PowerShell - Accessing root web.config - web-config

I can't seem to find a good hint on accessing the root web.config, currently in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config. In my situation, I want to apply a few security settings to cascade down to apps (ex: disable sessionstate/compression) where ideally I'd do this in PowerShell DSC using xWebConfigProperty, or possibly raw PowerShell. If anyone has a means to retrieve this (have to use the older WebAdministration module), I'd appreciate it (or just verifying I need something more organic like gci path into xml for manipulation).

Changes applied to root web.config using 'MACHINE/WEBROOT'.
You can test with something like:
Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' -name "mode" -filter "system.web/sessionState"

Related

PowerShell - ActiveDirectory Module

I need the ability to have users run a script that requires the ActiveDirectory module. I copied over the following:
"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory", "Microsoft.ActiveDirectory.Management.resources.dll", "Microsoft.ActiveDirectory.Management.dll".
The script runs two Get-ADUser commands, 1 without the -Server parameter and the other with. The issue is that the former is working but the latter is not.
Is there another module that I need to copy over?
I don't like the idea of installing administrative tools for non-admins. Even if you could get away with copying files and not doing the full-blown RSAT installation. Not the least of reasons is you are dramatically increasing the attack surface for malicious actors. The better solution is (Just Enough Administration) JEA, or a philosophically similar approach.
JEA / Constrained endpoints can get complicated, but a summary of what you can do looks something like this:
New-PSSessionConfigurationFile -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ModulesToImport ActiveDirectory -VisibleCmdlets "Get-ADUser"
Register-PSSessionConfiguration -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ShowSecurityDescriptorUI -Name DemoPSEndPoint
Run these commands on a system that has the ActiveDirectory module (likely the whole RSAT component) installed; it doesn't need to be a Domain Controller. It will create a new PowerShell remoting endpoint configuration that exposes only the commands you wish. The Register-PSSessionConfiguration command will display a security dialog where you can permission which users you want to allow to connect; you want to grant them read & execute permission. Once that's done, you can get the results with an Invoke-Command command like this:
Invoke-Command -ComputerName <ServerName> -ConfigurationName DemoPSEndPoint -ScriptBlock { Get-ADUser <UserName> }
You can add the -Server parameter in the command without issue. You can expand the cmdlets you are allowing in the New-PSSessionConfiguration command.
Again this is very much a summary of a more complex topic but should be enough to get what you want.
Personally, I don't use configuration files as much as I use startup scripts. I think the latter is more flexible. You can get some information about that here. If you really want to dig into this there are references at the end of the article including a link to the PowerShell JEA documentation. There's also a link to some of the MVP articles I used to develop my own endpoints.
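Added example, not part of the original answer: a tighter variant of the endpoint above that also limits which Get-ADUser parameters callers may use, validates the file before registering it, and then lists what the endpoint actually exposes. The file path and the endpoint name ReadOnlyADUser are hypothetical.

```powershell
# Hypothetical path and endpoint name; run elevated on a host with the ActiveDirectory module.
$pssc = 'C:\PSSessionConfigs\ReadOnlyADUser.pssc'

$params = @{
    Path            = $pssc
    # Start from the minimal command set instead of a full shell.
    SessionType     = 'RestrictedRemoteServer'
    # No variables, script blocks or .NET calls inside the session.
    LanguageMode    = 'NoLanguage'
    ModulesToImport = 'ActiveDirectory'
    # Expose Get-ADUser, and only with the parameters callers need.
    VisibleCmdlets  = @{
        Name       = 'Get-ADUser'
        Parameters = @{ Name = 'Identity' }, @{ Name = 'Server' }, @{ Name = 'Properties' }
    }
}
New-PSSessionConfigurationFile @params

# Stop before registering if the file does not validate.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc did not validate."
}

# Same permission dialog as in the answer: grant read & execute to the intended users.
Register-PSSessionConfiguration -Name 'ReadOnlyADUser' -Path $pssc -ShowSecurityDescriptorUI

# Verify the exposed surface from the caller's point of view.
Invoke-Command -ComputerName localhost -ConfigurationName 'ReadOnlyADUser' -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
```

The final listing should show Get-ADUser plus the handful of default proxy commands of a restricted session; anything else means the configuration is wider than intended.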
The ActiveDirectory module is dependent on the RSAT (remote server administration tool). This is available to install/activate through PowerShell: https://mikefrobbins.com/2018/10/03/use-powershell-to-install-the-remote-server-administration-tools-rsat-on-windows-10-version-1809/
With this installed you automatically also get the Activedirectory module installed.

How to use DSC to configure httpErrors defaultPath

In a DSC configuration script for IIS, I am trying to remove the defaultPath lock from the httpErrors section but the way in which the feature delegation works does not apply to this section. Hence to do the following:
appcmd set config /section:httpErrors /lockAttributes:
I've tried using the xWebConfigProperty as follows:
xWebConfigProperty httpErrors_lockAttributes
{
    WebsitePath  = "MACHINE/WEBROOT/APPHOST"
    Filter       = "system.webServer/httpErrors"
    PropertyName = "lockAttributes"
    Value        = ""
    Ensure       = "Absent"
}
However, this fails with an error saying the lockAttributes attribute does not exist. And yet it is definitely in the ApplicationHost.config.
My only remaining workaround is to run the appcmd as Script in the DSC (a little ugly). Any ideas?
You could use below PowerShell command to remove lock from the default path:
Remove-WebConfigurationLock -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpErrors/@defaultPath"
I know this is old as all heck. But what I've found is a lot of these modules and resources were built for specific tasks and are less modular than other DSC tools. You may have to create a custom resource that handles Remove-WebConfigurationLock in its set/get/test functions if you want a "pure" DSC solution. If not, a DSC script resource will do what you need.
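Added example, not part of the original answers: the DSC Script resource route described above, wrapping the Remove-WebConfigurationLock call from the earlier answer so the unlock is applied only when a lock is reported. The configuration name, resource name and output path are hypothetical, and the test assumes Get-WebConfigurationLock returns nothing when the attribute is not locked.

```powershell
Configuration UnlockHttpErrorsDefaultPath {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        Script HttpErrorsDefaultPathLock {
            # Report whether the attribute lock is currently present.
            GetScript  = {
                Import-Module WebAdministration
                $lock = Get-WebConfigurationLock -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/httpErrors/@defaultPath'
                @{ Result = if ($lock) { 'Locked' } else { 'Unlocked' } }
            }
            # In desired state only when no lock is reported (assumption: no output means no lock).
            TestScript = {
                Import-Module WebAdministration
                $lock = Get-WebConfigurationLock -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/httpErrors/@defaultPath'
                -not $lock
            }
            # Same command as in the answer above; runs only when TestScript returns $false.
            SetScript  = {
                Import-Module WebAdministration
                Remove-WebConfigurationLock -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter 'system.webServer/httpErrors/@defaultPath'
            }
        }
    }
}

# Compile to a MOF and apply (hypothetical output path).
UnlockHttpErrorsDefaultPath -OutputPath 'C:\DSC\UnlockHttpErrors'
Start-DscConfiguration -Path 'C:\DSC\UnlockHttpErrors' -Wait -Verbose
```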

PowerShell Command to Set Logging on IIS 10

On Windows Server 2016/IIS 10, I can do the following in the IIS Manager GUI with the Log File Format set to W3C:
[Web Server Name] → Logging → Select Fields → W3C Logging Fields (Standard Fields) → Check or uncheck the boxes next to Standard Fields like "User Name (cs-username)"
I would really like to be able to check or uncheck fields like cs-username from a PowerShell script. To that end, I'm trying to discover the path to these standard fields, so I can then set them:
Import-Module IISAdministration
$prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "/system.applicationHost/sites/sitedefaults" -Recurse
When I run this PowerShell script, it asks me to "Supply values for the following parameters: Name[0]".
I think it's a bit funny that it's asking me for a name when I'm trying to discover the next path element or name. If I type in something like cs-username, it comes back with nothing, suggesting I'm in the wrong directory (assuming recurse is actually looking around).
Any thoughts?
This is what ended up working for me for IIS 10:
Set-WebConfigurationProperty `
    -filter "/*/*/site/logfile" `
    -name "logExtFileFlags" `
    -value "Date, Time, ClientIp, etc.."
of course replacing "etc.." with all the desired fields.
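Added example, not part of the original answer: a check that reads logExtFileFlags, reports which required W3C fields are missing, and adds only those without dropping fields that are already enabled. It targets siteDefaults rather than the per-site filter used in the answer, and the required-field list is a constructed baseline.

```powershell
Import-Module WebAdministration

# Fields this example treats as mandatory (constructed baseline; UserName is cs-username).
$required = 'Date', 'Time', 'ClientIP', 'UserName', 'Method', 'UriStem', 'HttpStatus'

$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.applicationHost/sites/siteDefaults/logFile'

$raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'logExtFileFlags'
# The call may return the flags as a string or as an object carrying them in .Value.
if ($raw -isnot [string]) { $raw = $raw.Value }

# Normalise "Date, Time,ClientIP" style input into a clean array of flag names.
$current = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($required | Where-Object { $current -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Output 'siteDefaults already logs every required field.'
}
else {
    Write-Output ('Missing fields: {0}' -f ($missing -join ', '))
    # Append the missing flags to the existing set instead of overwriting it.
    $merged = ($current + $missing) -join ','
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name 'logExtFileFlags' -Value $merged
}
```

Sites that define their own logFile element override siteDefaults and need the same check against their own path.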

PowerShell IIS Set-WebConfigurationProperty - Locked ApplicationHost.config section

I am writing a PowerShell 3.0 installer for our web applications and web services and am getting tripped up when attempting to set physical path credentials.
My code looks like this:
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# >>>>>> Path credentials
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Set the physical path credentials of the web application (on Basic Settings screen) to Connect As...
$filter="/system.applicationHost/sites/site[@name='{0}' and @id='1']/application[@path='/{1}']/VirtualDirectory[@path='/']" -f $script:WebSiteName,$appName
Set-WebConfiguration $filter -Value @{userName="$physicalPathCredentialUserID";password="$physicalPathCredentialPassword"}
When executing, I get an error in PowerShell stating "This configuration section cannot be used at this path. This happens when the section is locked at a parent level". I tried the PSPath and location tags that work when Authentication sections are locked, but those don't seem to have any effect. I thought maybe the -Force option would work, but although no error was thrown, the physical path credentials didn't seem to take.
Without the -Force option, the error is thrown but PowerShell cuts off the message so I can't tell exactly what section it is complaining about, or what parent level is locked. I have to assume it is the Sites section since I am attempting to configure: /configuration/system.applicationHost/sites/application/virtualDirectory
I'm a bit confused about the difference between unlocking and allowing override to get the values to stick. PowerShell WebAdministration is pretty confusing in this area. I don't know why it has to be so confusing to set the values that are corollaries to what can be set in the IIS administration UI. Some values use Set-WebConfiguration with an ugly string as shown above, others use Set-WebConfigurationProperty. If locking is a known issue, why isn't unlocking better documented?
I don't want to unlock all sites or all applications. I just want to unlock what I have to in order to set the configuration values on each web application I am installing under Default Web Site.
What is the definitive solution to unlocking or overriding configuration sections as of 2014 and PowerShell 3.0? And which settings accept PSPath and location?
By the way, I have tried variants of the following:
$filter="/system.applicationHost/sites/site[@name='{0}' and @id='1']/application[@path='/{1}']/VirtualDirectory[@path='/']" -f $script:WebSiteName,$appName
Set-WebConfiguration $filter machine/webroot/appHost -metadata overrideMode -value Allow
but continued to get the locked section message until the filter was backed off to the sites level.
I also tried setting the virtualDirectoryDefaults.userName and virtualDirectoryDefaults.password, which didn't seem to take initially, but after an IISReset I noticed they were indeed added at the bottom of the applicationHost.config file. I don't really want them set as defaults because our apps shouldn't affect other apps on the server.
I appreciate any assistance you can provide. I must be missing something because it shouldn't be so difficult to set these and other web application configuration values.
Regards
The sections you are trying to change are set in the IIS machine config. You have to unlock the sections in order to set them per-site.
See: Programmatically unlocking IIS configuration sections in Powershell
Your Filter does not look right. You can think of the filter as basically an XPath query. So if you use a filter of //authentication/* then that will get all of your configuration under an authentication node. It's not exactly the same as XPath, but it's pretty close. Just remember that you can't select metadata sections like sectionGroup or location tags using just the Filter parameter alone.
I had an issue where I needed to have Windows authentication unlocked at the server level that way I could set Windows auth to different values at the application level. So I had to do something like this:
Set-WebConfiguration -Metadata OverrideMode -Value Allow -Filter //windowsAuthentication
Set-WebConfigurationProperty -PSPath IIS:\Sites\$WebsiteName\$AppName -Filter //windowsAuthentication -Name Enabled -Value $true
What this did was create a section in the applicationHost.config file that looked like this:
<location path="" overrideMode="Allow">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication>
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>
Whatever configuration you place with that location tag will be considered unlocked according to IIS I believe.
And this is what was added to the Web.config file in the web application itself:
<authentication>
    <windowsAuthentication enabled="true" />
</authentication>
Hopefully this helps.

Is it possible to copy files between 2 servers using different credentials in Powershell 2? also different domains

What's the easiest way to copy many folders between 2 servers with different credentials having the servers in different domains.
As far as I know, the -credentials parameter came up in Powershell 3.0,
so how to achieve it using Powershell 2?
If possible I want to keep it easy using the copy-item cmdlet.
I already created the function to select my folder, but I am unable to copy them through network.
You would need to use Copy-Item and -Credential not -Credentials