PowerShell makes managing roles and role services extremely easy from an automation and efficiency standpoint. It also helps take out the human error factor when configuring roles and services consistently across a number of Windows Servers.
One of the role services that has long been used with Windows Server is IIS. IIS has been around since Windows NT 4.0 and has received many improvements and enhancements along the way, all the way up to Windows Server 2019.
Let's take a look at how we can install and manage IIS with PowerShell, including installing the role service, configuring SSL, managing bindings, and managing IIS application pools.
Installing IIS using PowerShell
Before you can configure or manage a Windows Server role, you have to get the role installed to begin with. Let's take a look at how we can do this using PowerShell in Windows Server. PowerShell contains myriads of intuitive cmdlets that let you perform the normal GUI-driven operations from the command line. You can easily install roles and features in Windows Server with the Install-WindowsFeature cmdlet. Let's see how easy it is to install the IIS role using this cmdlet.
Use the Install-WindowsFeature cmdlet to install the IIS role listed as Web-Server in Windows Features. The IncludeAllSubFeature and IncludeManagementTools directives install the subfeatures for the role as well as the management tools needed to manage IIS.
Install-WindowsFeature -Name "Web-Server" -IncludeAllSubFeature -IncludeManagementTools
When installing IIS with the IncludeAllSubFeature option, you need to make sure you have satisfied all the prerequisites, like installing .NET 3.5. In Windows Server 2019, you may see an error such as the following when installing IIS without having the .NET 3.5 feature enabled.
You can easily install the feature with the DISM command, with the local Windows Server installation media mounted.
Dism /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs
Managing IIS SSL and binding with PowerShell
Managing SSL certificates and bindings with PowerShell go hand in hand. The SSL certificate creates the secure channel for encrypted communication with IIS. The bindings dictate which ports and SSL certificates to use when configuring IIS to listen on a particular port for a specific website.
Let's take a look at useful PowerShell cmdlets for interacting with IIS SSL configuration and bindings.
Managing IIS bindings
The first thing you may want to do is take a look at the existing websites and bindings present for those websites. We can use the Get-WebSite cmdlet to view existing IIS websites. With this cmdlet, you see useful information such as the state of the site, physical path, and bindings.
If you want to take a closer look at bindings in particular, you can use the Get-WebBinding cmdlet to view specifics about the bindings in IIS. This cmdlet also shows sslFlags set for each website to quickly view which IIS sites are SSL enabled.
Creating a self-signed certificate to use with IIS
You can generate self-signed SSL certificates using PowerShell. In legacy versions of Windows, you had to use a utility like the IIS 6 resource kit tools to generate self-signed certificates. However, now with modern versions of Windows Servers, New-SelfSignedCertificate comes in handy.
The cmdlet below generates a new self-signed certificate with a 2048-bit key length for the fully qualified domain name (FQDN) you specify and places it in the Personal store of the computer certificates. With the (Get-Date).AddYears snippet, you can choose to create the self-signed certificate for the specified length of time.
New-SelfSignedCertificate -DnsName "<your server FQDN>" -KeyLength 2048 -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(20)
How do you bind this certificate to a website in IIS? To bind port 443 and the HTTPS protocol to the Default Web Site, you can use the following PowerShell cmdlet:
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
Using the functionality of the WebAdministration PowerShell module, we can interact with HTTP.SYS as documented by Microsoft. SSL settings are stored in the HTTP.SYS configuration store. To associate the certificate with a particular website, we have to use the certificate hash.
Now you can use the certificate hash generated using the New-SelfSignedCertificate cmdlet earlier. Note the error below when using the new-item cmdlet. This indicates there is already a certificate bound. If you have no certificate already, use new-item; however, if you want to change the existing bound certificate, use the set-item cmdlet. This changes the certificate from the currently set SSL cert to the new certificate.
Setting a certificate for the HTTPS binding on an IIS website using PowerShell
After assigning the new SSL certificate to the IIS website, you can open the IIS Management console (inetmgr.exe) to verify the cmdlet set the SSL certificate correctly. We can see the SSL certificate is the newly generated self-signed certificate and the port is properly configured to 443.
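The binding steps described above, put together as one script. This is an added example, not code from the original article; the thumbprint is a placeholder you replace with the value printed by New-SelfSignedCertificate, and the endpoint 0.0.0.0:443 on the Default Web Site is assumed.

```powershell
# Added example: bind a LocalMachine\My certificate to 0.0.0.0:443 and verify it.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$thumbprint = '<certificate thumbprint>'   # placeholder: value printed by New-SelfSignedCertificate
$sslPath    = 'IIS:\SslBindings\0.0.0.0!443'

# Load the certificate and refuse to bind one that cannot serve TLS.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumbprint has no private key." }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)." }

# Add the HTTPS binding only if the site does not have one on port 443 yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -IPAddress '*' -Port 443 -Protocol https
}

# New-Item fails when a certificate is already bound to this endpoint,
# so an existing entry is replaced with Set-Item instead.
if (Test-Path -Path $sslPath) {
    $cert | Set-Item -Path $sslPath
} else {
    $cert | New-Item -Path $sslPath | Out-Null
}

# Confirm from the command line what the IIS Management console would show.
$bound = Get-Item -Path $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "0.0.0.0:443 is bound to $($bound.Thumbprint), expected $($cert.Thumbprint)."
}
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation, sslFlags
```

Run it from an elevated PowerShell session on the IIS server.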
Managing IIS application pools
The application pool is a modern IIS design construct that helps separate resources and worker processes in IIS between web applications. This is a much better design that helps isolate web applications for stability and security purposes; in this way, web applications have good separation from one another. If one web application has a memory leak or becomes unstable, this will not impact the other web applications, since they run in separate application pools.
The New-WebAppPool cmdlet in PowerShell lets you create a new application pool.
You can use PowerShell to view all the available application pools, including the newly created application pool with the Get-IISAppPool cmdlet.
You can also recycle an application pool with the following cmdlet. By recycling an app pool, the IIS worker process that handles requests for a particular application pool is terminated and a new one is started. This can be useful if a web application becomes unstable. Additionally, it is good to recycle app pools periodically.
$AppPool = Get-IISAppPool -Name TestPool
$AppPool.Recycle()
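The application pool steps above as one idempotent script that also reports which sites still share a pool. This is an added example, not code from the original article; it uses the WebAdministration cmdlets throughout instead of Get-IISAppPool, and assumes the pool name TestPool and the Default Web Site.

```powershell
# Added example: give a site its own application pool and recycle it safely.
Import-Module WebAdministration

$poolName = 'TestPool'
$siteName = 'Default Web Site'

# Create the pool only if it does not exist yet, so the script can be re-run.
if (-not (Test-Path -Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Move the site into the dedicated pool so it no longer shares a worker process.
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# Report pool usage: any pool with Count greater than 1 is shared between sites.
Get-Website |
    Group-Object -Property applicationPool |
    Select-Object Name, Count, @{ Name = 'Sites'; Expression = { $_.Group.Name -join ', ' } }

# Recycling a stopped pool raises an error, so check the state first
# and start the pool instead when it is not running.
$state = (Get-WebAppPoolState -Name $poolName).Value
if ($state -eq 'Started') {
    Restart-WebAppPool -Name $poolName
} else {
    Start-WebAppPool -Name $poolName
}
```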
PowerShell automation is a great way to install, control, configure, and manage Windows IIS. As shown, you can script many aspects of IIS, including installing the server role and subfeatures as well as the management tools. Configuring the bindings and SSL certificate settings is also possible with PowerShell, in addition to quickly creating self-signed certificates for testing. Finally, you can effectively manage Windows Server IIS application pools, including creating, listing, and recycling these as needed, all using PowerShell.