To secure IIS with Active Directory and PowerShell on Windows Server, first join the server to the domain, enable Windows Authentication in IIS Manager while disabling Anonymous Authentication, configure authorization rules to allow only specific AD security groups, and automate the entire process with PowerShell scripts built on the WebAdministration module's cmdlets. This delivers centralized authentication, Kerberos-based single sign-on, least-privilege enforcement, and consistent policy application across servers without manual repetition or configuration drift.

Active Directory integration eliminates local credential stores and supports detailed auditing through domain controller logs. PowerShell scripts reduce human error, enable remote execution via PSRemoting, and can incorporate group membership checks from the ActiveDirectory module. The techniques below are demonstrated on Windows Server 2022 with IIS 10 and carry over to other supported versions. Test all changes on staging systems first; run scripts from an elevated session and validate Kerberos ticket behavior before applying them to production workloads.

# Prerequisites

Confirm the following before beginning configuration. Missing any item commonly produces authentication failures, permission denied errors when modifying IIS settings, or inability to query AD group membership.

  • Windows Server joined to an Active Directory domain with line-of-sight to at least one domain controller
  • IIS role installed with Windows Authentication feature enabled and application pools running under domain accounts where required
  • Domain and local administrative credentials; RSAT-AD-PowerShell feature for the ActiveDirectory module
  • WebAdministration PowerShell module available (install via Server Manager or Web Platform Installer if absent)

# Configuring IIS for Active Directory Authentication

With the server domain-joined, open IIS Manager, select the site or application, and switch authentication providers to delegate credential validation to Active Directory. This replaces local accounts with domain identities and supports SSO. A common pitfall is leaving Anonymous Authentication enabled, which bypasses AD checks entirely.

  • Launch IIS Manager and select the target site in the Connections tree
  • Double-click the Authentication feature
  • Disable Anonymous Authentication
  • Enable Windows Authentication
  • Select Windows Authentication, click Providers in the Actions pane, and move Negotiate above NTLM to ensure Kerberos is preferred

Next restrict access to authorized AD groups using URL Authorization. This implements least privilege and prevents broad exposure of the application.

```xml
<configuration>
  <system.web>
    <authorization>
      <allow roles="Domain\WebAdmins" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Place the snippet above in the application's web.config. After saving, attempt access with an account inside the WebAdmins group (should succeed) and an account outside it (should return 403 Forbidden). Check the IIS logs and Windows Security event log for details on failures.

# Automating IIS Security with PowerShell

Manual changes do not scale in hosting fleets. Import the WebAdministration module and script the same settings shown above. The cmdlets write directly to applicationHost.config or web.config, ensuring repeatability. Run all commands in an elevated session; failing to do so is a frequent source of access-denied errors.

```powershell
Import-Module WebAdministration

# Enable Windows Authentication for Default Web Site
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name "enabled" -Value $true -PSPath "IIS:\" -Location "Default Web Site"

# Disable Anonymous Authentication
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" -Name "enabled" -Value $false -PSPath "IIS:\" -Location "Default Web Site"

# Recycle the site's application pool so its worker processes pick up the change
Restart-WebAppPool -Name "DefaultAppPool"
```

Extend the script with Get-ChildItem IIS:\Sites to loop across all sites. Combine with Get-ADGroupMember to validate group membership before applying rules. Add Write-Output or Export-Csv statements for audit trails and schedule the script via Task Scheduler. For remote servers use Invoke-Command after Enable-PSRemoting.
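The fleet-wide version of the script described above, as an added example that is not part of the original article. It loops over every site with Get-ChildItem IIS:\Sites, refuses to proceed unless the admin group resolves in AD and has members (so a typo cannot lock every operator out), records the before-and-after state to a CSV audit trail, and exposes the work as a function that can be shipped to remote hosts with Invoke-Command. The group name WebAdmins, the audit directory C:\IISAudit and the server names are assumed placeholders.

```powershell
# Added example (not from the original article). Assumes an elevated session on a
# domain-joined IIS host with the WebAdministration and ActiveDirectory modules.
# The group name, audit directory and server names below are hypothetical.
Import-Module WebAdministration
Import-Module ActiveDirectory

function Set-IisWindowsAuthForAllSites {
    param(
        # Group that must exist and be non-empty before any site is switched to Windows auth
        [string]$RequiredGroup = 'WebAdmins',
        [string]$AuditDir = 'C:\IISAudit'
    )

    # Guard: switching every site to Windows auth while the admin group is missing or
    # empty would lock operators out, so fail before touching IIS.
    $members = @(Get-ADGroupMember -Identity $RequiredGroup -Recursive -ErrorAction Stop)
    if ($members.Count -eq 0) { throw "AD group '$RequiredGroup' has no members; aborting." }

    $null = New-Item -ItemType Directory -Path $AuditDir -Force
    $auditCsv = Join-Path $AuditDir ("auth-{0}-{1:yyyyMMdd-HHmmss}.csv" -f $env:COMPUTERNAME, (Get-Date))
    $base = '/system.webServer/security/authentication'

    $results = foreach ($site in Get-ChildItem IIS:\Sites) {
        $name = $site.Name
        # Capture the previous state so the CSV doubles as a rollback reference
        $winBefore  = (Get-WebConfigurationProperty -Filter "$base/windowsAuthentication"   -Name enabled -PSPath 'IIS:\' -Location $name).Value
        $anonBefore = (Get-WebConfigurationProperty -Filter "$base/anonymousAuthentication" -Name enabled -PSPath 'IIS:\' -Location $name).Value

        Set-WebConfigurationProperty -Filter "$base/windowsAuthentication"   -Name enabled -Value $true  -PSPath 'IIS:\' -Location $name
        Set-WebConfigurationProperty -Filter "$base/anonymousAuthentication" -Name enabled -Value $false -PSPath 'IIS:\' -Location $name

        # Read the values back rather than assuming the write succeeded
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Site            = $name
            WindowsBefore   = $winBefore
            AnonymousBefore = $anonBefore
            WindowsAfter    = (Get-WebConfigurationProperty -Filter "$base/windowsAuthentication"   -Name enabled -PSPath 'IIS:\' -Location $name).Value
            AnonymousAfter  = (Get-WebConfigurationProperty -Filter "$base/anonymousAuthentication" -Name enabled -PSPath 'IIS:\' -Location $name).Value
            ChangedAt       = (Get-Date).ToString('s')
            ChangedBy       = "$env:USERDOMAIN\$env:USERNAME"
        }
    }

    $results | Export-Csv -Path $auditCsv -NoTypeInformation
    $results
}

# Local run
Set-IisWindowsAuthForAllSites | Format-Table Site, WindowsBefore, AnonymousBefore, WindowsAfter, AnonymousAfter

# Fleet run, after Enable-PSRemoting on the targets (server names are placeholders):
# Invoke-Command -ComputerName Server01, Server02 -ScriptBlock ${function:Set-IisWindowsAuthForAllSites}
```

Because the function body is passed as a script block, the remote hosts need the same modules installed locally (RSAT-AD-PowerShell for Get-ADGroupMember); the CSV is written on each target, so collect the audit files centrally or return the objects through Invoke-Command and export them once.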

# Integrating Active Directory Groups for Role-Based Access

Create domain security groups such as WebAdmins, IIS_ReadOnly, and IIS_FullAccess in Active Directory Users and Computers. Map them to IIS authorization rules so membership alone grants or denies access. The ActiveDirectory module lets you query and script these mappings dynamically.

```powershell
Import-Module WebAdministration
Import-Module ActiveDirectory

$site = "MySite"
$allowedGroup = "Domain\WebAdmins"

# Confirm the group resolves in AD before writing a rule that references it
$null = Get-ADGroup -Identity ($allowedGroup.Split('\')[-1]) -ErrorAction Stop

# IIS URL Authorization rules live under system.webServer/security/authorization and use accessType; there is no "action" attribute
$filter = "/system.webServer/security/authorization"

# Remove the inherited allow-all rule (users="*") at this site
Remove-WebConfigurationProperty -Filter $filter -Name "." -AtElement @{users="*";roles="";verbs=""} -PSPath "IIS:\" -Location $site

# Allow only the group; a request matched by no Allow rule is denied
Add-WebConfigurationProperty -Filter $filter -Name "." -Value @{accessType="Allow";roles=$allowedGroup} -PSPath "IIS:\" -Location $site
```

After the commands complete, run iisreset /restart or recycle the relevant app pool. Verify effective rules with Get-WebConfiguration and test both allowed and denied accounts. This pattern scales by storing group-to-site mappings in a CSV and looping over them.
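The CSV-driven loop described above, as an added example that is not the article's own code. The mapping is constructed inline for a self-contained run (in practice it comes from Import-Csv); the site names CONTOSO\WebAdmins, CONTOSO\IIS_ReadOnly, MySite and ReportsSite are placeholders. It writes rules to the native IIS URL Authorization module (system.webServer/security/authorization, which requires the URL Authorization role service and applies to every request the site serves regardless of handler), whereas the web.config snippet earlier uses the system.web section evaluated by ASP.NET. Each mapping is checked against AD and applied idempotently, then the effective rules are read back.

```powershell
# Added example (not from the original article). Assumes an elevated session with the
# WebAdministration and ActiveDirectory modules and the IIS URL Authorization role service.
# Site and group names are constructed placeholders.
Import-Module WebAdministration
Import-Module ActiveDirectory

# Constructed mapping; replace with Import-Csv -Path .\site-groups.csv (hypothetical path)
$mappings = @'
Site,Group
MySite,CONTOSO\WebAdmins
ReportsSite,CONTOSO\IIS_ReadOnly
'@ | ConvertFrom-Csv

function Set-IisGroupAuthorization {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$Group
    )
    $filter  = '/system.webServer/security/authorization'
    $samName = $Group.Split('\')[-1]

    # Fail closed: never write an Allow rule for a group that does not resolve in AD,
    # and refuse an empty group because the result would be a site nobody can reach.
    $null = Get-ADGroup -Identity $samName -ErrorAction Stop
    if (@(Get-ADGroupMember -Identity $samName -Recursive).Count -eq 0) {
        throw "Group $Group is empty; refusing to apply a rule to $Site"
    }
    if (-not (Test-Path "IIS:\Sites\$Site")) { throw "Site $Site does not exist on this host" }

    $existing = @((Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $Site).Collection)

    # Drop the inherited allow-all rule at this site's location (only once; re-runs are no-ops)
    if ($existing | Where-Object { $_.accessType -eq 'Allow' -and $_.users -eq '*' }) {
        Remove-WebConfigurationProperty -Filter $filter -Name '.' -AtElement @{users='*';roles='';verbs=''} -PSPath 'IIS:\' -Location $Site
    }
    # Allow only the mapped group; with no matching Allow rule IIS denies the request
    if (-not ($existing | Where-Object { $_.accessType -eq 'Allow' -and $_.roles -eq $Group })) {
        Add-WebConfigurationProperty -Filter $filter -Name '.' -Value @{accessType='Allow';roles=$Group} -PSPath 'IIS:\' -Location $Site
    }

    # Read the effective rules back for verification and for the change record
    (Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $Site).Collection |
        Select-Object @{n='Site';e={$Site}}, accessType, users, roles, verbs
}

$mappings | ForEach-Object { Set-IisGroupAuthorization -Site $_.Site -Group $_.Group } | Format-Table
```

After the loop, test each site with an account inside and one outside the mapped group as the article describes; the read-back table should show only the group's Allow rule at each site, with the inherited users="*" entry gone.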

# Monitoring and Updates for Microsoft Platforms

Stay current with Microsoft updates that address IIS and AD vulnerabilities. For instance, the May 2023 Patch Tuesday addressed vulnerabilities in Windows Server 2022, including AD certificate services (CVE-2023-29357). Deploy via Windows Update or WSUS. Monitor Event Viewer for AD authentication failures (Event ID 4625), use Get-HotFix to validate patch levels, and enable IIS Failed Request Tracing rules for status codes 401-403.

  • Review Security and System logs daily for Kerberos or NTLM errors
  • Script configuration drift detection with Get-WebConfiguration and compare against a baseline
  • Use PowerShell remoting for centralized visibility across server fleets

```powershell
Invoke-Command -ComputerName Server01,Server02 -ScriptBlock {
    Get-WebConfiguration -Filter "/system.webServer/security/authentication/windowsAuthentication" -PSPath "IIS:\Sites\Default Web Site"
}
```
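A drift-detection pass that extends the one-liner above, added here as an example rather than taken from the article. It collects the authentication state of every site on each remote host (including whether Negotiate is the first provider, the Kerberos-first ordering set in the IIS Manager steps), compares each value against an in-script baseline, and emits one row per deviation. Server names are placeholders; the targets need PSRemoting enabled and the WebAdministration module installed.

```powershell
# Added example (not from the original article). Assumes Enable-PSRemoting has been run on
# the targets and that the WebAdministration module is present there. Server names are hypothetical.
function Get-IisAuthDrift {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$Baseline
    )

    # Runs on each target: one object per site with the settings we care about
    $collect = {
        Import-Module WebAdministration
        $base = '/system.webServer/security/authentication'
        foreach ($site in Get-ChildItem IIS:\Sites) {
            $n = $site.Name
            $providers = @((Get-WebConfiguration -Filter "$base/windowsAuthentication/providers" -PSPath 'IIS:\' -Location $n).Collection |
                ForEach-Object { $_.value })
            [pscustomobject]@{
                Site                 = $n
                WindowsAuthEnabled   = [bool](Get-WebConfigurationProperty -Filter "$base/windowsAuthentication"   -Name enabled -PSPath 'IIS:\' -Location $n).Value
                AnonymousAuthEnabled = [bool](Get-WebConfigurationProperty -Filter "$base/anonymousAuthentication" -Name enabled -PSPath 'IIS:\' -Location $n).Value
                FirstProvider        = if ($providers.Count -gt 0) { $providers[0] } else { $null }
            }
        }
    }

    # Compare every collected row against the baseline; emit only deviations
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect | ForEach-Object {
        $row = $_
        foreach ($key in $Baseline.Keys) {
            if ($row.$key -ne $Baseline[$key]) {
                [pscustomobject]@{
                    Computer = $row.PSComputerName
                    Site     = $row.Site
                    Setting  = $key
                    Expected = $Baseline[$key]
                    Actual   = $row.$key
                }
            }
        }
    }
}

# Baseline that every site in the fleet is expected to match
$baseline = @{
    WindowsAuthEnabled   = $true
    AnonymousAuthEnabled = $false
    FirstProvider        = 'Negotiate'
}

$drift = Get-IisAuthDrift -ComputerName Server01, Server02 -Baseline $baseline
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Output 'No drift from baseline' }
```

Scheduled through Task Scheduler, the drift rows can be piped to Export-Csv for a daily record, and an empty result is the expected steady state; a site reporting FirstProvider as NTLM or AnonymousAuthEnabled as True is exactly the kind of silent change this catches.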

Implement these configurations to fortify your IIS setups against common threats. Regularly audit with PowerShell scripts and keep abreast of Microsoft security bulletins to maintain a secure hosting environment.