Recently, while talking to a colleague from another department, he asked for help with PowerShell scripts to automate some advanced IIS (Internet Information Services) web server configuration. He was struggling to set a few IIS settings under manyToOneMappings as part of a hardening step; the other settings, creating a new local user and installing IIS with certain features, were easier. Below is a screenshot of the script: it takes input and configures the remote system with IIS, a new user and the other configuration settings.
Once the Internet Information Services role and its features were installed, my friend was stuck on the following configuration in Internet Information Services (IIS) Manager: the SSL Settings and the Configuration Editor settings, which he wanted to set with PowerShell.
The first configuration to automate with PowerShell was SSL Settings. Require SSL must be enabled so that the Default Web Site accepts SSL connections, even though the site does not yet have a secure (HTTPS) binding.
The other setting is in the Configuration Editor section system.webServer / security / authentication / iisClientCertificateMappingAuthentication / manyToOneMappings. It must be enabled, and manyToOneMappings should show count=1 once the mapping information has been added.
Inside that manyToOneMappings entry, rules should be configured as the hardening step.
Below is the complete script. It uses Install-WindowsFeature and Invoke-Command to install and configure IIS (Internet Information Services). On the remote IIS web server it uses the IIS PowerShell module cmdlets Set-WebConfiguration, Add-WebConfigurationProperty and Set-WebConfigurationProperty, plus the non-IIS cmdlets New-LocalUser and Add-LocalGroupMember, to achieve the task.
Download the script here; it is also available on github.com.
```powershell
#Created by vCloud-lab.com
$username       = Read-Host -Prompt 'Type UserName'
$password       = Read-Host -Prompt 'Type Password'
$websiteName    = Read-Host -Prompt 'Type WebSite Name'
$matchCriteria  = Read-Host -Prompt 'Type matchCriteria'
$serverListPath = Read-Host -Prompt 'Type Server file list Path'
$servers = Get-Content $serverListPath

##########################
foreach ($server in $servers) {
    Write-Host "Connecting to $server" -BackgroundColor DarkRed
    $session = New-PSSession -ComputerName $server

    Write-Host 'IIS installation initiated' -BackgroundColor DarkGreen
    Install-WindowsFeature -Name Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-CertProvider, Web-Client-Auth, Web-Cert-Auth, Web-Mgmt-Tools, Web-Mgmt-Console -IncludeManagementTools -ComputerName $server

    ###########################
    Invoke-Command -Session $session -ScriptBlock {
        param(
            [string]$username,
            [string]$password,
            [string]$websiteName,
            [string]$matchCriteria
        )
        # The *-WebConfiguration cmdlets used below come from this module on the IIS host
        Import-Module WebAdministration

        Write-Host 'New local user is getting created and added to Administrators group' -BackgroundColor DarkGreen
        New-LocalUser -FullName $username -AccountNeverExpires -Name $username -Description 'IIS User' -PasswordNeverExpires -UserMayNotChangePassword -Password ($password | ConvertTo-SecureString -Force -AsPlainText)
        Start-Sleep -Seconds 5
        Add-LocalGroupMember -Group Administrators -Member $username

        ##########################
        # SSL Settings: require SSL and require a client certificate for the site
        Write-Host "Enable SSL settings" -BackgroundColor DarkGreen
        Set-WebConfiguration -PSPath 'IIS:\' -Location $websiteName -Filter "system.webServer/security/access" -Value "Ssl,SslNegotiateCert,SslRequireCert"
        Start-Sleep -Seconds 5

        # Configuration Editor: enable iisClientCertificateMappingAuthentication
        Write-Host "Enable many to one mapping" -BackgroundColor DarkGreen
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $websiteName -Filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" -Name enabled -Value true
        Start-Sleep -Seconds 5

        ##########################
        # Add one manyToOneMappings entry (count=1) that maps matching certificates to the new local user
        Write-Host "Add many to one mapping info" -BackgroundColor DarkGreen
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $websiteName -Filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings" -Name "." -Value @{name='FirstUser';description='many-to-one';userName="$env:COMPUTERNAME\$username";password=$password}
        Start-Sleep -Seconds 5

        # Add the rule: the certificate Subject CN must equal $matchCriteria (case-sensitive)
        Write-Host "Add many to one mapping rule" -BackgroundColor DarkGreen
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $websiteName -Filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings/add[@name='FirstUser']/rules" -Name "." -Value @{certificateField='Subject';certificateSubField='CN';matchCriteria=$matchCriteria;compareCaseSensitive='true'}
        ##########################
    } -ArgumentList $username, $password, $websiteName, $matchCriteria

    <#
    Invoke-Command -Session $session -ScriptBlock {
        Write-Host "netsh reports" -BackgroundColor DarkGreen
        $sshCertResult = netsh http show sslcert
        ($sshCertResult | Select-String 'IP:Port')[1]
        ($sshCertResult | Select-String 'Certificate Hash')[1]
        $ipAddress = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.InterfaceIndex -ne 1} | Select-Object -ExpandProperty IPAddress
        netsh http delete sslcert ipport=${ipAddress}:443
        netsh http add sslcert ipport=${ipAddress}:443 certhash=<
    }
    Disconnect-PSSession -Session $session
    #>

    # Close the remote session before moving on to the next server
    Remove-PSSession -Session $session
}
```
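The script above writes the settings but never reads them back. The following function is an added verification example (not part of the original vCloud-lab.com script): it queries the same configuration paths with Get-WebConfiguration and Get-WebConfigurationProperty and reports whether the site is in the hardened state described above. The site name, the mapping name FirstUser (taken from the script) and the expected matchCriteria value are parameters; 'example-client' at the bottom is a placeholder.

```powershell
# Added verification example (not part of the original vCloud-lab.com script).
# Run on the IIS host, or inside Invoke-Command, after the hardening script has run.
Import-Module WebAdministration

# Get-WebConfigurationProperty returns a plain value for some attributes and a
# ConfigurationAttribute object (with .Value) for others; normalise to the raw value.
function Get-AttrValue($attr) { if ($null -ne $attr.Value) { $attr.Value } else { $attr } }

function Test-IisClientCertHardening {
    param(
        [Parameter(Mandatory)][string]$WebsiteName,
        [string]$MappingName = 'FirstUser',   # mapping name used by the script above
        [string]$ExpectedMatchCriteria        # CN the rule should match; not checked if empty
    )
    $authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
    $site = @{ PSPath = 'IIS:\'; Location = $WebsiteName }

    # 1. sslFlags must require SSL, negotiate a client certificate and require it.
    $sslFlags = [string](Get-AttrValue (Get-WebConfigurationProperty @site -Filter 'system.webServer/security/access' -Name sslFlags))
    $missing  = @('Ssl', 'SslNegotiateCert', 'SslRequireCert' | Where-Object { $sslFlags -notmatch "\b$_\b" })
    $sslOk    = $missing.Count -eq 0

    # 2. Client certificate mapping authentication must be switched on.
    $enabled = (Get-AttrValue (Get-WebConfigurationProperty @site -Filter $authFilter -Name enabled)) -eq $true

    # 3. Exactly one many-to-one mapping (count=1), carrying the expected name.
    $mappings = @(Get-WebConfiguration @site -Filter "$authFilter/manyToOneMappings/add")
    $mapping  = $mappings | Where-Object { $_.name -eq $MappingName } | Select-Object -First 1

    # 4. That mapping's rule must match on Subject/CN, case-sensitively, against the expected CN.
    $rule = $null
    if ($mapping) {
        $rule = @(Get-WebConfiguration @site -Filter "$authFilter/manyToOneMappings/add[@name='$MappingName']/rules/add") | Select-Object -First 1
    }
    $ruleOk = ($null -ne $rule) -and
              $rule.certificateField -eq 'Subject' -and $rule.certificateSubField -eq 'CN' -and
              $rule.compareCaseSensitive -eq $true -and
              ([string]::IsNullOrEmpty($ExpectedMatchCriteria) -or $rule.matchCriteria -ceq $ExpectedMatchCriteria)

    [pscustomobject]@{
        Website            = $WebsiteName
        SslFlags           = $sslFlags
        MissingSslFlags    = ($missing -join ',')
        MappingAuthEnabled = $enabled
        MappingCount       = $mappings.Count
        RuleValid          = $ruleOk
        Hardened           = $sslOk -and $enabled -and ($mappings.Count -eq 1) -and $ruleOk
    }
}
# 'example-client' is a placeholder for the CN that was given as matchCriteria when the script ran.
Test-IisClientCertHardening -WebsiteName 'Default Web Site' -ExpectedMatchCriteria 'example-client' | Format-List
```

A Hardened value of False together with MissingSslFlags or MappingCount tells you which of the four settings drifted from the state the script set.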