Freshly installed IIS7.x basic tuning
Yesterday we saw the different ways to install IIS7.x with PowerShell.
“When I’m paid, I always follow my job through. You know that.”
A promise is a promise, so here are the basic tuning operations that can be done after each fresh IIS7.x installation.
Import-Module WebAdministration -ErrorAction Stop

# Creating default directories
Write-Host "Creating default directories" -foregroundcolor Yellow
"D:\INETPUB","D:\LOGS\http\FRT" | ForEach-Object {New-Item -Path $_ -Type Directory}

# Activating extended logs
Write-Host "Activating extended logs" -ForegroundColor Yellow
Set-WebConfigurationProperty /system.applicationHost/sites/siteDefaults/logFile -name logExtFileFlags -value "Date,Time,ClientIP,UserName,SiteName,ComputerName,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,BytesRecv,BytesSent,Host,UserAgent,Referer,ServerIP,ServerPort,TimeTaken,ProtocolVersion,Cookie"

# Moving default logging location
Write-Host "Moving default logging location" -ForegroundColor Yellow
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:D:\LOGS\http\FRT"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:D:\LOGS\http"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/log -centralBinaryLogFile.directory:D:\LOGS\http"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/log -centralW3CLogFile.directory:D:\LOGS\http"

# Configuring compression modules
Write-Host "Configuring compression modules" -ForegroundColor Yellow
Set-WebConfigurationProperty /system.webServer/httpCompression -Name staticCompressionDisableCpuUsage -value 90
Set-WebConfigurationProperty /system.webServer/httpCompression -Name dynamicCompressionDisableCpuUsage -value 80

# Configure ApplicationPools recycling options
Write-Host "Changing ApplicationPools recycling options" -ForegroundColor Yellow
Set-WebConfigurationProperty '/system.applicationHost/applicationPools/applicationPoolDefaults/recycling' -Name logEventOnRecycle -value "Time, Requests, Schedule, Memory, IsapiUnhealthy, OnDemand, ConfigChange, PrivateMemory"
Set-WebConfigurationProperty '/system.applicationHost/applicationPools/applicationPoolDefaults/recycling/periodicRestart' -Name privateMemory -value 1500000

# Configuring default NTFS permissions
# (inheritance is disabled and inherited rules are dropped before the explicit rules are added)
$acl=Get-Acl D:\INETPUB
$acl.SetAccessRuleProtection($True, $False)
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users","ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule=New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE","ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl D:\INETPUB $acl

# Configuring request filtering
Write-Host "Applying Request Filtering rules" -ForegroundColor Yellow
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowhighbitcharacters:false"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowdoubleescaping:false"

# File extensions: unlisted extensions stay allowed, the ones below are denied
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /fileExtensions.allowunlisted:true"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /fileExtensions.applyToWebDAV:true"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.back',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bak',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bat',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bas',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.bs',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cer',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cfg',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cfm',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cfml',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cgi',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cmd',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.cobalt',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.com',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.config',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.dat',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.dll',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.do',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.dot',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.exe',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.fcgi',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.ftl',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.fts',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.htr',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.htw',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.idc',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.idx',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.inc',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.ini',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.jsp',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.jspa',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.kspx',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.log',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.mdb',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.mscgi',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.msi',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.nasl',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.nsf',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.old',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.pfx',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.php',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.php3',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.pl',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.plx',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.pol',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.printer',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.ps1',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.pst',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.secars',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.sh',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.shtm',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.shtml',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.sql',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.ssi',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.stm',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.swp',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.tmp',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vbe',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vbs',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vtl',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.vts',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.wdm',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+fileExtensions.[fileextension='.x',allowed='false']"

# HTTP verbs: unlisted verbs stay allowed, the ones below are denied
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /verbs.allowunlisted:true"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /verbs.applyToWebDAV:true"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='PROPPATCH',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='MKCOL',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='DELETE',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='PUT',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='COPY',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='MOVE',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='LOCK',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='UNLOCK',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='OPTIONS',allowed='false']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+verbs.[verb='SEARCH',allowed='false']"

# Denied URL sequences
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+denyurlsequences.[sequence='..']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+denyurlsequences.[sequence='./']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+denyurlsequences.[sequence='\']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+denyurlsequences.[sequence=';:']"
cmd /c "%windir%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /+denyurlsequences.[sequence=`"';&'`"]"

# Removing standard websites and application pools
Write-Host "Removing standard websites and application pools" -ForegroundColor Yellow
ForEach ($site in Get-Website) { Remove-Website $site.Name }
# Query the individual <add> entries so that each item is one application pool with a Name
$appPoolsSections=Get-WebConfiguration '/system.applicationHost/applicationPools/add'
ForEach ($appPool in $appPoolsSections) { Remove-WebAppPool $appPool.Name }

Those who are struggling to assemble it all can rest assured that I’ll soon post the full version of the script (silent installation and tuning).
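
The extended log fields enabled by the script include HttpStatus and HttpSubStatus, which is where request-filtering rejections become visible: IIS 7.x answers them with 404.5 (denied URL sequence), 404.6 (denied verb), 404.7 (denied file extension), 404.11 (double escaping) and 404.12 (high-bit characters). The following is an added example, not part of the original script, that tallies those rejections per client from a W3C log; the function name Get-RequestFilteringHit and the sample log lines are constructed for illustration.

```powershell
# Added example: triage request-filtering rejections in an IIS W3C log.
$subStatusMap = @{
    '5'  = 'denyUrlSequences match'
    '6'  = 'verb denied'
    '7'  = 'file extension denied'
    '11' = 'double-escaped URL (allowDoubleEscaping=false)'
    '12' = 'high-bit characters (allowHighBitCharacters=false)'
}

# Constructed sample; a real log carries every field enabled in logExtFileFlags.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2024-01-01 10:00:01 192.0.2.10 GET /default.htm 200 0
2024-01-01 10:00:02 192.0.2.10 GET /backup/site.bak 404 7
2024-01-01 10:00:03 192.0.2.10 OPTIONS / 404 6
2024-01-01 10:00:04 192.0.2.10 GET /reports..2023/index.htm 404 5
2024-01-01 10:00:05 192.0.2.22 GET /db/export.sql 404 7
2024-01-01 10:00:06 192.0.2.22 GET /missing.htm 404 0
'@

function Get-RequestFilteringHit {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order follows the header, so fields are looked up by name.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }   # other directives, blanks
        $values = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $sub = [string]$row['sc-substatus']   # empty string when the field is absent
        if ($row['sc-status'] -eq '404' -and $subStatusMap.ContainsKey($sub)) {
            New-Object PSObject -Property @{
                ClientIP = $row['c-ip']
                Method   = $row['cs-method']
                UriStem  = $row['cs-uri-stem']
                Rule     = $subStatusMap[$sub]
            }
        }
    }
}

$hits = Get-RequestFilteringHit -Line ($sampleLog -split "`r?`n")
$hits | Group-Object ClientIP, Rule | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The plain 404.0 for /missing.htm is deliberately ignored, so only requests stopped by the filtering rules are counted.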