In this article, we will learn the most useful and powerful command line tool, AppCmd, for publishing or hosting a website on IIS. Using the AppCmd tool, we can host static as well as a dynamic website (ASP.NET Webform, MVC, Dot Net Core etc) easily.

Description
I assume you are aware of (or have knowledge of) how to Host or Publish Website in IIS using inetmgr. This will help you understand AppCmd.exe.
AppCmd.exe is the command line tool for managing IIS 7 and above. It provides an easy way to manage a website without Graphical User Interface.

Some of the things you can do with AppCmd,

• Create and configure sites, apps, application pools, and virtual directories
• Start and stop sites, and recycle application pools
• Search, manipulate, export, and import IIS and ASP.NET configuration

How to Use AppCmd.exe
The AppCmd.exe command line is built on top of a set of top-level server management objects, such as Site and Application. These objects expose methods that can be used to perform various actions on those objects, and object instances expose properties that can be inspected and manipulated.

AppCmd.exe is located in the %systemroot%\system32\inetsrv\ directory. Because it is not a path of the PATH automatically, you need to use the full path to the executable when executing commands like in %systemroot%\system32\inetsrv\AppCmd.exe list sites. Alternatively, you can manually add the inetsrv directory to the path on your machine so that you can access AppCmd.exe directly from any location.

Note
Run Command Prompt as Administrator to using AppCmd.
In this article, we learn basic command to host websites.

List all available commands and actions in AppCmd
AppCmd
AppCmd /?

From the above screenshot, it is clear that Command Prompt is run as administrator and run AppCmd which return list of supported Command.
List all hosted or published websites in IIS.
    AppCmd List Site

In the above screenshot, I have run List Site command which returns all published site with bindings and state of site e.g. Started or Stop.

Create the website using AppCMD
    APPCMD add site /name:WebByAppCMD /bindings:"http/*:94:" /physicalPath:"C:\Users\Mepani\Desktop\2018 Article\Kendo Grid" -virtualDirectoryDefaults.userName:USERNAME -virtualDirectoryDefaults.password:PASSWORD

For any website hosting we require information as above like Site Name, Bindings (Protocal, hostname), Physical Path, Credential for access or permission to folder path.
Sometimes, if you don't provide access/permission to a physical path then you might be getting Access denied error.
View Newly Hosted or published website
    appcmd.exe list site "WEbByAppCMD"

Start and stop hosted or publish a website
    appcmd.exe start site "WEbByAppCMD"
    appcmd.exe stop site "WEbByAppCMD"

Delete or remove published or hosted website from IIS
    appcmd.exe delete site "WEbByAppCMD"

App CMD Create website
In the above screenshot, we have covered all the above site commands except delete. Possible issue or challenges might be faced during command line website hosting niclude,

• Site name already created
• Port is already in use
• Bad Request -Invalid hostname

Hope you enjoyed this and learned a new way to host or publish a website using AppCmd.

HTTPS is a secure communications channel that is used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL). This article describes how to configure the SSL/HTTPS service in Internet Information Services (IIS) and compares this process to the similar process in Apache.

Configuring Your Web Server for SSL
To enable SSL in IIS, you must first obtain a certificate that is used to encrypt and decrypt the information that is transferred over the network. IIS includes its own certificate request tool that you can use to send a certificate request to a certification authority. This tool simplifies the process of obtaining a certificate. If you use Apache, you must obtain the certificate manually.

In both IIS and Apache, you receive a certificate file from the certification authority, which you must configure on the computer. Apache reads the certificate from its source file by using the SSLCACertificateFile directive. However, in IIS, you can configure and manage certificates by using the Directory Security tab of the Web site or folder properties.

You can migrate certificates from Apache to IIS; however, Microsoft recommends that you re-create or obtain a new certificate for IIS.

Configure Folder or Web Site to Use SSL/HTTPS
This procedure assumes that your site has already has a certificate assigned to it.

1. Log on to the Web server computer as an administrator.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Administrative Tools, and then double click Internet Services Manager.
4. Select the Web site from the list of different served sites in the left pane.
5. Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
6. Click the Directory Security tab.
7. Click Edit.
8. Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
9. Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
10. To allow users to connect without supplying their own certificate, click Ignore client certificates. Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
11. To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users. If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user (a list of certificates is matched against a specific user according to specific rules. The first valid match becomes the mapping).
12. Click OK.

This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following in a command prompt from the ADScripts folder:

For IIS4 run:

adsutil set w3svc/EnableReverseDNS TRUE

For IIS5 and IIS6 run:

cscript adsutil.vbs set /wesvc/EnableReverseDNS "TRUE"

In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:

ServerManagerCMD -install Web-IP-Security

In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager Powershell cmdlets.  The following two cmdlets are used to install the IP and Domain Restrictions role service:

Import-Module ServerManager
Add-WindowsFeature Web-IP-Security

Now that the role service is installed, you can configure reverse DNS lookups, as follows:

• Open Internet Information Services (IIS) Manager.
• Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
• Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
• Put a checkmark in Enable domain name restrictions and click OK.

You will see the following warning:

Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?

Clicking Yes will enable reverse lookups for all clients connecting to the web server.  I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.

Each of these changes go into effect immediately.  There is no need to restart IIS.

The discussion is specific to IIS 7 and later versions. Let's start with version IIS 7.0. It has a built-in feature that is able to filter HTTP requests. If a request is found to have contents which are unacceptable to process the request, then it will block such request there, before proceeding to process a request by a web application. This feature is useful as a mitigation technique, for such SQL Injection vulnerabilities.

Prerequisite
At first, verify the IIS version that you are using currently. If you are using earlier than IIS 7.0, then update with the latest version before applying the following configuration.

Configuring the Request Filter
To create a global filtering rule for SQL Injection, we should follow the below steps:

Step 1
Open the run window by pressing keyboard key Windows key + R and copy and paste the following code
%systemroot%\system32\inetsrv\config\applicationhost.config
 
It will open the applicationhost.config file.

Step 2
In the applicationhost.config file, identify <requestFiltering> section. Under this section, configure for the reserve keywords or reserved special characters, like DELETE, CREATE, UPDATE, INSERT, --,',/* etc. in <denyStrings> section.
Configure the file extensions for which IIS server needs to be validated. The sample code is shown below:

Step 3

Now, to save the file, go to the File menu and choose Save option.

How  does the above configuration behave in the IIS server?

With the above configuration settings, first of all, IIS will look at each incoming request for pages with .html, .aspx, or .asp extensions, to search for specific strings in the request's Query String. If the IIS server finds the specified strings, then IIS will block the request and return a 404: Not Found page to the client.
 
If you want to add a new file extension or change the existing file extensions in applicationhost.config file, you can add/remove the required file extensions in file Extension tags which lies in the <appliesTo> section. Whatever strings you are placing in the <denyStrings> section, the IIS looks for those strings. If it finds those, then it will block the request and return 404 error page to the client. You can add a new string, remove the existing string,  or change the existing string, in the <denyStrings> section.

In fact, in IIS server, you may have hosted many web applications which are running in parallel.
 
Let's say, for one of the web applications, you don't want to deny any string for the incoming request. How will you handle such  a scenario?
 
It is very simple. Create a rule in your application's config file, for which, you want to allow all such strings. If you create a rule in the application's config file, it will override the applicationhost.config file's rule. For instance, if you want to allow the string "end" for only a few applications,  and for the rest of the applications, you want to deny such a string, then follow the below steps:

Step 1: Remove the <add string="end" /> entry from applicationhost.config file.

Step 2: Add the below code into the application's config file where you want to restrict the string "end":

Make a note --  the name for the filteringRule tag must and should be unique and it should not conflict with a name which is in the applicationhost.config file or/and the same name with any other web.config files in the path. And, it is also possible to limit the scope of filtering rules using location tags.

Procedure to check logs for SQL Injection attempts

You can check the SQL injection attempt logs in IIS W3SVC logs section. filteringRule rejects such SQL injection attempts and responds with a 404 status and with a substatus 19. You have to check these logs periodically to make sure that your rule is blocking such SQL Injections for the legitimate requests.

After the configuration changes made in the applicationhost file, if you give the followingURL request in your browser, the following output will show:

http://localhost/OWASP.UI/UnvalidatedRedirectsForwards/ValidatedRedirectsForwards.aspx?returnUrl=http://www.flipkart.com/--

Output

HostForLIFE.eu IIS 10 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

Some of our clients sometimes ask about how to create URL Rewrite on their site. Previously, we have written about how to redirect HTTP to HTTPS in IIS. In this tutorial, we will advise how to create multiple redirection with a URL Rewrite Map.

URL Rewrite Module with IIS 7/IIS 8

Now there’s an easier solution, and one that offers better performance.  Starting with IIS 7 one can implement different kinds of url rewriting and redirecting with ease by using the URL Rewrite Module. The various rules can be configured using the IIS 7 Manager GUI or by directly editing the web.config. To open the URL Rewrite Module simply double click the URL Rewrite icon on your site properties as shown below.

From there you will be able to maintain your existing rules or add new ones as seen in this picture.

This is a pretty easy way to create server-side rules for rewriting and redirecting, but what happens when you have 30 or 40 legacy URLs that need to be redirected to new pages? Do you have to enter each one manually? Of course not. The solution to that is to use a URL Rewrite Map.

URL Rewrite Map

By using a URL Rewrite Map it has never been easier to create and maintain multiple 301 redirects for different pages on your web site.  The rewrite rules are stored in the <system.webServer> section of your web.config so you can quickly make changes as needed.

Here is all the code you need to accomplish this:

<system.webServer>
<rewrite>
<rewriteMaps>
<rewriteMap name=”Redirects”>
<add key=”/test.aspx” value=”/test2.aspx” />
<add key=”/aboutus.aspx” value=”/about” />
</rewriteMap>
</rewriteMaps>
<rules>
<rule name=”Redirect rule1 for Redirects”>
<match url=”.*” />
<conditions>
<add input=”{Redirects:{REQUEST_URI}}” pattern=”(.+)” />
</conditions>
<action type=”Redirect” url=”{C:1}” appendQueryString=”false” />
</rule>
</rules>
</rewrite>
</system.webServer>

In the example above I’m performing a 301 redirect on the test.aspx file to test2.aspx file. There’s also a 301 redirect for the aboutus.aspx file to folder called /about, however, in this case it’s important to note that the /about folder will also need a default page or else a 404 error will result.

As you add more URLs to your Rewrite Map you’ll notice that your web.config can become a bit cluttered. The solution to this will be to store the redirect rules in an external file. Let’s call this file myrewritemaps.config. This file will now contain this code block:

<rewriteMaps>
<rewriteMap name=”Redirects”>
<add key=”/test.aspx” value=”/test2.aspx” />
<add key=”/aboutus.aspx” value=”/about” />
</rewriteMap>
</rewriteMaps>

In your web.config you add the following line of code under the <rewrite> section referencing the external config file:

<rewriteMaps configSource=”myrewritemaps.config” />

Your web.config will now look nice and clean like this:

<system.webServer>
<rewrite>
<rewriteMaps configSource=”myrewritemaps.config” />
<rules>
<rule name=”Redirect rule1 for Redirects”>
<match url=”.*” />
<conditions>
<add input=”{Redirects:{REQUEST_URI}}” pattern=”(.+)” />
</conditions>
<action type=”Redirect” url=”{C:1}” appendQueryString=”false” />
</rule>
</rules>
</rewrite>
</system.webServer>

There is no real limit on how many URLs can be configured for redirecting with the URL Rewrite Map.  You should perform regular search engine analysis to see when the new URLs have been picked up. Once the old URL is no longer indexed and traffic has dropped off you could remove it from your map.

Trace \ Track is a vulnerability that is usually identified on an IIS server when we run PCI compliance and find this vulnerability. A hacker can run a Trace attack on IIS Website and get information about the Backend server and other important information.

In latest versions on IIS (IIS 6.0, 7.5) Trace is disabled by default but still it is good idea to make sure that Trace is disabled on IIS.

Testing if Trace \ Track is Enabled on a IIS website or not

Follow these steps :

1. Go to command Prompt of your Machine.
2. Type telnet <URL of the website> 80 (this will open a telnet session of that website on port 80)
3. Type following commands on the telnet session screen in exact same order: 

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    TestA: Hello
    TestB: World

4. Press enter twice. 

If Trace is enabled on your server, you should see following results:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    Date: Tue, 05 Dec 2016 08:17:15 GMT
    Content-Type: message/http
    Content-Length: 76 

And If you receive following results on the telnet screen, then Trace is enabled :

     HTTP/1.1 501 Not Implemented
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 06 Dec 2016 09:32:58 GMT
    Content-Length: 1508

    Connection: close

Disabling Trace or Track on IIS

The easiest way to mitigate the risk of Trace \ Track on iis is  : installing URLScan from Microsoft, 
The urlscan.ini file is included as part of URLScan . This sets by default a configuration setting "UseAllowVerbs=1".  In this [AllowVerbs] section of the ini file, only http methods that are allowed are GET, HEAD, and POST so simply by installing URLScan on an IIS server , we can assume that it  protected from TRACE or TRACK.  

One of our clients receive this error message when deploying his ASP.NET application.

“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”. Here is how we solved that issue.

There are 3 related and important issues:

1. the remote site uses a Server Name Indication (SNI) certificate, installed on a different domain name
2. the web application was published to a IIS 6.0 (Windows Server 2003) web server
3. a System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. This error message is caused because the process is not able to validate the certificate supplied by the server during an HTTPS (SSL) request

IIS 6.0 + Server Name Indication (SNI) certificates = System.Net.WebException #

A Server Name Indication (SNI) certificate basically means that you can install oneSSL/TLS certificate on a web server, to use on multiple domain names. The TLS part takes the negotiation, and that enables the server to select the correct virtual domain early and present the browser with the certificate containing the correct name. Therefore with clients and servers that support SNI, a single IP address can be used to serve a group of domain names for which it is impractical to get a common certificate.

Windows Server 2003 (IIS 6.0), Windows Server 2008 (IIS 7.0) and Windows Server 2008 R2 (IIS 7.5) do not support SNI-certificates.

How to Solve this Error Message

You might wonder what the solution to this error message was. Well, simple: Move the website to an IIS 8.0+ (Windows Server 2012) web server. This version supports Server Name Indication certificates. Microsoft calls this SSL Scalability in IIS 8.0. Because of SNI, or SSL-scalability, support in Windows Server 2012, the ASP.NET System.Net.WebException went away.

It’s simple, right? :)

European leading web hosting provider, HostForLIFE.eu announces the launch of Visual Studio 2017 Hosting

HostForLIFE.eu was established to cater to an underserved market in the hosting industry; web hosting for customers who want excellent service. HostForLIFE.eu - a cheap, constant uptime, excellent customer service, quality, and also reliable hosting provider in advanced Windows and ASP.NET technology. HostForLIFE.eu proudly announces the availability of the Visual Studio 2017 hosting in their entire servers environment.

The smallest install is just a few hundred megabytes, yet still contains basic code editing support for more than twenty languages along with source code control. Most users will want to install more, and so customer can add one or more 'workloads' that represent common frameworks, languages and platforms - covering everything from .NET desktop development to data science with R, Python and F#.

System administrators can now create an offline layout of Visual Studio that contains all of the content needed to install the product without requiring Internet access. To do so, run the bootstrapper executable associated with the product customer want to make available offline using the --layout [path] switch (e.g. vs_enterprise.exe --layout c:\mylayout). This will download the packages required to install offline. Optionally, customer can specify a locale code for the product languages customer want included (e.g. --lang en-us). If not specified, support for all localized languages will be downloaded.

HostForLIFE.eu hosts its servers in top class data centers that is located in Amsterdam (NL), London (UK), Paris (FR), Frankfurt(DE) and Seattle (US) to guarantee 99.9% network uptime. All data center feature redundancies in network connectivity, power, HVAC, security, and fire suppression. All hosting plans from HostForLIFE.eu include 24×7 support and 30 days money back guarantee. The customers can start hosting their Visual Studio 2017 site on their environment from as just low €3.00/month only.

HostForLIFE.eu is a popular online ASP.NET based hosting service provider catering to those people who face such issues. The company has managed to build a strong client base in a very short period of time. It is known for offering ultra-fast, fully-managed and secured services in the competitive market.

HostForLIFE.eu offers the latest European Visual Studio 2017 hosting installation to all their new and existing customers. The customers can simply deploy their Visual Studio 2017 website via their world-class Control Panel or conventional FTP tool. HostForLIFE.eu is happy to be offering the most up to date Microsoft services and always had a great appreciation for the products that Microsoft offers.

Further information and the full range of features Visual Studio 2017 Hosting can be viewed here http://hostforlife.eu/European-Visual-Studio-2017-Hosting

That has been a question we have come across frequently. Before IIS 8, you could host multiple sites needing SSL on a single IP address if the sites utilized the same SSL certificate or used a wildcard SSL certificate.  A wildcard certificate was only beneficial if you needed SSL on the subdomain level of a current site/domain. But what if you had sites with different names? Well, you could get a Subject Alternative Names (SAN) SSL certificate.  This SSL certificate would allow you to protect multiple sites with a single SSL certificate. The last available option prior to IIS 8 required setting each additional SSL site on the same IP address but with a different SSL port number. This would allow you to utilize each site’s/domain’s SSL on the same IP address as another site.  By default, SSL certificates utilize port 443 for secure communication. This port doesn’t need to be specified in the URL since this is the standard port. When you use a different port number for SSL you will be required to add the non-standard SSL port number in the URL in order for it to work.  As you can imagine, this is not the way you want to run a public site. How would a user know to enter the port number and it’s not a common step that users are familiar with doing when browsing a site.

Adding an additional IP address to host another site needing SSL is the common method used but sometimes this isn’t an option for some people. With the inception of IIS 8 on Windows Server 2012, a new feature called Server Name Identification (SNI) was added. This feature offers an easier solution to hosting multiple sites that have a different or individual SSL on a single IP address. This feature is included in IIS 8 by default and doesn’t require the installation of any additional features to begin using it. Below, we will walk through the steps involved with configuring SNI. One thing to note with implementing SNI for your SSL solution, it will not work for those users running Internet Explorer on Windows XP. If your server has multiple IP addresses, you can implement SNI for some sites in addition to assigning individual sites to a single IP address for SSL. Both methods will work along side each other on different IP addresses without issue.

Steps:

1)  One of the first things you will need to do is import the SSL certificates for each site on the server if this hasn’t been done already
2)  Next, open IIS 8 Manager and add your first site that will need SSL
  a.  If the first site is already in place, proceed to step the next step
3)  After the site is added select the site and click Bindings… under the Actions menu pane on the right

4)  Click Add
  a.  Select https for the Type
  b.  You can leave the IP address to “All Unassigned” or choose the IP address you want to use
(If you have multiple IP’s on the server you will want to specify the one you want to use for SNI)
  c.  Enter your site/domain name for Host name
  d.  Check the box for “Require Server Name Indication”
  e.  Select the SSL certificate for the site from the drop down box
  f.  Click OK

5)  Create the second site and add the SSL binding following the steps below
6)  Select Bindings and click Add
  a.  Select https for the Type
  b.  You can leave the IP address to “All Unassigned” or choose the IP address you want to use
   (If you have multiple IP’s on the server you will want to specify the one you want to use for SNI)
  c.  Enter your site/domain name for Host name
  d.  Check the box for “Require Server Name Indication”
  e.  Select the SSL certificate for the site from the drop down box

7)  Click OK to complete the setup

That’s all that needs to be done.  Test SSL for the site to make sure each site is working properly.  If you have additional sites that need SSL added, you can continue following the steps above for adding the SSL binding for each new site.

In this tutorial, I will tell you about Manage IIS with Appcmd. What is Appcmd? The appcmd.exe is a single command, used to manage IIS 7 and above. It is used to manage the Server without using a graphical administration tool. The appcmd is located in C:\Windows\System32\inetsrv (%systemroot%\system32\inetsrv\) directory. By default, it will not add into environment variable. 

Key Features 

• Creating and configuring the sites.
• To list the running worker process.
• Backup and restoring the site configuration.
• Retrieve the information about the Application pools.

Object Types

• List
• Add
• Delete
• Set
• Hide

Syntax

appcmd <objecttypes> <parameters>   

set path=%path%;%systemroot%\system32\inetsrv; //used to set the environment variable   

To list all the sites, use the command, given below:

appcmd list sites     

To get the details of a specific site binding and status (stopped/start), use the command, given below:

appcmd list site "Default web site"  

To list all the sites, which had been stopped, use the command, given below:

appcmd list sites /state:Stopped   

To add a new site, use the command, given below:

appcmd add site /name:"added using appcmd" /bindings:"http/*:81:localhost" /physicalPath:"D:\test"

To add an https binding to the site, use the command, given below:

appcmd set site /site.name:"added using appcmd" /+bindings.[protocol='https',bindingInformation='127.0.0.1:444:localhost']  

To list all the applications, use the command, given below:

Appcmd list app  

To change an application pool, use the command, given below:

appcmd set app "added using appcmd/app1" /applicationPool:appcmdpool  

To view the application pool details including the username and password of the app account, use the command, given below:

appcmd list apppool "MyAppPool" /text:*  

Backup

appcmd add backup   

appcmd add backup "locahostbkup"  

appcmd list backup   

appcmd delete backup "backup name"  

Restore

appcmd restore backup "locahostbkup "  

appcmd restored configuration from backup "locahostbkup"  

To view the list of the worker process, which will help us to attach the debugger in Visual Studio, use the command, given below:

appcmd list wps  

To view the list of the physical path, use the command, given below:

appcmd list vdirs /text:physicalPath   

To start and stop the sites, use the command, given below:

appcmd start site "Default web site"  

appcmd stop site "Default web site"

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.