How to set Authentication Methods in IIS programmatically - windows

We are working on automating the deployment of some IIS applications. I've used cscript.exe inside a windows batch file to create the web app and such. There are however a few settings currently done by hand that I need to automate. Namely, if you look at the properties of an app, under Directory Structure -> Authentication and access control -> Edit, I need to uncheck Enable anonymous access and check Integrated Windows authentication.
Is there an easy way to do this from a windows batch file?
EDIT: I should clarify this is IIS 6.0, so appcmd is not available.

hope this helpes:
http://forums.iis.net/t/1159665.aspx

I answered a very similar question a wee while back. The example uses the asdutil.vbs tool which you can call from your batch file:
Setting NTAuthenticationProviders at an Application level in IIS 6 (Stack Overflow)
Updated:
Because you've already got a CScript script to create the website, you can just set the AuthFlags in the script:
'' Some values just as an example
iisNumber = 668
ipAddress = "172.16.3.200"
hostName = "myserver.com"
wwwfolder = "c:\mysites\www"
Dim serverBindings(1)
serverBindings(0) = ipAddress & ":80:www." & hostName
serverBindings(1) = ipAddress & ":80:" & hostName
'' Create server
Set w3svc = GetObject("IIS://localhost/w3svc")
Set newWebServer = w3svc.Create("IIsWebServer", iisNumber)
newWebServer.ServerBindings = serverBindings
newWebServer.ServerComment = "Server is: " & hostName
newWebServer.SetInfo
'' Create /root app
Set rootApp = newWebServer.Create("IIsWebVirtualDir", "ROOT")
rootApp.Path = wwwFolder
rootApp.AccessRead = true
rootApp.AccessScript = true
rootApp.AppCreate(True)
rootApp.AuthFlags = 4 '' <== Set AuthFlags here
rootApp.SetInfo

See Configure Windows Authentication (IIS 7):
appcmd set config /section:windowsAuthentication /enabled:true | false
For IIS 6 probably WMI is the alternative:
Creating Sites and Virtual Directories, and Setting Properties Using WMI
IIsWebServiceSetting (WMI)
AuthFlags

Dim sSitePath = "1" 'Set the site ID here
Set oSite = GetObject("IIS://localhost/" & sSitePath & "/root")
Select Case oSite.AuthFlags
Case 1
Wscript.Echo "Anonymous"
Case 2
Wscript.Echo "Basic"
Case 4
Wscript.Echo "NTLM"
Case 6
Wscript.Echo "MD5"
Case 64
Wscript.Echo "Passport"
End Select

Related

How to run WMI commands on non-domain-joined server from script running using domain admin credentials

I have a windows script running from a scheduled task, set to run with domain credentials.
It checks the disk space on all of my domain joined servers using WMI.
Set wmi = GetObject("winmgmts:\\" & hostname & "\root\cimv2")
...
Set wmiresults = wmi.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE Name = '" & _
UCase(diskletter) & ":'")
For Each wmiresult In wmiresults
ptotalspace = Round(CDbl(wmiresult.Size) / 1073741824, 2)
pfreespace = Round(CDbl(wmiresult.Freespace) / 1073741824, 2)
Next
This script works fine for all domain joined servers. But I need to include a non-domain-joined server into this checking, and it fails as the script lacks the necessary permissions on the target server.
I have tried the hacky method of creating a local user account with the same name and password as the domain admin acct, and adding it to local admins, but this didn't work.
Is there a way to allow the script permission to check the server's disks without joining it to the domain, and without having to create a duplicate or version of this script that runs using a local account with permission to perform this check?
The solution is here: Connecting to WMI Remotely with VBScript
Look at option 2 under the heading "To connect to a remote system using VBScript". You can use the SWbemLocator.ConnectServer method to pass different credentials to the connection. It looks like this:
strComputer = "Computer_B"
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, _
"Root\CIMv2", _
"fabrikam\administrator", _
"password")
Just replace "fabrikam\administrator" and "password" with a username and password that has permission on that machine. Then you can use that objSWbemServices object the same way you were using your wmi object.
That should work if you run it from a machine inside the domain too... I think. Give it a try.

Sharing INSTALLDIR windows folder in InstallShield

I want to share my setup directory in installshield. I did some search and found a VB Script and a CMD Command:
Option Explicit
Const FILE_SHARE = 0
Const MAXIMUM_CONNECTIONS = 25
Dim objShare
'Connect to WMI
Dim objWMIService: Set objWMIService = _
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
'Query share names for existing share
Dim colShares: Set colShares = objWMIService.ExecQuery _
("Select * from Win32_Share Where Name = 'MyShare'")
'Delete share if one exists with the same name already
For Each objShare in colShares
objShare.Delete
Next
'Create new share
Dim objNewShare: Set objNewShare = objWMIService.Get("Win32_Share")
Dim strFilePath: strFilePath = Session.Property("CustomActionData")
strFilePath = Left(strFilePath, Len(strFilePath) - 1)
objNewShare.Create strFilePath, "MyShare", _
FILE_SHARE, MAXIMUM_CONNECTIONS, "MyShare"
cmd command:
net share sharename=[INSTALLDIR]
When i run VBScript i don't see any error but I can't share my folder.
When i run cmd command, command can't share because it requires admin privilege; but I am not sure, how i can provide admin privilege to it;
can i share folder? how?
Try. You need to have access rights on location that you are trying to share.
net share Share=E:\Shared /Grant:Everyone,full
Note: You can change the share rights based on your need. This is strictly an example.
i found a very simple solution. i went in file and folders tab and right clicked on installdir an then in sharing tab i checked Share Folder check box and Finish! Very Simple Without code and Command!

compiling less to css from classic asp / vbscript

I'm trying to get classic asp / vbscript to run a less compiler (https://github.com/duncansmart/less.js-windows). Running the exact command from a real cmd prompt on the server works fine. So it's going to be one of those permissiony type things. My server is Win2003 x86 / IIS6.
<%
' foo.asp
outpath = "c:\inetpub\wwwroot\site\less"
cmd = "c:\less.js-windows-v1.6.2\lessc.cmd"
Set Shell = server.createobject("WScript.Shell")
nodeCommand = cmd & " " & outPath & "\app.less " & outPath & "\app.css"
errCode = Shell.Run(nodeCommand, 0, True)
' errcode = 1
%>
foo.asp is running somewhere on the web server, anonymously.
cmd.exe has had iusr_server added so that it has read and execute permission.
c:\less.js-windows-v1.6.2 has had iusr_server added with read/execute as well.
I've granted everyone permission to modify files in side c:\inetpub\wwwroot\site\less to make sure it's not a permission thing.
I have tried modifying my command to include CMD /C ahead of the command file name.
Use the following process:
Stop the server
Change relative paths to full paths for all files
Reconfigure the IUSR to be you
Restart the server

Running IIS Express "silent", ie without HTTP console output?

I'm testing the responsiveness of a web application, and want to isolate any slow areas (database access, javascript, etc) and want to be sure that IIS Express isn't slowing things down by all its console output.
Is there a way of running IIS Express without that output, or even without the console being visible at all?
I've tried the /trace:error option, but it still outputs lines for every request.
the following should do the trick:
Create a VBScript: IIS-Express-silent.vbs
Dim App,Site
Site = "[YOUR SITE NAME]"
If Len(Site) < 1 Then
Site = WScript.Arguments(0)
End If
App = """%PROGRAMFILES%\IIS Express\iisexpress""" & _
" /site:" & Site
If Len(Site) > 0 Then
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run App, 0
Set WshShell = Nothing
End If
If you are running IIS Express only as localhost and you don't (intend to) use SSL then you are ready. Just add [YOUR SITE NAME] from applicationhost.config located in your user profile:
<sites>
<site name="[YOUR SITE NAME]" id="1" serverAutoStart="true">
...
</sites>
If you need elevated privileges you must create a second file in the same directory (VBScripts can't be run this way directly): Run-as-Administrator.bat
#echo off
pushd %~dp0
cscript IIS-Express-silent.vbs [YOUR SITE NAME]
Please leave Site in your VBScript blank then and add the name in your batch file instead.
Right mouse button - "Run as Administrator" - and you're done :-)

Reset password for renamed Administrator account

I need to create a .VBS script to reset the Windows local administrator password on a large group of computers. My problem is that some of our sites have renamed the administrator account for security reasons. Does anyone have a script which changes the password of the administrator account based on the SID of the original Administrator account?
Using the fact that local admin's SID always ends with -500:
strComputer="." ' local computer by default
Set objUser=GetObject("WinNT://" & strComputer & "/" & GetAdminName & ",user")
objUser.SetPassword "New local admin password"
objUser.SetInfo
Function GetAdminName
'This function was written using information from Table J.1 from the Windows XP resource Kit
'http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp
Set objNetwork = CreateObject("Wscript.Network") 'get the current computer name
objComputerName = objNetwork.ComputerName
Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'"
'set query, making sure to only look at local computer
For Each Admin in objwmi.ExecQuery(qry)
if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 'look for admin sid
GetAdminName = admin.name
end if
next
end Function
There's a tool floating around somewhere called LookupAccountName (with source!) that given the SID of the builtin adminitrator will give you its name.
You're probably going to end up writing C++ code to pull this one off reasonably well.
Like Joshua says, I don't think you can do this with windows scripting host only, you could use it download something and execute it:
A custom app that calls LookupAccountSid(S-1-5-domain-500 SID or enum admin group)+NetUserSetInfo to reset the password (Needs to run this as admin)
http://home.eunet.no/pnordahl/ntpasswd/ (Reset at boot)
Dump the SAM hashes and crack the password (Cain,John the Ripper,L0phtCrack etc)
#DmitryK's answer is good, and I didn't know any of that stuff. But I do know that this sort of thing is usually cleaner in PowerShell, so I ported it.
For example, the whole GetAdminName function can be written:
$adminName = (gwmi win32_account | ? { $.SID.StartsWith( 'S-1-5-' ) -and $.SID.EndsWith( '-500' ) }).Name
(Add the -ComputerName option to the gwmi call to do this on a server.)
The rest becomes:
$user = ([ADSI]"WinNT://$($env:COMPUTERNAME)/$adminName,User")
$user.SetPassword( 'xxx' )
$user.SetInfo()
(applying the appropriate computer name as needed, of course.)

Resources