IIS Administration Using Ansible and Windows PowerShell

Introduction

IIS (Internet Information Services) is a web server that runs on Windows systems to serve websites. Let us see how to automate IIS installation and deployment of websites using Ansible.

Installation of IIS using Ansible

To install IIS on a Windows server, we need to turn on some Windows features using the win_feature module. Below is the Ansible code for the same.

   - win_feature:
       name:
         - Web-Server
         - Web-Mgmt-Console
       state: present
       restart: yes
       include_sub_features: yes
       include_management_tools: yes

If you face any issues during installation, refer to the forum.

Create IIS site using Ansible

To create a site in IIS, we first need to create a physical path, a log path and an apppool. Below are the steps in detail.

1. Create physical path

win_file:
    path: C:\sites\site1
    state: directory

2. Create log file directory.

win_file:
    path: C:\sites\logs
    state: directory

3. Create apppool

- win_iis_webapppool:
    name: site1_apppool
    state: started

Additional attributes for IIS apppool.

- win_iis_webapppool:
    name: site1_apppool
    state: started
    attributes:
      managedRuntimeVersion: v4.0
      managedPipelineMode: Integrated
      enable32BitAppOnWin64: true
      autoStart: no

4. Create site

- win_iis_website:
    name: site1
    state: started
    port: 8080
    site_id: 1
    ip: 12.34.56.78
    hostname: site1.domain.com
    application_pool: site1_apppool
    physical_path: C:\sites\site1
    parameters: logfile.directory:C:\sites\logs

If site_id and port are not provided, these values will be assigned automatically in a sequential manner.

Enable or Disable Authentication in IIS using Ansible or PowerShell

Anonymous authentication gives everyone access to the website.

We can enable or disable anonymous authentication in PowerShell using the below command.

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "enabled" -value "False"

Use the win_shell module with the above command to run it using Ansible.

win_shell: |
 Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "enabled" -value "False"

To enable, provide the value as "True".

In this case, the user will be the default user IUSR. If this needs to be changed to a specific user, below are the commands for the same.

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "enabled" -value "True"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value "myuser"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "password" -value "mypass"

Make sure to store the password in Ansible Vault instead of writing it in the playbook. Refer to the Ansible Vault guide for more details.

Similarly for Windows authentication, use the below PowerShell command.

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/security/authentication/windowsAuthentication" -name "enabled" -value "True"
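A read-back check for the authentication settings above, as an added example that is not part of the original page. The function name Get-SiteAuthState and the expected policy (anonymous off, Windows authentication on) are assumptions; run through win_shell after the configuration tasks, a non-zero exit fails the play.

```powershell
# Added example (not from the original page): report and verify the
# authentication settings of the page's site 'site1'.
Import-Module WebAdministration

function Get-SiteAuthState {
    # Hypothetical helper: read both authentication sections for one site.
    param([Parameter(Mandatory)][string]$Site)

    $root = 'system.webServer/security/authentication'
    $anon = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter "$root/anonymousAuthentication"
    $win  = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter "$root/windowsAuthentication"

    [pscustomobject]@{
        Site             = $Site
        AnonymousEnabled = [bool]$anon.enabled
        AnonymousUser    = [string]$anon.userName   # IUSR unless overridden
        WindowsEnabled   = [bool]$win.enabled
    }
}

$state = Get-SiteAuthState -Site 'site1'
$state | Format-List

# Assumed policy for this example: the site must require Windows sign-in.
if ($state.AnonymousEnabled -or -not $state.WindowsEnabled) {
    Write-Error "site1: expected anonymous=False and windows=True"
    exit 1
}
```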

Create Default document in IIS using PowerShell and Ansible

When a request arrives on the site, the response is sent based on the files defined in the default document. It is possible to change the default settings and add a new default document.

PowerShell:

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/defaultDocument/files" -name "." -value @{value='newfile.htm'}

Ansible:

win_shell: |
 Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/defaultDocument/files" -name "." -value @{value='newfile.htm'}

Create or Enable MIME type in IIS using PowerShell and Ansible

MIME stands for Multipurpose Internet Mail Extensions. A MIME type represents the format of a file.

Use the below PowerShell command to enable the MIME type.

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/staticContent" -name "enableDocFooter" -value "True"

Use the below PowerShell command to add a new MIME type with type app/ext and extension .xyz.

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/staticContent" -name "." -value @{fileExtension='.xyz';mimeType='app/ext'}

For Ansible, use the win_shell module together with the above PowerShell command.

Request filtering in IIS using PowerShell and Ansible

Request filtering is a security feature to restrict the types of HTTP requests.

Below are a few examples in PowerShell for filtering verbs, URLs and file extensions. For Ansible, use the same commands together with the win_shell module.


Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/fileExtensions" -name "." -value @{fileExtension='.exe'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/verbs" -name "." -value @{verb='TRACE';allowed='True'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/alwaysAllowedUrls" -name "." -value @{url='www.google.com'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/denyUrlSequences" -name "." -value @{sequence='hack'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/alwaysAllowedQueryStrings" -name "." -value @{queryString='.asa'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/filteringRules" -name "." -value @{name='Test';scanUrl='True';scanQueryString='True'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/filteringRules/filteringRule[@name='Test']/scanHeaders" -name "." -value @{requestHeader='http'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/filteringRules/filteringRule[@name='Test']/appliesTo" -name "." -value @{fileExtension='.asp'}

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/site1'  -filter "system.webServer/security/requestFiltering/filteringRules/filteringRule[@name='Test']/denyStrings" -name "." -value @{string='abc'}
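In the verbs and fileExtensions collections an entry blocks requests only when its allowed attribute is False, and Add-WebConfigurationProperty fails on a duplicate entry when win_shell runs the same command a second time. The added example below (not from the original page; the helper name Set-RequestFilterEntry and the deny list are assumptions) denies TRACE and .exe for site1 in a way that can be re-run safely.

```powershell
# Added example, not from the original page. Assumes the page's site 'site1'
# and the WebAdministration module that ships with IIS.
Import-Module WebAdministration

$PsPath = 'MACHINE/WEBROOT/APPHOST/site1'
$Base   = 'system.webServer/security/requestFiltering'

function Set-RequestFilterEntry {
    # Hypothetical helper: ensure one <add> entry exists with the wanted 'allowed' value.
    param(
        [Parameter(Mandatory)][ValidateSet('verbs', 'fileExtensions')][string]$Collection,
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][bool]$Allowed
    )
    $key    = if ($Collection -eq 'verbs') { 'verb' } else { 'fileExtension' }
    $filter = "$Base/$Collection"
    $entry  = "$filter/add[@$key='$Value']"

    $existing = Get-WebConfiguration -PSPath $PsPath -Filter $entry
    if (-not $existing) {
        # No entry yet, so adding it cannot hit the duplicate-entry error.
        Add-WebConfigurationProperty -PSPath $PsPath -Filter $filter -Name '.' `
            -Value @{ $key = $Value; allowed = $Allowed }
        return "added   $key=$Value allowed=$Allowed"
    }
    if ([bool]$existing.allowed -ne $Allowed) {
        # Entry exists with the other value (for example allowed='True'): change it in place.
        Set-WebConfigurationProperty -PSPath $PsPath -Filter $entry -Name 'allowed' -Value $Allowed
        return "updated $key=$Value allowed=$Allowed"
    }
    return "ok      $key=$Value allowed=$Allowed"
}

# Constructed deny list for this example.
$denied = @(
    @{ Collection = 'verbs';          Value = 'TRACE' },
    @{ Collection = 'fileExtensions'; Value = '.exe'  }
)
foreach ($d in $denied) {
    Set-RequestFilterEntry -Collection $d.Collection -Value $d.Value -Allowed $false
}

# Read the collections back so the run log shows the effective rules.
Get-WebConfiguration -PSPath $PsPath -Filter "$Base/verbs/add" |
    ForEach-Object { "verb $($_.verb) allowed=$($_.allowed)" }
Get-WebConfiguration -PSPath $PsPath -Filter "$Base/fileExtensions/add" |
    ForEach-Object { "fileExtension $($_.fileExtension) allowed=$($_.allowed)" }
```

The update branch assumes the entry is defined at site level; an entry inherited from the server configuration should be changed where it is defined.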

Configure ISAPI in IIS using Powershell or Ansible

The virtual location of the dll file is used to map the ISAPI extension. Below is an example to create a new ISAPI filter in PowerShell. For Ansible, use win_shell module together with the PowerShell command.


Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'site1' -filter "system.webServer/isapiFilters" -name "." -value @{name='ISAPI_test\asp.dll';path='C:\test';preCondition='runtimeVersion2.0'}

Restart IIS

Once all the required changes are made, the IIS site and services need to be reset.

- win_iis_website:
    name: site1
    state: restarted
- win_shell: iisreset
    
  

Conclusion

By automating the IIS administrative tasks using Ansible, manual errors can be reduced and 50% of time can be saved.

Vipin

I am a dreamer. I admire the web. I admire anything about the web.