I regularly go onsite with enterprise customers of Microsoft and do Microsoft Internet Information Services (IIS) health checks. Recently, I have been rewriting many of my VBScripts into PowerShell scripts to help make the health check easier. I will be writing more as I go. In the meantime, I hope that you will find these scripts useful.

General features

  • Alternate credentials: They permit the use of different credentials against remote IIS7 servers.
  • Encrypted data transfers: Use WMI remote-ing and encryption: Most of the scripts use remote WMI calls which use DCOM. I set them to always use encryption on these connections to protect sensitive data collection over the wire. Warning: Log-EphemeralPortStats.ps1 uses PsExec for remote-ing and sends the password over the network in the clear only when changing credentials. Using a domain account with admin rights will not send the credentials in the clear.
  • Useful output: Many of the scripts output to a comma separated value (csv) file or an XML file. This allows easy post analysis using Microsoft Excel or Microsoft Internet Explorer to view the collected data.

Please understand that I am publishing these scripts to the open community so that you might be able to self-help yourself and have an even better experience with Microsoft products. These script are provided “as-is” as sample code and are not supported. For more information on Microsoft Internet Information Services and how to automate it, go to http://learn.iis.net.

Get-NtfsPermissionsOfIisContentToCsv.ps1

This script gets the discretionary access control lists (DACLs) from the physical paths of IIS7 web sites and virtual directories and writes them to a comma separated file (CSV) for post-analysis such as auto-filter in Microsoft Excel. This script requires remote WMI connectivity to all of the servers specified. WMI uses Remote Procedure Calls (RPC) which uses random network ports. The WMI connections are encrypted when possible.

Get-NtfsPermissionsOfIisFoldersToCsv.ps1

Gets the discretionary access control lists (DACLs) from the physical paths of IIS7 operational folders and writes them to a comma separated file (CSV) for post-analysis such as auto-filter in Microsoft Excel. This script requires remote WMI connectivity to all of the servers specified. WMI uses Remote Procedure Calls (RPC) which uses random network ports. The WMI connections are encrypted when possible.

Get-WebAdministrationToXml.ps1

Gets all of the WMI data of one or more IIS7 servers and writes it to a single XML document. This data comes from the root\WebAdministration WMI namespace. Requires administrator rights on the target server(s). The WMI connections are encrypted when possible. This is probably the most powerful of all of the scripts simply because it gets everything related to IIS from each IIS server.

Get-ParentPaths.ps1

Gets the ASP Parent Path setting for all web sites for all IIS7 servers. This scripts uses the root\WebAdministration WMI namespace. Requires administrator rights on the target server(s). The WMI connections are encrypted when possible.

Get-SecurityGroupMembership.ps1

This script is not specific to IIS7, but helps with checking operating system security health. This script gets the membership of security groups from one or more computers and writes them to a comma separated file (CSV) for post-analysis such as auto-filter in Microsoft Excel. This script requires remote WMI connectivity to all of the servers specified. WMI uses Remote Procedure Calls (RPC) which uses random network ports. The WMI connections are encrypted when possible.

Set-EnableAllW3cFields.ps1

Enables all of the W3C logging fields on all web sites of one or more IIS7 servers. This scripts uses the root\WebAdministration WMI namespace. Requires administrator rights on the target server(s). The WMI connections are encrypted when possible. This script is helpful to prepare IIS servers for intensive W3C log analysis.

Log-EphemeralPortStats.ps1

This script is not specific to IIS7, but helps with checking operating system network health. Runs in an infinite loop getting the TCP ephemeral port and listening port statistics for each local IP address and outputs the data to a text file log. The script writes the ephemeral port stats every 60 seconds by default. To get data from remote computers, this script requires PsExec.exe (SysInternals) to be in the same directory as this script. WARNING: Credentials passed into PSExec are sent over the network in clear text! Prevent this by logging in interactively with a domain account that has administrator rights on the target computers and not specifying credentials to this script. PsExec is a Sysinternals tool owned by Microsoft Corporation. PsExec can be downloaded for free at http://live.sysinternals.com/psexec.exe.

Download

These scripts are available on my SkyDrive at:
https://skydrive.live.com/?cid=e6360c54b48a891b&sc=documents&id=E6360C54B48A891B%21428#cid=E6360C54B48A891B&id=E6360C54B48A891B%21964&sc=documents

Enjoy!

Clint Huffman | Senior Premier Field Engineer | Microsoft Services | clinth@microsoft.com | TS:Windows Internals

clip_image002

Microsoft Tag: Download my contact information to your phone.

Get the free app for your phone at http://gettag.mobi

clip_image004clip_image006 clip_image008 clip_image010