, if you would like to view the default settings for the application pools, you would access the Server name and double click on the Configuration Editor icon to open the feature. As you can see from the screenshot below, I have selected the section related to applicationPools. At the bottom of the screenshot, the active configuration file is listed as applicationhost.config.

image_thumb.png

The screenshot below shows the default settings for application pools as shown in both the configuration editor and the applicationhost.config file.

image.png

Making a change in the Configuration Editor updates the applicationhost.config file once you select Apply.

Let’s say for instance, you decide you would like to modify the default settings for your application pools but would like to script it so you can implement it at a later time or across multiple systems. Rather than the defaults for idleTimeout and idleTimeoutAction, you want to implement a longer timeout value and rather than terminating the process, you want to suspend it. The idleTimeoutAction item is only relative to IIS 8.5. For prior versions, you can change the idleTimeout following this same process as well. You are going to set the idleTimeout to 60 minutes rather than the default of 20. You are also going to change the idleTimeoutAction to Suspend rather than Terminate. This comes in handy when you have a website that takes a while to load but only has certain periods of time where it is active. By suspending the process, you do not have to wait for the initial spin-up which occurs after a worker process has been terminated. Any changes that are made in the editor are shown in BOLD in the GUI.

You will now notice that there are multiple actions available (Apply, Cancel, Generate Script). This is where the cool stuff happens. You are going to click Generate Script since you really want the PowerShell commands needed to make this change rather than applying the changes now. This will open a Script Dialog box that provides the auto-generated script in multiple languages including C#, AppCmd, and PowerShell.

image_thumb.png

You can now copy the script and integrate it into initial build scripts for creating a new IIS server or even as a stand alone script to simply update the settings that you have chosen.

The generated PowerShell script contains this code:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/applicationPools/applicationPoolDefaults/processModel" -name "idleTimeout" -value "01:00:00"

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/applicationPools/applicationPoolDefaults/processModel" -name "idleTimeoutAction" -value "Suspend"

You will then open a PowerShell command window ran as Administrator. Paste the code into the window and run it. Voila, your updates were inserted into the applicationhost.config file and the default settings for new application pools are now configured the way that you want.

There are many settings that can be scripted following these same steps for websites. The Configuration Editor feature at the website level accesses the web.config file for the specified site or application. For example, if you want to change the way that customErrors are handled for your website, you can access the customErrors section of the web.config via the Configuration Editor and change the mode from the default RemoteOnly to On or Off. Once again, you can either apply the setting manually or Generate Script for your script repository or for future use.

I hope you find this blog post helpful, especially if you are just learning PowerShell and working with IIS.

Terri is a Microsoft MVP (ASP .NET/IIS), an MCSA: Windows Server 2012, and a Cloud Administrator at OrcsWeb, a hosted server company providing managed hosting solutions

IIS8 Security features

I recently wrote two blog posts for CloudServers.com around new IIS8 security features. The first was about Dynamic IP Restrictions and how they can be implemented to provide an additional layer of security for your site against brute force DDoS type attacks. The second was about the new FTP Login restrictions that can be implemented to actively block brute force FTP attacks.

Both of these new features in IIS can be easily implemented and configured to provide another layer for security to your websites and applications.

Terri is a Microsoft MVP (ASP .NET/IIS), an MCSA: Windows Server 2012, and a Support Specialist at OrcsWeb, a hosted server company providing managed hosting solutions