IIS TIPs

*https://kamranicus.com/posts/2016-03-06-cors-multiple-origins-iis

Managing IIS Log files
https://www.iis.net/learn/manage/provisioning-and-managing-iis/managing-iis-log-file-storage

Note: When running above script as a Scheduled task make sure

1. to use cscript as the command and the actually script as the argument
2. your user has access to 'Log in as a batch Job' (set in local Security policy)
3. the user has full control of the specific log folders
4. the tasks should be run whether user is logged in or not. It does NOT require 'run highest privileges' It does NOT require to store password

* W2012R2 - Install PHP

Reference: https://technet.microsoft.com/en-us/library/hh994592(v=ws.11).aspx\\

• Download PHP - http://windows.php.net/download/ (non thread safe version for IIS - CGI)
• Enabled CGI - Configure IIS \ Application Development Features \ CGI -
  • Configure Fast CGI on IIS (See configuration_of_iis for steps).
  • for more info check here
• Download and install latest Microsoft Visual C++ Redistributable (needed for PHP)
• Download Dokuwiki - https://www.dokuwiki.org/dokuwiki#

• Copy PHP folder to C:\Program files\PHP\<version>\ (make sure it includes the Wincache file in ext) add to PATH & install VC++ (x86)
• Make sure IIS CGI enabled → IIS\Application Development\CGI
• Configure FAST CGI as per below
• Enable Write access to IIS_IUSERS to DATA and Conf folders
• Lock access to data, conf, bin and inc
• Add php “phpinfo.php” file and check all ok

phpinfo.php

<?php phpinfo(); ?>

• Open IIS Manager, select the hostname of your computer in the Connections panel, and then double-click Handler Mappings.
• In the Action panel/ Handler Mapping , click Add Module Mapping.
• In Request path, type *.php.
• From the Module menu, select FastCgiModule.
• In the Executable box, type the full path to Php-cgi.exe, for example C:\PHP\Php-cgi.exe.
• In Name, type a name for the module mapping, for example FastCGI.
• Click OK.
• Select the hostname of your computer in the Connections panel, and double-click Default Document.
• In the Action panel, click Add. Type Index.php in the Name box, and then click OK.
• Click Add again. Type Default.php in the Name box, and then click OK.
• Write access to Data and Conf Folders to the local account: IIS_IUSERS
• Also add write access to /lib/tpl and /lib/plugins/ if you want to use the Configuration Manager

• select “IIS Request Filtering”
• go to the “URL” tab
• click on “Deny Sequence…” for the following folders:

	/data/
	/conf/
        /bin/
        /inc/

• Rename the “C:\Program Files\PHP\v7.2\php.ini-production” to “php.ini”
• uncomment the line

  extension_dir = "ext"

• Add the line

  extension=php_openssl.dll 

• https://www.hanselman.com/blog/ConditionallyServeFilesStaticallyOrDynamicallyWithHttpHandlers.aspx

Below is the powershell script which Cisco CCE uses to install IIS

import-module ServerManager
Install-WindowsFeature Web-Server,Web-Net-Ext45, Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Request-Monitor,Web-Basic-Auth,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-Lgcy-Mgmt-Console,Web-Lgcy-Scripting,Web-WMI 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="https://*.mydomain.com" />
                <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, DELETE" />
                <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
                <add name="Access-Control-Allow-Credentials" value="true" />
            </customHeaders>
        </httpProtocol>
        <staticContent>
            <clientCache cacheControlMaxAge="00:30:00" cacheControlMode="UseMaxAge" />
        </staticContent>
    </system.webServer>
</configuration>

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules>
                <rule name="Set CORS for Allowed Domains" enabled="true">
                    <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".*" />
                    <conditions>
                        <add input="{HTTP_ORIGIN}" pattern="^(https://([a-z0-9-]+\.)?mydomain\.com|https://example\.com)$" />
                    </conditions>
                    <action type="Rewrite" value="{HTTP_ORIGIN}" />
                </rule>
            </outboundRules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, DELETE" />
                <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
                <add name="Access-Control-Allow-Credentials" value="true" />
            </customHeaders>
        </httpProtocol>
        <staticContent>
            <clientCache cacheControlMaxAge="00:30:00" cacheControlMode="UseMaxAge" />
        </staticContent>
    </system.webServer>
</configuration>

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:true /commit:apphost  

To validate the changes, execute the below curl command, and you should not see server details as part of the header.

curl -I https://your-domain.com