
Virtual Geek

Tales from real IT system administrators world and non-production environment

Automate Many-to-One client certificate mappings for IIS hardening using PowerShell

Recently, while talking to a colleague from another department, he asked for help with PowerShell scripts to automate some advanced IIS (Internet Information Services) web server configuration. He was struggling to set the manyToOneMappings settings used for hardening; the other settings, creating a new local user and installing IIS with certain features, were easier. Below is a screenshot of the script: it takes input and configures the remote system with IIS, a new user and the other configuration settings.

[Screenshot: the script run, installing IIS with Install-WindowsFeature, creating the local user and enabling SSL and many-to-one client certificate mapping]

Once the Internet Information Services role and its features were installed, my friend was stuck on the configuration below in Internet Information Services (IIS) Manager: the SSL Settings and the Configuration Editor settings, done with PowerShell.

[Screenshot: IIS Manager, Default Web Site features view (SSL Settings, Configuration Editor, Default Document, Directory Browsing, Error Pages, Handler Mappings, MIME Types)]

The first configuration was automating the SSL Settings with PowerShell. Require SSL needs to be enabled, so that the Default Web Site accepts SSL connections even though the site does not have a secure (HTTPS) binding.

[Screenshot: IIS Manager, Default Web Site SSL Settings: Require SSL and client certificates]

The other setting is in the Configuration Editor section system.webServer / security / authentication / iisClientCertificateMappingAuthentication / manyToOneMappings. Enable it, and it should show count=1, that is, one mapping entry added.

[Screenshot: Configuration Editor, iisClientCertificateMappingAuthentication for Default Web Site: enabled, manyToOneMappings count=1]

Inside manyToOneMappings, rules should be configured as the hardening step.

[Screenshot: manyToOneMappings add entry (permissionMode Allow) and its rules (certificateField, matchCriteria)]

Below is the complete script. It uses Install-WindowsFeature and Invoke-Command to install and configure IIS (Internet Information Services). On the remote IIS web server it uses the IIS PowerShell module cmdlets Set-WebConfiguration, Add-WebConfigurationProperty and Set-WebConfigurationProperty, plus the non-IIS commands New-LocalUser and Add-LocalGroupMember, to achieve the task.

Download this script here or it is also available on github.com.

#Created by vCloud-lab.com

# Inputs: the local account the client certificate maps to, the site to configure,
# the certificate Subject CN to match, and a text file with one server name per line.
$username = Read-Host -Prompt 'Type UserName'
$password = Read-Host -Prompt 'Type Password'
$websiteName = Read-Host -Prompt 'Type WebSite Name'
$matchCriteria = Read-Host -Prompt 'Type matchCriteria'
$serverListPath = Read-Host -Prompt 'Type Server file list Path'

$servers = Get-Content $serverListPath

##########################

foreach ($server in $servers) 
{
    Write-Host "Connecting to $server" -BackgroundColor DarkRed
    $session = New-PSSession -ComputerName $server
    Write-Host 'IIS installation initiated' -BackgroundColor DarkGreen
    # Web-Client-Auth and Web-Cert-Auth supply the client certificate mapping authentication features used below
    Install-WindowsFeature -Name Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-CertProvider, Web-Client-Auth, Web-Cert-Auth, Web-Mgmt-Tools, Web-Mgmt-Console -IncludeManagementTools -ComputerName $server
    ###########################   
    Invoke-Command -Session $session -ScriptBlock {
        param(
            [string]$username,
            [string]$password,
            [string]$websiteName,
            [string]$matchCriteria
        )
        # The *-WebConfiguration* cmdlets below come from the WebAdministration module installed with IIS
        Import-Module WebAdministration
        Write-Host 'New local user is getting created and added to Administrators group' -BackgroundColor DarkGreen
        New-LocalUser -FullName $username -AccountNeverExpires -Name $username -Description 'IIS User' -PasswordNeverExpires -UserMayNotChangePassword -Password ($password | ConvertTo-SecureString -Force -AsPlainText)
        Start-Sleep -Seconds 5
        Add-LocalGroupMember -Group Administrators -Member $username
        ##########################
        # SSL Settings: Require SSL, and negotiate and require a client certificate
        Write-Host "Enable SSL settings" -BackgroundColor DarkGreen
        Set-WebConfiguration -Location $websiteName -Filter "system.webserver/security/access" -Value "Ssl,SslNegotiateCert,SslRequireCert"
        Start-Sleep -Seconds 5
        # Configuration Editor: enable iisClientCertificateMappingAuthentication on the site
        Write-Host "Enable many to one mapping" -BackgroundColor DarkGreen
        Set-WebConfigurationProperty -location $websiteName -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" -name enabled -value true 
        Start-Sleep -Seconds 5    
        ##########################
        # Mapping entry (count=1): certificates that satisfy the rule below are mapped to the local account
        Write-Host "Add many to one mapping info" -BackgroundColor DarkGreen
        Add-WebConfigurationProperty -location $websiteName -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings" -name "." -value @{name='FirstUser';description='many-to-one';userName="$env:COMPUTERNAME\$username";password=$password}
        Start-Sleep -Seconds 5
        # Rule: only certificates whose Subject CN equals matchCriteria (case-sensitive) are accepted for the mapping
        Write-Host "Add many to one mapping rule" -BackgroundColor DarkGreen
        Add-WebConfigurationProperty -location $websiteName -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings/add[@name='FirstUser']/rules" -name "." -value @{certificateField='Subject';certificateSubField='CN';matchCriteria=$matchCriteria; compareCaseSensitive='true'}
        ##########################
    } -ArgumentList $username, $password, $websiteName, $matchCriteria

<#
    Invoke-Command -Session $session -ScriptBlock {
        Write-Host "netsh reports" -BackgroundColor DarkGreen
        $sshcertResult =  netsh http show sslcert 
        ($sshCertResult | Select-String 'IP:Port')[1]
        ($sshCertResult | Select-String 'Certificate Hash')[1]
        $ipAddress = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.InterfaceIndex -ne 1} | Select-Object -ExpandProperty IPAddress
        # ${ipAddress} is needed here: $ipAddress:443 would be parsed as a scope-qualified variable name
        netsh http delete sslcert ipport=${ipAddress}:443
        netsh http add sslcert ipport=${ipAddress}:443 certhash=<
    }
    Disconnect-PSSession -Session $session
#>
    # Close the remote session once this server is configured
    Remove-PSSession -Session $session
}
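As an added check (example code, not part of the original script or the vCloud-lab.com post), the block below reads back the settings the script writes, on the IIS host or inside Invoke-Command, and reports anything that is not in the hardened state; the parameter defaults and the placeholder CN value are assumptions to replace with the values used in the run.

```powershell
# Added verification example (not from the original post). Run on the IIS host, or inside
# Invoke-Command, after the configuration script; needs the WebAdministration module.
param(
    [string]$websiteName   = 'Default Web Site',            # assumption: the site the script configured
    [string]$matchCriteria = 'CN=PLACEHOLDER-CLIENT-CERT'   # placeholder: the Subject CN the rule should pin
)
Import-Module WebAdministration

$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$findings   = @()

# 1. SSL Settings: Require SSL plus negotiate/require a client certificate.
$access   = Get-WebConfiguration -Location $websiteName -Filter 'system.webServer/security/access'
$sslFlags = @("$($access.sslFlags)" -split ',' | ForEach-Object { $_.Trim() })
foreach ($flag in 'Ssl', 'SslNegotiateCert', 'SslRequireCert') {
    if ($sslFlags -notcontains $flag) { $findings += "sslFlags is missing $flag (current: $($access.sslFlags))" }
}

# 2. Client certificate mapping authentication must be enabled on the site.
$auth = Get-WebConfiguration -Location $websiteName -Filter $authFilter
if (-not $auth.enabled) { $findings += 'iisClientCertificateMappingAuthentication is not enabled' }

# 3. Exactly one many-to-one mapping entry is expected (count=1 in Configuration Editor).
$mappings = @(Get-WebConfiguration -Location $websiteName -Filter "$authFilter/manyToOneMappings/add")
if ($mappings.Count -ne 1) { $findings += "expected 1 manyToOneMappings entry, found $($mappings.Count)" }

# 4. Each mapping must carry a rule that pins the certificate Subject CN, case-sensitively.
#    A mapping with no rules maps every client certificate the server accepts to that account.
foreach ($m in $mappings) {
    $rules = @(Get-WebConfiguration -Location $websiteName -Filter "$authFilter/manyToOneMappings/add[@name='$($m.name)']/rules/add")
    if ($rules.Count -eq 0) { $findings += "mapping '$($m.name)' ($($m.userName)) has no rules" }
    foreach ($r in $rules) {
        if ($r.certificateField -ne 'Subject' -or $r.certificateSubField -ne 'CN') {
            $findings += "mapping '$($m.name)': rule matches $($r.certificateField)/$($r.certificateSubField), not Subject/CN"
        }
        # -cne: the rule is case-sensitive, so compare the expected value case-sensitively too
        if ($r.matchCriteria -cne $matchCriteria) {
            $findings += "mapping '$($m.name)': matchCriteria '$($r.matchCriteria)' differs from expected '$matchCriteria'"
        }
        if (-not $r.compareCaseSensitive) { $findings += "mapping '$($m.name)': compareCaseSensitive is off" }
    }
}

if ($findings.Count -eq 0) { Write-Output "${websiteName}: client certificate mapping hardening verified" }
else { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
```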
