Thursday 2 January 2014

IIS setting for SharePoint 2013

Some checks and reminders for IIS - This is a work in progress!

1.> Change the IIS log location for existing websites. If you want to change it, this needs to be done on each WFE in your farm.
PS Script to Change the IIS log directory for existing web sites.
2.> Disable IIS recycling
3.> Ensure app pool accounts have low levels of network permissions.
4.> Certificates used by IIS: check when they expire.
5.> Application Initialisation for IIS8 or warm-up scripts to stop the long delays after an IISRESET/app pool recycle.

   **************
CPU over utilisation


   ********************

Verify when certificates are going to expire:

Import-Module WebAdministration
$DaysToExpiration = 365
# change this once it's working
$expirationDate = (Get-Date).AddDays($DaysToExpiration)
# five years from today
$expirationDate5yrs = (Get-Date).AddYears(5)
# every SSL binding configured in IIS on this server
$certs = Get-ChildItem IIS:\SslBindings
foreach ($cert in $certs)
{
    $store = $cert.Store.ToString()
    Write-Host " Cert Store:" $store
    Write-Host " Cert Port:" $cert.Port.ToString()
    Write-Host " Cert Thumbprint:" $cert.Thumbprint
    # list every certificate in the store this binding uses
    $body = Get-ChildItem Cert:\LocalMachine\$store
    foreach ($me in $body) {

        if ($expirationDate -gt $me.NotAfter) {
            Write-Host " Expiring soon" -BackgroundColor Red
        }
        elseif ($expirationDate5yrs -gt $me.NotAfter) {
            Write-Host " Expiring in 5 years" -BackgroundColor Yellow
        }
        elseif ($expirationDate -le $me.NotAfter) {
            Write-Host " Expiring more than a year away" -BackgroundColor Green
        }
        Write-Host " - Body subject: " $me.Subject
        Write-Host " - Body thumbprint: " $me.Thumbprint
        Write-Host " - Body friendly name: " $me.FriendlyName
        Write-Host " - Body Expiry: " $me.NotAfter
    }
    Write-Host ""
}

 *********************
 Check the service accounts do not have too many permissions:
The script below retrieves the app pool password to show the client the potential issue.

Import-Module WebAdministration
# $webapp is an application pool entry from the IIS: drive
foreach ($webapp in Get-ChildItem IIS:\AppPools\)
{
    $iispath = "IIS:\AppPools\" + $webapp.name
    $pswd = $webapp.processModel.password
    $state = (Get-WebAppPoolState -Name $webapp.name).Value
    $color = "White"
    $forecolor = "Black"
    if ($pswd.Length -gt 0)  {$color = "Red"} # verify the domain accounts don't have excessive privileges
    if ($state -eq "Stopped")  {$forecolor = "Blue"} # why are there stopped app pools?
    Write-Host "Name:" $webapp.name " | Version:" (Get-ItemProperty $iispath managedRuntimeVersion).Value `
        " | Username:" $webapp.processModel.userName " | Pswd:" $pswd `
        " | State:" $state -BackgroundColor $color -ForegroundColor $forecolor
}

 Tip: Advise client to change Windows service account used to run the SP timer job.  Check ramifications.
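
For a report that can be kept on file, the variant below is an added example (not from the original post): it records whether a password is stored for each app pool without echoing it, and flags identities that are direct members of the local Administrators group. It assumes an elevated session on the WFE and that app pool user names are in DOMAIN\user or .\user form; nested group membership is not expanded.

```powershell
Import-Module WebAdministration

# Direct members of the local Administrators group as "DOMAIN\name" or "MACHINE\name".
# Assumption: nested groups are not expanded, so LocalAdmin = False means "not a direct member".
$group  = [ADSI]'WinNT://./Administrators,group'
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = $path -split '/'
    '{0}\{1}' -f $parts[-2], $parts[-1]
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser') {
        # Normalise ".\account" so it can be compared with the group listing
        $identity = $pm.userName -replace '^\.\\', ($env:COMPUTERNAME + '\')
    }
    else {
        # Built-in identity: LocalSystem, LocalService, NetworkService or ApplicationPoolIdentity
        $identity = [string]$pm.identityType
    }

    New-Object PSObject -Property @{
        AppPool          = $pool.Name
        State            = $pool.State
        Identity         = $identity
        # Flag only: the cleartext value is never written to the console or the report
        PasswordInConfig = [bool]$pm.password
        # LocalSystem is always highly privileged; custom accounts are checked against the group
        LocalAdmin       = ($identity -eq 'LocalSystem') -or ($admins -contains $identity)
    }
}

# Privileged identities first, so they are the first thing the client sees
$report | Sort-Object LocalAdmin -Descending |
    Format-Table AppPool, State, Identity, PasswordInConfig, LocalAdmin -AutoSize
```

Pipe `$report` to `Export-Csv` instead of `Format-Table` to hand the findings over without any credential material in the file.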


**********************************
