Running Internet Information Services (IIS) on Server Core instead of the regular Windows Server 2012 has some advantages. In today’s part of my Server Core series, I will show you how to install a web server on Server Core.

Whether they’re used to host internal websites, app websites, or your organization’s public website, web servers allow for information exchange. Misconfiguration, therefore, poses a security risk.

When I think of misconfiguration, I always get the feeling that people clicked somewhere they didn’t need to click, or they thought they clicked an option but didn’t. These two types of misconfiguration can be easily eliminated when you deploy web servers on Server Core installations of Windows Server 2012.

You can use any Server Core installation as a web server. Windows Server 2008, Windows Web Server 2008, Windows Server 2008 R2, and Windows Server 2012 all came with Internet Information Services (IIS), which is the main Server Role to turn Windows Server into a web server.

With that being said, you might not want to use Server Core installations of Windows Server 2008 or Windows Web Server 2008 as a web server, since these two Windows Server editions do not offer the ability to run ASP or ASP.NET within Internet Information Services. Thus, you cannot host dynamic .NET websites on these platforms. However, you can run dynamic websites based on PHP on Server Core installations of Windows Server 2008 or Windows Web Server 2008.

The ability to run dynamic .NET websites was first introduced in Windows Server 2008 R2, along with PowerShell support for IIS. The latter functionality allows you to configure websites through clear PowerShell cmdlets instead of appcmd.exe and the many IIS VBS scripts.

Overview of Internet Information Services (IIS) on Server Core

The IIS Server Role on Server Core is the most elaborate and modular Server Role you will find on this platform. It consists of four categories of Role Services, spanning a grand total of 44 independent Role Services:

Server Role and Role Services Display Name Role Name (to install)
Web Server (IIS) Web-Server *
- Web Server Web-WebServer *
o Common HTTP Features Web-Common-Http *
§ Default Document Web-Default-Doc *
§ Directory Browsing Web-Dir-Browsing *
§ HTTP Errors Web-Http-Errors *
§ Static Content Web-Static-Content *
§ HTTP Redirection Web-Http-Redirect
§ WebDAV Publishing Web-DAV-Publishing
o Health and Diagnostics Web-Health *
§ HTTP Logging Web-Http-Logging *
§ Custom Logging Web-Custom-Logging
§ Logging Tools Web-Log-Libraries
§ ODBC Logging Web-ODBC-Logging
§ Request Monitor Web-Request-Monitor
§ Tracing Web-Http-Tracing
o Performance Web-Performance *
§ Static Content Compression Web-Stat-Compression *
§ Dynamic Content Compression Web-Dyn-Compression
o Security Web-Security *
§ Request Filtering Web-Filtering *
§ Basic Authentication Web-Basic-Auth
§ Centralized SSL Certificate Support Web-CertProvider
§ Client Certificate Mapping Authentic… Web-Client-Auth
§ Digest Authentication Web-Digest-Auth
§ IIS Client Certificate Mapping Auth Web-Cert-Auth
§ IP and Domain Restriction Web-IP-Security
§ URL Authorization Web-Url-Auth
§ Windows Authentication Web-Windows-Auth
o Application Development Web-App-Dev
§ .NET Extensibility 3.5 Web-Net-Ext
§ .NET Extensibility 4.5 Web-Net-Ext45
§ Application Initialization Web-AppInit
§ ASP.NET 3.5 Web-ASP-Net
§ ASP.NET 4.5 Web-ASP-Net45
§ ISAPI Extensions Web-ISAPI-Ext
§ ISAPI Filters Web-ISAPI-Filter
§ Server Side Includes Web-Includes
§ WebSocket Protocol Web-WebSockets
- FTP Server Web-FTP-Server
o FTP Service Web-FTP-Service
o FTP Extensibility Web-FTP-Ext
- IIS Hostable Web Core Web-WHC
- Management Tools Web-Mgmt-Tools
o IIS Management Console Web-Mgmt-Console
o IIS 6 Management Compatibility Web-Mgmt-Compat
§ IIS 6 Metabase Compatibility Web-Mgmt-Metabase
§ IIS 6 Management Console Web-Mgmt-Lgcy-Console
§ IIS 6 Scripting Tools Web-Mgmt-Lgcy-Scripting
§ IIS 6 WMI Compatibility Web-WMI
o IIS Management Scripts and Tools Web-Scripting-Tools
o Management Service Web-Mgmt-Service

Although the FTP Server Role Service is listed above, this article does not cover installing and configuring an FTP Server on Server Core. That is the topic of the next article in this series.

Installing Internet Information Services (IIS) on Server Core

Now, installing the right Role Services for the job at this moment might look like a daunting job, but the team behind the installation of the Internet Information Services (IIS) Server Role has been kind enough to install the most commonly used Role Services when you install its main Server Role. The Role Services installed by default are denoted with asterisks in the lists above.

To install the Internet Information Services (IIS) Server Role with default options, run the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):

Install-WindowsFeature Web-Server -IncludeManagementTools

Install IIS with PowerShell

Install IIS with PowerShell

If you want a web server that is perfectly suited for hosting mere static content (like .htm and .html files and .jpg, .png, and .gif pictures), you’d be done.

IIS has been installed and you can access your Server Core Web Server from your favorite browser:

Default IIS page

Default IIS page

Now, most web server applications and content management solutions are based on ASP and ASP.NET. To this purpose, you can install the ASP (Web-ASP), ASP.NET 3.5 (Web-ASP-Net), and/or ASP.NET 4.5 (Web-ASP-Net45) Role Services. When you install the latter, some of the .NET Framework 4.5 Features (NET-Framework-45-Features), ISAPI Extensions (Web-ISAPI-Ext), and ISAPI Filters (Web-ISAPI-Filter) will automatically be installed too.

If you want to use the web server to host PHP-based applications, you would need to install PHP. WordPress is a prime example, and your Server Core installation would be happy to host it for you.

For best security practices, you might want to disable the Directory Browsing Role Service to avoid visitors having access to directories on your web server(s) when they don’t have any of the default documents in them. To perform this action, type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):

Uninstall-WindowsFeature Web-Dir-Browsing

An easy way out of the madness of Internet Information Services (IIS) Role Services and extensions is a program that Microsoft offers called WebMatrix. This free program can be run on both Server with a GUI and Server Core installations and installs the Web Platform Installer (WebPI). Through this program (which starts automatically after installing), you can simply Add the most popular web applications with default settings for the virtual directories, application pools, and database(connection)s:



Managing Internet Information Services (IIS)

Internet Information Services (IIS) and its associated features can be managed both from the console of your Server Core installation and remotely.

From the console

On the console of your Server Core installation, you’d have four resources to manage your web server:

  1. The many IIS-related PowerShell cmdlets
  2. Appcmd.exe
  3. The many IIS VBS scripts
  4. The manual editing of web.config files with notepad.exe

While I won’t bore you with the typical thick-finger problems when working with notepad.exe, the antiquated interfaces of appcmd.exe, and the likes of iisvdir.vbs, iisweb.vbs, and iisext.vbs, I will dive into the wonderful world of IIS PowerShell management.

In Windows Server 2012, a total of 77 IIS-related PowerShell cmdlets are available to manage most of the Web Server Role Service.

For instance, the following line of PowerShell code will create a new website named ServerCore that is connected to TCP Port 80, only listens to the host header, and stores its files in a folder named wwwroot in the typical folder structure for a WordPress installation through the Web Platform Installer (type PowerShell at the command prompt if you haven’t done so):

New-WebSite -Name ServerCore -Port 80 -HostHeader -PhysicalPath "C:\Inetpub/wwwroot/wordpress"

And since we’d also want to allow visitors to to only type into their address bar, we would also bind the host header:

New-WebBinding -Name "ServerCore" -IPAddress "*" -Port 80 -HostHeader


Figuring out how to configure IIS on the console of your Server Core installation might become tedious at points. Luckily, you can also manage IIS remotely from a Graphical User Interface (GUI).

To this purpose, you will need to meet the following two requirements:

  1. Install the IIS Management Console on the management server.
  2. Install the IIS Management Service on your Server Core web server.

To install the IIS Management Service on your Server Core web server(s), type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):

Install-WindowsFeature Web-Mgmt-Service

By default, the Web Management Server will not accept remote connections. To allow this, we’ll have to resort to using Regedit. Open the register by typing regedit.exe at the command prompt. Then, in the left pane, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server. Here, change the value for EnableRemoteManagement from 0x00000000 to 0x00000001. Close Regedit with Alt+F4 or by clicking the X symbol in the right top of the program.

You can control the entire Web Management Service in this part of the Registry, including the port it listens on and the IP address(es) the service responds to.

When you think you’re done, you’re mistaken. The service is not started automatically, nor is it scheduled to start automatically, so you’ll need to issue the following two commands to make that happen:

sc config WMSVC start= auto
net start WMSVC

The IIS Manager is part of the IIS Server Role on Server with a GUI installations of Windows Server 2012. You can install the IIS Management Console through Server Manager. To install the IIS Manager, click Manage in the top right corner of Server Manager. From the context menu, select Add Roles and Features. Click Next > in the Before you begin, Select installation type and Select destination server screens. In the Select server roles screen, select Web Server (IIS) from the list.

Install IIS

Install IIS

In the pop-up, click Add features, since these are exactly the features we’re looking for. Now click Next > three times to skip through to the Internet Information Services Role Services selection. In this screen, deselect the top Web Server in the list. This will result in the IIS Management Console as the only desired Role Service. Click Next > and then Install.

Unfortunately, the IIS Manager in Windows 8 is unable to connect to web servers remotely, so it can’t be used to manage your Server Core web server(s).

Now, after you’ve got the IIS Management Console installed, click Close and start the Internet Information Services (IIS) Manager from the Start Screen.

In the Internet Information Services (IIS) Manager, right-click Start Page in the Connections pane on the left. Choose Connect to a Server…. Run through the Connect to Server wizard by supplying the name or IP address of your Server Core web server and appropriate credentials. When the IIS Manager can connect successfully, you can also name the connection.

You can then manage your Server Core web server remotely, as you would with any other Windows Server 2012–based web server:

Manage IIS remotely

Manage IIS remotely


Windows Server 2012–based Server Core web servers can be used to host highly available, highly secure web servers. You don’t have to perform all the configuration and management tasks on the console to make the web server secure, but you might want to.

  1. Stevan Allen 8 years ago


    Server certificates does not appear in the IIS section of the server when you connect remotely using the IIS GUI.

    How do I manage certificates please?

  2. Edwi 8 years ago

    On server Core you create a request.inf file and use the certreq -new request.inf request.txt command to create the csr.

  3. Edwin Bakkes 8 years ago

    Create a CSR Configuration File

    The Microsoft certreq utility uses a configuration file to generate a CSR. You must create a configuration file before you can generate the request.
    Create the file and generate the CSR on the Windows 2012 Server Core that will use the certificate.

    Open a text editor and paste the following text, including the beginning and ending tags, into the file.

    ;—————– request.inf —————–


    Signature=”$Windows NT$


    Subject = “CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization,
    L=City, S=State, C=Country”
    ; Replace View_Server_FQDN with the FQDN of the View server.
    ; Replace the remaining Subject attributes.
    KeySpec = 1
    KeyLength = 2048
    ; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
    ; of 1024 is also supported, but it is not recommended.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0


    OID= ; this is for Server Authentication

    ; SANs can be included in the Extensions section by using the following text format. Note is the OID for a SAN extension.


    Save the file as request.inf on the C:\Temp folder on the Windows 2012 Server Core.

    Generate a CSR and Request a Signed Certificate from a CA

    Navigate to the directory where you saved the request.inf file.

    Generate the CSR file.

    For example: certreq -new request.inf certreq.txt

    In a text editor, open the CSR file (such as certreq.txt) and copy the contents of the file, including the beginning and ending tags.

    For example:
    . . .
    . . .

    Use the contents of the CSR file to submit a certificate request to the CA in accordance with the CA’s enrollment process.

    After conducting some checks on your company, the CA signs your request, encrypts it with a private key, and sends you a validated certificate.

    The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.

    Save the certificate named cert.cer on C:\Temp folder on the Windows 2012 Server Core.

    Import a Signed Certificate by Using Certreq

    Navigate to the directory where you saved the signed certificate file such as cert.cer.

    For example: cd C:\Temp

    Import the signed certificate by running the certreq -accept command.

    For example: certreq -accept cert.cer

    The certificate is imported into the Windows local computer certificate store.

  4. Eva Janakieff 4 years ago

    The Shared Configuration neither appears in IIS Management Console …

    So, how can I configure Share Configuration in Web Servers Core?


    Eva Janakieff


  5. John 1 year ago

    yeah, how do website users access this site from internet ? a site like this only the system admin has access, please tell me how to make a normal public website

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account