2009-09-07 17:59:50
This file records some operational scripts and API calls for managing IIS: OpenSSL certificate creation, adsutil/appcmd commands for bindings and IP restrictions, C++ metabase code to stop/start a site, and the iisipsecurity.vbs helper script (attached at the end).
1, Create the certificate
The open-source OpenSSL toolkit is used here; the steps below walk through creating a new certificate (Method 1 also creates a private CA and signs the server certificate with it; Method 2 produces a self-signed certificate).
Method 1:
1.1 Make the private key file (-des3 encrypts the key with a passphrase, which you will be prompted for whenever the key is used).
openssl genrsa -des3 -out server.key 1024
Caveat: 1024-bit RSA is no longer considered adequate; use 2048 bits or larger for any new key.
1.2 Make the certificate signing request (the subject entered here becomes the certificate subject, so the CN must match the host name clients will connect to).
openssl req -new -key server.key -out server.csr -config openssl.cnf
1.3 Make a new (self-signed) CA certificate and CA key. Keep ca.key passphrase-protected and off the web server; anyone holding it can issue certificates trusted by every client that trusts ca.crt.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
1.4 Sign server.csr (and client.csr, if you made one) with the CA. Note the command is lower-case `openssl`; `openssl ca` also expects the database directory, index and serial files referenced by openssl.cnf to exist.
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Method 2:
1.1 openssl req -nodes -newkey rsa:1024 -subj "/C=countryName/ST=provinceName/L=localityName/O=organizationName/OU=organizationUnit/CN=commonName/emailAddress=emailAddress" -keyout "keyFilePath.key" -out "csrFilePath.csr"
1.2 openssl x509 -req -days 3650 -in "csrFilePath.csr" -signkey "keyFilePath.key" -out "crtFilePath.crt"
Notes on the original form of these two commands: the en-dashes and curly quotes were a copy/paste artifact and are not accepted by the shell. Without -x509, step 1.1 produces a certificate *request*, so its output must be the .csr file that step 1.2 reads (the original wrote it to the .crt path and then read a .csr that was never created); -days has no effect on `req` without -x509 and belongs on the `x509` step (otherwise the self-signed certificate defaults to 30 days). -nodes leaves the private key unencrypted on disk, so restrict the key file's permissions and drop -passout, which has nothing to protect in that case. challengePassword does not belong in -subj: there it is parsed as a subject DN component and ends up in clear in the CSR and certificate. In general, passwords passed on the command line are visible to other users in the process list and are saved in shell history.
2, Get the IIS port
cscript C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3SVC/1
(The doubled backslashes in the original were C-string escaping, not part of the command.) This lists the site's ServerBindings (HTTP, e.g. ":80:") and SecureBindings (HTTPS, e.g. ":443:").
In this document "HTTP port 0" is the convention for "plain HTTP disabled, SSL required". Check whether that is currently the case with:
cscript iisipsecurity.vbs http
3, Change the http port
cscript c:\adsutil.vbs SET w3svc/1/ServerBindings ":80:"
If the HTTP port is set to 0 (force all web access over HTTPS), additionally require SSL on the site with iisipsecurity.vbs:
cscript iisipsecurity.vbs http true
If the HTTP port is changed back from 0 to a normal port, re-allow plain HTTP:
cscript iisipsecurity.vbs http false
4, Change the https port
cscript c:\adsutil.vbs SET w3svc/1/SecureBindings ":443:"
If the HTTPS port is set to 0 (disable HTTPS), clear the secure bindings:
cscript c:\adsutil.vbs SET w3svc/1/SecureBindings ""
If the HTTPS port is changed back from 0 to a normal port, call the API to set the HTTPS port and bind the certificate to that port; a SecureBindings entry alone is not enough, the certificate must also be assigned to the site.
The code is in the PA RENEW PRO.
5, Change the remote access
"Remote access" here means whether IP addresses that are not explicitly listed may connect (IIS 5/6: IPSecurity.GrantByDefault; IIS 7: ipSecurity/allowUnlisted). It must be handled in two different ways depending on the IIS version:
IIS5 IIS6:
Read the current setting with:
cscript iisipsecurity.vbs get
Change it with one of:
cscript iisipsecurity.vbs set true
cscript iisipsecurity.vbs set false
(`set false` denies unlisted addresses but keeps 127.0.0.1 in the grant list so local management still works.)
IIS7:
First unlock the ipSecurity configuration section so it can be modified (appcmd must be run from an elevated prompt):
c:\Windows\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/ipSecurity
Set the remote access to true (allow unlisted IP addresses):
c:\Windows\System32\inetsrv\appcmd.exe set config /section:ipSecurity /allowUnlisted:true
Set the remote access to false (deny unlisted IP addresses while keeping the loopback address allowed; the 127.0.0.1 entry is removed first, presumably so that adding it again does not produce a duplicate entry):
c:\Windows\System32\inetsrv\appcmd.exe set config /section:ipSecurity /-"[ipaddress='127.0.0.1',allowed='true']"
c:\Windows\System32\inetsrv\appcmd.exe set config /section:ipSecurity /allowUnlisted:false
c:\Windows\System32\inetsrv\appcmd.exe set config /section:ipSecurity /+"[ipaddress='127.0.0.1',allowed='true']"
6, Stop the web site (writes MD_SERVER_COMMAND_STOP to metabase path /LM/W3SVC/1, i.e. site instance 1; it does not stop the W3SVC service itself)
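// Stops web site instance 1 (/LM/W3SVC/1, normally the "Default Web Site")
// through the IIS Admin Base Object (metabase) by writing MD_SERVER_COMMAND_STOP
// to the site key.  Despite the section title this does not stop the W3SVC
// service; only that one site instance is affected.
//
// Returns TRUE when the command was written and the metabase was saved,
// FALSE on any COM or metabase error.
//
// Changes vs. the original listing:
//  - the result of CoInitialize() is checked, and CoUninitialize() is only
//    called when initialization succeeded (a failed CoInitialize must not be
//    balanced by CoUninitialize);
//  - an unopened METADATA_HANDLE is no longer passed to CloseKey();
//  - SaveData() is only called after a successful write, not on error paths;
//  - the malformed "int :StopIisService()" signature is resolved to
//    CIisConfig::StopIisService to match StartIisService below;
//  - the ATL CComBSTR temporary is replaced by a wide literal (SetData takes
//    LPCWSTR), removing the ATL dependency.
int CIisConfig::StopIisService()
{
    // COM must be initialized on this thread before the admin object exists.
    const HRESULT hrInit = CoInitialize(NULL);
    if (FAILED(hrInit))
    {
        return FALSE;
    }

    int nResult = FALSE;
    IMSAdminBase *pIMeta = NULL;

    // Get a pointer to the IIS Admin Base Object.
    HRESULT hres = CoCreateInstance(CLSID_MSAdminBase, NULL, CLSCTX_ALL,
                                    IID_IMSAdminBase, (void **) &pIMeta);
    if (SUCCEEDED(hres) && pIMeta != NULL)
    {
        METADATA_HANDLE hW3Svc = 0;
        // 20 ms timeout as in the original; a busy metabase makes this fail fast.
        hres = pIMeta->OpenKey(METADATA_MASTER_ROOT_HANDLE, L"/LM/W3SVC",
                               METADATA_PERMISSION_READ | METADATA_PERMISSION_WRITE,
                               20, &hW3Svc);
        if (SUCCEEDED(hres))
        {
            DWORD dwCommand = MD_SERVER_COMMAND_STOP;
            METADATA_RECORD metaRecord;
            ZeroMemory(&metaRecord, sizeof(metaRecord));
            metaRecord.dwMDIdentifier = MD_SERVER_COMMAND;
            metaRecord.dwMDAttributes = METADATA_INHERIT;
            metaRecord.dwMDUserType   = IIS_MD_UT_SERVER;
            metaRecord.dwMDDataType   = DWORD_METADATA;
            metaRecord.dwMDDataLen    = sizeof(dwCommand);
            metaRecord.pbMDData       = reinterpret_cast<unsigned char*>(&dwCommand);

            // "/1" is relative to the open /LM/W3SVC key: site instance 1.
            hres = pIMeta->SetData(hW3Svc, L"/1", &metaRecord);
            pIMeta->CloseKey(hW3Svc);
            if (SUCCEEDED(hres))
            {
                // Persist the change only when the write actually succeeded.
                pIMeta->SaveData();
                nResult = TRUE;
            }
        }
        pIMeta->Release();
    }

    CoUninitialize();
    return nResult;
}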
7, Start the web site (same metabase path as in 6, writing MD_SERVER_COMMAND_START; the metabase key is opened with up to two attempts 500 ms apart)
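// Starts web site instance 1 (/LM/W3SVC/1) through the IIS Admin Base Object
// (metabase) by writing MD_SERVER_COMMAND_START to the site key.  As with
// StopIisService this only affects that site instance, not the W3SVC service.
//
// Opening the /LM/W3SVC key is attempted up to two times, 500 ms apart, because
// the key may still be held by the stop operation that usually precedes this call
// (the original retried the whole COM setup; only the OpenKey step can actually
// benefit from a retry, so only that step is repeated here).
//
// Returns TRUE when the command was written and the metabase was saved,
// FALSE on any COM or metabase error or when the key could not be opened.
//
// Changes vs. the original listing:
//  - the result of CoInitialize() is checked, and CoUninitialize() is only
//    called when initialization succeeded;
//  - an unopened METADATA_HANDLE is no longer passed to CloseKey();
//  - SaveData() is only called after a successful write;
//  - the ATL CComBSTR temporary is replaced by a wide literal.
int CIisConfig::StartIisService()
{
    const HRESULT hrInit = CoInitialize(NULL);
    if (FAILED(hrInit))
    {
        return FALSE;
    }

    int nResult = FALSE;
    IMSAdminBase *pIMeta = NULL;

    // Get a pointer to the IIS Admin Base Object.
    HRESULT hres = CoCreateInstance(CLSID_MSAdminBase, NULL, CLSCTX_ALL,
                                    IID_IMSAdminBase, (void **) &pIMeta);
    if (SUCCEEDED(hres) && pIMeta != NULL)
    {
        const int kOpenAttempts = 2;          // was nReStartTime
        const DWORD kRetryDelayMs = 500;
        METADATA_HANDLE hW3Svc = 0;
        hres = E_FAIL;
        for (int attempt = 0; attempt < kOpenAttempts; ++attempt)
        {
            if (attempt > 0)
            {
                Sleep(kRetryDelayMs);
            }
            hres = pIMeta->OpenKey(METADATA_MASTER_ROOT_HANDLE, L"/LM/W3SVC",
                                   METADATA_PERMISSION_READ | METADATA_PERMISSION_WRITE,
                                   20, &hW3Svc);
            if (SUCCEEDED(hres))
            {
                break;
            }
        }

        if (SUCCEEDED(hres))
        {
            DWORD dwCommand = MD_SERVER_COMMAND_START;
            METADATA_RECORD metaRecord;
            ZeroMemory(&metaRecord, sizeof(metaRecord));
            metaRecord.dwMDIdentifier = MD_SERVER_COMMAND;
            metaRecord.dwMDAttributes = METADATA_INHERIT;
            metaRecord.dwMDUserType   = IIS_MD_UT_SERVER;
            metaRecord.dwMDDataType   = DWORD_METADATA;
            metaRecord.dwMDDataLen    = sizeof(dwCommand);
            metaRecord.pbMDData       = reinterpret_cast<unsigned char*>(&dwCommand);

            // "/1" is relative to the open /LM/W3SVC key: site instance 1.
            hres = pIMeta->SetData(hW3Svc, L"/1", &metaRecord);
            pIMeta->CloseKey(hW3Svc);
            if (SUCCEEDED(hres))
            {
                pIMeta->SaveData();
                nResult = TRUE;
            }
        }
        pIMeta->Release();
    }

    CoUninitialize();
    return nResult;
}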
ATTACH: iisipsecurity.vbs (the helper script used in sections 2, 3 and 5; the file name was misspelled "iisipscurity.vbs" in the original)
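' iisipsecurity.vbs - read or change the IP restriction default and the
' "require SSL" flag of the default web site on IIS 5/6 via ADSI
' (IIS://LocalHost/W3SVC/1/Root).  Run with cscript from an administrative
' account; the path could be any site root/vdir, or IIS://LocalHost/W3SVC for
' global properties.
'
' Commands:
'   get          print whether GrantByDefault is TRUE (unlisted IPs allowed)
'   set true     allow unlisted IPs (GrantByDefault = TRUE)
'   set false    deny unlisted IPs and make sure 127.0.0.1 is in the grant list
'   http         print whether SSL is required (AccessSSL)
'   http true    require SSL (plain HTTP is refused)
'   http false   allow plain HTTP as well
'
' Exit codes: 0 after a handled command, 1 when the usage text is printed.
' (The original quit with an undeclared GENERAL_FAILURE, which evaluates to
' Empty and therefore also produced exit code 0.)
'
' Changes vs. the original: Option Explicit and declared constants; command
' words are matched case-insensitively; "set false" no longer appends a new
' 127.0.0.1 entry on every run (the grant list used to grow each time) and
' tolerates an empty/non-array IPGrant value.
'
' NOTE(review): the original header said to enable Integrated Windows
' Authentication and disable Anonymous Access or a Server 500 error results;
' that remark presumably applies when this code is hosted in an ASP page, not
' when run with cscript.  Kept here as a hint only.
Option Explicit

Const EXIT_OK = 0
Const EXIT_USAGE = 1
Const LOOPBACK_IP = "127.0.0.1"
Const SITE_PATH = "IIS://LocalHost/W3SVC/1/Root"

Dim ArgObj   ' command line arguments
Dim SecObj   ' the IIS object that holds the info for the site root
Dim MyIPSec  ' its IIsIPSecurity object
Dim Cmd, Flag

' Returns grantList with LOOPBACK_IP present exactly once.  Entries may be
' plain addresses or "address, mask" pairs, so only the part before the comma
' is compared.
Function WithLoopback(grantList)
    Dim entries, idx, parts, found
    found = False
    If IsArray(grantList) Then
        entries = grantList
        For idx = LBound(entries) To UBound(entries)
            parts = Split(entries(idx) & ",", ",")
            If Trim(parts(0)) = LOOPBACK_IP Then found = True
        Next
    Else
        entries = Array()
    End If
    If Not found Then
        ReDim Preserve entries(UBound(entries) + 1)
        entries(UBound(entries)) = LOOPBACK_IP
    End If
    WithLoopback = entries
End Function

Set ArgObj = WScript.Arguments
Set SecObj = GetObject(SITE_PATH)
Set MyIPSec = SecObj.IPSecurity

Cmd = ""
Flag = ""
If ArgObj.Count >= 1 Then Cmd = LCase(ArgObj.Item(0))
If ArgObj.Count >= 2 Then Flag = LCase(ArgObj.Item(1))

If ArgObj.Count = 1 And Cmd = "get" Then
    If (TRUE = MyIPSec.GrantByDefault) Then
        WScript.Echo "GrantByDefault now set to TRUE."
    Else
        WScript.Echo "GrantByDefault now set to FALSE."
    End If
    WScript.Quit EXIT_OK
ElseIf ArgObj.Count = 1 And Cmd = "http" Then
    If (TRUE = SecObj.AccessSSL) Then
        WScript.Echo "only support https."
    Else
        WScript.Echo "support http also."
    End If
    WScript.Quit EXIT_OK
ElseIf ArgObj.Count = 2 And Cmd = "set" And (Flag = "true" Or Flag = "false") Then
    If Flag = "true" Then
        WScript.Echo "GrantByDefault now set to TRUE."
        MyIPSec.GrantByDefault = TRUE
    Else
        WScript.Echo "GrantByDefault now set to FALSE."
        MyIPSec.GrantByDefault = FALSE
        ' Keep local management working once unlisted addresses are denied.
        MyIPSec.IPGrant = WithLoopback(MyIPSec.IPGrant)
    End If
    ' Write the IPSecurity object back and commit it to the metabase.
    SecObj.IPSecurity = MyIPSec
    SecObj.SetInfo
    WScript.Quit EXIT_OK
ElseIf ArgObj.Count = 2 And Cmd = "http" And (Flag = "true" Or Flag = "false") Then
    If Flag = "true" Then
        SecObj.AccessSSL = True
        WScript.Echo "only support https."
    Else
        WScript.Echo "support http also."
        SecObj.AccessSSL = False
    End If
    SecObj.SetInfo
    WScript.Quit EXIT_OK
End If

WScript.Echo "get : get the remote access;"
WScript.Echo "set true : the remote access is true;"
WScript.Echo "set false : the remote access is false;"
WScript.Echo "http : the status must using https or not;"
WScript.Echo "http true : only support https;"
WScript.Echo "http false : support http also."
WScript.Quit EXIT_USAGE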