M11: IIS & Web Services

Internet Information Services (IIS) is Microsoft's web server platform for hosting websites, web applications, and web services on Windows Server.

What You'll Learn

IIS architecture and modules
Creating and configuring websites
Application pools and isolation
SSL/TLS certificates
URL Rewrite and ARR

Prerequisites

Windows Server basics
DNS fundamentals (M08)
Basic networking
Certificate concepts (M13 helpful)

Enterprise Reality: IIS powers millions of websites and is essential for hosting ASP.NET applications, SharePoint, Exchange OWA, and custom web services.

IIS Architecture

IIS uses a modular architecture with separate worker processes for isolation.

Core Components

HTTP.sys: Kernel-mode HTTP listener
WAS: Windows Process Activation Service
W3SVC: World Wide Web Publishing Service
Worker Process (w3wp.exe): Handles requests

Module Types

Native: C++ modules (performance)
Managed: .NET modules (flexibility)
Authentication modules
Compression, caching, logging

Install the IIS web server role and management tools with PowerShell.

# Install IIS core web server with management console
PS C:\> Install-WindowsFeature -Name Web-Server -IncludeManagementTools
            

# Expected output:
# ─────────────────────────────────────────
Success Restart Needed  Exit Code  Feature Result
─────── ──────────────  ─────────  ──────────────
True    No              NoChangeNeeded  {Web-Server, Web-Mgmt-Console...}
            

Add ASP.NET support and additional modules for hosting web applications.

# Install ASP.NET 4.5, HTTP redirect, and management console
PS C:\> Install-WindowsFeature -Name Web-Asp-Net45, Web-Http-Redirect, Web-Mgmt-Console
            

Request Processing Pipeline

Understanding how IIS processes an HTTP request from arrival to response.

Request Flow

HTTP.sys receives the request in kernel mode and queues it
WAS determines which application pool handles the request
W3SVC routes the request to the correct worker process
w3wp.exe processes the request through the module pipeline
Response travels back through the pipeline and HTTP.sys sends it to the client

Integrated Pipeline

Native and managed modules unified
.NET modules can handle all requests
Default mode for IIS 7.0+
Better performance and flexibility

Classic Pipeline

Backward compatibility mode
Separate ISAPI and .NET pipelines
Required for some legacy apps
Limited .NET module scope

Key Insight: Integrated pipeline mode is strongly recommended for all new applications. Classic mode should only be used when legacy app compatibility requires it.

Websites and Bindings

A website is a container for web content, identified by bindings (IP, port, hostname).

Binding Components

IP Address - All Unassigned or specific IP
Port - 80 (HTTP) or 443 (HTTPS)
Host Header - Domain name for virtual hosting
Protocol - HTTP or HTTPS

Create a new website by specifying its name, physical path, and host header binding.

# Create a new website bound to a specific hostname on port 80
PS C:\> New-Website -Name "Corporate Portal" -PhysicalPath "C:\inetpub\portal" -HostHeader "portal.hexworth.local" -Port 80
            

# Expected output:
# ─────────────────────────────────────────
Name             ID   State      Physical Path            Bindings
Corporate Portal 2    Started    C:\inetpub\portal        http *:80:portal.hexworth.local
            

Add an HTTPS binding to the same site so it can serve encrypted traffic on port 443.

# Add an HTTPS binding to the existing site
PS C:\> New-WebBinding -Name "Corporate Portal" -Protocol https -Port 443 -HostHeader "portal.hexworth.local"
            

Website vs Web Application vs Virtual Directory

IIS organizes content in a three-level hierarchy that controls isolation and configuration scope.

Website

Top-level container with bindings
Has its own application pool
Unique combination of IP:port:hostname
Contains one or more applications

Web Application

Runs within a website at a sub-path
Can have its own application pool
Has its own web.config scope
Full isolation from parent site

Virtual Directory

Maps a URL path to a physical folder
Inherits parent application pool
No separate configuration scope
Useful for serving files from another location

When to Use Each

Website: Distinct domain or service
Application: Separate app needing isolation
Virtual Dir: Content on a different drive/share

Application Pools

Application pools isolate websites by running them in separate worker processes.

Benefits

Process isolation (crash containment)
Security boundaries (different identities)
Resource management
Independent recycling

Identity Options

ApplicationPoolIdentity (default)
NetworkService
LocalSystem
Custom account

Create a dedicated application pool for each website to ensure process isolation.

# Create a new application pool for the portal site
PS C:\> New-WebAppPool -Name "PortalAppPool"
            

# Expected output:
# ─────────────────────────────────────────
Name            State
PortalAppPool   Started
            

Set the .NET runtime version and identity type for the pool.

# Set the managed runtime to .NET 4.0
PS C:\> Set-ItemProperty "IIS:\AppPools\PortalAppPool" -Name managedRuntimeVersion -Value "v4.0"
            

# Set the pool to run under the default virtual identity
PS C:\> Set-ItemProperty "IIS:\AppPools\PortalAppPool" -Name processModel.identityType -Value ApplicationPoolIdentity
            

Best Practice: Each website should have its own application pool. Never share pools between different applications or customers.

Application Pool Recycling

Recycling restarts worker processes to recover memory and maintain stability.

Recycling Triggers

Regular Time Interval: Default 1740 minutes (29 hours)
Specific Time: Schedule at off-peak hours
Virtual Memory Limit: Threshold-based restart
Private Memory Limit: Per-process memory cap
Request Limit: After N total requests

Recycling Behavior

Overlapped Recycling: New process starts before old exits
Active requests complete in old process
New requests go to new process
Minimizes downtime during recycle
Event log entries for tracking

Disable the default 29-hour time-based recycle and set a private memory limit instead.

# Disable default time-based recycling (set to zero)
PS C:\> Set-ItemProperty "IIS:\AppPools\PortalAppPool" -Name recycling.periodicRestart.time -Value "00:00:00"
            

# Set private memory limit to 1 GB (recycle when exceeded)
PS C:\> Set-ItemProperty "IIS:\AppPools\PortalAppPool" -Name recycling.periodicRestart.privateMemory -Value 1048576
            

Schedule recycling at a specific off-peak time to avoid impacting users.

# Schedule recycling at 3:00 AM daily
PS C:\> Set-ItemProperty "IIS:\AppPools\PortalAppPool" -Name recycling.periodicRestart.schedule -Value @{value="03:00:00"}
            

Best Practice: Disable the default 29-hour time-based recycling and instead set a specific recycling schedule during off-peak hours to avoid recycling during business hours.

Virtual Directories & Applications

Extend website functionality by mapping additional paths.

Virtual Directory vs Application

Virtual Directory: Maps a URL path to a physical folder. Inherits parent's app pool.
Application: Has its own configuration and can run in a separate app pool.

A virtual directory maps a URL path to a folder on a different drive without its own app pool.

# Create a virtual directory pointing to an external docs folder
PS C:\> New-WebVirtualDirectory -Site "Corporate Portal" -Name "docs" -PhysicalPath "D:\Documentation"
            

A web application gets its own configuration scope and can run in a separate app pool for isolation.

# Create an application with its own dedicated app pool
PS C:\> New-WebApplication -Site "Corporate Portal" -Name "api" -PhysicalPath "C:\inetpub\portal\api" -ApplicationPool "APIAppPool"
            

# Expected output:
# ─────────────────────────────────────────
Path                ApplicationPool   EnabledProtocols
/api                APIAppPool        http
            

Default Documents & Directory Browsing

Control what users see when they browse to a directory without specifying a file.

Default Documents

Ordered list of files IIS looks for
Default: Default.htm, Default.asp, index.htm, index.html, iisstart.htm, default.aspx
First match is served to the client
Configurable per site or application

Directory Browsing

Disabled by default (security)
Shows file listing when no default doc
Can display time, size, extension
Enable only for file download sites

Insert a custom default document at the top of the priority list so IIS serves it first.

# Add home.html as the highest-priority default document
PS C:\> Add-WebConfiguration -Filter "/system.webServer/defaultDocument/files" -PSPath "IIS:\Sites\Corporate Portal" -AtIndex 0 -Value @{value="home.html"}
            

Enable directory browsing only on specific paths like a document library, never on the whole site.

# Enable directory browsing for the docs virtual directory only
PS C:\> Set-WebConfigurationProperty -Filter "/system.webServer/directoryBrowse" -Name "enabled" -Value "True" -PSPath "IIS:\Sites\Corporate Portal\docs"
            

Security Warning: Never enable directory browsing on production websites. It exposes your file structure and can leak sensitive information.

SSL/TLS Configuration

Secure your websites with HTTPS using SSL/TLS certificates.

Certificate Sources

Internal CA (AD CS): For intranet sites
Public CA: For internet-facing sites
Self-signed: For testing only
Let's Encrypt: Free automated certificates

Generate a self-signed certificate for testing HTTPS before purchasing a production cert.

# Create a self-signed certificate for the portal hostname
PS C:\> New-SelfSignedCertificate -DnsName "portal.hexworth.local" -CertStoreLocation "Cert:\LocalMachine\My"
            

# Expected output:
# ─────────────────────────────────────────
PSParentPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                               Subject
──────────                               ───────
A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2 CN=portal.hexworth.local
            

Bind the certificate to the HTTPS binding so IIS presents it during the TLS handshake.

# Retrieve the certificate and bind it to the HTTPS port
PS C:\> $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*portal*" }
PS C:\> New-Item "IIS:\SslBindings\0.0.0.0!443!portal.hexworth.local" -Value $cert
            

SSL/TLS Best Practices

Properly configuring TLS is critical for protecting data in transit.

Protocol Configuration

Disable: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
Enable: TLS 1.2 and TLS 1.3
Use strong cipher suites only
Enable Perfect Forward Secrecy (PFS)

Certificate Best Practices

Use 2048-bit RSA keys minimum
Include all SANs (Subject Alternative Names)
Set up certificate renewal alerts
Use HTTP Strict Transport Security (HSTS)

Require SSL so the site rejects any plain HTTP connections.

# Require SSL for all requests to the portal site
PS C:\> Set-WebConfigurationProperty -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl" -PSPath "IIS:\Sites\Corporate Portal"
            

# HSTS (HTTP Strict Transport Security) via IIS Manager:
# Site > HSTS > Enable, Max-Age: 31536000, IncludeSubDomains
# Forces browsers to always use HTTPS for future visits
            

Compliance Tip: PCI DSS requires TLS 1.2 or higher. Disable all older protocols on servers handling payment data.

Authentication Methods

IIS supports multiple authentication schemes for different scenarios.

Windows Authentication

NTLM or Kerberos
Seamless SSO for domain users
Best for intranet sites

Other Methods

Basic (username/password over HTTPS)
Digest (hashed credentials)
Forms (custom login page)
Anonymous (public access)

Enable Windows Authentication so domain users get seamless SSO on the intranet.

# Turn on Windows Authentication for the portal
PS C:\> Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name "enabled" -Value "True" -PSPath "IIS:\Sites\Corporate Portal"
            

Disable anonymous access so every user must authenticate before viewing content.

# Disable anonymous access to require credentials
PS C:\> Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" -Name "enabled" -Value "False" -PSPath "IIS:\Sites\Corporate Portal"
            

Authentication Deep Dive

Choosing the right authentication method depends on your environment and security requirements.

Anonymous Authentication

No credentials required
Uses IUSR built-in account by default
Can be mapped to a custom account
Required for public-facing websites

Basic Authentication

Credentials sent Base64-encoded (not encrypted)
Must use with HTTPS to protect credentials
Works across all browsers and platforms
Good for REST APIs with HTTPS

Digest Authentication

Sends hashed credentials (MD5)
Requires AD domain controller
Reversible encryption must be enabled
Rarely used in modern deployments

Windows Authentication

Negotiate (Kerberos preferred, NTLM fallback)
Kerberos requires SPN registration
Seamless SSO in domain environments
Does not work well through proxies

Security Note: Never use Basic authentication without HTTPS. Credentials are trivially captured via network sniffing.

URL Authorization

Control access to specific URLs, directories, or files based on user identity and roles.

Authorization Rules

Allow rules - Grant access to users, roles, or verbs
Deny rules - Block access to users, roles, or verbs
Rules are evaluated in order; first match wins
Can be configured per site, application, or directory

Install the URL Authorization module so IIS can enforce access rules per URL path.

# Install the URL Authorization feature
PS C:\> Install-WindowsFeature -Name Web-Url-Auth
            

# Expected output:
# ─────────────────────────────────────────
Success Restart Needed  Exit Code  Feature Result
─────── ──────────────  ─────────  ──────────────
True    No              Success    {URL Authorization}
            

Define authorization rules in web.config to restrict access to a specific AD group.

<!-- In web.config: allow only WebAdmins, deny everyone else -->
<authorization>
  <remove users="*" />
  <add accessType="Allow" roles="HEXWORTH\WebAdmins" />
  <add accessType="Deny" users="*" />
</authorization>
            

Tip: URL Authorization works with any authentication method. Combine Windows Authentication with URL Authorization for granular intranet access control.

Request Filtering

Request filtering is IIS's first line of defense against malicious requests.

Filter Types

File Extension: Block .config, .cs, .mdf
URL Sequences: Block .., :, backslash
HTTP Verbs: Allow only GET, POST, HEAD
Hidden Segments: Block App_Code, bin
Request Limits: Max URL, query string, content

Request Limits

maxAllowedContentLength: 30 MB default
maxUrl: 4096 bytes default
maxQueryString: 2048 bytes default
Prevents buffer overflow attacks
Configurable per site

Block dangerous file extensions so users cannot download backup or source files.

# Block .bak files from being served to clients
PS C:\> Add-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.webServer/security/requestFiltering/fileExtensions" -Name "." -Value @{fileExtension='.bak';allowed='False'}
            

Set a maximum upload size to prevent oversized requests from consuming server resources.

# Set maximum content length to 50 MB for the portal
PS C:\> Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering/requestLimits" -Name "maxAllowedContentLength" -Value 52428800 -PSPath "IIS:\Sites\Corporate Portal"
            

Request Handling

Configure how IIS processes and optimizes web requests.

Key Features

Static Compression: Compress CSS, JS, HTML files
Dynamic Compression: Compress generated content
Output Caching: Cache frequently accessed content
Request Filtering: Block malicious requests

Enable static compression to gzip CSS, JS, and HTML files for faster page loads.

# Enable static content compression (CSS, JS, HTML)
PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpCompressionStatic
            

Enable dynamic compression for server-generated responses like API output.

# Enable dynamic content compression (ASPX, API responses)
PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpCompressionDynamic
            

Block .config files from being downloaded to prevent sensitive configuration leaks.

# Block .config files from being served via request filtering
PS C:\> Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.webServer/security/requestFiltering/fileExtensions" -Name "." -Value @{fileExtension='.config';allowed='False'}
            

HTTP Logging

IIS logging captures detailed information about every request for troubleshooting and auditing.

Log Formats

W3C Extended: Default, customizable fields
IIS: Fixed ASCII format
NCSA: Common log format
Custom: User-defined fields

Common Log Fields

Date, Time, Client IP
HTTP method, URI stem, query string
Status code, substatus code
Time taken, bytes sent/received
User agent, referer

Set the logging format to W3C Extended, which provides the most customizable field selection.

# Set the log format to W3C Extended for the portal site
PS C:\> Set-WebConfigurationProperty -Filter "system.applicationHost/sites/site[@name='Corporate Portal']/logFile" -Name "logFormat" -Value "W3C" -PSPath "MACHINE/WEBROOT/APPHOST"
            

Move log files to a dedicated drive to keep the system volume from filling up.

# Redirect IIS logs to a separate drive
PS C:\> Set-ItemProperty "IIS:\Sites\Corporate Portal" -Name logFile.directory -Value "D:\IISLogs"
            

Storage Note: IIS logs can grow rapidly on busy servers. Implement log rotation and archival. Consider centralized logging with tools like ELK Stack.

IIS Manager Navigation

The IIS Manager console provides a graphical interface for all configuration tasks.

Connection Pane (Left)

Server level: Global settings
Sites: All hosted websites
Application Pools: Worker process config
Expand sites to see applications and virtual dirs

Feature View (Center)

IIS section: Authentication, compression, SSL
ASP.NET section: .NET settings
Management section: Delegation, remote mgmt
Double-click icons to configure features

Launch IIS Manager directly from the command line or Run dialog.

# Open IIS Manager from the command line
PS C:\> inetmgr.exe
            

If the management console is not installed, add it as a Windows feature.

# Install the IIS Management Console feature
PS C:\> Install-WindowsFeature -Name Web-Mgmt-Console
            

Remote Management: Install the Web-Mgmt-Service feature and start the WMSVC service to allow remote IIS Manager connections over HTTPS (port 8172).

web.config Basics

The web.config file is an XML configuration file that controls IIS behavior for a specific site or directory.

Configuration Hierarchy

applicationHost.config - Server-level settings (locked by default)
machine.config / root web.config - .NET framework settings
Site web.config - Per-site overrides
App/Directory web.config - Most specific, wins conflicts

<!-- Example web.config -->
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files><add value="home.html" /></files>
    </defaultDocument>
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/errors/404.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
            

Security: IIS automatically blocks web.config from being downloaded by clients. Never rename or move the request filtering rules that protect this file.

FTP Server Setup

IIS includes a built-in FTP server for file transfer services.

FTP Features

FTP over SSL (FTPS) support
User isolation (home directories)
Virtual host names
Firewall-compatible passive mode
Integration with IIS authentication

User Isolation Modes

Do not isolate: Shared root directory
Isolate by user name: User-specific folders
Isolate by AD: Home directory from AD
Prevents users from seeing other directories

Install the FTP Server role with all sub-features including FTP extensibility.

# Install FTP Server with all sub-features
PS C:\> Install-WindowsFeature -Name Web-Ftp-Server -IncludeAllSubFeature
            

Create an FTP site pointing to a dedicated file share directory.

# Create a new FTP site on the standard port 21
PS C:\> New-WebFtpSite -Name "Corporate FTP" -Port 21 -PhysicalPath "D:\FTPRoot"
            

# Expected output:
# ─────────────────────────────────────────
Name            ID   State      Physical Path    Bindings
Corporate FTP   3    Started    D:\FTPRoot       ftp *:21:
            

Enable basic authentication so FTP users can log in with AD credentials.

# Enable basic (username/password) authentication for FTP
PS C:\> Set-ItemProperty "IIS:\Sites\Corporate FTP" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
            

WebDAV Configuration

Web Distributed Authoring and Versioning (WebDAV) allows clients to edit web content remotely over HTTP.

WebDAV Features

File management over HTTP/HTTPS
Works through firewalls (port 80/443)
Supports Windows Explorer mapping
Locking and versioning support
Alternative to FTP for content publishing

Authoring Rules

Define read/write permissions per path
Apply to users, roles, or all users
Control which content types are allowed
Combine with SSL for secure publishing

Install the WebDAV Publishing feature to enable remote file editing over HTTP.

# Install WebDAV Publishing feature
PS C:\> Install-WindowsFeature -Name Web-DAV-Publishing
            

Enable WebDAV authoring on a specific site so clients can upload and edit files.

# Enable WebDAV authoring for the portal site
PS C:\> Set-WebConfigurationProperty -Filter "system.webServer/webdav/authoring" -Name "enabled" -Value "True" -PSPath "IIS:\Sites\Corporate Portal"
            

Map the WebDAV share as a drive letter in Windows Explorer for easy file access.

# Map WebDAV share as drive Z: in Windows Explorer
PS C:\> net use Z: https://portal.hexworth.local/docs /user:HEXWORTH\admin
            

Security Note: WebDAV extends the HTTP attack surface. Only enable it when needed and always require HTTPS and strong authentication.

IIS PowerShell Module

The WebAdministration and IISAdministration modules provide comprehensive PowerShell management.

WebAdministration (Legacy)

Uses IIS: PSDrive provider
Navigate like a file system
Broad compatibility
Cmdlets: New-Website, Get-WebBinding

IISAdministration (Modern)

Pipeline-friendly objects
Better performance
Available on IIS 10+
Cmdlets: Get-IISSite, New-IISSite

IIS PowerShell Module, Configuration

Import the WebAdministration module for the IIS: PSDrive and legacy cmdlets.

# Load the legacy WebAdministration module (IIS: drive)
PS C:\> Import-Module WebAdministration
            

Use Get-Website or Get-IISSite to list all hosted sites, depending on which module you prefer.

# List all websites using the modern IISAdministration module
PS C:\> Get-IISSite
            

# Expected output:
# ─────────────────────────────────────────
Name             ID   State      Physical Path            Bindings
Default Web Site 1    Started    C:\inetpub\wwwroot       http *:80:
Corporate Portal 2    Started    C:\inetpub\portal        http *:80:portal.hexworth.local
            

Navigate the IIS: PSDrive like a file system to browse sites and app pools.

# Browse all sites and application pools via the IIS: drive
PS C:\> Get-ChildItem IIS:\Sites
PS C:\> Get-ChildItem IIS:\AppPools
            

Export a site's full configuration to XML for backup or migration to another server.

# Export the portal's web server configuration to an XML file
PS C:\> Get-WebConfiguration -Filter "system.webServer" -PSPath "IIS:\Sites\Corporate Portal" | Export-Clixml "C:\Backup\portal-config.xml"
            

Automation Tip: Use the IISAdministration module for new scripts. It provides cleaner object output and better integration with modern PowerShell practices.

Lab Preview

Practice IIS configuration through both interfaces.

GUI Lab Tasks

Create a website with bindings
Configure application pool
Set up virtual directory
Enable Windows Authentication
Configure SSL binding
Set up request filtering rules
Configure HTTP logging

PowerShell Lab Tasks

Create sites with WebAdministration
Manage app pools and recycling
Configure authentication methods
Set up request filtering
Create FTP site with SSL
Configure default documents
Export/import configurations

Start GUI Lab Start PowerShell Lab