In this article, we will only show simple tutorial about how to enable and serve HTTP Strict Transport Security (HSTS) response header in IIS.

Definition HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.

HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie-hijacking.

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Therefore, adding a HSTS header is important after you’ve added SSL to your WordPress website, so browsers automatically request your HTTPS address.

All you need to add to your web.configconfiguration file is an Outbound Rule, to rewrite request responses and sending the HTTP Strict Transport Security response header:

<outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000" />
  </rule>
</outboundRules>

HSTS and includeSubdomains #

Do you have your SSL (TLS) certificate on your www. subdomain? Then you need to include it using includeSubdomains. The outboundRules rule then becomes:

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
  <conditions>
    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
  </conditions>
  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>

HSTS header in WordPress functions.php #

You can set a HSTS header through your functions.php theme file as well. For this to happen, you can hook into the send_headers action.

Use the following code in your functions.php to send a HSTS header:

<?php
add_action( 'send_headers', 'saotn_add_hsts_header' );
function saotn_add_hsts_header() {
  header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}

This Script will help in checking the below basic functionalities of the Bulk Servers. It will do so during Migration, Patch and Monthly Restart activities
This Script is added with the below functionalities,

• IP Capture -- >Collects the DNSHostName,Description,DHCPEnabled,IPAddress,IpSubnet,DefaultIPGateway,MACAddress,DNSServerSearchOrder for all Enabled and IP Discovered NICs
• Services Status -- >It checks all the Services Automatic set and not Stopped services and provides the output.
• Server Status –- >Checks the Servers reachability and provides the output on screen
• Server Shutdown/Reboot -- >Checks the server status and perform Bulk Shutdown / Restart at once with Event Description Keyed.

  

Output Samples

European IIS 10 Hosting

We may get the following error after publishing a website on IIS.

Parser Error Message
"Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive."

To fix it, we need to follow the below troubleshooting steps.

1. Check on which .NET version the application is developed. Let's assume, it's .NET 4.0.
   
2. Open IIS Manager and find the Application Pool, on which your website is hosted.
   
3. Go to that Application Pool and check the .NET version and change it to 4.0 accordingly by clicking on Basic\Advanced Settings.
   If .NET 4.0 is not listed, go ahead and install it.
   
4. If it still won't show up, go to command prompt and fire the below command to find a list of ASP.NET versions installed:
   C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -lv
   In the output, if .NET 4.0 is not listed, register it by firing the below command:
   C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -I.
   
5. It should show up as .NET 4.0 in the .NET Framework Version dropdown for the application pool.

   

Here, we are going to connect with the Docker engine remotely using PowerShell. For this, we can either use our local machine or a VM. Before we proceed further, make sure that your Nano Server is up and running.

Step 1 Downloading the Docker Daemon and extracting them
Create a variable that references the zip file which is in the official docker website. This zip file will have the Docker engine data that is required to create the client and server. Open the PowerShell with administrator privileges and run the below given command.

This will assign the link to that variable named,

$package = "https://download.docker.com/components/engine/windows-server/cs-1.12/docker.zip"

The next step is to invoke a web request to get the link that has been referenced in the variable called. Then, the file will be stored in a temporary storage by getting downloaded from the Docker site. For this, we have to run the following command.
Invoke-WebRequest $package ` -OutFile "$env:TEMP\docker.zip" ` -UseBasicParsing

Now, we shall expand the downloaded zip file to the programming files of our machine. For this, run -
Expand-Archive -Path "$env:TEMP\docker.zip" `
-DestinationPath $env:ProgramFiles

The final step is to create an environment variable that will add the Docker directory to the path daemon. Run the command
[Environment]::SetEnvironmentVariable("Path", $env:Path + ";$($env:ProgramFiles)\Docker", [EnvironmentVariableTarget]::Machine)

Nano Server
Now, we have finished installing the Docker (client) and Dcokerd (engine) in "Program Files" folder. Check for these inside the Docker folder.

Step 2 Creating Environment variable to connect Docker easily
Here, Docker is client and Dockerd is engine. Now, we are going to configure an environment variable that will store the DNS name of our Nano Server and connect with it. For this, run the below command.
[Environment]::SetEnvironmentVariable("DOCKER_HOST","nanoserver007.southindia.cloudapp.azure.com",[EnvironmentVariableTarget]::Machine)

Note - Replace the DNS name with your Nano Server DNS or IP.

Now, open the new PowerShell console and run the command "docker version" . This will show you the client (Docker) and engine (Dockerd). This means we have created a connection in between these two services which we have actually downloaded from the Docker website.

In this article, we will learn the most useful and powerful command line tool, AppCmd, for publishing or hosting a website on IIS. Using the AppCmd tool, we can host static as well as a dynamic website (ASP.NET Webform, MVC, Dot Net Core etc) easily.

Description
I assume you are aware of (or have knowledge of) how to Host or Publish Website in IIS using inetmgr. This will help you understand AppCmd.exe.
AppCmd.exe is the command line tool for managing IIS 7 and above. It provides an easy way to manage a website without Graphical User Interface.

Some of the things you can do with AppCmd,

• Create and configure sites, apps, application pools, and virtual directories
• Start and stop sites, and recycle application pools
• Search, manipulate, export, and import IIS and ASP.NET configuration

How to Use AppCmd.exe
The AppCmd.exe command line is built on top of a set of top-level server management objects, such as Site and Application. These objects expose methods that can be used to perform various actions on those objects, and object instances expose properties that can be inspected and manipulated.

AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory. Because it is not a path of the PATH automatically, you need to use the full path to the executable when executing commands like in %systemroot%\system32\inetsrv\AppCmd.exe list sites. Alternatively, you can manually add the inetsrv directory to the path on your machine so that you can access AppCmd.exe directly from any location.

Note
Run Command Prompt as Administrator to using AppCmd.
In this article, we learn basic command to host websites.

List all available commands and actions in AppCmd
AppCmd
AppCmd /?

From the above screenshot, it is clear that Command Prompt is run as administrator and run AppCmd which return list of supported Command.
List all hosted or published websites in IIS.
    AppCmd List Site

In the above screenshot, I have run List Site command which returns all published site with bindings and state of site e.g. Started or Stop.

Create the website using AppCMD
    APPCMD add site /name:WebByAppCMD /bindings:"http/*:94:" /physicalPath:"C:\Users\Mepani\Desktop\2018 Article\Kendo Grid" -virtualDirectoryDefaults.userName:USERNAME -virtualDirectoryDefaults.password:PASSWORD

For any website hosting we require information as above like Site Name, Bindings (Protocal, hostname), Physical Path, Credential for access or permission to folder path.
Sometimes, if you don't provide access/permission to a physical path then you might be getting Access denied error.
View Newly Hosted or published website
    appcmd.exe list site "WEbByAppCMD"

Start and stop hosted or publish a website
    appcmd.exe start site "WEbByAppCMD"
    appcmd.exe stop site "WEbByAppCMD"

Delete or remove published or hosted website from IIS
    appcmd.exe delete site "WEbByAppCMD"

App CMD Create website
In the above screenshot, we have covered all the above site commands except delete. Possible issue or challenges might be faced during command line website hosting niclude,

• Site name already created
• Port is already in use
• Bad Request -Invalid hostname

Hope you enjoyed this and learned a new way to host or publish a website using AppCmd.

HTTPS is a secure communications channel that is used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL). This article describes how to configure the SSL/HTTPS service in Internet Information Services (IIS) and compares this process to the similar process in Apache.

Configuring Your Web Server for SSL
To enable SSL in IIS, you must first obtain a certificate that is used to encrypt and decrypt the information that is transferred over the network. IIS includes its own certificate request tool that you can use to send a certificate request to a certification authority. This tool simplifies the process of obtaining a certificate. If you use Apache, you must obtain the certificate manually.

In both IIS and Apache, you receive a certificate file from the certification authority, which you must configure on the computer. Apache reads the certificate from its source file by using the SSLCACertificateFile directive. However, in IIS, you can configure and manage certificates by using the Directory Security tab of the Web site or folder properties.

You can migrate certificates from Apache to IIS; however, Microsoft recommends that you re-create or obtain a new certificate for IIS.

Configure Folder or Web Site to Use SSL/HTTPS
This procedure assumes that your site has already has a certificate assigned to it.

1. Log on to the Web server computer as an administrator.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Administrative Tools, and then double click Internet Services Manager.
4. Select the Web site from the list of different served sites in the left pane.
5. Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
6. Click the Directory Security tab.
7. Click Edit.
8. Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
9. Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
10. To allow users to connect without supplying their own certificate, click Ignore client certificates. Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
11. To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users. If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user (a list of certificates is matched against a specific user according to specific rules. The first valid match becomes the mapping).
12. Click OK.

This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following in a command prompt from the ADScripts folder:

For IIS4 run:

adsutil set w3svc/EnableReverseDNS TRUE

For IIS5 and IIS6 run:

cscript adsutil.vbs set /wesvc/EnableReverseDNS "TRUE"

In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:

ServerManagerCMD -install Web-IP-Security

In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager Powershell cmdlets.  The following two cmdlets are used to install the IP and Domain Restrictions role service:

Import-Module ServerManager
Add-WindowsFeature Web-IP-Security

Now that the role service is installed, you can configure reverse DNS lookups, as follows:

• Open Internet Information Services (IIS) Manager.
• Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
• Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
• Put a checkmark in Enable domain name restrictions and click OK.

You will see the following warning:

Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?

Clicking Yes will enable reverse lookups for all clients connecting to the web server.  I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.

Each of these changes go into effect immediately.  There is no need to restart IIS.