IIS: Enable IIS remote management

You can use Windows PowerShell remoting to enable IIS remote management on any number of Web servers at once, from your own workstation.

Jason Helmick

Have you ever wanted to remotely manage an IIS server, change its configuration or add a simple Web site—and do so from a remote location? For obvious security reasons you can’t just open IIS Manager and connect to a remote server. Each IIS server you intend to manage must have remote management enabled, configured and assigned a certificate for HTTPS.

Enabling remote IIS management using the graphical IIS Manager is quick and easy, but only if you’re sitting at the Web server or using Remote Desktop Protocol (RDP). If you have several Web servers that need remote management—or if, like me, you’re using Server Core—the GUI IIS Manager isn’t practical or even possible.

You can enable remote management on any number of Web servers from a single console, all at once, using a feature called Windows PowerShell remoting.

You’ll have to enable Windows PowerShell remoting on all the IIS servers. There’s no way to avoid that. The best way to enable remoting is through a Group Policy Object (GPO). If you don’t know how to do this or need more information about the process, check out the free eBook, “Secrets of PowerShell Remoting,” by Don Jones and Dr. Tobias Weltner.

Before you say, “I’m not allowed to do this,” sit down and read this guide. Set it up in a test environment, invite your security friends to examine it and get permission to enable remoting. If your Web servers are running Windows Server 2012, remoting is already enabled by default. If not, you’ll have to complete this before trying the steps outlined here.

Inside a domain, Windows PowerShell remoting authenticates with Kerberos and encrypts the session payload, so it is well suited to administrative work like this, and you’ll need it for many IIS-related management tasks in the future. The process to enable remote management isn’t complicated, but there are several steps. Here’s what to expect:

  1. Create a Windows PowerShell session for each of the servers
  2. Install the IIS Web Management Service (WMSvc)
  3. Enable the IIS WMSvc
  4. Start the IIS WMSvc
  5. Replace the temporary certificate
  6. Connect using the IIS Manager

In this example, I’ll enable remote management on four IIS servers named Web1, Web2, Web3 and Web4—all at the same time. After getting them working, I’ll replace the temporary certificate with a trusted certificate from Active Directory Certificate Services (AD CS).

1. Create Windows PowerShell remoting sessions for the Web servers

The first step is to create a Windows PowerShell remoting session for the Web servers. Start by creating a variable “$Servers” that holds the computer names of the Web servers. Then create and store the sessions in a variable “$Sessions”:

PS C:\> $Servers = 'web1', 'web2', 'web3', 'web4'
PS C:\> $Sessions = New-PSSession -ComputerName $Servers

You’ll need both variables throughout the process: $Sessions for every Invoke-Command, and $Servers for the file copy over the administrative share later on. Don’t attempt to shorten this to a single one-liner. You could fill $Servers from a text file, a CSV file or Active Directory using the Get-ADComputer cmdlet, but that’s another topic.

2. Install the IIS WMSvc

The IIS WMSvc is an additional component you’ll need to add to IIS. Using the remoting sessions, Windows PowerShell makes this easy (the first line isn’t necessary on Windows Server 2012, because Windows PowerShell 3.0 loads modules automatically):

PS C:\> Invoke-Command –Session $Sessions –ScriptBlock {Import-Module ServerManager}
PS C:\> Invoke-Command –Session $Sessions –ScriptBlock {Add-WindowsFeature Web-Mgmt-Service}

At this point, you’ve installed the IIS WMSvc. Enabling the service is the next step.

3. Enable the IIS WMSvc

The default settings for the management service accept Windows credentials only, listen on port 8172 and use a temporary self-signed certificate. Keep these settings for now and replace the temporary certificate with a trusted one at the end of this process. To enable the management service, set a registry value on the remote Web servers:

PS C:\> Invoke-command –Session $Sessions -ScriptBlock{Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1}

Now that the management service is enabled, you can have it started.

4. Start the IIS WMSvc

The IIS WMSvc isn’t started by default. In fact, the service is set to manual startup. If you reboot a Web server in the future, the management service won’t start. Change the startup type to Automatic, and then start the service:

PS C:\> Invoke-command –Session $Sessions -ScriptBlock {Set-Service -name WMSVC -StartupType Automatic}
PS C:\> Invoke-command –Session $Sessions -ScriptBlock {Start-service WMSVC}

At this point, the management service is running and you can remotely manage the Web servers using the IIS Manager. The only problem is that the certificate in use is the temporary self-signed one created when the service was installed, which no client trusts, so IIS Manager will warn on every connection. Replace it with a trusted certificate.

5. Replace the temporary certificate

There are many options for replacing the temporary certificate, including the new IIS 8 feature of having certificates in the Central Certificate Store. This is my favorite.

I’ll go through the brief process of copying and installing a new certificate from a .pfx file, and then setting the Web site bindings for the new certificate. This example has a wildcard certificate on my local computer C:\_.Company.loc.pfx. First, copy the certificate (.pfx file) to the remote Web servers, then use CertUtil.exe to install the certificate:

PS C:\> $Servers | Foreach-Object {Copy-Item -Path C:\_.Company.loc.pfx -Destination "\\$_\c$"}
PS C:\> Invoke-Command -Session $Sessions {certutil -p P@ssw0rd -importpfx c:\_.company.loc.pfx}

Notice I sent the PFX password as clear text on the command line. The remoting channel itself is encrypted, so the password isn’t exposed on the wire, but it does land wherever command lines are recorded on the Web servers: process-creation auditing that captures command lines, PowerShell transcripts and logging, and the command history. Use a throwaway password that protects only this .pfx file, or prompt for it with Read-Host -AsSecureString and import with Import-PfxCertificate, which accepts a SecureString. Either way, after the certificate is installed it’s important to delete the .pfx file from the Web servers:

PS C:\> $Servers | Foreach-Object {Remove-Item -Path "\\$_\c$\_.Company.loc.pfx"}

At this point, you’ll need the Thumbprint of the installed certificate and you’ll need to change the binding for the management service. To do this, you’ll need the IIS provider. Start by loading the WebAdministration module on the remote Web servers:

PS C:\> Invoke-Command -Session $Sessions {Import-Module WebAdministration}

Get the certificate Thumbprint to make a new binding. The filter must match exactly one certificate (if in doubt, list Cert:\LocalMachine\My first), and because the sessions are persistent, $cert stays defined in each remote session for the commands that follow:

PS C:\> Invoke-Command -Session $Sessions {$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.subject -like "*company*"} | Select-Object -ExpandProperty Thumbprint}

Remove the old SSL binding. Items under IIS:\SslBindings are named IPAddress!Port, and 0.0.0.0 means all addresses; if the name differs on your build, list the drive first with Get-ChildItem:

PS C:\> Invoke-Command -Session $Sessions {Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172}

Add the new SSL binding using the certificate Thumbprint:

PS C:\> Invoke-Command -Session $Sessions {Get-Item -Path "cert:\localmachine\my\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172}

Now you’re ready to connect to the Web servers using the IIS Manager.

6. Connect to the remote Web servers using the IIS Manager

The last step is to open your IIS Manager, select the Start Page on the left pane and in the center pane select “Connect to a server.” Supply the server name and your credentials and you’ll see a new connection displayed in the navigation pane of the IIS Manager.
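Before relying on what IIS Manager shows, it is worth confirming from the management workstation that each server now presents the intended certificate on port 8172 and that the workstation actually trusts it. The following function is an added example, not code from the original article; it assumes port 8172 is reachable from where you run it and that you know the thumbprint of the certificate you installed (for instance from Get-ChildItem Cert:\LocalMachine\My on one of the servers). The function name is an arbitrary choice.

```powershell
# Added example (not from the original article): check what each Web server's
# management service presents on port 8172 and whether this workstation trusts it.
# Assumptions: port 8172 is reachable, and $ExpectedThumbprint is the thumbprint of
# the certificate installed in step 5.
function Test-WmsvcCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $ExpectedThumbprint,
        [int] $Port = 8172
    )

    $expected = $ExpectedThumbprint -replace '\s', ''

    foreach ($computer in $ComputerName) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        try {
            $client.Connect($computer, $Port)

            # Accept any certificate during the handshake: the point is to capture what the
            # server sends and evaluate trust explicitly below, not inside the callback.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($computer)

            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            [pscustomobject]@{
                ComputerName = $computer
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                Protocol     = $ssl.SslProtocol
                # True only if the presented certificate is the one installed in step 5 ...
                Expected     = ($cert.Thumbprint -eq $expected)
                # ... and it chains to a CA this workstation trusts (Verify builds the chain locally).
                Trusted      = $cert.Verify()
            }
        }
        catch {
            [pscustomobject]@{ ComputerName = $computer; Error = $_.Exception.Message }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
    }
}

# Usage, with the thumbprint copied from the certificate store on one of the servers:
Test-WmsvcCertificate -ComputerName web1, web2, web3, web4 -ExpectedThumbprint 'A1B2C3...' |
    Format-Table ComputerName, Expected, Trusted, NotAfter, Protocol -AutoSize
```

Trusted reports only whether the chain builds to a trusted root; it does not check that the name you connected with matches the certificate, so pass the same fully qualified names you will use in IIS Manager, and treat any server where Expected is False as still running on the temporary certificate.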

Because I perform this operation quite a bit, I took the previous commands and put them into a script. If you think you might need to do this more than once—and I’m sure you will—it’s always best to automate this process.
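Here is an added example of that kind of script; it is not the author’s own script, and it also addresses the clear-text password from step 5. It consolidates steps 2 through 5 into one function that takes the PFX password as a SecureString, which remoting serializes under the session key rather than placing it in a remote command line, stops and restarts the management service around the binding change, and always deletes the staged .pfx file even if the import fails. It assumes Windows Server 2012 targets (so the PKI and WebAdministration modules are present), remoting already enabled, and administrator rights on each server; the staging file name C:\wmsvc-staging.pfx and the function name are arbitrary choices.

```powershell
# Added example (not the author's script): steps 2 to 5 as one function, with the PFX
# password handled as a SecureString instead of a plain string on the command line.
# Assumptions: Windows Server 2012 targets (PKI and WebAdministration modules present),
# PowerShell remoting already enabled, and the caller is an administrator on each target.
# The staging path C:\wmsvc-staging.pfx is an arbitrary choice.
function Enable-IisRemoteManagement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )

    $sessions = New-PSSession -ComputerName $ComputerName
    try {
        # Steps 2 to 4: install the feature, enable remote management, start at boot.
        Invoke-Command -Session $sessions -ScriptBlock {
            Import-Module ServerManager
            Add-WindowsFeature Web-Mgmt-Service | Out-Null
            Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server `
                             -Name EnableRemoteManagement -Value 1
            Set-Service -Name WMSVC -StartupType Automatic
        }

        # Step 5a: stage the PFX over the administrative share, as the article does.
        foreach ($computer in $ComputerName) {
            Copy-Item -Path $PfxPath -Destination "\\$computer\c$\wmsvc-staging.pfx"
        }

        # Step 5b: import, rebind port 8172, then delete the staged file no matter what.
        # The SecureString travels inside the encrypted session; it never appears as a
        # command-line argument on the remote host.
        Invoke-Command -Session $sessions -ArgumentList $PfxPassword -ScriptBlock {
            param([securestring] $Password)
            Import-Module WebAdministration
            try {
                $cert = Import-PfxCertificate -FilePath C:\wmsvc-staging.pfx `
                                              -CertStoreLocation Cert:\LocalMachine\My `
                                              -Password $Password
                # Stop the listener while its binding changes; restarted in finally.
                Stop-Service -Name WMSVC
                # Binding items are named <IPAddress>!<Port>; 0.0.0.0 means all addresses.
                if (Test-Path -Path IIS:\SslBindings\0.0.0.0!8172) {
                    Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172
                }
                $cert | New-Item -Path IIS:\SslBindings\0.0.0.0!8172 | Out-Null
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Thumbprint   = $cert.Thumbprint
                    NotAfter     = $cert.NotAfter
                }
            }
            finally {
                Remove-Item -Path C:\wmsvc-staging.pfx -Force -ErrorAction SilentlyContinue
                Start-Service -Name WMSVC
            }
        }
    }
    finally {
        Remove-PSSession -Session $sessions
    }
}

# Usage: the password is prompted for, so it is never typed into a command line or a script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Enable-IisRemoteManagement -ComputerName web1, web2, web3, web4 `
                           -PfxPath C:\_.Company.loc.pfx -PfxPassword $pfxPassword
```

The function returns one object per server with the thumbprint of the certificate now bound to port 8172, which is the value to compare against what the servers actually present before handing the connection details to anyone else.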

Jason Helmick

Jason Helmick has more than 20 years of experience in IT as an enterprise consultant, trainer and author. As the director of Windows PowerShell technologies at Interface Technical Training, he focuses on automation with Active Directory and IIS. You can see more about IIS in his upcoming book from Manning Publications, “Learn Windows IIS in a Month of Lunches.”