Forever Breathes The Lonely Word - My Tech Blog

March 20th 2015 - I moved Blog Software again, actually rather than using some dedicated Blog software, I'm now using my own CMS for the blog. This means a single system for all content.
There are currently no feeds available for new posts, but then again I don't have that many new posts anyways.

July 11th 2015 - I have enabled comments on certain posts, just to experiment with Disqus a bit, looks good so far.


IIS - Nested comments in config files

Published: 27 August 2015

One nice feature of XML based configuration is that you can add comments anywhere to explain why a certain configuration value has been set this way.

For IIS I use this most often to comment on the IP addresses I use to allow for certain sites, like:

<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <!-- Susan's laptop -->
            <add ipAddress="25.88.25.25" allowed="true"/>
            <!-- public IP at work -->
            <add ipAddress="165.25.26.25" allowed="true" />
            <!-- local home network -->
            <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" />
            <!-- explicit deny Mark's network -->
            <add ipAddress="58.57.56.0" subnetMask="255.255.255.0" allowed="false" /> 
        </ipSecurity>
    </security>
</system.webServer>

Without these comments I would sometimes come back to the configuration and not know what these addresses are and whether I still need them.

The other day I had to allow access to a site from everywhere, I could not just change the 'allowUnlisted' value because I have both 'allow' and 'deny' entries in the list.

Normally I would just comment out the whole 'ipSecurity' node, but this isn't possible because XML does not allow nested comments.

My first fix was to move the specific comments out of the node into their own comment section. That works, but it's a pain if you have many comments, and you are losing the direct association with the add node.

<!-- ipSecurity info:
     25.88.25.25 = Susan's laptop
     165.25.26.25 = public IP at work
     ...
-->

A cleaner solution is to extend the IIS schema to allow a comment directly on the 'add' node.

To do that I created a new file:
%systemroot%\System32\inetsrv\config\schema\my_schema.xml
with the following content:
<configSchema> 
    <sectionSchema name="system.webServer/security/ipSecurity"> 
        <collection addElement="add" >
           <attribute name="remark" type="string" defaultValue=""  />
        </collection>
    </sectionSchema>     
</configSchema> 
I'm adding a new attribute to the 'add' node, which allows me to add my comment directly on the node like this:
<system.webServer>
    <security>
        <ipSecurity allowUnlisted="false">
            <add ipAddress="25.88.25.25" allowed="true" remark="Susan's laptop" />
            <add ipAddress="165.25.26.25" allowed="true" remark="public IP at work" />
            <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" remark="local home network" />
            <add ipAddress="58.57.56.0" subnetMask="255.255.255.0" allowed="false" remark="explicit deny Mark's network" /> 
        </ipSecurity>
    </security>
</system.webServer>

This doesn't show up in the IIS Manager UI, but in the configuration editor:

[Screenshot: config editor]

This means I can edit my comments in the GUI and don't have to edit the config file directly anymore.

If you use that web.config on a different server you have to remember to copy the 'my_schema.xml' file as well, otherwise you will get a '500.19' configuration error complaining:

Unrecognized attribute 'remark'
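
A pre-deployment check for the situation described above, as an added example that is not part of the original post: it reports which ipSecurity entries carry no remark and whether any schema file on the machine declares the 'remark' attribute. The function name `Test-IpSecurityRemarkSchema` and the sample config are constructed for illustration, and the web.config is assumed to have no XML namespace.

```powershell
# Added example. Test-IpSecurityRemarkSchema and $sampleConfig are illustrative names,
# not part of IIS or of the original post.
function Test-IpSecurityRemarkSchema {
    param(
        [Parameter(Mandatory = $true)] [string] $ConfigXml,
        # Schema directory named in the post; override it to test against a copy.
        [string] $SchemaDir = "$env:SystemRoot\System32\inetsrv\config\schema"
    )

    $doc     = [xml]$ConfigXml
    $entries = @($doc.SelectNodes('//system.webServer/security/ipSecurity/add'))

    # Entries that use the custom attribute, and entries left without an explanation.
    $usesRemark   = @($entries | Where-Object { $_.HasAttribute('remark') })
    $undocumented = @($entries | Where-Object { -not $_.GetAttribute('remark').Trim() })

    # Look for a schema file that declares 'remark' on the ipSecurity <add> element.
    $xpath = "/configSchema/sectionSchema[@name='system.webServer/security/ipSecurity']" +
             "/collection[@addElement='add']/attribute[@name='remark']"
    $declaredIn = $null
    if (Test-Path -Path $SchemaDir) {
        foreach ($file in Get-ChildItem -Path $SchemaDir -Filter '*.xml') {
            try   { $schema = [xml](Get-Content -Path $file.FullName -Raw) }
            catch { continue }   # skip files that are not well-formed XML
            if ($schema.SelectSingleNode($xpath)) { $declaredIn = $file.Name; break }
        }
    }

    [pscustomobject]@{
        Entries          = $entries.Count
        UsingRemark      = $usesRemark.Count
        Undocumented     = @($undocumented | ForEach-Object { $_.GetAttribute('ipAddress') })
        SchemaDeclaredIn = $declaredIn
        # The config uses 'remark' but no schema declares it: expect the 500.19 error.
        Expect500_19     = ($usesRemark.Count -gt 0) -and (-not $declaredIn)
    }
}

# Constructed sample: two documented entries and one without a remark.
$sampleConfig = @'
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="25.88.25.25" allowed="true" remark="Susan's laptop" />
        <add ipAddress="165.25.26.25" allowed="true" remark="public IP at work" />
        <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
'@

Test-IpSecurityRemarkSchema -ConfigXml $sampleConfig | Format-List
```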

New features in IIS 10

Published: 15 July 2015

In all the news about Windows 10 and Windows Server 2016, I haven't read anything about new features in IIS except for the support of HTTP/2.

Maybe there is something else?

I'm looking at Server 2016 Technical Preview 2 (Build 10074), and Windows 10 (Build 10240) which seems to be no different in respect of IIS.

Support for HTTP/2

In Server 2016 TP2 and current builds of Windows 10, HTTP/2 is enabled by default, no need to set the DuoEnabled value in the registry, no need for a reboot.

To verify that you are now using HTTP/2, open Chrome and connect to your secure site hosted on IIS 10. In a second tab, type the following:

chrome://net-internals/#spdy

You may have to refresh your page, but you should see your request listed with a Protocol Negotiated value of h2

In Firefox 39, using the F12 tools, the Headers on the Network tab show: Version: HTTP/2.0

[Screenshot: firefox]

IE 11 or Edge don't seem to show any difference in their F12 tools.

Support for Wildcard host header

A feature many people asked about for a long time is the support of wildcard host headers. In older versions of IIS up to 8.5 you could only specify a full host name in the bindings for a web site.

In IIS 10 you can now do:

New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 80 -HostHeader "*.foo.bar"

and your bindings are:

ls iis:\sites
Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
                                                                https *:443: sslFlags=0
                                                                http *:80:*.foo.bar

This means you can easily point multiple host names to the same site.

I never needed this, but for some people it's a big deal. There is a long thread on forums.iis.net about this.

You can now use site1.foo.bar and site2.foo.bar and as long as you have your DNS server or hosts file set up, they both go to the same site.

What about server1.department.foo.bar? - Doesn't work, the wildcard * stands for a single "word", using a binding of *.*.foo.bar is invalid, same for foo.*.bar. The wildcard has to be the leftmost character. And no: *.bar doesn't work.

To make this work you have to add a binding:

New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 80 -HostHeader "*.department.foo.bar"

But I think that is fair enough.
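
The wildcard rules above written out as a small matcher, as an added example that is not part of the original post; it is useful for checking which host names a binding will route to a site before you add it. The function names are illustrative (they are not IIS cmdlets), and the matcher only encodes the rules stated in this post: leftmost wildcard, exactly one label, and no `*.bar`.

```powershell
# Added example. Test-WildcardHostHeader and Test-HostMatchesWildcard are illustrative
# names; they model the rules described in the post, not IIS's own implementation.
function Test-WildcardHostHeader {
    param([Parameter(Mandatory = $true)] [string] $HostHeader)

    $labels = $HostHeader.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 3) { return $false }   # "*.bar" is rejected
    if ($labels[0] -ne '*')  { return $false }   # the wildcard has to be leftmost
    foreach ($label in $labels[1..($labels.Count - 1)]) {
        # Every remaining label must be a plain DNS label, which also rejects a second '*'.
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$') { return $false }
    }
    return $true
}

function Test-HostMatchesWildcard {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [string] $HostHeader
    )

    if (-not (Test-WildcardHostHeader -HostHeader $HostHeader)) { return $false }

    $suffix = $HostHeader.Substring(1).ToLowerInvariant()   # "*.foo.bar" -> ".foo.bar"
    $name   = $HostName.ToLowerInvariant()
    if (-not $name.EndsWith($suffix, [System.StringComparison]::Ordinal)) { return $false }

    # The wildcard stands for exactly one label: not empty and without a dot.
    $first = $name.Substring(0, $name.Length - $suffix.Length)
    return ($first -match '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$')
}

# Bindings and host names taken from the post.
$bindings = '*.foo.bar', '*.department.foo.bar', '*.*.foo.bar', 'foo.*.bar', '*.bar'
$names    = 'site1.foo.bar', 'site2.foo.bar', 'server1.department.foo.bar'

foreach ($binding in $bindings) {
    $matched = @($names | Where-Object { Test-HostMatchesWildcard -HostName $_ -HostHeader $binding })
    [pscustomobject]@{
        Binding = $binding
        Valid   = (Test-WildcardHostHeader -HostHeader $binding)
        Matches = ($matched -join ', ')
    }
}
```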

More information on IIS.net

New IISAdministration PowerShell module

While the existing PowerShell module (WebAdministration) has hardly changed, the IIS team added a second module with direct access to the underlying 'Microsoft.Web.Administration.ServerManager' object.

The big thing here is much better support for the PowerShell pipeline.

Get-command -Module IISAdministration | Select Name
Clear-IISConfigCollection
Get-IISAppPool
Get-IISConfigAttributeValue
Get-IISConfigCollection
Get-IISConfigCollectionElement
Get-IISConfigElement
Get-IISConfigSection
Get-IISServerManager
Get-IISSite
New-IISConfigCollectionElement
New-IISSite
Remove-IISConfigAttribute
Remove-IISConfigCollectionElement
Remove-IISConfigElement
Remove-IISSite
Reset-IISServerManager
Set-IISConfigAttributeValue
Start-IISCommitDelay
Start-IISSite
Stop-IISCommitDelay
Stop-IISSite

You can read more about it in Baris Caglar's Blog, a list of all new cmdlets is on TechNet

Environment Variables for Applications Pools

We can set specific environment variables per app pool. There is no UI for this yet.

Add-WebConfigurationProperty -value @{name='TestVar';value='42'} -filter "system.applicationHost/applicationPools/add[@name='DefaultAppPool']/environmentVariables" -pspath 'MACHINE/WEBROOT/APPHOST' -name "." 

Looking at the Worker Process in Process Explorer:

[Screenshot: AppPool EnvVar]

Support for HTTP status code 308

Used in the HTTP Redirect module, make sure you have that:

Install-WindowsFeature Web-Http-Redirect

then set a new redirect using PermRedirect:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site'  -filter "system.webServer/httpRedirect" -name "enabled" -value "True"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site'  -filter "system.webServer/httpRedirect" -name "destination" -value "http://foo.bar"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site'  -filter "system.webServer/httpRedirect" -name "httpResponseStatus" -value "PermRedirect"

you now get:

308

Removal of server header

No UI for this yet, use:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site'  -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

or on the server level:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

now the header

Server: "Microsoft-IIS/10.0" 
is no longer sent.

Failed Request Tracing

A new failure definition: traceAllAfterTimeout, I'm not sure what this does exactly.

New cipher suites

Windows 10 supports at least two additional cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The first one is an important one, because it is very high on the list of cipher suites that Google's Chrome browser is using.

Cipher suites for TLS 1.2 in Windows 10 (as of July 15th 2015):

Preferred:
          ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 200 OK
Accepted:
          ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits      HTTP 200 OK
          ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK
          ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 200 OK
          AES256-SHA256                 -              256 bits      HTTP 200 OK
          AES256-SHA                    -              256 bits      HTTP 200 OK
          AES256-GCM-SHA384             -              256 bits      HTTP 200 OK
          ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 200 OK
          ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK
          ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 200 OK
          RC4-SHA                       -              128 bits      HTTP 200 OK
          RC4-MD5                       -              128 bits      HTTP 200 OK
          AES128-SHA256                 -              128 bits      HTTP 200 OK
          AES128-SHA                    -              128 bits      HTTP 200 OK
          AES128-GCM-SHA256             -              128 bits      HTTP 200 OK
          DES-CBC3-SHA                  -              112 bits      HTTP 200 OK

To get such a list download sslyze, unblock and extract the zip, then run:

 .\sslyze.exe --regular www.mysite.com

as a standard user
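
A triage pass over such a listing, as an added example that is not part of the original post: it parses the suite lines and flags RC4, 3DES, MD5 and suites without forward secrecy so you know which ones to disable. `Get-CipherFinding` is an illustrative name, the sample text is the listing shown above, and the line layout is assumed to match that listing.

```powershell
# Added example. Get-CipherFinding is an illustrative name; $scan is the listing above.
$scan = @'
Preferred:
          ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 200 OK
Accepted:
          ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits      HTTP 200 OK
          ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK
          ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 200 OK
          AES256-SHA256                 -              256 bits      HTTP 200 OK
          AES256-SHA                    -              256 bits      HTTP 200 OK
          AES256-GCM-SHA384             -              256 bits      HTTP 200 OK
          ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 200 OK
          ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK
          ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 200 OK
          RC4-SHA                       -              128 bits      HTTP 200 OK
          RC4-MD5                       -              128 bits      HTTP 200 OK
          AES128-SHA256                 -              128 bits      HTTP 200 OK
          AES128-SHA                    -              128 bits      HTTP 200 OK
          AES128-GCM-SHA256             -              128 bits      HTTP 200 OK
          DES-CBC3-SHA                  -              112 bits      HTTP 200 OK
'@

function Get-CipherFinding {
    param([Parameter(Mandatory = $true)] [string] $Text)

    $linePattern = '^\s*(?<suite>[A-Z0-9]+(-[A-Z0-9]+)+)\s+(?<kx>ECDH-\d+ bits|-)\s+(?<bits>\d+) bits\s'
    $seen = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -notmatch $linePattern) { continue }   # skips "Preferred:" / "Accepted:"

        # Copy the captures now; later -match calls overwrite $Matches.
        $suite = $Matches['suite']
        $kx    = $Matches['kx']
        $bits  = [int]$Matches['bits']
        if ($seen.ContainsKey($suite)) { continue }      # the preferred suite is listed twice
        $seen[$suite] = $true

        $issues = @()
        if ($suite -match '(^|-)RC4-') { $issues += 'RC4 (prohibited in TLS by RFC 7465)' }
        if ($suite -match 'DES-CBC3')  { $issues += '3DES (64-bit block cipher)' }
        if ($suite -match '-MD5$')     { $issues += 'MD5-based MAC' }
        $forwardSecrecy = ($kx -ne '-')                  # '-' means static RSA key exchange

        $rating = 'ok'
        if (-not $forwardSecrecy) { $rating = 'no forward secrecy' }
        if ($issues.Count -gt 0)  { $rating = 'disable' }

        [pscustomobject]@{
            Suite          = $suite
            Bits           = $bits
            ForwardSecrecy = $forwardSecrecy
            Rating         = $rating
            Issues         = ($issues -join '; ')
        }
    }
}

Get-CipherFinding -Text $scan | Sort-Object Rating, Suite | Format-Table -AutoSize
```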

Stopping and removing IIS

Published: 11 July 2015
Stopping IIS
If you temporarily don't use IIS, you can 'turn it off'.
Optionally, stop all web sites, ftp sites and application pools:
ls iis:\sites | stop-website -ErrorAction SilentlyContinue
ls iis:\sites | % {$_.ftpserver.stop()}
ls IIS:\AppPools | Stop-WebAppPool
Stop all related services. Please note that WMSVC and ftpsvc may not be installed on your machine.
Stop-Service WMSVC 
Stop-Service AppHostSvc
Stop-Service W3SVC
Stop-Service ftpsvc
Stop-Service WAS
Disable the services
Set-Service -Name AppHostSvc -StartupType disabled
Set-Service -Name w3svc -StartupType disabled
Set-Service -Name ftpsvc -StartupType disabled
Set-Service -Name WAS -StartupType disabled
Set-Service -Name WMSVC -StartupType disabled
You should see that nobody is listening to any web ports anymore:
netstat -an
To Enable IIS again:
Set-Service -Name AppHostSvc -StartupType Automatic
Set-Service -Name w3svc -StartupType Automatic
Set-Service -Name ftpsvc -StartupType Automatic
Set-Service -Name WAS -StartupType Automatic
Set-Service -Name WMSVC -StartupType Automatic

Start-Service WAS
Start-Service W3SVC
Start-Service ftpsvc
Start-Service AppHostSvc
Start-Service WMSVC

ls iis:\sites | start-website -ErrorAction SilentlyContinue
ls iis:\sites | % {$_.ftpserver.start()}
Removing IIS
Close IIS Manager if you have it running.
Uninstall any IIS Extensions, it's better to do that before uninstalling IIS.
$app = get-WmiObject -Class Win32_Product -namespace "root\cimv2" | Where-object{$_.Name -match "IIS URL Rewrite Module 2"}
$app.Uninstall()
We can remove most IIS components with the following command:
Uninstall-WindowsFeature -Name Web-Server -restart
Uninstall-WindowsFeature -Name Was
or on older Windows versions:
dism.exe -online -Disable-Feature -FeatureName:IIS-WebServer
dism.exe -online -Disable-Feature -FeatureName:WAS-WindowsActivationService
There are still some files in "C:\Windows\System32\inetsrv","C:\inetpub" and your content directories. Leave "inetsrv" alone, but you can delete the others.

Test-WebSite PowerShell script to test an IIS site

I often answer questions about IIS on serverfault.com, stackoverflow.com or forums.iis.com and often people provide very little information about their problem. Nearly always it would be helpful to know the sub-status code and people should try a few common troubleshooting things before asking a question on these forums.

So I decided to write a PowerShell script to be run on the server to perform some tests and even offer to fix certain common problems.

This is work in progress but I have a first working version on GitHub

Different ways for installing Windows features on the command line

To install a certain Windows feature on the command line there are many options, which one should I use?
  • Enable-WindowsOptionalFeature
  • Install-WindowsFeature
  • Add-WindowsFeature
  • dism.exe
  • pkgmgr.exe
Platform Support

Vista+2008 Win7 2008 R2 Win8.* 2012 R* Win10 2016 Nano Source
Enable-WindowsOptionalFeature * * * * * Dism module
Get-WindowsOptionalFeature * * * * * Dism module
Install-WindowsFeature * * ServerManager module
Get-WindowsFeature * * * ServerManager module
Add-WindowsFeature * A A ServerManager module
dism.exe * * * * * * * %SystemRoot%\System32
pkgmgr.exe * * * * * * * * %SystemRoot%\System32
A = An alias for Install-WindowsFeature

So the Server-Manager cmdlets are only available on servers or maybe if you install the remote administration tools on a workstation. If you need to support client computers as well use the Dism cmdlets, to be completely on the safe side, use dism.exe. And if you still support Vista/Server 2008 look into pkgmgr.exe

Why are there two different sets of PowerShell cmdlets?

Good question, my guess is that there were two distinct teams at Microsoft. The Server-Manager team created cmdlets to support features in Server-Manager. The dism team (?) wanted to replicate the functionality of dism.exe. By the time they found out about each other, nobody wanted to give up their code.

Different Features

Let's look at the commands in detail:

 Install-WindowsFeature [-Name] <Feature[]> [-ComputerName <String>] [-Credential <PSCredential>]
 [-IncludeAllSubFeature] [-IncludeManagementTools] [-LogPath <String>] [-Restart] [-Source <String[]>] [-Confirm]
 [-WhatIf] [<CommonParameters>]

 Install-WindowsFeature [-ComputerName <String>] [-Credential <PSCredential>] [-LogPath <String>] [-Restart]
 [-Source <String[]>] [-Vhd <String>] -ConfigurationFilePath <String> [-Confirm] [-WhatIf] [<CommonParameters>]

 Install-WindowsFeature [-Name] <Feature[]> [-ComputerName <String>] [-Credential <PSCredential>]
 [-IncludeAllSubFeature] [-IncludeManagementTools] [-LogPath <String>] [-Source <String[]>] -Vhd <String>
 [-Confirm] [-WhatIf] [<CommonParameters>]
compared to:
 Enable-WindowsOptionalFeature [-All] [-LimitAccess] [-LogLevel <LogLevel>] [-LogPath <String>] [-NoRestart]
 [-PackageName <String>] [-ScratchDirectory <String>] [-Source <String[]>] [-SystemDrive <String>]
 [-WindowsDirectory <String>] -FeatureName <String[]> -Online [<CommonParameters>]

 Enable-WindowsOptionalFeature [-All] [-LimitAccess] [-LogLevel <LogLevel>] [-LogPath <String>] [-NoRestart]
 [-PackageName <String>] [-ScratchDirectory <String>] [-Source <String[]>] [-SystemDrive <String>]
 [-WindowsDirectory <String>] -FeatureName <String[]> -Path <String> [<CommonParameters>]

One big difference is that the Server-Manager cmdlets can work against remote computers as well, while dism works only locally but can target offline Windows installations.

Install-WindowsFeature supports a nice trick, if you want to know what other features are installed, use the '-whatif' switch. This works when using -IncludeAllSubFeature but also when installing roles, it just lists all sub-features it would install. The same works for UnInstall-WindowsFeature, try

UnInstall-WindowsFeature -Name NET-Framework-45-Features -whatif
and you can see that you better not remove the dot.NET framework.

Different Windows feature names
Both sets of cmdlets use their own feature names :-(. The dism module cmdlets use the same names as dism.exe, so if you have used those before, just keep using them. The Server Manager uses different names. The following tests were done on a Server 2012 R2
get-windowsfeature | select Name | sort name
returns 267 features.
Get-WindowsOptionalFeature -Online | Select FeatureName | Sort FeatureName
returns 311 features, exactly the same as:
dism.exe -online -get-features
List of Windows feature names
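The names used by the *-WindowsOptionalFeature cmdlets (Dism) are listed first, followed by the names used by the *-WindowsFeature cmdlets (Server-Manager).

*-WindowsOptionalFeature (Dism):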
ActiveDirectory-PowerShell 
ADCertificateServicesManagementTools 
ADCertificateServicesRole 
AdminUI 
Application-Server 
Application-Server-HTTP-Activation 
Application-Server-MSMQ-Activation 
Application-Server-Pipe-Activation 
Application-Server-TCP-Activation 
Application-Server-TCP-Port-Sharing 
Application-Server-WAS-Support 
Application-Server-WebServer-Support 
AppServer 
AS-Dist-Transaction 
AS-Ent-Services 
AS-Incoming-Trans 
AS-NET-Framework 
AS-Outgoing-Trans 
AS-WS-Atomic 
AuthManager 
BdeAducExtTool 
BiometricFramework 
BitLocker 
BitLocker-NetworkUnlock 
BitLocker-RemoteAdminTool 
Bitlocker-Utilities 
BITS 
BITSExtensions-AdminPack 
BITSExtensions-Upload 
BusScan-ScanServer 
CCFFilter 
CertificateEnrollmentPolicyServer 
CertificateEnrollmentServer 
CertificateServices 
CertificateServicesManagementTools 
ClientForNFS-Infrastructure 
CoreFileServer 
CoreFileServer-RSAT 
DamgmtTools 
DataCenterBridging 
Dedup-Core 
DesktopExperience 
DfsMgmt 
DFSN-Server 
DFSR-Infrastructure-ServerEdition 
DHCPServer 
DHCPServer-Tools 
DirectoryServices-ADAM 
DirectoryServices-ADAM-Tools 
DirectoryServices-AdministrativeCenter 
DirectoryServices-DomainController 
DirectoryServices-DomainController-Tools 
DirectoryServices-ISM-Smtp 
DirectPlay 
DNS-Server-Full-Role 
DNS-Server-Tools 
DSC-Service 
EnhancedStorage 
FailoverCluster-AdminPak 
FailoverCluster-AutomationServer 
FailoverCluster-CmdInterface 
FailoverCluster-FullServer 
FailoverCluster-Mgmt 
FailoverCluster-PowerShell 
FaxServiceConfigRole 
FaxServiceRole 
FileAndStorage-Services 
FileServerVSSAgent 
File-Services 
File-Services-Search-Service 
FRS-Infrastructure 
FSRM-Infrastructure 
FSRM-Infrastructure-Services 
FSRM-Management 
Gateway 
Gateway-UI 
HCAP-Server 
HCSRuntime 
HCSUI 
IAS NT Service 
IdentityServer-SecurityTokenService 
IIS-ApplicationDevelopment 
IIS-ApplicationInit 
IIS-ASP 
IIS-ASPNET 
IIS-ASPNET45 
IIS-BasicAuthentication 
IIS-CertProvider 
IIS-CGI 
IIS-ClientCertificateMappingAuthentication 
IIS-CommonHttpFeatures 
IIS-CustomLogging 
IIS-DefaultDocument 
IIS-DigestAuthentication 
IIS-DirectoryBrowsing 
IIS-FTPExtensibility 
IIS-FTPServer 
IIS-FTPSvc 
IIS-HealthAndDiagnostics 
IIS-HostableWebCore 
IIS-HttpCompressionDynamic 
IIS-HttpCompressionStatic 
IIS-HttpErrors 
IIS-HttpLogging 
IIS-HttpRedirect 
IIS-HttpTracing 
IIS-IIS6ManagementCompatibility 
IIS-IISCertificateMappingAuthentication 
IIS-IPSecurity 
IIS-ISAPIExtensions 
IIS-ISAPIFilter 
IIS-LegacyScripts 
IIS-LegacySnapIn 
IIS-LoggingLibraries 
IIS-ManagementConsole 
IIS-ManagementScriptingTools 
IIS-ManagementService 
IIS-Metabase 
IIS-NetFxExtensibility 
IIS-NetFxExtensibility45 
IIS-ODBCLogging 
IIS-Performance 
IIS-RequestFiltering 
IIS-RequestMonitor 
IIS-Security 
IIS-ServerSideIncludes 
IIS-StaticContent 
IIS-URLAuthorization 
IIS-WebDAV 
IIS-WebServer 
IIS-WebServerManagementTools 
IIS-WebServerRole 
IIS-WebSockets 
IIS-WindowsAuthentication 
IIS-WMICompatibility 
InkAndHandwritingServices 
Internet-Explorer-Optional-amd64 
IPAMClientFeature 
IPAMServerFeature 
iSCSITargetServer 
iSCSITargetServer-PowerShell 
iSCSITargetStorageProviders 
iSNS_Service 
KeyDistributionService-PSH-Cmdlets 
LegacyComponents 
Licensing 
Licensing-Diagnosis-UI 
Licensing-UI 
LightweightServer 
ManagementOdata 
MediaPlayback 
Microsoft-Hyper-V 
Microsoft-Hyper-V-Management-Clients 
Microsoft-Hyper-V-Management-PowerShell 
Microsoft-Hyper-V-Offline 
Microsoft-Hyper-V-Online 
Microsoft-Windows-Deployment-Services 
Microsoft-Windows-Deployment-Services-Admin-Pack 
Microsoft-Windows-Deployment-Services-Deployment-Server 
Microsoft-Windows-Deployment-Services-Legacy-SIS 
Microsoft-Windows-Deployment-Services-Transport-Server 
Microsoft-Windows-FCI-Client-Package 
Microsoft-Windows-GroupPolicy-ServerAdminTools-Update 
MicrosoftWindowsPowerShell 
MicrosoftWindowsPowerShellISE 
MicrosoftWindowsPowerShellRoot 
MicrosoftWindowsPowerShellV2 
Microsoft-Windows-ServerEssentials-ServerSetup 
Microsoft-Windows-Web-Services-for-Management-IIS-Extension 
MSMQ 
MSMQ-ADIntegration 
MSMQ-DCOMProxy 
MSMQ-HTTP 
MSMQ-Multicast 
MSMQ-RoutingServer 
MSMQ-Server 
MSMQ-Services 
MSMQ-Triggers 
MSRDC-Infrastructure 
MultipathIo 
NetFx3 
NetFx3ServerFeatures 
NetFx4 
NetFx4Extended-ASPNET45 
NetFx4ServerFeatures 
NetworkDeviceEnrollmentServices 
NetworkLoadBalancingFullServer 
NetworkLoadBalancingManagementClient 
NFS-Administration 
NIS 
NPAS-Role 
NPSManagementTools 
OEM-Appliance-OOBE 
OnlineRevocationServices 
OnlineRevocationServicesManagementTools 
P2P-PnrpOnly 
PeerDist 
PKIClient-PSH-Cmdlets 
Printing-AdminTools-Collection 
Printing-Client 
Printing-Client-Gui 
Printing-InternetPrinting-Client 
Printing-InternetPrinting-Server 
Printing-LPDPrintService 
Printing-LPRPortMonitor 
Printing-Server-Foundation-Features 
Printing-Server-Role 
Printing-XPSServices-Features 
PSync 
QWAVE 
RasCMAK 
RasRoutingProtocols 
RasServerAdminTools 
RemoteAccess 
RemoteAccessMgmtTools 
RemoteAccessPowerShell 
RemoteAccessServer 
RemoteAssistance 
Remote-Desktop-Services 
ResumeKeyFilter 
RightsManagementServices 
RightsManagementServices-AdminTools 
RightsManagementServicesManagementTools 
RightsManagementServices-Role 
RMS-Federation 
RPC-HTTP_Proxy 
RSAT 
RSAT-ADDS-Tools-Feature 
RSAT-AD-Tools-Feature 
RSAT-Hyper-V-Tools-Feature 
RSAT-NIS 
RSAT-RDS-Tools-Feature 
SBMgr-UI 
SearchEngine-Server-Package 
Security-SPP-Vmw 
ServerCore-Drivers-General 
ServerCore-EA-IME 
ServerCore-EA-IME-WOW64 
ServerCore-FullServer 
ServerCore-WOW64 
Server-Drivers-General 
Server-Drivers-Printers 
ServerForNFS-Infrastructure 
Server-Gui-Mgmt 
Server-Gui-Shell 
ServerManager-Core-RSAT 
ServerManager-Core-RSAT-Feature-Tools 
ServerManager-Core-RSAT-Role-Tools 
Server-Manager-RSAT-File-Services 
ServerMediaFoundation 
ServerMigration 
Server-Psh-Cmdlets 
Server-RSAT-SNMP 
ServicesForNFS-ServerAndClient 
SessionDirectory 
SimpleTCP 
SIS-Limited 
SMB1Protocol 
SMBBW 
SmbDirect 
SMBHashGeneration 
SmbWitness 
Smtpsvc-Admin-Update-Name 
Smtpsvc-Service-Update-Name 
SNMP 
Storage-Services 
TelnetClient 
TelnetServer 
TFTP 
TIFFIFilter 
TlsSessionTicketKey-PSH-Cmdlets 
UpdateServices 
UpdateServices-API 
UpdateServices-Database 
UpdateServices-RSAT 
UpdateServices-Services 
UpdateServices-UI 
UpdateServices-WidDatabase 
User-Interfaces-Infra 
VmHostAgent 
VolumeActivation-Full-Role 
WAS-ConfigurationAPI 
WAS-NetFxEnvironment 
WAS-ProcessModel 
WAS-WindowsActivationService 
WCF-HTTP-Activation 
WCF-HTTP-Activation45 
WCF-MSMQ-Activation45 
WCF-NonHTTP-Activation 
WCF-Pipe-Activation45 
WCF-Services45 
WCF-TCP-Activation45 
WCF-TCP-PortSharing45 
WebAccess 
Web-Application-Proxy 
WebEnrollmentServices 
WindowsFeedbackForwarder 
Windows-Identity-Foundation 
Windows-Internal-Database 
WindowsMediaPlayer 
WindowsPowerShellWebAccess 
WindowsServerBackup 
WindowsServerBackupSnapin 
WindowsStorageManagementService 
WINSRuntime 
WINS-Server-Tools 
WirelessNetworking 
WMISnmpProvider 
WorkFolders-Server 
WSS-Product-Package 
Xps-Foundation-Xps-Viewer


*-WindowsFeature (Server-Manager):
AD-Certificate
ADCS-Cert-Authority 
ADCS-Device-Enrollment 
ADCS-Enroll-Web-Pol 
ADCS-Enroll-Web-Svc 
ADCS-Online-Cert 
ADCS-Web-Enrollment 
AD-Domain-Services 
ADFS-Federation 
ADLDS 
ADRMS 
ADRMS-Identity 
ADRMS-Server 
Application-Server 
AS-Dist-Transaction 
AS-Ent-Services 
AS-HTTP-Activation 
AS-Incoming-Trans 
AS-MSMQ-Activation 
AS-Named-Pipes 
AS-NET-Framework 
AS-Outgoing-Trans 
AS-TCP-Activation 
AS-TCP-Port-Sharing 
AS-WAS-Support 
AS-Web-Support 
AS-WS-Atomic 
Biometric-Framework 
BitLocker 
BitLocker-NetworkUnlock 
BITS 
BITS-Compact-Server 
BITS-IIS-Ext 
BranchCache 
CMAK 
Data-Center-Bridging 
Desktop-Experience 
DHCP 
DirectAccess-VPN 
Direct-Play 
DNS 
DSC-Service 
EnhancedStorage 
Failover-Clustering 
Fax 
FileAndStorage-Services 
File-Services 
FS-BranchCache 
FS-Data-Deduplication 
FS-DFS-Namespace 
FS-DFS-Replication 
FS-FileServer 
FS-iSCSITarget-Server 
FS-NFS-Service 
FS-Resource-Manager 
FS-SMB1 
FS-SMBBW 
FS-SyncShareService 
FS-VSS-Agent 
GPMC 
Hyper-V 
Hyper-V-PowerShell 
Hyper-V-Tools 
InkAndHandwritingServices 
Internet-Print-Client 
IPAM 
IPAM-Client-Feature 
iSCSITarget-VSS-VDS 
ISNS 
LPR-Port-Monitor 
ManagementOdata 
Migration 
MSMQ 
MSMQ-DCOM 
MSMQ-Directory 
MSMQ-HTTP-Support 
MSMQ-Multicasting 
MSMQ-Routing 
MSMQ-Server 
MSMQ-Services 
MSMQ-Triggers 
Multipath-IO 
NET-Framework-45-ASPNET 
NET-Framework-45-Core 
NET-Framework-45-Features 
NET-Framework-Core 
NET-Framework-Features 
NET-HTTP-Activation 
NET-Non-HTTP-Activ 
NET-WCF-HTTP-Activation45 
NET-WCF-MSMQ-Activation45 
NET-WCF-Pipe-Activation45 
NET-WCF-Services45 
NET-WCF-TCP-Activation45 
NET-WCF-TCP-PortSharing45 
NFS-Client 
NLB 
NPAS 
NPAS-Health 
NPAS-Host-Cred 
NPAS-Policy-Server 
PNRP 
PowerShell 
PowerShell-ISE 
PowerShellRoot 
PowerShell-V2 
Print-Internet 
Print-LPD-Service 
Print-Scan-Server 
Print-Server 
Print-Services 
qWave 
RDC 
RDS-Connection-Broker 
RDS-Gateway 
RDS-Licensing 
RDS-Licensing-UI 
RDS-RD-Server 
RDS-Virtualization 
RDS-Web-Access 
RemoteAccess 
Remote-Assistance 
Remote-Desktop-Services 
Routing 
RPC-over-HTTP-Proxy 
RSAT 
RSAT-AD-AdminCenter 
RSAT-ADCS 
RSAT-ADCS-Mgmt 
RSAT-ADDS 
RSAT-ADDS-Tools 
RSAT-ADLDS 
RSAT-AD-PowerShell 
RSAT-ADRMS 
RSAT-AD-Tools 
RSAT-Bits-Server 
RSAT-Clustering 
RSAT-Clustering-AutomationServer 
RSAT-Clustering-CmdInterface 
RSAT-Clustering-Mgmt 
RSAT-Clustering-PowerShell 
RSAT-CoreFile-Mgmt 
RSAT-DFS-Mgmt-Con 
RSAT-DHCP 
RSAT-DNS-Server 
RSAT-Fax 
RSAT-Feature-Tools 
RSAT-Feature-Tools-BitLocker 
RSAT-Feature-Tools-BitLocker-BdeAducExt 
RSAT-Feature-Tools-BitLocker-RemoteAdminTool 
RSAT-File-Services 
RSAT-FSRM-Mgmt 
RSAT-Hyper-V-Tools 
RSAT-NFS-Admin 
RSAT-NIS 
RSAT-NLB 
RSAT-NPAS 
RSAT-Online-Responder 
RSAT-Print-Services 
RSAT-RDS-Gateway 
RSAT-RDS-Licensing-Diagnosis-UI 
RSAT-RDS-Tools 
RSAT-RemoteAccess 
RSAT-RemoteAccess-Mgmt 
RSAT-RemoteAccess-PowerShell 
RSAT-Role-Tools 
RSAT-SMTP 
RSAT-SNMP 
RSAT-VA-Tools 
RSAT-WINS 
Search-Service 
ServerEssentialsRole 
Server-Gui-Mgmt-Infra 
Server-Gui-Shell 
Server-Media-Foundation 
Simple-TCPIP 
SMTP-Server 
SNMP-Service 
SNMP-WMI-Provider 
Storage-Services 
Telnet-Client 
Telnet-Server 
TFTP-Client 
UpdateServices 
UpdateServices-API 
UpdateServices-DB 
UpdateServices-RSAT 
UpdateServices-Services 
UpdateServices-UI 
UpdateServices-WidDB 
User-Interfaces-Infra 
VolumeActivation 
WAS 
WAS-Config-APIs 
WAS-NET-Environment 
WAS-Process-Model 
WDS 
WDS-AdminPack 
WDS-Deployment 
WDS-Transport 
Web-App-Dev 
Web-AppInit 
Web-Application-Proxy 
Web-ASP 
Web-Asp-Net 
Web-Asp-Net45 
Web-Basic-Auth 
Web-Cert-Auth 
Web-CertProvider 
Web-CGI 
Web-Client-Auth 
Web-Common-Http 
Web-Custom-Logging 
Web-DAV-Publishing 
Web-Default-Doc 
Web-Digest-Auth 
Web-Dir-Browsing 
Web-Dyn-Compression 
Web-Filtering 
Web-Ftp-Ext 
Web-Ftp-Server 
Web-Ftp-Service 
Web-Health 
Web-Http-Errors 
Web-Http-Logging 
Web-Http-Redirect 
Web-Http-Tracing 
Web-Includes 
Web-IP-Security 
Web-ISAPI-Ext 
Web-ISAPI-Filter 
Web-Lgcy-Mgmt-Console 
Web-Lgcy-Scripting 
Web-Log-Libraries 
Web-Metabase 
Web-Mgmt-Compat 
Web-Mgmt-Console 
Web-Mgmt-Service 
Web-Mgmt-Tools 
Web-Net-Ext 
Web-Net-Ext45 
Web-ODBC-Logging 
Web-Performance 
Web-Request-Monitor 
Web-Scripting-Tools 
Web-Security 
Web-Server 
Web-Stat-Compression 
Web-Static-Content 
Web-Url-Auth 
Web-WebServer 
Web-WebSockets 
Web-WHC 
Web-Windows-Auth 
Web-WMI 
WFF 
Windows-Identity-Foundation 
Windows-Internal-Database 
WindowsPowerShellWebAccess 
Windows-Server-Backup 
WindowsStorageManagementService 
Windows-TIFF-IFilter 
WinRM-IIS-Ext 
WINS 
Wireless-Networking 
WoW64-Support 
XPS-Viewer 
dism.exe and PowerShell
If you decide to support older Windows versions that lack the PowerShell cmdlets, you will use dism.exe to install optional features. Here's a bit of PowerShell code to check whether a feature is installed:
$tempFile = "$env:temp\tempName.log"
& dism.exe /online /get-features /format:table | out-file $tempFile -Force       
$WinFeatures = (Import-CSV -Delim '|' -Path $tempFile -Header Name,state | Where-Object {$_.State -eq "Enabled "}) | Select Name
Remove-Item -Path $tempFile 
You now have a list of all installed feature-names, you can check:
if(($WinFeatures | Where-Object {$_.Name.Trim() -eq "WirelessNetworking"}) -eq $null) {...}
IIS - Managing FTP sites with PowerShell

Managing FTP sites in IIS 7+ with PowerShell doesn't work quite as nicely as one would expect.
While there is a cmdlet to create a new site:
New-WebFtpSite -Name "MyFTPSite" -Port 21 -PhysicalPath C:\inetpub
to list it
ls iis:\sites
and remove it:
Remove-Website -name myftpsite
In the GUI we have an option Add FTP publishing... to an existing web site
How can we do that in PowerShell?
All we need to do is add an FTP binding to the site:
New-WebBinding "MyWebSite" -Port 23 -Protocol ftp -IPAddress *
we can then change settings directly:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/sites/site[@name='MyWebSite']/ftpServer/security/ssl" -name "controlChannelPolicy" -value "SslRequireCredentialsOnly"
To find out what settings are available, set them once through the GUI or the Configuration Editor and have a look at the generated PowerShell script.

Starting or stopping it the usual way doesn't work:
stop-website myftpsite
stop-website : The object identifier does not represent a valid object.
what works is the following:
(get-Website -Name "myftpsite").ftpserver.stop()
and of course:
(get-Website -Name "myftpsite").ftpserver.start()
What about listing all FTP sites:
ls IIS:\sites | where Bindings -match "ftp"
doesn't return anything, because bindings is not just a string but a "Microsoft.IIs.PowerShell.Framework.ConfigurationElement". Use the following:
Get-ChildItem iis:\sites | ForEach-Object {
  if((Get-WebBinding -Name $_.Name | Where-Object protocol -eq ftp).count -gt 0)
  {
    $_
  }
}
Adding a new IIS Manager user to give her FTP access:
$username = "susan"
$password = "imGluck"
$siteName = "ftp"
$access = "Read,Write"

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Management")  
[Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($username, $password) 
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($username, $siteName, $FALSE)

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location "$siteName" -filter "system.ftpServer/security/authorization" -name "." -value @{accessType='Allow';users="$username";permissions="$access"}
