Configuring IIS 7+ for Server 2008 is done but my #includes do NOT work!
If you had a Windows Server 2003 with IIS 6 and used a few older non-scripting directives, you will find that some of those directives do not work after configuring IIS 7+ for Server 2008+.
One of the more notable directives that is NOT a security risk is the #include; if a web site gets hacked, then whatever scripting language you use is vulnerable, be it Java, ASP, or one of the myriad other scripting languages.
Before getting to the reason the includes do not work even with SSI (Server Side Includes) installed, there are a few things that you should do when configuring IIS 7+ that do not take a script to work out; complete those first.
NOTE: Before you begin any modifications to your server install, make a backup image of the installation. I usually do some minor modifications including name and domain [if needed], and then activate the installation. Then I make my first image; once the Roles and Features you will need are installed and configured, make another image. I make images in steps; you never know when a change will cause problems for which the only cure is a complete OS install... (For those that know this, a small reminder.)
Configuring IIS 7+ - when you select the IIS role from the Server Manager Console under ROLES [note: only select IIS 7, add any other roles after you move the location of IIS 7], the install puts the IIS folder (directory) and associated files, the PATH in the registry, and the IIS configuration file on the drive where the operating system is installed. This could be a direct link to the internet and is an extreme security risk because you may need anonymous access connections: a hacker's dream come true... (Note: Even on an intranet this is a security risk, especially if the web site will have confidential information; make it as secure as possible!)
To mitigate the security risk you need to do a few things before moving the IIS directory and registry entries to more secure storage, such as a single drive with a single volume or a separate volume. Remove access for the following groups from the root of the drive/volume: Guests, Users, and any other non-Administrator groups or users. This INCLUDES the TRUSTED INSTALLER ID.
So how do you move the registry entries? With a script; you can use a command prompt or PowerShell. Here is the link to the Windows help page:
https://blogs.iis.net/thomad/moving-the-iis7-inetpub-directory-to-a-different-drive
Read the "PLEASE BE AWARE OF THE FOLLOWING" section at the bottom of the page.
Note: You may want to put a "pause" after each command to see if the command completed successfully; if it fails, then you need to either correct the syntax of the command or find a fix for the failure. I ran this the first time as it is written, however it failed; after doing a reimage I put in the "pause" after each command, fixed my two syntax errors, and then completed the move. Also, any added Roles not included under the IIS role tree will NOT be moved; install the other roles after the move.
Copy the script and save it. Once you have the script, and the drive and volume (or just the volume) set up with all access removed for security, you need to modify the script: change the path in the script to match your new location for IIS, such as e:\inetpub instead of c:\inetpub, otherwise your script will fail and cause problems with IIS.
Configuring IIS 7+ - once the script is complete, copy the directory from your OS system location to your new location. If you copy the files before running the script you may get errors or failures for certain functions of the script. I copied the files first, then ran the script; I still get an error about dynamic storage that I am still trying to figure out.
Before you restart the computer or start IIS you need to go to the folder on the system drive and remove the old IIS directory completely. The first time I ran the script I restarted the computer thinking the script would move all instances of the old path; not true. I had a mess, so I put the pre-script image back on the system drive and learned from my mistake: remove the old files first!
By now you are ready to begin configuring IIS 7+. If you have a lot of experience with IIS then most steps will be self-evident; however, for those that are converting from IIS 6 there will be a learning curve. How steep that is depends on your knowledge of Server 2008+; those that are not familiar with the 2008+ Server Manager Console will find things have changed/moved and some steps have to be completed before others.
Configuring IIS 7+ - now you may need to add more Roles; you can do this through the Server Manager Console. When selecting a role pay attention to the installation progress; there will be instances where you get notices about things that will be changed, or a failure because a different role needs to be installed first. Notably some roles need access through the firewall; if the firewall is disabled then the install will fail.
Note: Something I found out when rebuilding my business domain was that under Server 2003, if a workstation/server firewall was enabled, the net logon service would fail even if you gave the service a rule for access in/out of the firewall; therefore all domain workstation/server firewall services were disabled through the Domain Group Policy. Whatever was the cause of the failure (I never found a workaround or information for this on Windows TechNet) was fixed in Server 2008+; you must have the firewall enabled for IIS 7+ to install some roles...
Configuring IIS 7+ - there is a Catch-22 with moving your IIS installation to a non-default drive/volume: once moved, some Roles will fail to operate properly when installed. The two I had problems with were ASP and CGI; there are modifications you need to make to the configuration file that is located on the system drive. To modify this file your ID has to have the rights to access the folders and to write the changes. You will need to go to Microsoft's support site and search for a topic such as "configuring ASP"; also search for and download the "Installing IIS 7.pdf". The PDF is helpful for those not familiar with the changes in the GUI from IIS 6 to IIS 7+ and a few other things, but it does not contain the scripts you need to modify the configuration files.
Now why did the #include fail? Because SSI (Server Side Includes) have been deemed a security risk; that is, if a hacker could inject a command into your web page they could conceivably gain control of your web site server. Well DUH! If a hacker can inject text into a web page they have some control over the web server with write access, no?
So how did I get the #include to work? Look at the extension of this web page in your address bar: it is not HTML but .SHTML. After setting up all the required roles and finding the scripts to configure the Roles, I moved my web site from my old IIS 6 to the new server. I use a lot of #include statements in my pages to do the mundane things for formatting and the normal every-web-page information. When I tested the site these were missing: no menu, no information in the right-hand column, etc... The #include would not run as it should; the SSI function would not inject the called #include data into the page.
Using my old IIS 6 installation as a reference, I went through the steps of configuring IIS 7+. Some of the changes I needed to make took some research to find where I would make them; this link was very useful:
https://docs.microsoft.com/en-us/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2
or download this zip file.
Having an operational older version that works helped me understand the changes that IIS had gone through in its evolution; this may not be the same as, or ideally, your situation. Even with the above link and the operational IIS 6 I could not figure out what was stopping the SSI from formatting the page on IIS 7.5.
I spent a lot of time searching for an answer and trying different "techniques" other people said worked, but they didn't for me because most of the solutions required moving from the #include with SSI to another scripting language such as Java or ASP. Then I came across an obscure reference saying that, in its infinite wisdom, Microsoft had deemed the #include statement a security risk and the only way to get the command to work was to tell SSI that the entire page was an include by naming the extension .SHTML... Why have the SSI as a Role if you have to do this?
Once I found out why the SSI was not working I had a large task on my hands: to change every page extension to .SHTML and every link on each page from the original .HTML to .SHTML also. I looked at using a new editor to write my pages about three years ago; however, I am very happy I didn't, because the old MS Office 2003 has the application "Front Page" that handled the search and replace very easily. After about two hours the deed was done: all pages and links renamed, and the site was somewhat operational with a few things to clean up.
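The rename-and-relink step described above can also be scripted. The following is an added example, not the author's method (the author used FrontPage search and replace): it renames only the .htm/.html pages that actually contain an SSI directive, which is narrower than renaming every page, and rewrites the links that point at them. The function names `plan_renames` and `migrate`, the site-root argument, and the latin-1 decoding are assumptions of this sketch.

```python
import re
from pathlib import Path

HTML_EXTS = {".html", ".htm"}
PAGE_EXTS = HTML_EXTS | {".shtml"}          # files whose links get rewritten
# An SSI directive such as <!--#include file="menu.html" -->
DIRECTIVE = re.compile(r"<!--\s*#(include|exec)\b", re.I)
# href / file / virtual attributes whose target ends in .htm or .html
LINK = re.compile(r'''((?:href|file|virtual)\s*=\s*["'])([^"'#?]+\.html?)(?=["'#?])''', re.I)


def read(page):
    # latin-1 maps every byte to one character, so old pages round-trip unchanged
    return page.read_bytes().decode("latin-1")


def plan_renames(root):
    """Map each .htm/.html page that contains an SSI directive to its .shtml name."""
    root = Path(root).resolve()
    return {p: p.with_suffix(".shtml") for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in HTML_EXTS and DIRECTIVE.search(read(p))}


def migrate(root, dry_run=True):
    """Rewrite links to the pages being renamed, then rename them.

    Returns (plan, links_fixed). With dry_run=True nothing on disk changes.
    """
    root = Path(root).resolve()
    plan = plan_renames(root)
    fixed = 0
    pages = [p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in PAGE_EXTS]
    for page in pages:
        def fix(m, base=page.parent):
            nonlocal fixed
            target = m.group(2)
            if "://" in target or target.startswith("//"):
                return m.group(0)            # external URL, leave alone
            dest = (root / target.lstrip("/") if target.startswith("/") else base / target).resolve()
            if dest not in plan:
                return m.group(0)            # target keeps its current name
            fixed += 1
            return m.group(1) + target.rsplit(".", 1)[0] + ".shtml"
        old = read(page)
        new = LINK.sub(fix, old)
        if new != old and not dry_run:
            page.write_bytes(new.encode("latin-1"))
    if not dry_run:
        for src, dst in plan.items():        # rename last, after every link is fixed
            src.rename(dst)
    return plan, fixed
```

Run it with the default `dry_run=True` against a copy of the site first and review the returned plan before letting it touch the live content.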
Next saga: The powers that be have deemed that all web sites and their pages will contain security, that is, the old http:// is no longer indexable by the search engines. Only https:// will be indexed; that opens a whole new can of worms for independent hosts such as myself. I am not using a Linux based server nor do I pay rent for my web site to be on a host. So I have to figure out how the security works for IIS 7+ (that is, the web server on Windows Server 2008 and 2008 R2); my other choice is to upgrade (again) to Windows Server 2016, since 2012 has the same problems Server 2008 has when it comes to the mandated cipher suites.... So I need to step up and upgrade the OS and IIS for this web site; Windows Server 2016 is on order.
Thus ends the saga of how to make an old dog do new tricks... SSI will work
if you can find the answer.